Issues with reverse proxy for DevPortal and Publisher #6467

Closed
malinthaprasan opened this issue Oct 16, 2019 · 6 comments · Fixed by wso2/carbon-apimgt#7731
Labels
3.0.0 DEPRECATED Label; Use Affected/3.0.0 instead Resolution/Fixed Severity/Critical Type/Bug

Comments

@malinthaprasan
Contributor

malinthaprasan commented Oct 16, 2019

Tried to create a reverse proxy for DevPortal and Publisher using the Nginx configuration below:

server {

    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location /publisher {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/publisher;
        proxy_redirect https://localhost:9443/publisher https://localhost/publisher;
        proxy_redirect https://localhost:9443/oauth2 https://localhost/oauth2;
        proxy_redirect https://localhost:9443/oidc https://localhost/oidc;
    }

    location /devportal {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/devportal;
        proxy_redirect https://localhost:9443/devportal https://localhost/devportal;
        proxy_redirect https://localhost:9443/oauth2 https://localhost/oauth2;
        proxy_redirect https://localhost:9443/oidc https://localhost/oidc;
    }

    location /api/am/publisher/v1.0 {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/api/am/publisher/v1.0;
        proxy_redirect https://localhost:9443/api/am/publisher/v1.0 https://localhost/api/am/publisher/v1.0;
    }

    location /api/am/store/v1.0 {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/api/am/store/v1.0;
        proxy_redirect https://localhost:9443/api/am/store/v1.0 https://localhost/api/am/store/v1.0;
    }

    location /authenticationendpoint {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/authenticationendpoint;
        proxy_redirect https://localhost:9443/authenticationendpoint https://localhost/authenticationendpoint;
    }

    location /logincontext {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/logincontext;
        proxy_redirect https://localhost:9443/logincontext https://localhost/logincontext;
    }

    location /commonauth {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/commonauth;
        proxy_redirect https://localhost:9443/commonauth https://localhost/commonauth;
        proxy_redirect https://localhost:9443/oauth2 https://localhost/oauth2;
    }

    location /oauth2 {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/oauth2;
        proxy_redirect https://localhost:9443/oauth2 https://localhost/oauth2;
        proxy_redirect https://localhost:9443/authenticationendpoint https://localhost/authenticationendpoint;
        proxy_redirect https://localhost:9443/devportal https://localhost/devportal;
        proxy_redirect https://localhost:9443/publisher https://localhost/publisher;
    }

    location /oidc {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/oidc;
        proxy_redirect https://localhost:9443/oidc https://localhost/oidc;
        proxy_redirect https://localhost:9443/authenticationendpoint https://localhost/authenticationendpoint;
        proxy_redirect https://localhost:9443/publisher https://localhost/publisher;
        proxy_redirect https://localhost:9443/devportal https://localhost/devportal;
    }
}

I faced a couple of issues:

  1. The login flow seems to break in the last step of redirection to the webapps after login.
    For example, see the screenshots below for devportal:
  • The state variable has a full URL (it should only be the subresource, e.g. /apis).
    image

  • Because of that, the last redirection to the devportal app fails due to the wrong context. The browser will be redirected to the carbon console.

image

image

  2. There is an issue in the macOS environment with REST APIs when fronted by Nginx. I don't seem to get a response for GET /apis/am/v1.0/publisher/swagger.yaml or GET /apis/am/v1.0/devportal/swagger.yaml. It received a 500 status code with an error similar to "No message body writer found for .. ". This doesn't reproduce in Linux environments.

@malinthaprasan
Contributor Author

Anyway, I bypassed the first issue by manually changing the URL, and the rest of the stuff seems to work without an issue. I tried creating APIs from the publisher, publishing them and invoking them from the dev portal.
Logout also works without an issue.

@malinthaprasan malinthaprasan changed the title [WIP] Reverse proxy for DevPortal and Publisher Reverse proxy for DevPortal and Publisher Oct 16, 2019
@malinthaprasan malinthaprasan added Severity/Critical Type/Bug 3.0.0 DEPRECATED Label; Use Affected/3.0.0 instead labels Oct 16, 2019
@malinthaprasan malinthaprasan added this to the 3.0.0-RC milestone Oct 16, 2019
@malinthaprasan malinthaprasan changed the title Reverse proxy for DevPortal and Publisher Issues with reverse proxy for DevPortal and Publisher Oct 16, 2019
@malinthaprasan
Contributor Author

The reason for the wrong redirection URL is that we are mandating the port of the webapp URL, which is used for redirecting back to the webapp (as the state variable). A port is not mandatory in reverse proxy environments. We need to remove that. The fix should go to the idp.jag files in both the publisher and devportal webapps.
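
The state handling discussed in the comment above, as an added JavaScript illustration that is not part of the original thread and is not the code from idp.jag or wso2/carbon-apimgt#7731: the state is kept as a path relative to the web app context, and the login callback rebuilds the redirect from the proxy-facing origin, falling back to the app home when the state is a full URL. Function names, parameters and sample URLs are assumptions.

```javascript
'use strict';
// Added illustration; function and parameter names are hypothetical, not from idp.jag.

// Reduce the page the user came from to a path relative to the web app context
// (for example "/apis"), so the "state" value carries no scheme, host or port.
function toRelativeState(returnUrl, appContext) {
  let parsed;
  try {
    // The placeholder base lets absolute URLs and bare paths both parse.
    parsed = new URL(returnUrl, 'https://placeholder.invalid');
  } catch (e) {
    return '/';
  }
  const path = parsed.pathname;
  if (path !== appContext && !path.startsWith(appContext + '/')) {
    return '/'; // not a page of this web app: fall back to its home
  }
  return (path.slice(appContext.length) || '/') + parsed.search;
}

// At the login callback, rebuild the target from the public (proxy-facing) origin
// and the relative state. A state holding a full URL, or one that resolves
// outside the app context, falls back to the app home page.
function buildPostLoginRedirect(state, publicOrigin, appContext) {
  const origin = new URL(publicOrigin).origin;
  const home = origin + appContext + '/';
  if (typeof state !== 'string' || !state.startsWith('/') || /[\\\r\n]/.test(state)) {
    return home;
  }
  const target = new URL(origin + appContext + state);
  const inApp = target.origin === origin &&
    (target.pathname === appContext || target.pathname.startsWith(appContext + '/'));
  return inApp ? target.href : home;
}

// Constructed sample values matching the hosts in the Nginx configuration above.
console.log(toRelativeState('https://localhost:9443/devportal/apis', '/devportal'));
console.log(buildPostLoginRedirect('/apis', 'https://localhost', '/devportal'));
console.log(buildPostLoginRedirect('https://localhost:9443/devportal/apis',
  'https://localhost', '/devportal'));
```

Because the host and port come only from the configured public origin, the same state value works whether the app is reached directly on port 9443 or through the proxy on 443.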

@bhathiya
Contributor

With the above fix all works fine.

@malinthaprasan
Contributor Author

I also tested with the latest changes and it seems the issue is fixed.

@bhathiya
Contributor

This is not yet working with different contexts. @isharac is working on it.

@bhathiya
Contributor

bhathiya commented Oct 21, 2019

Fixed by wso2/carbon-apimgt#7731

3 participants