Layer7 API Management

Expand all | Collapse all

API Exposure over port 443

Jump to Best Answer
  • 1.  API Exposure over port 443

    Posted 05-10-2017 01:26 AM

    Hi,

     

     Can we expose APIs developed on Gateway at port 443 rather than 8443?

     

    Thanks,

    Sid



  • 2.  Re: API Exposure over port 443
    Best Answer



  • 3.  Re: API Exposure over port 443

    Posted 05-18-2017 09:16 AM

    Hi,

     

     Did all the settings mentioned in document, however still not working. Do we need to make some changes in default config as well?

     

    Thanks,

    Siddharth



  • 4.  Re: API Exposure over port 443

    Posted 05-18-2017 10:53 AM

    Siddharth,

     

    When you make a change through the UI to add in the redirects it creates dynamic firewall rules that do a redirect to the port. When you run the command "service iptables status| grep 443" your output should look like the following:
    27   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8443
    29   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9443
    3    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 redir ports 8443

    If the iptables service has been disabled this will not function.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 5.  Re: API Exposure over port 443

    Posted 05-19-2017 12:06 AM

    Getting this after running command:

     

    29 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
    31 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9443

     

    No mention of port 443. Do I need to add that entry manually? Please suggest.

     

    Thanks,

    Siddharth



  • 6.  Re: API Exposure over port 443

    Posted 05-19-2017 12:33 AM

    Siddharth,

     

    Please provide what version of the gateway, form factor of the gateway (virtual, hardware, software, AWS, etc), and also if you can provide the /etc/sysconfig/iptables file for review. The steps in the guide should be all that you need to get this to work across all nodes in the cluster.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 7.  Re: API Exposure over port 443

    Posted 05-19-2017 12:46 AM

    Hi Stephen,

     

    Version:9.0

    Form factor : Virtual Appliance

    iptables file : attached.



  • 8.  Re: API Exposure over port 443

    Posted 05-19-2017 12:49 AM

    Hi,

     

     iptables file has been attached to Support CASE#00745283.

     

    Thanks,

    Sid



  • 9.  Re: API Exposure over port 443

    Posted 05-19-2017 01:26 AM

    Hi,

     

     We added following in ipatbles file:

     

    -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

     

    and took iptables restart. It seems to be working. thanks for your prompt suggestions. Please let me know if anything else need to be added.

     

    Thanks,

    Siddharth



  • 10.  Re: API Exposure over port 443

    Posted 05-19-2017 01:31 PM

    Siddharth,

     

    I've reviewed the iptables that was uploaded in the case and it is not a standard one delivered with any of our appliances so that is why it is not working. We look for certain portions of the file and the order of the load to insert our rules so the gateway is unable to add the rule dynamically.  I would suggest that you add back in our default iptables file and use the Manage Firewall Rules through the Manage Listen Port interface. This will allow you to control it centrally through the Policy Manager or upload it through restman and all nodes in the cluster would get them right away without having to touch the file.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 11.  Re: API Exposure over port 443

    Posted 05-22-2017 12:24 AM

    Hi Stephen,

     

    We will surely check it. However I couldn't get any document explaining why port 443 is not available by default for Gateway; whereas it is a default port for HTTPS exposure? Can there be some repercussions in terms of Gateway performance or security, once we enable 443 port ?

     

    Thanks,

    Sid



  • 12.  Re: API Exposure over port 443

    Posted 05-10-2017 11:06 PM

    Hi,

    Usually there is a load balancer in front of the gateway cluster, expose port 443 can be done on LB.

     

    Regards,

    Mark