wso2 / product-apim

Welcome to the WSO2 API Manager source code! For info on working with the WSO2 API Manager repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

proxy_context_path does not work as expected #11263

Closed lathlk closed 3 years ago

lathlk commented 3 years ago

Description:

The configuration "proxy_context_path", which is the TOML equivalent of "ProxyContextPath" in the XML-based configs, is not working as expected. The carbon management console does not work due to a hardcoded CSRF guard JavaScript path. All the React web apps are not working because they have not taken this config into account.

Steps to reproduce:

  1. APIM configurations made on deployment.toml

    [server]
    hostname = "apim-320.wso2.com"
    node_ip = "127.0.0.1"
    mode = "single" #single or ha
    base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
    server_role = "default"
    proxy_context_path = "apim"

    [transport.https.properties]
    proxyPort = 443

  2. Nginx configurations (generate certificates by following the "Create SSL certificates" topic of [https://docs.wso2.com/display/CLUSTER44x/Configuring+NGINX](https://docs.wso2.com/display/CLUSTER44x/Configuring+NGINX))

    server {
        listen 443 ssl;
        server_name apim-320.wso2.com;
        client_max_body_size 100M;

        ssl_certificate /Users/lakshant/Documents/WSO2/server.crt;
        ssl_certificate_key /Users/lakshant/Documents/WSO2/server.key;

        location /apim/ {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_read_timeout 5m;
            proxy_send_timeout 5m;

            proxy_pass https://apim-320.wso2.com:9443/;
            proxy_cookie_path / /apim;
            proxy_redirect https://apim-320.wso2.com/ https://apim-320.wso2.com/apim/;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

  3. Try logging into any of the following using the base URL [https://apim-320.wso2.com/apim/](https://apim-320.wso2.com/apim/)
     - carbon
     - devportal
     - publisher
I couldn't find documentation for this either, but it is referred to in carbon.xml.j2, and I added the below configurations to carbon.xml:
apim apim


Affected Product Version:

3.2.0

dumindurox777 commented 3 years ago

A similar issue is there in APIM-4.0.0 as well. It would be better to fix this on APIM-4.0.0 as well.

chanaka3d commented 3 years ago

The fix is explained in the following hypothetical scenario.

This scenario is explained with the context of an all-in-one deployment of the API manager.

The domain is knnect.lk and the carbon console, admin, publisher, and devportal apps should be accessible via the following URLs respectively.

In order to achieve the above, it's required to do the following configuration changes.

Nginx configuration

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server ipv6only=on;  # ssl is required on the IPv6 socket too, otherwise it serves plain HTTP
        server_name  knnect.lk office.knnect.com;
        access_log  /var/log/nginx/proxy.log;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/apim.key;

        ssl_session_timeout  5m;
        ssl_protocols       TLSv1.2;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        rewrite \w*(admin|devportal|publisher)$ $1/ permanent;

         location /apim/ {   
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_read_timeout 5m;
            proxy_send_timeout 5m;

            proxy_pass https://localhost:9443/;
            proxy_redirect https://knnect.lk/authenticationendpoint/ https://knnect.lk/apim/authenticationendpoint/;
            proxy_redirect https://knnect.lk/oauth2/ https://knnect.lk/apim/oauth2/;
            proxy_redirect https://knnect.lk/carbon/ https://knnect.lk/apim/carbon/;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
}

Hosts file entries

Add the following host entries

127.0.0.1 knnect.lk

Update the APIM manager configuration - deployment.toml

Open repository/conf/deployment.toml and add or update the following configurations.

[server]
hostname = "knnect.lk"
node_ip = "127.0.0.1"
mode = "single" #single or ha
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}/apim"
server_role = "default"
proxy_context_path = "/apim"

[apim.devportal]
url = "https://knnect.lk/apim/devportal"

[transport.https.properties]
proxyPort = 443

Update the APIM manager configuration - web.xml.j2

Open the following file. repository/resources/conf/templates/repository/conf/tomcat/carbon/WEB-INF/web.xml.j2

Add the following configuration

<context-param>
      <param-name>contextPath</param-name>
      <param-value>apim</param-value>
</context-param>

Update the APIM manager web app configurations

Add the following configuration to each web application.

devportal/site/public/theme/settings.js

context: '/apim/devportal', 
proxy_context_path: '/apim',

publisher/site/public/conf/settings.js

context: '/apim/publisher', 
proxy_context_path: '/apim',

admin/site/public/conf/settings.js

context: '/apim/admin', 
proxy_context_path: '/apim',

Now start/restart the API Manager server and Nginx

You will be able to access the web applications with the URLs mentioned above.
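The sketch below is an added example, not part of the comment above and not WSO2 code. It models how the nginx rules in that comment map paths, and shows that `proxy_redirect` only repairs `Location` headers, while paths embedded in response bodies (such as the CSRF guard script from the issue description) reach the browser unchanged, which is why the applications themselves need the prefix. The sample headers and body paths are constructed.

```python
from urllib.parse import urlsplit

# Values copied from the nginx configuration in the comment above.
LOCATION = "/apim/"
PROXY_PASS_URI = "/"  # URI part of: proxy_pass https://localhost:9443/;
PROXY_REDIRECTS = [
    ("https://knnect.lk/authenticationendpoint/", "https://knnect.lk/apim/authenticationendpoint/"),
    ("https://knnect.lk/oauth2/", "https://knnect.lk/apim/oauth2/"),
    ("https://knnect.lk/carbon/", "https://knnect.lk/apim/carbon/"),
]


def to_upstream(public_path):
    """Path the backend sees: nginx swaps the matched location prefix for the proxy_pass URI."""
    if not public_path.startswith(LOCATION):
        return None  # no location block matches, so nothing is proxied
    return PROXY_PASS_URI + public_path[len(LOCATION):]


def rewrite_location(value):
    """Apply the first proxy_redirect rule whose prefix matches a Location header value."""
    for src, dst in PROXY_REDIRECTS:
        if value.startswith(src):
            return dst + value[len(src):]
    return value


def served_by_proxy(url_or_path):
    """True if a browser request for this reference falls inside the /apim/ location."""
    return urlsplit(url_or_path).path.startswith(LOCATION)


def broken_references(location_headers, body_paths):
    """References that escape the prefix: headers after rewriting, body paths as sent."""
    after_rewrite = [rewrite_location(h) for h in location_headers]
    # proxy_redirect only touches Location/Refresh headers; response bodies pass through as-is.
    return [ref for ref in after_rewrite + list(body_paths) if not served_by_proxy(ref)]


# Constructed output of a backend that does not know about the /apim prefix.
SAMPLE_HEADERS = [
    "https://knnect.lk/carbon/constructed/login",
    "https://knnect.lk/publisher/constructed/login",
]
SAMPLE_BODY_PATHS = ["/carbon/constructed/csrf-guard.js", "/apim/devportal/constructed/app.js"]

if __name__ == "__main__":
    print(to_upstream("/apim/publisher/apis"))
    print(broken_references(SAMPLE_HEADERS, SAMPLE_BODY_PATHS))
```

Anything returned by `broken_references` is a URL the browser will request outside `/apim/`, so it must be fixed by making the application emit the prefix rather than by adding more proxy rules.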

chanaka3d commented 3 years ago

This issue is fixed in the latest update level for 3.2.0 and 4.0.0 and master.

ArqamFarooqui110719 commented 1 year ago

> This issue is fixed in the latest update level for 3.2.0 and 4.0.0 and master.

Hi @chanaka3d, as mentioned in the above comment, I've confirmed the modified files in the wso2am-3.2.0 image and the "product-apim-3.2.0" binary, but the fix is not applied on the same. And I've confirmed that the patch is applied on the wso2am-4.1.0 image.

If my findings are correct, can you please commit the updated wso2am-3.2.0 image on Docker Hub? Or please let me know how I can get the updated "wso2am-3.2.0".