Layer7 API Management

  • 1.  API Portal 4.3.2 Dispatcher service

    Posted Nov 14, 2019 05:28 AM
    Hi !

    I have a quick question related to the API Portal 4.3.2 Dispatcher Service.
    The documentation states that "Dispatcher is a public-facing service that proxies traffic to the API Portal web application. Port 80 is exposed but automatically redirects to https (443) traffic".

    Question: Does this mean that, after the API Portal install, the Dispatcher service listens on port 80 and redirects all traffic to 443?
    Or does it listen on both ports 80 and 443?

    In case we have configured SSL (443) termination on the load balancer, will transactions continue from there on port 80 and hit API Portal on port 80?


    Thanks !


  • 2.  RE: API Portal 4.3.2 Dispatcher service
    Best Answer

    Broadcom Employee
    Posted Nov 20, 2019 08:11 AM

    Mohammad,

    I believe this is more like a port-forwarding situation (the same as the software firewall in the gateway, where you can set port forwarding in the manage firewall rules); in our case we listen on 80 and automatically forward to 443.

    kemal 




  • 3.  RE: API Portal 4.3.2 Dispatcher service

    Posted Nov 29, 2019 03:19 AM
    Thanks for your response Kemal Ajan !


  • 4.  RE: API Portal 4.3.2 Dispatcher service

    Posted Nov 28, 2019 02:18 PM
    Hi,

       When you perform a request on Port 80 of a portal Tenant, you will receive a "302 Moved Temporarily" HTTP Response.

       This response will have a "Location" HTTP header redirecting your request to use HTTPS.

       The whole request -> response -> new_request flow is performed at the client (browser) level.

    Marlos Chida


  • 5.  RE: API Portal 4.3.2 Dispatcher service

    Posted Nov 29, 2019 03:44 AM
    Hi Marlos Chida!
    Thanks again for providing your views/inputs on this query. I have a few follow-up queries on this topic.

    Q1: Are you referring to the 'Developer Tenant (developer.broadcom.com)'/'Admin Portal (apim.broadcom.com)' (for internal communications) requests on port 80? This is only applicable in the scenario where you route the traffic directly to the Portal host server, right?

    Q2: If we are passing the External Tenant communication through the load balancer, it's always HTTPS 443, right?
           So there is no way we can hit port 80, and port 80 will not be used.

    Q3: For the external tenant port 443, there are some recommendations in the CA documentation to forward headers and change hostnames.
           Link provided below.
           From that I understand the headers that need to be forwarded as-is to API Portal.
           But I didn't get this requirement: "The location header in the response of the portals should be changed to use the load balancer host name, for example, https://tenant2.portal.ca.com/admin/login should be changed to https://load.balancer.host.ca/admin/login".

          https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/4-3-2/install-configure-and-upgrade/scale-ca-api-portal/high-availability.html
          
          Let me know your inputs on this Marlos Chida. Appreciate your help!




  • 6.  RE: API Portal 4.3.2 Dispatcher service

    Posted Nov 29, 2019 09:58 AM
    Hi again.

    Q1: Are you referring to the 'Developer Tenant (developer.broadcom.com)'/'Admin Portal (apim.broadcom.com)' (for internal communications) requests on port 80? This is only applicable in the scenario where you route the traffic directly to the Portal host server, right?

       I am referring to all connections arriving at the Portal server on port 80, regardless of the destination URL.

       The Dispatcher container listens to connections arriving at the Portal server on port 80 and redirects the connection to the service running inside the container listening on port 9080 (Nginx reverse proxy).


      Inside the container, Nginx has the following configuration:


      This way, all requests will receive a "301/Redirect" response with the https version of the original URL as the redirect URI.


    Q2: If we are passing the External Tenant communication through the load balancer, it's always HTTPS 443, right?
           So there is no way we can hit port 80, and port 80 will not be used.

          It will depend on how your load balancer is configured. If you configure your load balancer to reproduce the above behavior (redirect to https) instead of redirecting the connection on port 80 to the Portal server, all connections between the load balancer and Portal will be on port 443.

        All this 80/443 stuff is just a convenience, so that if the user just types "your.portal.server.com" instead of "https://your.portal.server.com" in their browser they will get a valid response.

    Q3: For the external tenant port 443, there are some recommendations in the CA documentation to forward headers and change hostnames.
           Link provided below.
           From that I understand the headers that need to be forwarded as-is to API Portal.
           But I didn't get this requirement: "The location header in the response of the portals should be changed to use the load balancer host name, for example, https://tenant2.portal.ca.com/admin/login should be changed to https://load.balancer.host.ca/admin/login".

    The "public facing" URL for your users will be the load balancer host. The load balancer will terminate the connection and open a new one to the Portal server, this time acting as a client, and the response headers from Portal will contain the "original" hostnames of the portal tenants. The user is unaware of these hostnames and cannot connect directly to them, so if a Location header is forwarded without changing the hostname to the load balancer hostname, the users' browsers won't be able to reach the server and the connection will fail.

    I will try to illustrate this to be more clear:


    I hope I have helped to clarify your questions.

    Regards,

    Marlos Chida
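
Added example, not part of the original thread and not Broadcom or load balancer vendor code: the Location rewrite described in the answer to Q3, written in Python with the hostnames from the documentation quote. The function names, the set of backend hostnames, the sample header values, and the choice to always emit https on the public side are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostnames from the documentation example quoted in the thread.
LB_HOST = "load.balancer.host.ca"
# Assumption: the load balancer knows the internal tenant hostnames it fronts.
BACKEND_HOSTS = {"tenant2.portal.ca.com"}


def rewrite_location(location, lb_host=LB_HOST, backend_hosts=BACKEND_HOSTS):
    """Return the Location value the load balancer should send to the client."""
    parts = urlsplit(location)
    # A relative redirect ("/admin/login") names no host; the browser resolves
    # it against the load balancer URL it already used, so leave it alone.
    if not parts.netloc:
        return location
    host = (parts.hostname or "").lower()
    # Rewrite only hosts this load balancer fronts. A redirect to any other
    # site (for example an external login page) must pass through unchanged.
    if host not in backend_hosts:
        return location
    # Assumption: the public side is https on the default port, so the
    # backend scheme and any backend port are dropped.
    return urlunsplit(("https", lb_host, parts.path, parts.query, parts.fragment))


def rewrite_response_headers(headers, **kwargs):
    """Apply the rewrite to a list of (name, value) response headers."""
    rewritten = []
    for name, value in headers:
        if name.lower() == "location":  # header names are case-insensitive
            value = rewrite_location(value, **kwargs)
        rewritten.append((name, value))
    return rewritten


if __name__ == "__main__":
    # Constructed sample response headers from the Portal side.
    sample = [
        ("Content-Length", "0"),
        ("Location", "https://tenant2.portal.ca.com/admin/login"),
    ]
    for name, value in rewrite_response_headers(sample):
        print(f"{name}: {value}")
```
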