WSO2 - disable HTTPS

4

6

How can I disable HTTPS for WSO2 Api Manager (admin/gw/other components)? We want to SSL-terminate on our front load-balancers - and not on the end WSO2-products. If I visit port 9763 I'll get redirected to 9443. We're running 2.1.0 deployed with the docker-images.

Munguia answered 18/3, 2017 at 23:28 Comment(0)
3

You have to do the following,

  1. Go to $WSO2_HOME/repository/conf, open carbon.xml, and uncomment

    <EnableHTTPAdminConsole>true</EnableHTTPAdminConsole>

  2. Disable the secure cookie parameter in the $WSO2_HOME/repository/conf/tomcat/carbon/WEB-INF/web.xml file as well.

    <session-config>
     <cookie-config>
      <secure>false</secure>
     </cookie-config>
    </session-config>

Janitor answered 20/3, 2017 at 0:9 Comment(4)
Thanks, I still get redirected to https/9443 for published though, is that maybe another config? Basically I want all components to run on http as they will have external SSL-terminating proxy-servers in front of them (or be internal traffic between the components) - Munguia
Hi, is there a solution with all configuration files provided by wso2? thx - Foreandaft
@Abimaran Thanks. @DavidKarlsen I have the same issue with store as well. I tried changing the urls in api-manager.xml as well. It redirects to http. But when I try to sign in it redirects to https. Maybe the redirection url is set to https somewhere in the jaggery app. @Abimaran Any clue about this? - Gown
In store it happens after calling the redirector.jag. It has a redirection to the HTTPS URL. When I tried to redirect it to the http url by editing the redirector.jag, it ended up after calling the localhost:9763/store/site/blocks/tag/tag-cloud/ajax/…. How can we solve this? - Gown
1

Assuming David's system configuration doesn't introduce security issues, the following should work. (If the load balancers and WSO2 products are in the same private network or VPC there should be no additional security problems.)

Note: The following approaches were tested with the single tenant (super tenant) scenario only.

  1. For the carbon console, the approach Abimaran has suggested should work.
  2. For the store component, a couple of changes are required.

Replace the content in repository/deployment/server/jaggeryapps/store/site/themes/wso2/templates/user/login/redirector.jag with the following.

<%
include("/jagg/jagg.jag");
var site = require("/site/conf/site.json");

var tenant = jagg.getTenantDomain();
var queryString = "";

session.put("showLogin", "true");
session.put("redirectToHTTPS", jagg.getHttpsUrl("/site/pages/login.jag")+queryString);
response.sendRedirect(jagg.getHttpsUrl("/site/pages/login.jag") + queryString);
%>

Replace the getHttpsUrl function definition in repository/deployment/server/jaggeryapps/store/jagg/jagg.jag

var getHttpsUrl = function(path, parameters){
    var hostname = "";
    var requestSegments = getRequestSegments();
    var protocol = "https://";
    mod = jagg.module("manager");
    var requestUrl = request.getRequestURL();

    // take the scheme (and matching host) from the URL the server actually received
    if(requestUrl.indexOf("https://") != -1 ){
        hostname = mod.getHTTPsURL();
        hostname = hostname.replace("https://","");
    } else if (requestUrl.indexOf("http://") != -1 ) {
        hostname = mod.getHTTPURL();
        hostname = hostname.replace("http://","");
        protocol = "http://";
    }

    // if the site is fronted by a proxy server
    if(isReverseProxyEnabled()){
        hostname = site.reverseProxy.host;
        //if a custom https port is used
        if(site.reverseProxy.hosts_port){
            hostname = hostname + ":" + site.reverseProxy.hosts_port;
        }
    }

    return protocol + hostname + url(path, parameters);
}

  3. For the publisher component, the following change should be done.

repository/deployment/server/jaggeryapps/publisher/site/themes/wso2/templates/user/login/template.jag

Replace the part

<%      if(request.isSecure()){

        if(jagg.getUser() != null){
            response.sendRedirect('index.jag');
        }
%>

with

<%      if(true){

        if(jagg.getUser() != null){
            response.sendRedirect('index.jag');
        }
%>

Note: The security totally depends on the system architecture. Additionally, the above configurations are independent. If you need to allow https access to all components, then do all of them. For a particular one, the respective configuration alone should work.

Hope it helps.

Gown answered 20/6, 2017 at 9:0 Comment(0)
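The scheme and host decision in the posted getHttpsUrl() is easier to reason about when it can be run offline. The following is an added example, not code from the answer or from WSO2: it re-implements that decision in Python and extends it with one step the jagg code lacks, taking the client-facing scheme from the proxy when one is declared. Two things are assumptions and not on the page: the reverseProxy settings are passed as a plain dict whose "enabled" key stands in for isReverseProxyEnabled(), and the proxy announces the client-facing scheme in an X-Forwarded-Proto header.

```python
"""Added example (not WSO2 code): the URL-building decision of the posted
getHttpsUrl() in Python, plus forwarded-scheme handling for a deployment
where TLS is terminated on a proxy in front of the store."""
from urllib.parse import urlencode, urlsplit


def build_url(request_url, path, parameters=None, reverse_proxy=None,
              forwarded_proto=None):
    """Return an absolute URL for `path`.

    request_url     -- the URL the backend saw (request.getRequestURL())
    parameters      -- optional dict of query parameters
    reverse_proxy   -- dict mirroring site.json's reverseProxy block, or None
                       (the "enabled" key is an assumption of this example)
    forwarded_proto -- the proxy's X-Forwarded-Proto value, or None
                       (header name is an assumption of this example)
    """
    parts = urlsplit(request_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme in request URL: %r" % request_url)

    # As in the posted jagg code, the scheme follows the URL the backend saw.
    # Simplification: the host is taken from that URL rather than from the
    # manager module's getHTTPURL()/getHTTPsURL().
    scheme = parts.scheme
    host = parts.netloc

    if reverse_proxy and reverse_proxy.get("enabled"):
        # Proxy in front: publish the proxy's host, and its port if custom.
        host = reverse_proxy["host"]
        if reverse_proxy.get("hosts_port"):
            host = "%s:%s" % (host, reverse_proxy["hosts_port"])
        # Behind a TLS-terminating proxy the backend sees plain http, so the
        # scheme must come from the proxy. The header is honoured only here,
        # i.e. only when the deployment declares a proxy in front of it, so a
        # direct client cannot influence the generated links.
        if forwarded_proto in ("http", "https"):
            scheme = forwarded_proto

    query = ("?" + urlencode(parameters)) if parameters else ""
    return "%s://%s%s%s" % (scheme, host, path, query)


if __name__ == "__main__":
    # Constructed sample values.
    print(build_url("http://10.0.0.5:9763/store/", "/site/pages/login.jag"))
    rp = {"enabled": True, "host": "api.example.test", "hosts_port": 443}
    print(build_url("http://10.0.0.5:9763/store/", "/site/pages/login.jag",
                    reverse_proxy=rp, forwarded_proto="https"))
```

Without `forwarded_proto` the function behaves like the posted jagg code: behind a terminating proxy it emits http:// links because that is the scheme the backend saw. With the proxy declared and the forwarded scheme supplied, the public host and the public scheme are combined, which is the combination a client in front of the load balancer actually needs.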
1

In the case of version 5.10.0 and Windows 10:

#1 Open "C:\Program Files\WSO2\Identity Server\5.10.0\repository\resources\conf\default.json"

#2 Change three fields

from

  "transport.https.properties.scheme": "https",
  "transport.https.properties.secure": "true",
  "transport.https.properties.SSLEnabled": "true",

to

  "transport.https.properties.scheme": "http",
  "transport.https.properties.secure": "false",
  "transport.https.properties.SSLEnabled": "false",

#3 Start the server batch file wso2server.bat

#4 Open the browser at http://localhost:9443/

Square answered 18/9, 2020 at 0:17 Comment(0)
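The three properties in the answer above only make sense when changed together; a file where the scheme says http but SSLEnabled still says true is a half-done edit. The following is an added example, not code from the answer or from WSO2: it flips the three keys in one step and checks that they agree. It assumes default.json is a flat JSON object keyed by the property names shown in the answer; the sample document is constructed.

```python
"""Added example (not WSO2 code): toggle the transport.https.* properties
from the answer consistently and detect a partially edited file."""
import copy
import json

# Constructed sample in the shape of the keys the answer edits.
SAMPLE_DEFAULT_JSON = """{
  "transport.https.properties.scheme": "https",
  "transport.https.properties.secure": "true",
  "transport.https.properties.SSLEnabled": "true"
}"""

PREFIX = "transport.https.properties."
KEYS = ("scheme", "secure", "SSLEnabled")


def load_config(text):
    """Parse default.json text into a dict (assumed flat, as on the page)."""
    return json.loads(text)


def set_https_transport(config, enabled):
    """Return a copy of `config` with scheme/secure/SSLEnabled set together.

    The original dict is left untouched so the caller can diff old and new
    before writing the file back.
    """
    new = copy.deepcopy(config)
    new[PREFIX + "scheme"] = "https" if enabled else "http"
    new[PREFIX + "secure"] = "true" if enabled else "false"
    new[PREFIX + "SSLEnabled"] = "true" if enabled else "false"
    return new


def check_https_transport(config):
    """Return a list of findings; an empty list means the three keys agree.

    The failure mode this guards against is a file where only some of the
    three values were changed, so the connector's scheme and its TLS flags
    disagree with each other.
    """
    missing = [k for k in KEYS if PREFIX + k not in config]
    if missing:
        return ["missing keys: " + ", ".join(missing)]

    findings = []
    scheme = config[PREFIX + "scheme"]
    secure = config[PREFIX + "secure"]
    ssl_enabled = config[PREFIX + "SSLEnabled"]
    if scheme not in ("http", "https"):
        findings.append("unexpected scheme %r" % scheme)
    expected = "true" if scheme == "https" else "false"
    if secure != expected:
        findings.append("secure=%r does not match scheme %r" % (secure, scheme))
    if ssl_enabled != expected:
        findings.append("SSLEnabled=%r does not match scheme %r" % (ssl_enabled, scheme))
    return findings


if __name__ == "__main__":
    cfg = load_config(SAMPLE_DEFAULT_JSON)
    plain = set_https_transport(cfg, False)
    print(json.dumps(plain, indent=2))
    print("findings:", check_https_transport(plain))
```

To apply it to a real file, read the file's text into `load_config`, write `json.dumps(new, indent=2)` back, and run `check_https_transport` on the result before restarting the server; the check is cheap enough to keep in a deployment script so an inconsistent edit is caught before the connector is brought up.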
0

Disabling SSL on WSO2 API Manager implies changing different files (for the different components it has), introduces some security problems, and in case of an update you have to be careful to maintain the same logic (or at least figure out which files to change).

But there is another possibility besides disabling HTTPS on WSO2. You can still terminate SSL on your Load Balancer/Reverse Proxy, but let the connection between the Load Balancer/Reverse Proxy and WSO2 be a "new" SSL connection that uses the "normal" WSO2 SSL behaviour.

For this, you have to change deployment.toml to include the following (assuming the Load Balancers/Reverse Proxy serve on the same ports as WSO2 and on a determined hostname that you can set in the environment):

[server]
hostname = "REPLACE_BY_PUBLIC_DOMAIN"
... 
[apim.devportal]
url = "https://REPLACE_BY_PUBLIC_DOMAIN:${mgt.transport.https.port}/devportal"

Then you need to configure your Load Balancer/Reverse Proxy to "Proxy Pass" to WSO2. In the reference below there is the configuration for NGINX. For Apache it can be something like this:

LoadModule ssl_module modules/mod_ssl.so

ErrorLog "/dev/stdout"
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /dev/stdout common

Listen 9443
Listen 8243
Listen 8280

NameVirtualHost *:80
NameVirtualHost *:9443
NameVirtualHost *:8243
NameVirtualHost *:8280

<VirtualHost *:80>
  ServerName REPLACE_BY_PUBLIC_DOMAIN
  Redirect "/" "https://REPLACE_BY_PUBLIC_DOMAIN/"
</VirtualHost>

<VirtualHost *:9443>
    ServerName REPLACE_BY_PUBLIC_DOMAIN

    SSLProxyEngine on
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerExpire Off 
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/cert/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/apache2/cert/privkey.pem"

    ProxyPreserveHost On
    ProxyRequests Off

    ProxyPass / https://REPLACE_BY_WSO2_IP:9443/
    ProxyPassReverse / https://REPLACE_BY_WSO2_IP:9443/
</VirtualHost>

<VirtualHost *:8243>
    ServerName REPLACE_BY_PUBLIC_DOMAIN

    SSLProxyEngine on
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerExpire Off 
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/cert/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/apache2/cert/privkey.pem"

    ProxyPreserveHost On
    ProxyRequests Off

    ProxyPass / https://REPLACE_BY_WSO2_IP:8243/
    ProxyPassReverse / https://REPLACE_BY_WSO2_IP:8243/
</VirtualHost>

<VirtualHost *:8280>
    ServerName REPLACE_BY_PUBLIC_DOMAIN

    SSLProxyEngine on
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerExpire Off 
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/cert/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/apache2/cert/privkey.pem"

    ProxyPreserveHost On
    ProxyRequests Off
    
    ProxyPass / https://REPLACE_BY_WSO2_IP:8280/
    ProxyPassReverse / https://REPLACE_BY_WSO2_IP:8280/
</VirtualHost>

In this case all public ports are the same as the "private" ports.

Reference: https://apim.docs.wso2.com/en/latest/install-and-setup/setup/setting-up-proxy-server-and-the-load-balancer/configuring-the-proxy-server-and-the-load-balancer/#configuring-the-proxy-server-and-the-load-balancer

Dissolution answered 18/2, 2022 at 18:13 Comment(0)
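The Apache configuration above re-encrypts the hop from the proxy to WSO2 but turns off the peer CN and expiry checks and sets no SSLProxyVerify, so that hop is encrypted without the backend certificate being verified; whether that is acceptable depends on the network between the two, as the answer itself notes. The following is an added example, not code from the answer or from the WSO2 documentation: a small linter that parses the <VirtualHost> blocks of such a file and reports, per vhost, whether the client-facing side uses TLS and which backend verification settings are off. The embedded configuration is a constructed, cut-down copy of the answer's port 80 and port 9443 vhosts with placeholder hosts.

```python
"""Added example (not from the answer or WSO2): lint Apache reverse-proxy
vhosts for front-side TLS and backend certificate verification."""
import re

# Constructed sample modelled on the answer's configuration.
SAMPLE_CONF = """
<VirtualHost *:80>
  ServerName public.example.test
  Redirect "/" "https://public.example.test/"
</VirtualHost>

<VirtualHost *:9443>
    ServerName public.example.test
    SSLProxyEngine on
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerExpire Off
    SSLEngine on
    SSLCertificateFile "/etc/cert/fullchain.pem"
    SSLCertificateKeyFile "/etc/cert/privkey.pem"
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / https://10.0.0.5:9443/
    ProxyPassReverse / https://10.0.0.5:9443/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Return [(address, {directive_lowercase: [value, ...]}), ...]."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            name = parts[0].lower()          # Apache directive names are case-insensitive
            value = parts[1] if len(parts) > 1 else ""
            directives.setdefault(name, []).append(value)
        vhosts.append((m.group(1).strip(), directives))
    return vhosts


def _is_on(directives, name, default):
    """Read a single-valued on/off directive; the last occurrence wins."""
    vals = directives.get(name.lower())
    value = vals[-1] if vals else default
    return value.strip().lower() == "on"


def lint_vhost(d):
    """Return findings for one vhost; an empty list means nothing to report."""
    findings = []
    targets = [v.split()[1] for v in d.get("proxypass", []) if len(v.split()) >= 2]
    if not targets:
        return findings              # a redirect-only vhost (like *:80) proxies nothing
    if not _is_on(d, "SSLEngine", "off"):
        findings.append("SSLEngine is not on: clients reach this proxy over plain HTTP")
    if any(t.lower().startswith("https://") for t in targets):
        if not _is_on(d, "SSLProxyEngine", "off"):
            findings.append("ProxyPass to https:// needs SSLProxyEngine on")
        verify = (d.get("sslproxyverify") or ["none"])[-1].strip().lower()
        if verify != "require":
            findings.append("SSLProxyVerify is %r: backend certificate chain is not verified" % verify)
        if not _is_on(d, "SSLProxyCheckPeerCN", "on"):
            findings.append("SSLProxyCheckPeerCN Off: backend certificate name is not checked")
        if not _is_on(d, "SSLProxyCheckPeerExpire", "on"):
            findings.append("SSLProxyCheckPeerExpire Off: backend certificate expiry is not checked")
    return findings


def lint_config(text):
    """Map each vhost address to its findings."""
    return {addr: lint_vhost(d) for addr, d in parse_vhosts(text)}


if __name__ == "__main__":
    for addr, findings in lint_config(SAMPLE_CONF).items():
        print(addr, "->", findings or "ok")
```

To run it against a real file, replace `SAMPLE_CONF` with the file's text. The three findings it raises on the 9443 vhost are exactly the settings the answer's configuration relies on; if the proxy and WSO2 are not on a network you trust end to end, the fix is to point SSLProxyCACertificateFile at the WSO2 certificate (or its issuer), set SSLProxyVerify require, and leave the CN and expiry checks on.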
