Tuesday, April 25, 2017

Enabling SSL Tunneling through a Squid Proxy Server

This post describes how outgoing requests from WSO2 ESB can be sent through a Squid proxy server. For more information on the scenario, refer to the WSO2 ESB documentation.

Step 1 - Setting up Squid Proxy Server

To set up a Squid proxy server locally, you can follow the instructions available here.

Step 2 - Configuring Squid Proxy Server - updating the squid.conf file

Add the following line under the acl section. Note that a src ACL matches the address the connecting client comes from, so the name used here must resolve to the address the ESB host connects from; otherwise Squid denies the CONNECT request with a 403.

acl squid.proxy.server src appserver.wso2.com

The following should be added before the http_access TAG

http_access allow squid.proxy.server

Note: We will be referring to this proxy server instance by the name squid.proxy.server. Hence, you need to add this entry to the /etc/hosts file on your local machine as well as on the machine where the Squid server is running.

Add the following port information before the https_port TAG section

http_port 8888

Once the above has been added to the squid.conf file, restart the Squid server:

sudo service squid3 restart

Step 3 - Enabling the proxy configuration in WSO2 ESB

To do this, add the parameters below to axis2.xml inside both the PassThroughHttpSender and PassThroughHttpSSLSender sender configurations:

<parameter name="http.proxyHost" locked="false">squid.proxy.server</parameter>
<parameter name="http.proxyPort" locked="false">8888</parameter>

Step 4 - Creating a Proxy Service
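With http.proxyHost and http.proxyPort set, the HTTPS sender no longer connects to the backend directly: it sends an HTTP CONNECT request to Squid, waits for a 200 reply, and only then starts TLS with the backend inside that tunnel. The script below is an added example written for this post, not code from WSO2 ESB or Squid. It performs the same exchange by hand so the proxy can be checked independently of the ESB; the host names and port come from the configuration above, and the request path used in the final GET is an assumption.

```python
import socket
import ssl
from typing import Tuple

# Values taken from this post's setup. The host names only resolve if they
# have been added to /etc/hosts as described above.
PROXY_HOST, PROXY_PORT = "squid.proxy.server", 8888
TARGET_HOST, TARGET_PORT = "appserver.wso2.com", 443


def build_connect_request(host: str, port: int) -> bytes:
    """Request sent to the proxy to open a raw TCP tunnel to host:port.
    Only the destination host and port are visible to the proxy; the HTTPS
    request itself travels inside the TLS session started afterwards."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Proxy-Connection: keep-alive\r\n\r\n").encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str]:
    """Return (status_code, reason) from the proxy's reply headers.
    Anything other than 2xx means Squid refused the tunnel, for example
    403 when the http_access ACL does not match the connecting host."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def read_headers(sock: socket.socket) -> bytes:
    """Read until the blank line that terminates the proxy's reply headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def open_tunnel(proxy: Tuple[str, int], target: Tuple[str, int],
                ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Connect to the proxy, request a tunnel, then start TLS to the target
    over it. Certificate verification stays on and checks the backend's
    name, not the proxy's: the proxy only relays bytes."""
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(build_connect_request(*target))
    code, reason = parse_connect_response(read_headers(sock))
    if not 200 <= code < 300:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
    return ctx.wrap_socket(sock, server_hostname=target[0])


if __name__ == "__main__":
    ctx = ssl.create_default_context()  # verifies the backend certificate
    with open_tunnel((PROXY_HOST, PROXY_PORT), (TARGET_HOST, TARGET_PORT), ctx) as tls:
        # Assumed request path; adjust to whatever the backend exposes.
        tls.sendall(b"GET /services/SimpleStockQuoteService?wsdl HTTP/1.1\r\n"
                    b"Host: appserver.wso2.com\r\nConnection: close\r\n\r\n")
        print(tls.recv(512).decode("iso-8859-1", "replace"))
```

Run it from the ESB host: a 403 from parse_connect_response points at the Squid ACL, while a TLS error after a successful CONNECT points at the backend certificate or the trust store, which helps separate the two failure modes before touching axis2.xml.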

Once the above configuration is done and the WSO2 ESB server has been restarted, you can create a simple pass-through proxy service to test the scenario.
As the endpoint, I am using a backend reached through the host name appserver.wso2.com, the same host name we added to the squid.conf file above under the acl section.

<proxy xmlns="http://ws.apache.org/ns/synapse" name="SSLTunnelingProxy" transports="https http" startOnLoad="true">
   <target>
      <endpoint><address uri="https://appserver.wso2.com/services/SimpleStockQuoteService"/></endpoint>
      <outSequence><send/></outSequence>
   </target>
</proxy>

Step 5 - Invoking the Proxy Service

Using a client of your choice, you can test the scenario. If the message is sent through the proxy server, you should see log entries like the ones below in the /var/logs/squid/access.log file.

1493112155.126  49234 TCP_MISS/200 2335 CONNECT appserver.wso2.com:443 - HIER_DIRECT/ -
1493112888.241      0 TCP_DENIED_REPLY/403 3429 CONNECT appserver.wso2.com:443 - HIER_NONE/- text/html
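The two lines above tell different stories: TCP_MISS/200 on a CONNECT means Squid opened the tunnel, while TCP_DENIED_REPLY/403 means the http_access rule did not match and the ESB call never reached the backend. As an added example (not part of the original post), here is a small Python parser for Squid's native access.log format that separates the tunnels Squid allowed from the CONNECT requests it denied. The log lines embedded in it are constructed for the example and include the client address column that the excerpt above is missing; the parser locates the result/status field by pattern rather than position, so it also handles lines in the excerpt's shape.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in Squid's native access.log layout:
# time.ms elapsed client code/status bytes method URL user hierarchy/peer type
# Addresses, sizes and timestamps are made up for this example.
SAMPLE_ACCESS_LOG = """\
1493112155.126  49234 10.0.0.12 TCP_MISS/200 2335 CONNECT appserver.wso2.com:443 - HIER_DIRECT/10.0.0.20 -
1493112888.241      0 10.0.0.99 TCP_DENIED_REPLY/403 3429 CONNECT appserver.wso2.com:443 - HIER_NONE/- text/html
1493112901.004     12 10.0.0.12 TCP_MISS/200 812 GET http://appserver.wso2.com/services/Version - HIER_DIRECT/10.0.0.20 text/xml
1493112950.500      0 10.0.0.99 TCP_DENIED/403 3429 CONNECT other.example.net:443 - HIER_NONE/- text/html
"""

# Matches the "RESULT_CODE/http_status" column, e.g. TCP_MISS/200.
_STATUS_RE = re.compile(r"^[A-Z_]+/\d{3}$")


@dataclass
class AccessRecord:
    timestamp: float
    client: Optional[str]   # None when the client column is absent from the line
    result_code: str        # e.g. TCP_MISS, TCP_DENIED, TCP_DENIED_REPLY
    http_status: int
    method: str
    url: str                # host:port for CONNECT, full URL otherwise
    hierarchy: str

    @property
    def is_connect(self) -> bool:
        return self.method == "CONNECT"

    @property
    def denied(self) -> bool:
        return self.result_code.startswith("TCP_DENIED") or self.http_status == 403


def parse_access_log(text: str) -> List[AccessRecord]:
    """Parse native-format lines. The code/status field is found by pattern,
    so lines whose client column was dropped (as in this post's excerpt)
    still parse; malformed lines are skipped rather than raising."""
    records: List[AccessRecord] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        idx = next((i for i, f in enumerate(fields) if _STATUS_RE.match(f)), None)
        if idx is None or len(fields) < idx + 6:
            continue
        code, status = fields[idx].split("/")
        records.append(AccessRecord(
            timestamp=float(fields[0]),
            client=fields[2] if idx == 3 else None,
            result_code=code,
            http_status=int(status),
            method=fields[idx + 2],
            url=fields[idx + 3],
            hierarchy=fields[idx + 5],
        ))
    return records


def denied_connects(records: List[AccessRecord]) -> List[AccessRecord]:
    """CONNECT requests Squid refused. Each one is a client the http_access
    ACL did not allow; for the ESB setup above that usually means the acl
    name does not resolve to the address the ESB connects from."""
    return [r for r in records if r.is_connect and r.denied]


def tunnel_destinations(records: List[AccessRecord]) -> Dict[str, int]:
    """Count successful tunnels per destination host:port. A destination
    outside the expected backend set shows the proxy is relaying traffic
    for something other than the ESB."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.is_connect and not r.denied:
            counts[r.url] = counts.get(r.url, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for r in denied_connects(recs):
        print(f"denied CONNECT from {r.client} to {r.url} ({r.result_code}/{r.http_status})")
    print("allowed tunnels:", tunnel_destinations(recs))
```

Because Squid only sees host:port for a tunnel, tunnel_destinations is the complete list of what the proxy has been asked to relay; restricting CONNECT to the expected backend ports in squid.conf and reviewing this list periodically keeps the proxy from becoming a general-purpose relay.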

Reason for "PasswordInvalidAsk Password Feature is disabled" error when adding through RemoteUserStoreManager

When I tried to add users through the RemoteUserStoreManager service, it returned the following SOAP fault.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body><soapenv:Fault>
      <faultstring>PasswordInvalidAsk Password Feature is disabled</faultstring>
   </soapenv:Fault></soapenv:Body></soapenv:Envelope>

The reason for this issue was that I had forgotten to add the element to the SOAP message. Once this element was added, I was able to create the user successfully.