How to Setup WSO2 API Manager with NGINX as a Reverse Proxy in a Containerized Setup

Justus Nithushan
Published in Chain Analytica
4 min read · Feb 23, 2021

Introduction to Nginx

Nginx is free and open source web server software that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. Let’s see what these terms mean in the following sections.

Reverse proxy

A proxy server is an intermediary server between clients and the servers that provide the resources. Proxy servers offer basic functionality such as firewalling and network data filtering, network connection sharing, and data caching. While a forward proxy acts on behalf of clients, a reverse proxy acts on behalf of servers.

Load balance

Load balancing is defined as the methodical and efficient distribution of network or application traffic across multiple servers in a server farm. It distributes incoming requests to any available server capable of fulfilling them. It is a commonly used technique for optimizing resource utilization, maximizing throughput, reducing latency, and ensuring fault‑tolerant configurations.

Mail Proxy

NGINX can proxy IMAP, POP3 and SMTP protocols to one of the upstream mail servers that host mail accounts and thus can be used as a single endpoint for email clients. This may bring in a number of benefits, such as:

  • easy scaling of the number of mail servers
  • choosing a mail server based on different rules, for example, choosing the nearest server based on a client’s IP address
  • distributing the load among mail servers

HTTP cache

HTTP caching means storing local copies of web resources for faster retrieval the next time the resource is required. Nginx saves responses in a disk cache and uses them to respond to clients without having to proxy requests for the same content every time.

In this post we will use nginx as our reverse proxy server in front of WSO2 API Manager.

Introduction to WSO2 API manager

API management is used for designing, publishing, managing the lifecycle of, documenting and analyzing APIs in a secured environment. WSO2 API Manager is an open source API management platform which provides all the aforementioned services in a user-friendly manner.

Docker setup

Let’s start creating our docker setup. Before we begin, please make sure you follow the directory structure shown below.

<docker-root>
|----- conf/
|      |---- nginx.conf
|----- log/
|      |---- am/
|      |     |---- https/
|      |---- gw/
|            |---- https/
|----- ssl/
|      |---- key.key
|      |---- cert.crt
|----- docker-compose.yml

Now we will create a docker-compose.yml file as follows.

version: '3'
services:
  reverse:
    container_name: reverse
    image: nginx
    volumes:
      # certificate and key, log directories, and the proxy configuration
      - ./ssl/:/etc/nginx/ssl
      - ./log/:/etc/nginx/log
      - ./conf/nginx.conf:/etc/nginx/conf.d/nginx.conf
    ports:
      - "80:80"
      - "443:443"

Let’s create an SSL certificate for the load balancer using the following commands.

1. Create the server key. Use at least 2048 bits; 1024-bit RSA keys are too weak for TLS today.

  • sudo openssl genrsa -des3 -out <key_name>.key 2048

2. Submit the certificate signing request (CSR).

  • sudo openssl req -new -key <key_name>.key -out server.csr

3. Remove the password.

  • sudo cp <key_name>.key <key_name>.key.org
  • sudo openssl rsa -in <key_name>.key.org -out <key_name>.key

4. Sign your SSL certificate.

  • sudo openssl x509 -req -days 365 -in server.csr -signkey <key_name>.key -out <certificate_name>.crt

Let the key name be key.key and the certificate name be cert.crt.

Copy the key and certificate files that you generated in the above step to the <docker-root>/ssl/ location.

Now let’s create a configuration file named nginx.conf (location: <docker-root>/conf/nginx.conf) and add the lines below. Replace {host-ip} with the IP address of your host and {hostname} with your registered domain name (you can use the host IP address if you don’t have a registered domain name).

upstream sslapi.am.wso2.com {
    server {host-ip}:9443;
}
upstream sslgw.am.wso2.com {
    server {host-ip}:8243;
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name {hostname};
    rewrite ^/(.*) https://{hostname}/$1 permanent;
}

server {
    listen 443 ssl;
    server_name {hostname};
    proxy_set_header X-Forwarded-Port 443;
    # File names match the key and certificate copied to <docker-root>/ssl/
    ssl_certificate /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/key.key;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://sslapi.am.wso2.com/;
    }
    access_log /etc/nginx/log/am/https/access.log;
    error_log /etc/nginx/log/am/https/error.log;
}
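
A pre-flight check for this layout, added here as an example and not part of the original post: it reads conf/nginx.conf, maps the /etc/nginx/ssl and /etc/nginx/log paths back to the ./ssl and ./log mounts from docker-compose.yml, and reports any certificate, key or log directory that nginx would not find when it starts. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Translate a container path from nginx.conf to its host path, using the
# two directory mounts in the compose file (./ssl and ./log).
to_host() {
  case "$2" in
    /etc/nginx/ssl/*) echo "$1/ssl/${2#/etc/nginx/ssl/}" ;;
    /etc/nginx/log/*) echo "$1/log/${2#/etc/nginx/log/}" ;;
  esac
}

# check_nginx_mounts <docker-root>: non-zero if nginx.conf names a cert/key
# that is not in ssl/, or a log file whose directory does not exist.
check_nginx_mounts() {
  root=$1; rc=0
  pairs=$(awk '$1 ~ /^(ssl_certificate|ssl_certificate_key|access_log|error_log)$/ {
                 sub(/;$/, "", $2); print $1, $2 }' "$root/conf/nginx.conf")
  while read -r directive path; do
    [ -n "$directive" ] && [ "$path" != off ] || continue
    host=$(to_host "$root" "$path")   # empty when the path is outside both mounts
    case "$directive" in
      ssl_*) [ -n "$host" ] && [ -f "$host" ] || { echo "MISSING $directive $path"; rc=1; } ;;
      *) [ -n "$host" ] && [ -d "$(dirname "$host")" ] || { echo "MISSING dir for $directive $path"; rc=1; } ;;
    esac
  done <<EOF
$pairs
EOF
  return $rc
}

# Constructed sample: the directory layout from this post, with a config
# whose certificate name does not match the file placed in ssl/.
make_sample_root() {
  d=$(mktemp -d)
  mkdir -p "$d/conf" "$d/ssl" "$d/log/am/https"
  : > "$d/ssl/key.key"; : > "$d/ssl/cert.crt"
  cat > "$d/conf/nginx.conf" <<'CONF'
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/cacert.crt;
    ssl_certificate_key /etc/nginx/ssl/key.key;
    access_log /etc/nginx/log/am/https/access.log;
    error_log /etc/nginx/log/am/https/error.log;
}
CONF
  echo "$d"
}

sample=$(make_sample_root)
check_nginx_mounts "$sample" || echo "fix the paths above before docker-compose up"
```

Run it against your own tree with check_nginx_mounts <docker-root> before bringing the container up.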

Finally we will add the following to <API-M_HOME>/repository/conf/deployment.toml file.

[transport.https.properties] 
proxyPort = 443
[server]
hostname = "<hostname>"

After starting the container using docker-compose up, you can access your APIM carbon, devportal and publisher portals at {hostname}/carbon, {hostname}/devportal and {hostname}/publisher in your browser.
