[WSO2 ESB] All you need to know about ESB Proxy Profiles

WSO2 ESB 5.0.0 introduced proxy profiles. The concept behind proxy profiles is to allow users to manage more than one proxy server as a reverse proxy. For example, if you need to route requests coming to www.domain1.com via Proxy server A and requests coming to www.domain2.com via Proxy server B, this feature allows you to do exactly that. Let’s take a look at how we can configure proxy profiles in WSO2 ESB 5.0.0.

Pre-Requisites:-

  • At least one or more proxy servers should be available. Some of the commonly used proxy servers are Squid, Tiny Proxy and Apache mod proxy. For this tutorial I will be using Squid3 and Burp Suite as proxy servers.
  • WSO2 ESB 5.0.0

Installing and Configuring Squid Server

Execute the following command to install squid3 on your Ubuntu machine.

sudo apt-get install squid3

Once you have installed Squid3, you can find the configuration file, squid.conf, in the /etc/squid3 directory.

Now let’s configure the server and set up a user to secure the requests going through Squid3.

Rename the squid.conf file to squid.conf_original. Then create a new file named squid.conf and add the following set of configurations to it. Please keep in mind that squid3 listens on port 3128 by default.

acl SSL_ports port 443 8443 8448 8248 8280
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/basic_pw
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_port 3128

Now, let’s create a user name and a password for basic authentication on the Squid server by executing the following command.

htpasswd -c /etc/squid3/basic_pw username

This will request you to type your new password and confirm it. To verify the user is successfully created, execute the following command.

sudo /usr/lib/squid3/basic_ncsa_auth /etc/squid3/basic_pw

Then type your username and password separated by a single space.

eg:- squid3user squid3pw

If the user is created successfully, you should see ‘OK’ printed on your terminal.

Once all this is done, let’s restart the squid3 server by executing the following command.

sudo service squid3 restart

Now you have successfully configured the squid3 server.
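The configuration above defines the SSL_ports, Safe_ports and CONNECT ACLs, but its only http_access rule is allow ncsa_users, so an authenticated user can reach any port through the proxy. The following check is an added example, not part of the original post: it lists ACLs that no http_access rule uses and compares the post's rules with a variant that adds the port rules from Squid's stock squid.conf (the sample strings are constructed from the lines above).

```python
# Constructed sample: the access-control lines of the squid configuration above.
WEAK = """\
acl SSL_ports port 443 8443 8448 8248 8280
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
"""

# Same ACLs, enforced with the port rules from Squid's stock squid.conf.
HARDENED = WEAK.replace(
    "http_access allow ncsa_users\n",
    "http_access deny !Safe_ports\n"
    "http_access deny CONNECT !SSL_ports\n"
    "http_access allow ncsa_users\n"
    "http_access deny all\n",
)


def audit_squid_acls(conf_text):
    """Return ACLs that are defined but never used by an http_access rule."""
    defined, rules = [], []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) >= 3 and tokens[0] == "acl" and tokens[1] not in defined:
            defined.append(tokens[1])
        elif len(tokens) >= 3 and tokens[0] == "http_access":
            rules.append((tokens[1], [t.lstrip("!") for t in tokens[2:]]))
    referenced = {name for _, names in rules for name in names}
    return {
        "unused_acls": [name for name in defined if name not in referenced],
        "ends_with_deny_all": bool(rules) and rules[-1] == ("deny", ["all"]),
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_squid_acls(conf))
```

With the hardened rules, ESB traffic to ports 80 and 443 still passes, while CONNECT to ports outside SSL_ports is refused before authentication is even attempted.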

Testing the Squid Server:-

Testing Squid server is fairly easy. Simply open your Firefox browser, go to Edit > Preferences > Advanced Tab and click on Settings button. Then select Manual Proxy Configuration option and provide your IP address and the port of Squid server, in this case 3128.

Testing squid server with Firefox

Now open a new terminal and type the following command to view Squid3 server logs.

sudo tail -f /var/log/squid3/access.log

Now open the browser and go to a URL. This should ask you to type Squid3 user credentials as displayed below.

Squid3 user credentials

Provide the user name and password you created earlier in this post, hit OK, and go to a URL in your browser. You will see the Squid3 logs being printed. This means you have successfully configured the Squid3 server on your machine.

Squid3 server logs

Configuring Burp Suite as a Proxy Server

Download the Burp Suite jar file from here. Then simply double click on the jar file to start Burp Suite. Click Next > Start Burp Suite and go to the Proxy tab. Go to the Options tab under the Proxy tab. Create a proxy by clicking on the Add button as displayed below. I have used port 8090 and selected the Specific IP address radio button.

Using Burp Suite as a Proxy

Once you have created the proxy, select the check box in front of the respective proxy in Burp Suite.

That’s it. You can test the proxy created with Burp Suite by adding the relevant IP and port into Firefox as explained above. You should be able to access websites via Firefox when the Burp Suite proxy is active. If the proxy is not active, you will not be allowed to access the web via Firefox. Now that we have configured proxy servers to use with Proxy Profiles in ESB, let’s take a look at how to configure ESB Proxy Profiles.

Configuring ESB Proxy Profiles with Squid3 and Burp Suite.

  1. Open axis2.xml file located at [$ESB_HOME]/repository/conf/axis2/ directory.
  2. Search for transportSender in the axis2.xml file. You will see the following two sections for http and https configurations.

For http requests:-

<transportSender name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpSender">

For https requests:-

<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">

Depending on your endpoint type, you can add the Proxy Profile configs in either section. I have added two Proxy Profiles under the http transportSender (one secure and one unsecured) and one Proxy Profile under the https transportSender section (secure).

HTTP transportSender with a secure and an unsecured Proxy Profile

<transportSender name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpSender">
    <parameter name="non-blocking" locked="false">true</parameter>
    <!--<parameter name="warnOnHTTP500" locked="false">*</parameter>-->
    <!--parameter name="http.proxyHost" locked="false">localhost</parameter-->
    <!--<parameter name="http.proxyPort" locked="false">3128</parameter>-->
    <!--<parameter name="http.nonProxyHosts" locked="false">localhost|moon|sun</parameter>-->
    <parameter name="proxyProfiles">
        <!-- Secure profile: Squid3 with basic authentication.
             The proxy credentials are stored in this file as plain text. -->
        <profile>
            <targetHosts>demo5224632.mockable.io</targetHosts>
            <proxyHost>xxx.xxx.xxx.xxx</proxyHost>
            <proxyPort>3128</proxyPort>
            <proxyUserName>squid3u</proxyUserName>
            <proxyPassword>squid3u</proxyPassword>
        </profile>
        <!-- Unsecured profile: Burp Suite proxy, no credentials -->
        <profile>
            <targetHosts>www.mocky.io</targetHosts>
            <proxyHost>xxx.xxx.xxx.xxx</proxyHost>
            <proxyPort>8090</proxyPort>
        </profile>
    </parameter>
</transportSender>

In the above configuration, the first proxy profile matches HTTP requests being sent to the domain demo5224632.mockable.io and sends those requests via the secured squid proxy we created above. You need to provide the proxy server host in the proxyHost element.

The second proxy profile matches HTTP requests sent to www.mocky.io and routes them through the unsecured proxy we created with Burp Suite above.
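A review pass over the proxy profiles described above, as an added example that is not part of the original post: it parses the proxyProfiles parameter and reports profiles without credentials, passwords kept in clear text, and targetHosts values with stray whitespace. The axisconfig wrapper, the function name and the deliberate line break in the sample are constructed for illustration; whether the ESB trims targetHosts is not stated in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two http proxy profiles from this post in a minimal
# wrapper element; the line break in the second targetHosts is deliberate.
SAMPLE_AXIS2 = """\
<axisconfig>
  <transportSender name="http">
    <parameter name="proxyProfiles">
      <profile>
        <targetHosts>demo5224632.mockable.io</targetHosts>
        <proxyHost>xxx.xxx.xxx.xxx</proxyHost>
        <proxyPort>3128</proxyPort>
        <proxyUserName>squid3u</proxyUserName>
        <proxyPassword>squid3u</proxyPassword>
      </profile>
      <profile>
        <targetHosts>
www.mocky.io</targetHosts>
        <proxyHost>xxx.xxx.xxx.xxx</proxyHost>
        <proxyPort>8090</proxyPort>
      </profile>
    </parameter>
  </transportSender>
</axisconfig>
"""

def audit_proxy_profiles(axis2_xml):
    """Return (sender:targetHosts, finding) pairs for every proxy profile."""
    findings = []
    for sender in ET.fromstring(axis2_xml).iter("transportSender"):
        for profile in sender.iterfind("parameter[@name='proxyProfiles']/profile"):
            raw_hosts = profile.findtext("targetHosts", default="")
            where = f"{sender.get('name')}:{raw_hosts.strip()}"
            user = profile.findtext("proxyUserName")
            password = profile.findtext("proxyPassword")
            if raw_hosts != raw_hosts.strip():
                findings.append((where, "targetHosts contains stray whitespace"))
            if not user:
                findings.append((where, "proxy used without credentials"))
            elif password:
                findings.append((where, "proxyPassword stored in clear text"))
                if password == user:
                    findings.append((where, "proxyPassword equals proxyUserName"))
    return findings

if __name__ == "__main__":
    for where, finding in audit_proxy_profiles(SAMPLE_AXIS2):
        print(f"{where}: {finding}")
```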

HTTPS transportSender with a secure Proxy Profile

<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/wso2carbon.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
            <KeyPassword>wso2carbon</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
    <parameter name="proxyProfiles">
        <profile>
            <targetHosts>demo5224632.mockable.io</targetHosts>
            <proxyHost>xxx.xxx.xxx.xxx</proxyHost>
            <proxyPort>3128</proxyPort>
            <proxyUserName>squid3u</proxyUserName>
            <proxyPassword>squid3u</proxyPassword>
        </profile>
    </parameter>
</transportSender>

Here we have configured a secure proxy profile to route all the HTTPS requests sent to the demo5224632.mockable.io domain via the squid3 server. Also, note that the HostnameVerifier property is set to DefaultAndLocalhost to avoid this issue.

Testing Proxy Profiles

In order to test http secure proxy (squid3), create an ESB proxy service which calls the following endpoint http://demo5224632.mockable.io/test123

Similarly, to test https secure proxy (squid3), create an ESB proxy service which calls the following endpoint https://demo5224632.mockable.io/test123

Test http unsecured proxy (burpsuite) by creating an ESB proxy service with following endpoint http://www.mocky.io/v2/57a4dbf30f00002c1dc9a3b3

You can test each proxy profile given above by creating the proxy services and changing the end point and service name of the following config.

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="SimpleProxy"
       transports="http,https"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
    <target>
        <inSequence>
            <property name="POST_TO_URI" value="true" scope="axis2"/>
            <call>
                <endpoint>
                    <address uri="http://www.mocky.io/v2/57a4dbf30f00002c1dc9a3b3"/>
                </endpoint>
            </call>
            <respond/>
        </inSequence>
    </target>
    <description/>
</proxy>

In order to verify each invocation is successfully going through your proxy profile, try to invoke the service while the proxy server is down. You should then get a timeout for your invocations going through proxies.

Proxy Profiles in a Clustered Environment:-

If you are setting up Proxy Profiles in a clustered environment, then you need to add the configuration to the axis2.xml file of all the nodes of your cluster.

That’s about it. Hope you now understand how to set up the Proxy Profiles and carry out some basic level testing with Proxy Profiles in WSO2 Enterprise Service Bus.

You can find the official WSO2 documentation for Proxy Profiles here.
