[HOW TO] Deploying WSO2 Identity Server behind a Proxy or Load Balancer.

In a production deployment, the Identity Server normally sits behind a proxy server or load balancer. Let's see how to deploy it properly in that setup.

Assume Identity Server is running in following host and port

Host : node1.wso2is

Port : 9443

The proxy exposes the Identity Server at

Host : wso2is

Port : 443

There are a few cases to consider here…

Proxy (load balancer) can rewrite the server's redirects

Let's assume the proxy can rewrite the redirects issued by the Identity Server (that is, it rewrites a Location header pointing at node1.wso2is:9443 so that it points at wso2is:443). You can find more details on how proxies handle server redirects here.

Step 1. Configure the reverse proxy settings in your proxy server so that it rewrites the Identity Server's redirects.

As an example, in Apache HTTP Server you need to define the "ProxyPassReverse" directive as follows (it rewrites the Location, Content-Location and URI headers of back-end responses):

ProxyPassReverse / https://node1.wso2is:9443/

Step 2. Configure the host name properties in the "carbon.xml" file of the Identity Server

By default the following two properties are set to localhost. Set them to the actual host name of the machine:

<HostName>node1.wso2is</HostName>
<MgtHostName>node1.wso2is</MgtHostName>

With this, the Identity Server still issues redirects to https://node1.wso2is:9443/, but the proxy rewrites them to https://wso2is:443/ before they reach the client, so everything should work.

Proxy (load balancer) cannot rewrite the server's redirects

Let's assume the proxy cannot rewrite the server's redirects, or you do not have access to configure it.
Even then, you can make the Identity Server itself generate the correct URLs, using one of the following approaches.

Approach 1

Step 1. Configure the proxy port and name

Open the "catalina-server.xml" file, found in the <IS_HOME>/repository/conf/tomcat directory, and locate the HTTPS connector:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" 
 port="9443"

Add the following two attributes to that Connector element. Tomcat then uses them as the server name and port when it builds absolute redirect URLs, instead of its own host and 9443:

proxyPort="443" 

proxyName="wso2is"

Approach 2

Step 1. Configure the proxy host name

Open "carbon.xml" and set the <MgtHostName> and <HostName> properties to the proxy's host name (wso2is in this example) instead of the machine's own host name.

Step 2. Configure the proxy port

Open the "catalina-server.xml" file, found in the <IS_HOME>/repository/conf/tomcat directory, and locate the HTTPS connector:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" 
 port="9443"

Add the following attribute to that Connector element (no proxyName is needed here, because the host name part comes from carbon.xml):

proxyPort="443"
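The two approaches above differ only in which attributes end up on the HTTPS connector. The following script is an added example (it is not part of the original post and not WSO2 tooling) that applies either approach to catalina-server.xml programmatically, so the change can be scripted rather than hand-edited and verified afterwards. The embedded XML is a constructed, trimmed stand-in for the real file; the host name wso2is and port 443 are the values from this post.

```python
"""Set Tomcat proxyName/proxyPort on the WSO2 IS HTTPS connector.

Added example, not code from the original post or from WSO2. It edits the
<Connector port="9443"> element of catalina-server.xml with ElementTree.
SAMPLE_CATALINA_SERVER_XML is a constructed, trimmed stand-in for
<IS_HOME>/repository/conf/tomcat/catalina-server.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the HTTP (9763) and HTTPS (9443) connectors only.
SAMPLE_CATALINA_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9763" redirectPort="9443"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443" scheme="https" secure="true" SSLEnabled="true"/>
  </Service>
</Server>
"""


def find_https_connector(root, https_port="9443"):
    """Return the single <Connector> listening on https_port; fail loudly otherwise."""
    matches = [c for c in root.iter("Connector") if c.get("port") == https_port]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one Connector on port {https_port}, found {len(matches)}")
    return matches[0]


def set_proxy_attributes(xml_text, proxy_name, proxy_port, https_port="9443", approach=1):
    """Apply Approach 1 (proxyName + proxyPort) or Approach 2 (proxyPort only).

    Approach 2 takes the host name from carbon.xml HostName/MgtHostName,
    so only proxyPort is written and any stale proxyName is removed.
    """
    root = ET.fromstring(xml_text)
    conn = find_https_connector(root, https_port)
    conn.set("proxyPort", str(proxy_port))
    if approach == 1:
        conn.set("proxyName", proxy_name)
    else:
        conn.attrib.pop("proxyName", None)
    return ET.tostring(root, encoding="unicode")


def connector_attributes(xml_text, port):
    """Read back the attributes of the connector on `port`, for verification."""
    root = ET.fromstring(xml_text)
    for c in root.iter("Connector"):
        if c.get("port") == port:
            return dict(c.attrib)
    return {}


def patch_file(path, proxy_name, proxy_port, approach=1):
    """Rewrite catalina-server.xml in place.

    ElementTree drops XML comments, so diff the result against a backup
    before restarting the server.
    """
    with open(path, encoding="utf-8") as fh:
        patched = set_proxy_attributes(fh.read(), proxy_name, proxy_port, approach=approach)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + patched)


if __name__ == "__main__":
    patched = set_proxy_attributes(SAMPLE_CATALINA_SERVER_XML, "wso2is", 443)
    print(connector_attributes(patched, "9443"))
```

Run it against the real file with patch_file("<IS_HOME>/repository/conf/tomcat/catalina-server.xml", "wso2is", 443) (or approach=2) and restart the server; connector_attributes lets you confirm the HTTP connector on 9763 was left untouched.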

However, if you run into an error such as the following,

you can work around it by disabling the Thrift server. This issue is already fixed in newer Identity Server versions.

Open the identity.xml file and disable it by setting the following property to "false":

<EnableThriftService>false</EnableThriftService>

Please note :

Once you configure proxyPort in "catalina-server.xml", you can no longer use the Identity Server directly, bypassing the proxy, at a URL such as https://node1.wso2is:9443/

Whenever the Identity Server issues a redirect, it now points the client at https://wso2is:443/. So from a machine that cannot reach the proxy server you cannot log in to the Identity Server's management console.
Through the proxy, however, the management console works without any issues.

There is a workaround for that as well. Start a fresh Identity Server instance and use only its front end (the management console UI). That front end can then log in to another server's back end (https://{host}:{port}): the fresh instance's UI talks to the remote back end's admin services and loads the management console from it. With this method you can log in to any back-end server by providing its direct URL and credentials in the login page.

1. Extract a fresh WSO2 IS 5.0.0 distribution.

2. Open the carbon.xml file, found in the <IS_HOME>/repository/conf directory, and disable the local transport and enable the servlet transport as follows.

Disable this by commenting it out:

<!--ServerURL>local:/${carbon.context}/services/</ServerURL-->

Enable this by uncommenting it:

<ServerURL>https://localhost:${carbon.management.port}${carbon.context}/services/</ServerURL>

3. Start the server instance.

4. Go to the login page. With the servlet transport enabled, the login box shows a "Server URL" field. Enter the services URL of the Identity Server you actually want to log in to, for example https://node1.wso2is:9443/services/

5. Enter the user name and password of that Identity Server (https://{host}:{port}/services/).

6. You are now logged in to that Identity Server (https://{host}:{port}/services/) through the fresh instance's console.

This fresh instance does not need to be configured with any user store or database; you can just start it.

Configuring Apache HTTP Server as a Proxy

Here is a sample reverse proxy configuration for a single Identity Server node. It assumes the Identity Server runs on the same machine as Apache (hence localhost:9443); use node1.wso2is:9443 instead if it runs elsewhere.

<IfModule mod_proxy.c>
<VirtualHost *:443>
 ServerAdmin techops@wso2.com
 ServerName wso2is
 ServerAlias wso2is

 ProxyRequests Off

 SSLEngine On
 SSLProxyEngine On
 SSLCertificateFile /home/asela/security/server.crt
 SSLCertificateKeyFile /home/asela/security/server.key

 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>

 ProxyPass / https://localhost:9443/
 ProxyPassReverse / https://localhost:9443/

</VirtualHost>
</IfModule>

Two caveats for production use. "Order deny,allow" / "Allow from all" is Apache 2.2 access-control syntax; on Apache 2.4 use "Require all granted" instead. And with SSLProxyEngine On, mod_ssl does not verify the back-end certificate unless told to (SSLProxyVerify defaults to none), so add "SSLProxyVerify require" together with "SSLProxyCACertificateFile" pointing at the CA that issued the Identity Server's certificate; otherwise anything sitting between Apache and the back end can impersonate the Identity Server.

Following is the load balancer configuration, for when you have more than one Identity Server node behind the proxy:

<IfModule mod_proxy.c>
<VirtualHost *:443>
 ServerAdmin techops@wso2.com
 ServerName wso2is
 ServerAlias wso2is

 ProxyRequests Off

 SSLEngine On
 SSLProxyEngine On
 SSLCertificateFile /home/asela/security/server.crt
 SSLCertificateKeyFile /home/asela/security/server.key

 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>

 ProxyPass /balancer-manager !
 ProxyPass / balancer://wso2.identity.domain/ lbmethod=byrequests stickysession=JSESSIONID
 ProxyPassReverse / https://localhost:9443/
 ProxyPassReverse / https://localhost:9444/

 <Proxy balancer://wso2.identity.domain>
 BalancerMember https://localhost:9443 route=isNode1 loadfactor=1
 BalancerMember https://localhost:9444 route=isNode2 loadfactor=1
 </Proxy>
</VirtualHost>
</IfModule>

Note that a ProxyPassReverse line is needed for every back-end node, since each node issues redirects to its own host and port. For the sticky sessions to work, each node's Tomcat must also stamp its route name into the session cookie: set jvmRoute="isNode1" (respectively "isNode2") on the <Engine> element of that node's catalina-server.xml, so that the JSESSIONID value ends in ".isNode1" or ".isNode2" and mod_proxy_balancer can route the request back to the node that owns the session. The same access-control and SSLProxyVerify caveats as for the single-node configuration apply here.
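Whichever of the above you use (ProxyPassReverse on the proxy, or proxyName/proxyPort on the connector), the thing to verify is that nothing the client receives through the proxy still names the back end. The following script is an added example, not part of the original post and not Apache or WSO2 code. It parses a raw HTTP response and reports any Location or Content-Location header, cookie Domain attribute or absolute URL in the body that points at an internal host. The host names are the ones used in this post; both sample responses are constructed, not captured traffic.

```python
"""Check that responses reaching clients through the proxy do not expose the
back-end Identity Server host:port.

Added example, not part of the original post or of WSO2/Apache. Host names
(wso2is, node1.wso2is, localhost:9443/9444) are the ones used in the post;
LEAKY_RESPONSE and CLEAN_RESPONSE are constructed samples, not captured traffic.
"""
import re
import ssl
import http.client
from urllib.parse import urlsplit

# Back-end origins that must never appear in anything the proxy returns.
INTERNAL_HOSTS = {"node1.wso2is:9443", "localhost:9443", "localhost:9444"}

# Constructed: what a client sees when neither ProxyPassReverse nor proxyPort is set.
LEAKY_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://node1.wso2is:9443/carbon/admin/login.jsp\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://node1.wso2is:9443/carbon/">console</a>\r\n'
)

# Constructed: the same redirect after ProxyPassReverse (or proxyName/proxyPort).
CLEAN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://wso2is/carbon/admin/login.jsp\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://wso2is/carbon/">console</a>\r\n'
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def _host_of(url):
    """Lower-cased netloc of an absolute URL, e.g. 'node1.wso2is:9443'."""
    return urlsplit(url).netloc.lower()


def find_leaks(raw, internal_hosts=INTERNAL_HOSTS):
    """Return (where, value) pairs in the response that reference an internal host."""
    _, headers, body = parse_response(raw)
    internal_names = {h.split(":")[0] for h in internal_hosts}
    leaks = []
    for name, value in headers:
        if name in ("location", "content-location") and _host_of(value) in internal_hosts:
            leaks.append((name, value))
        if name == "set-cookie":
            m = re.search(r";\s*domain=([^;]+)", value, re.IGNORECASE)
            if m and m.group(1).strip().lower() in internal_names:
                leaks.append((name, value))
    for m in re.finditer(r"https?://([A-Za-z0-9.-]+(?::\d+)?)", body):
        if m.group(1).lower() in internal_hosts:
            leaks.append(("body", m.group(0)))
    return leaks


def fetch_raw(host, port=443, path="/carbon/admin/login.jsp", cafile=None):
    """Fetch one response from the proxy without following redirects.

    The proxy's TLS certificate is verified; pass cafile for a private CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in resp.getheaders())
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return head + "\r\n" + body


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, find_leaks(raw))
```

Against a live deployment, find_leaks(fetch_raw("wso2is")) should return an empty list; a Location header naming node1.wso2is:9443 means the redirect is reaching the client unrewritten, which is exactly the failure the proxyPort note above describes.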

You can find more details here as well.


Comments

  1. Hi… great article…

    I need to deploy the Identity Server behind an F5 balancer; however, I need to do SSL offload, where I put the certificate on the balancer instead of the Identity Server, because I need to insert the X-Forwarded-For header into the HTTP packet… so, how can I run the Identity Server over HTTP? I have been searching through all the configuration files, but I have not found it yet.

    Thanks..
