WSO2 API 5 min

WSO2TORIAL: Load balancing WSO2 Identity Server and WSO2 API Manager

Integration Experts
WSO2torial rgb600 2

When creating a new environment for WSO2 products you need to think about scalability and high availability architecture. You don’t want to be out of business if one of your servers goes down!

At least you need 2 nodes for the same product and if better with geo location redundancy; WSO2 provides out of the box solutions to build the servers in a cluster-like environment [1]. But on top of the servers you need to provide a balancing layer. In this post we are going to discuss how to create a redundant system for the WSO2 Identity Server and the WSO2 API Manager, both part of the same open source integration platform WSO2. This way you can create for instance high available WSO2 sso concepts, a high available WSO2 API manager architecture or a high available WSO2 Identity server architecture.

This post covers the a WSO2 API manager architecture and WSO2 Identity Server architecture scenario, supporting such a high availability:



Load Balancer

As we are using the same endpoint for both products we need to split the traffic between both products, in this example we are going to split the traffic the following way:

  • our load balancer is assigned with the following hostname: sso.yenlo.com
  • all requests going to sso.yenlo.com/apim-* will be managed by the APIM load balancer
  • all requests going to sso.yenlo.com/is-* will be managed by the IS load balancer

Our main load balancer is using SSL Offloading to decrypt HTTP traffic, in other words, the load balancer provides secure connection with the actual user of that endpoint and internally uses a non secure connection; it also uses cookie persistance (you can read this post about using coockie persistence [2]) to redirect the same origin traffic to the same node to avoid any session issues.

Apache HTTP Server

We are going to use the features from Apache HTTP server to handle properly the redirects used by WSO2 products. Using the ProxyPass and ProxyPassReverse commands [3] we can modify the HTTP header `Location` to make our internal infrastructure invisible for the end user.

You can install Apache following their website [4]

As the load balancer has decrypted the traffic we need to tell Apache to redirect all the traffic to the non-ssl ports of wso2, by default with offset of 0, the plain port for servlets is 9763 and 8280 for API endpoints, see [5] for more information about the default ports on wso2. Remember we are using new urls (apim-* and is-*)? We also need to set them on the Apache virtual host configuration.

APIM apache conf:

<VirtualHost *:80> RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|OPTIONS) RewriteRule .* - [F]
ErrorLog /var/log/apache2/wso2apim.error.log CustomLog /var/log/apache2/wso2apim.access.log combined
Header edit Location ^http https
ProxyRequests Off ForceType application/json
ProxyPass /apim-token http://localhost:8280/token ProxyPassReverse /apim-token http://localhost:8280/token
ProxyPass /apim-t http://localhost:8280/t ProxyPassReverse /apim-t http://localhost:8280/t
ProxyPass /apim-authenticationendpoint http://localhost:9763/authenticationendpoint ProxyPassReverse /apim-authenticationendpoint http://localhost:9763/authenticationendpoint ProxyPassReverse /apim-authenticationendpoint https://localhost:9343/carbon/../authenticationendpoint
ProxyPass /apim-commonauth http://localhost:9763/commonauth ProxyPassReverse /apim-commonauth http://localhost:9763/commonauth ProxyPassReverse /apim-commonauth https://localhost:9443/commonauth
ProxyPass /apim-oauth2/authorize http://localhost:9763/oauth2/authorize ProxyPassReverse /apim-oauth2/authorize http://localhost:9763/oauth2/authorize

IS apache conf:

<VirtualHost *:80>
RewriteEngine On
RewriteRule .* - [F]ErrorLog /var/log/apache2/wso2is.error.log
CustomLog /var/log/apache2/wso2is.access.log combinedHeader edit Location ^http httpsProxyPass /is-samlsso http://localhost:9763/samlsso
ProxyPassReverse /is-samlsso http://localhost:9763/samlsso
ProxyPass /is-authenticationendpoint http://localhost:9763/authenticationendpoint

ProxyPassReverse /is-authenticationendpoint http://localhost:9763/authenticationendpoint
ProxyPassReverse /is-authenticationendpoint https://localhost:9443/authenticationendpoint
ProxyPass /is-commonauth http://localhost:9763/commonauth

ProxyPassReverse /is-commonauth http://localhost:9763/commonauth
ProxyPassReverse /is-commonauth https://localhost:9443/commonauth

Now all the redirects sent by WSO2 will be managed seamless by Apache.

Uh? Did you see that `Header` line? As the traffic coming to Apache is on HTTP and not in HTTPS as the user is expecting, Apache will set the `Location` header as plain http, Apache doesn’t know anything about the load balancer on top of him! With that command we are forcing that all the redirects are going through HTTPS. If you want to use the `Header` command you need to enable the `Header` module.

APIM and IS config

Most of the time the first thing that we configured is the hostname of the product located under `[wso2]/repository/conf/carbon.xml`. We are going to avoid this step and leave the default value `localhost`, why? otherwise we need to tell Apache server how to deal with the redirects, this is the easiest way if you have to maintain several environments.


WSO2 products don’t have any restriction on which type of connection use but, of course, you should try to use SSL connections as much as possible unless you know that your network is secured, you can also configure Apache to do the SSL Offloading by itself and load balancing, the only change on the configuration would be to add the certificate configuration [6] and load balancing [7].

Using load balancer capabilities and WSO2 session replication is quite straightforward to build a production ready environment.

Read also our other WSO2 tutorials and blogs about WSO2 Identity Server or WSO2 API Manager, written by our WSO2 Gurus. In case you need WSO2 support, contact the Yenlo WSO2 Guru team to get WSO2 Development Support or WSO2 Operational Support. Of course we do deliver excellent WSO2 training services as well, based on reallife WSO2 tutorials.

[1] https://docs.wso2.com/display/CLUSTER420/Clustering+WSO2+Products
[2] https://devcentral.f5.com/articles/sessions-and-cookies-and-persistence-oh-my
[3] https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse
[4] https://httpd.apache.org/
[5] https://docs.wso2.com/display/Carbon410/Default+Ports+of+WSO2+Products
[6] https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
[7] https://www.rackspace.com/knowledge_center/article/simple-load-balancing-with-apache

WSO2TORIALS help you to change, update or improve WSO2 products and are based on our experiences with the products. WSO2TORIALS will guide you step by step with minimal knowledge required.   WSO2TORIAL.jpeg


The Identity and Access Management selection guide

Get it now
What's on our menu