WSO2 API manager behind nginx - wso2

I've got:
- a WSO2 API Manager 1.3 on a host in a private LAN.
- an nginx host with two NICs, one on the same private LAN as the API manager and another with a public IP.
I need to set up the environment so that it will be possible to access the API store and publisher (and even the management) through the nginx host using a proxy pass.
How do I have to configure the files in the API manager (and possibly also the rules for nginx)?
Consider also that the API will have to be published with the public address, and that the Authorization token needs to be created so that it will be accepted by users calling the public address.
Let's suppose that the public address is www.public.eu (194.1.1.150) and the private LAN is apimanager.private.local (10.1.1.141). I will keep the same port for the sake of simplicity, but it would be nice to have indications on how to change ports.
I've tried to modify api-manager.xml, carbon.xml and axis2.xml with no success.
Thanks
Luca
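An nginx reverse-proxy configuration for the setup described in the question, added here as an example (it is not part of the original post or of WSO2's documentation). It assumes WSO2's default ports 9443 (publisher/store/management console) and 8243 (HTTPS gateway), placeholder certificate paths, and that nginx verifies the API Manager's certificate rather than proxying to an unverified back end.

```nginx
# Fragment for /etc/nginx/conf.d/ (it sits inside the http context).
# Added example, not from the original post. Assumes WSO2's default
# ports 9443 (publisher/store/management) and 8243 (HTTPS gateway);
# all certificate paths are placeholders.

# Store, publisher and management console, reached as https://www.public.eu/
server {
    listen 194.1.1.150:443 ssl;
    server_name www.public.eu;
    ssl_certificate     /etc/nginx/certs/www.public.eu.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/www.public.eu.key;   # placeholder

    # Verify the back end's certificate instead of trusting any peer
    proxy_ssl_verify               on;
    proxy_ssl_trusted_certificate  /etc/nginx/certs/apim-ca.crt;  # placeholder
    proxy_ssl_name                 apimanager.private.local;

    location / {
        proxy_pass https://apimanager.private.local:9443;
        # Pass the public host so links and redirects generated upstream keep it
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Rewrite a Location header that still names the private host
        proxy_redirect https://apimanager.private.local:9443/ https://www.public.eu/;
    }
}

# API gateway (API calls and the token endpoint). The port is kept the
# same on both sides so the published https://www.public.eu:8243/... URLs
# map directly onto the private gateway.
server {
    listen 194.1.1.150:8243 ssl;
    server_name www.public.eu;
    ssl_certificate     /etc/nginx/certs/www.public.eu.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/www.public.eu.key;   # placeholder
    proxy_ssl_verify               on;
    proxy_ssl_trusted_certificate  /etc/nginx/certs/apim-ca.crt;  # placeholder
    proxy_ssl_name                 apimanager.private.local;

    location / {
        proxy_pass https://apimanager.private.local:8243;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect https://apimanager.private.local:8243/ https://www.public.eu:8243/;
    }
}
```

To expose a different port publicly, change only the listen directive and the proxy_redirect target; the proxy_pass port stays the private one. The host name the API Manager itself writes into published endpoints is set on its own side and is not covered by this fragment.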

Related

Cloud Service like Reverse Proxy?

Can anyone tell me what kind of service fits the use case below:
I want to expose a public IP that receives HTTPS/HTTP requests and forwards the traffic to the services I have on-prem.
Looking at Azure, AWS, etc., is there some service that fits my problem?
Regards...
If you are using Azure and you want HTTPS-based requests to be sent to your backend APIs (which can be on-prem or on any cloud), you can check Azure API Management (APIM).
You can use APIM with or without a VNET.
APIM can be used in External Mode if you want to integrate a VNET to perform data plane operations, which will expose a Public IP as well as a Gateway URL which can be used to send HTTPS traffic.
Reference:
https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2
https://learn.microsoft.com/en-us/azure/api-management/api-management-key-concepts#scenarios
Additionally, you can also check out Application Gateway.
Reference:
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

AWS Instance Security Group to give access to itself via TCP

I have an Apache server running the front end (Angular) which relies on an API hosted on the same instance as Apache. I don't want my API (Express) open to the public yet, but I need access to it from my front end, which shares the same IP. Things I've tried:
- Setting the API base URL as 'localhost' doesn't seem to work.
- Adding a security rule in AWS security groups to allow connections only to the same IP (to itself) doesn't work.
Is there any workaround for this?
Connections to the same IP are always open by default. You may need to add the private IP of the EC2 instance as your API base URL (the port you know better). CORS should also be enabled for that private IP.
First of all, using Angular as the front end means needing an API that can be accessed publicly; you just need to implement security, because you only serve the UI to the client user, and their browsers are the ones accessing the API, not the server of the Angular app.
You can set up another API, which can be deployed on the same server as your UI and the same URL, which will serve as a controller for your "Private API" that you can manage using Security Groups in AWS.
Replaced ${IP} with 172.17.0.1 so it can connect to the same EC2 after restarting. Add a rule for the inbound connection from the same SG.

Private IP address of Azure VM being returned as address in WSDL file when accessing WSDL file from browser connected to an Azure Application Gateway

I have a SOAP Service running on Tomcat that is deployed in an Azure Scale Set. I have an Azure Application Gateway that is fronting the scale set. When I try to access the WSDL (/service?wsdl) file via a web browser using the Application Gateway DNS, the WSDL that is returned has the private IP addresses of the VM that processed the request in it. This prevents the endpoints from being accessed since they are private. If I access the WSDL going directly to the back end VM's DNS name, the address returned contains the public host name of the VM that I sent the request to and can be accessed since it's public. I don't have this problem when I deploy a similar deployment in the AWS environment using an AWS ELB in front of the scaling group.
I am able to get this to work by configuring the Tomcat connector to use proxyName and proxyPort to specify the host name of the Azure Application Gateway. However, there are other SOAP clients that are required to access the back end VMs directly on that same connector, and specifying the proxy parameters for the connector forces them to go through the Azure Application Gateway as well.
I realize that a different Tomcat connector can be configured to address this, but this is not an optimal solution for the back end application.
So, to the question: is there some Azure Application Gateway configuration setting that I can change so I can make this work like the AWS ELB and not have to use the proxyName Tomcat parameter?
Thanks.

How to access a web service hosted on my AWS work space from internet?

Basically my problem is I want to do the following things:
- Develop a web service on the workspace
- Now give a demo of that web service's usage from my AWS workspace via a public IP like
http://172.23.0.1:8090
I want an IP for my workspace by which I can access a web app or web service hosted locally on that machine from anywhere on the internet.
Is that possible? If not, then tell me an alternative.
Below are the steps that you should follow:
- Select Assign Public IP while creating the new instance
- In the assigned Security Group settings, open port 8090 for 0.0.0.0 (meaning accessible to all) along with the protocol you will be using (TCP, UDP, etc.)

Keeping some web services private and others public

Not sure of the best way of achieving something...
We've got a number of web services running on asp.net v3.5 on a couple of web servers. They all talk nicely to each other and to the public internet.
Now we'd like to keep some of these web services 'private', i.e. make them not available to the public internet, whilst leaving others accessible.
AFAICS the simplest way to do this is simply to run the private services on a different port and keep the public ones on port 80. Our firewall only permits internet access via port 80, so it would drop any requests from the internet to the private web services. Sorted... I think?
Is this idea a reasonable solution? Or is there some drop dead simple IIS mechanism that I ought to use?
Thanks
SAL
You can restrict access to a site via a blacklist/whitelist in the IIS Control Panel (Directory Security tab). That's what I've done in the past to filter by IP address.
> AFAICS the simplest way to do this is simply to run the private services on a different port and keep the public ones on port 80. Our firewall only permits internet access via port 80 so would drop any requests from the internet to the private web services.
This is exactly the approach we take. We also have a VPN so that employees can access the site if they're working remotely.
You can put IP access restrictions onto any site/app you want. We have several internal web services that only allow access on the 10.x.x.x range for example.
It really depends on how secure you want the internal web services.
If you have sensitive data on the internal web services, you need to have them on a completely different server, even if you don't allow access to them from the outside by assigning them a different port.
However, if you don't have an issue with sensitive data then assigning a different port, or IP-address, for internal and external users is a good way to go.
Besides the port, you could use the restriction for the caller (using IP address filtering, for example).
Also, you could actually require authentication for the caller of a web service, which should be easy to configure in case you use Active Directory.
In any case, if you have a 'public' web service which is private as well, you may want to 'publish' it twice: once for public (with a nice external URL) and once for internal, so that your other internal services and/or clients do not have to go via the 'external' URL. Then you could configure restrictions (client IP, authentication, ...) differently for the different publishers of the same service.