WSO2 ESB - How to acquire 'Proxy Service' Statistics - wso2-esb

I believe that Proxy Services, not being Sequences, don't have statistics facilities. A core requirement I have is to acquire statistics & service availability stats for my Proxies. What is the standard approach? Wrap a Proxy Service within a Sequence? Is there an example of this?
Also, the Monitor/Mediation Statistics page has a section Proxy Service Statistics. Is there a means of turning on Proxy Service stats that I have missed? If not, exactly where does this data derive from?

To enable statistics for a mediation component using the Synapse configuration language, set the value of the "statistics" attribute to "enabled" on the sequence, proxy or endpoint configuration, as mentioned in the https://docs.wso2.com/display/ESB470/Monitoring+the+ESB document.
Here is a sample proxy with statistics enabled.
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="oldmac"
       transports="https,http"
       statistics="enable"
       trace="disable"
       startOnLoad="true">
  <target>
    <inSequence>
      <log level="full"/>
      <send>
        <endpoint>
          <address uri="http://www.google.com"/>
        </endpoint>
      </send>
    </inSequence>
  </target>
  <description/>
</proxy>

Related

Apache Tomcat virtual directories. Redirects to wrong location. ColdFusion Lucee

I am trying to get a local version of Lucee ColdFusion running my app - which resides as two directories... the main app, and the client custom code.
To that end, myDomain.com should pull from the 'site' and myDomain.com/app/ should pull from the app.
I can be logged in to my site, and pulling data via includes etc., but if I try to browse (or make a call to) /app/cfc/myCFC.cfc ...
the behavior redirects to the 'root' and logs my app out.
My server XML looks like this:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN" >
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <Service name="Catalina" >
    <Connector port="8888"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009"
               protocol="AJP/1.3"
               redirectPort="8443" />
    <Engine name="Catalina"
            defaultHost="127.0.0.1" >
      <Host name="local.dev.myDomain.com" appBase="webapps" >
        <Context path="/" docBase="C:\wwwroot\site" />
        <Context path="/app" docBase="C:\wwwroot\app" />
      </Host>
    </Engine>
  </Service>
</Server>
If it helps to understand; this is a legacy app running in production on Windows, Apache 2.2 and ColdFusion 11. I have the app aliased in Apache 2.2 like this:
Alias /app/ C:/wwwroot/app
I am trying to evaluate Lucee to see if our app will work on that platform without too many changes.
One noticeable difference, due to using the built-in webserver, is the port 8888,
so the actual URL looks like: mydomain.com:8888/app/cfc
I do not know if this is the problem or something else. If I cannot find a solution, I'll install Apache 2.2 and match the config.
Any help is greatly appreciated - jp
NOTE: I just changed the host in this txt to accurately mimic my setup - if that makes a difference.
local.dev.myDomain.com (only the 'myDomain' is specifically my domain, not literally myDomain)

WSO2: passing the caller's IP address to the backend

Say an instance of WSO2's API Manager receives API calls from an external client, is it possible to pass the caller's IP address to the backend (in the header for example, other solutions are welcome too)? If yes, how?
HTTP Header is the way to do it. You can create a sequence like this and attach it to the API.
<?xml version="1.0" encoding="UTF-8"?>
<sequence xmlns="http://ws.apache.org/ns/synapse" name="sample">
  <property name="client_ip" expression="get-property('axis2', 'REMOTE_ADDR')" scope="transport"/>
</sequence>
If you have a proxy before API Manager, you may not be able to identify the real client using REMOTE_ADDR. It will be the IP of the proxy. In such cases you can use the X-Forwarded-For HTTP header.
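
The caveat in the answer above, worked through on the backend side as an added example (not part of the original answer): X-Forwarded-For can be set by any client, so it is only honoured when the connection itself comes from a proxy you operate, and the list is read from the right. The trusted network 10.0.0.0/24 and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: networks that contain only our own reverse proxies (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, x_forwarded_for=None):
    """Return the address to treat as the caller.

    X-Forwarded-For is used only when the direct peer (REMOTE_ADDR) is a
    trusted proxy. The list is walked right to left, skipping our own
    proxies; the first hop outside the trusted networks is the client.
    Entries further left were supplied by that client and are ignored.
    """
    if not x_forwarded_for or not is_trusted(remote_addr):
        return remote_addr
    candidate = remote_addr
    for hop in reversed(x_forwarded_for.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For header value)
    for peer, xff in [("10.0.0.5", "203.0.113.7, 10.0.0.9"),
                      ("198.51.100.20", "1.2.3.4"),
                      ("10.0.0.5", "1.2.3.4, 198.51.100.20")]:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```
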

Perform 301 redirect from http to https in Apache Tomcat

I have configured SSL in my web application. I have installed the certificate in my Tomcat as per the required steps.
The tutorial that I have been following is
https://www.mulesoft.com/tcat/tomcat-security
I have enforced the use of https over http which means that any request to http will be forwarded to https. I made the following changes in my server.xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443"
           proxyHost="10.1.1.1" proxyPort="80"
           URIEncoding="UTF-8"
           maxHttpHeaderSize="32768"/>
The web.xml changes are as follows:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureConnection</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
However, the redirect that is taking place is a temporary redirect, i.e. 302.
I want to use a 301 redirect, i.e. a permanent redirect.
How can I achieve that?
This is configured on your Realm. See the transportGuaranteeRedirectStatus attribute of your particular Realm implementation.
https://tomcat.apache.org/tomcat-8.5-doc/config/realm.html
Ex: server.xml has this out-of-the-box
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>
It does not set transportGuaranteeRedirectStatus so it defaults to 302. If you want to make it use a 301, just add the attribute transportGuaranteeRedirectStatus="301" to the top level Realm (you may not have nested Realms depending on your configuration) and restart Tomcat.
Ex:
<Realm className="org.apache.catalina.realm.LockOutRealm" transportGuaranteeRedirectStatus="301">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase" />
</Realm>
If you do not have a Realm tag defined in your configuration, Tomcat will default to using a NullRealm. If you want to override the redirect in this situation, you'd just need to define a NullRealm under with the transportGuaranteeRedirectStatus property set on it.
Hope that helps!

Alfresco 4.0.d - Remote (External) Authentication with Share

I am trying to configure Alfresco with remote authentication using Apache (Shibboleth module) in front of Alfresco - essentially passing REMOTE_USER from Apache to Alfresco after authenticating. I am able to configure Alfresco so that I can successfully log into /alfresco (classic explorer GUI); however, /share (newer GUI) does not log me in. Has anyone experienced/solved this issue?
Here are some details:
Set up Apache with the Shibboleth mod (which works since I get automatically logged into /alfresco)
setup ajp entry for both /alfresco and /share in apache.
Alfresco Explorer
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
Alfresco Share
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share
setup tomcat ajp entry
set /tomcat/shared/classes/alfresco-global.properties with
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
external.authentication.proxyHeader=
external.authentication.enabled=true
In share-config-custom.xml, I have put in the suggested XML entries below:
<alfresco-config>
  <!-- Repository Library config section -->
  <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
    <!--
      Whether the link to the Repository Library appears in the header component or not.
    -->
    <visible>true</visible>
  </config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <endpoint>
        <id>alfresco-noauth</id>
        <name>Alfresco - unauthenticated access</name>
        <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
        <connector-id>alfresco</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <identity>none</identity>
      </endpoint>
      <endpoint>
        <id>alfresco</id>
        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>
        <connector-id>alfresco</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <identity>user</identity>
      </endpoint>
      <endpoint>
        <id>alfresco-feed</id>
        <name>Alfresco Feed</name>
        <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
        <connector-id>http</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <basic-auth>true</basic-auth>
        <identity>user</identity>
      </endpoint>
      <endpoint>
        <id>activiti-admin</id>
        <name>Activiti Admin UI - user access</name>
        <description>Access to Activiti Admin UI, that requires user authentication</description>
        <connector-id>activiti-admin-connector</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
        <identity>user</identity>
      </endpoint>
    </remote>
  </config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <keystore>
        <path>alfresco/web-extension/alfresco-system.p12</path>
        <type>pkcs12</type>
        <password>alfresco-system</password>
      </keystore>
      <connector>
        <id>alfrescoCookie</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using cookie-based authentication</description>
        <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      </connector>
      <endpoint>
        <id>alfresco</id>
        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>
        <connector-id>alfrescoCookie</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>
</alfresco-config>
Try defining a connector called 'alfrescoHeader':
<connector>
  <id>alfrescoHeader</id>
  <name>Alfresco Connector</name>
  <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
  <userHeader>X-Alfresco-Remote-User</userHeader>
</connector>
Of course, change the header name to what you are using.
Then, use it in the alfresco endpoint:
<endpoint>
  <id>alfresco</id>
  <name>Alfresco - user access</name>
  <description>Access to Alfresco Repository WebScripts that require user authentication</description>
  <connector-id>alfrescoHeader</connector-id>
  <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
  <identity>user</identity>
  <external-auth>true</external-auth>
</endpoint>

How do I create a web service with HTTPS endpoint in Apache CXF

I have Apache as front-end to my Tomcat server where I have deployed a CXF web service. All access to my web service happens through SSL which is handled by Apache web server. This means that my Tomcat server is totally unaware of SSL. As a result my CXF generated web service has a http endpoint URL. How do I make it HTTPS while giving the opportunity of handling SSL to Apache web server. Any clue to override endpoint URL scheme?
If you do that, you should also set proper address (that with HTTPS) in publishedEndpointURL.
Like here: How to start cxf service on localhost but return external address in wsdl?
This will make imports in generated WSDL point to proper URLs.
In your case you need to enable the SSL connector for Tomcat (in case you use mod_proxy in Apache), or you need to enable a secured AJP connector (in case you use mod_jk):
<Connector protocol="AJP/1.3" redirectPort="443" scheme="https" secure="true" address="127.0.0.1" port="8009" />
CXF is out of game here.
I had the same problem, and solved it by using a JNDI lookup for a base URL, then constructing a url for publishEndpointUrl. In XML config, it looks something like this:
<jee:jndi-lookup id="ProxyURL" jndi-name="myProxyURL" resource-ref="true" cache="true" />
<bean id="EndpointURL" class="java.lang.String">
  <constructor-arg value="#{ProxyURL+'/myServiceAddress'}"/>
</bean>
<jaxws:endpoint
    id="myServiceEndpoint"
    ...[other parameters]...
    publishedEndpointUrl="#EndpointURL">