WSO2 Identity Server — how to configure reverse proxy

Raphael Rodrigues
Apr 17, 2019

After installing WSO2 IS in the last post, today we extend the Identity Server setup in a PoC environment by configuring a reverse proxy.

In this PoC we are running these products and versions:

IIS Version 8.5

Apache 2.4.6

WSO2 Identity Server 5.7.0

The architecture is shown below:

Topology

For testing purposes, this installation does not consider high availability or a clustered environment. At the top of my architecture we have Microsoft IIS, responsible for accepting HTTPS requests and providing SSL offloading.

Apache receives the traffic coming from IIS over HTTP and uses the ProxyPass and ProxyPassReverse directives to proxy it to WSO2 Identity Server.

A few changes to WSO2 Identity Server were needed for it to receive HTTP requests. We will address them below.

Step by step:

1- Create a DNS entry; in my case it was: wso2sso.mydomain.net

2- Configure URL Rewrite in IIS

3- Create a new virtual host in Apache like this (%HTTPD_HOME%/conf.d/wso2is.conf):

In my case, Apache was installed on the same machine as WSO2 IS.

4- Enable console access by using this URL https://wso2sso.mydomain.net/carbon

Update the following file: %WSO2IS_HOME%/repository/conf/carbon.xml

5- Disable the CsrfGuard filter

Let's disable the CsrfGuard filter, because after the previous steps, if you try to log in to the management console, you'll get 'Forbidden'.

Open the file %WSO2IS_HOME%/repository/conf/security/Owasp.CsrfGuard.Carbon.properties

After all these steps, you'll be able to log in using this URL: https://wso2sso.mydomain.net/carbon
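A way to check the finished chain, as an added example that is not from the original post: it audits response headers seen at the public URL for redirects that ProxyPassReverse did not rewrite to the public name and for session cookies missing Secure behind the SSL-offloading front end. The sample headers, the backend address localhost:9443 and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit

PUBLIC_HOST = "wso2sso.mydomain.net"  # public DNS name from step 1

# Constructed sample response headers (not captured from a real deployment).
SAMPLES = {
    "rewritten": [("Location", "https://wso2sso.mydomain.net/carbon/admin/login.jsp"),
                  ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly")],
    "leaky": [("Location", "https://localhost:9443/carbon/admin/login.jsp"),
              ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly")],
    "downgraded": [("Location", "http://wso2sso.mydomain.net/carbon/")],
}

def audit_headers(headers, public_host=PUBLIC_HOST):
    """Return findings for one response seen through the proxy chain.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    """
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname in ("location", "content-location"):
            url = urlsplit(value)
            if not url.netloc:  # relative URL: no host to leak
                continue
            if url.hostname != public_host:
                findings.append(f"{name} exposes backend host: {value}")
            elif url.scheme != "https" or url.port not in (None, 443):
                findings.append(f"{name} leaves the HTTPS front end: {value}")
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly")
    return findings

def audit_all(samples=SAMPLES):
    """Audit every constructed sample and return findings keyed by sample name."""
    return {name: audit_headers(h) for name, h in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```

To use it against a live setup, feed it the header pairs of each response received from https://wso2sso.mydomain.net/carbon without following redirects.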

There are a couple of blog posts about reverse proxying with WSO2. Some of them focus on using Apache or Nginx for SSL offloading. If that is your architecture, I suggest you take a look at the links below:
