Disable HTTP request on TYK gateway

Hi There,

I have enabled TLS/SSL on the tyk gateway, but when I tried to access the API over the http protocol, I am getting the below error
image

Could you please let me know how I can allow https requests on the TYK gateway?
https response
image

Hi @Rohit_Thakur, how many API definitions do you have and also, do you have any API definition at the root path /?

If you only have one API definition, then your issue might be similar to this thread

If not, then can you share the Tyk offering:

  • Open Source
  • Self Managed
  • Cloud

and your gateway config file if available.

Hi Olu,

We have multiple API definitions on the TYK gateway; please find the attached sample API.

We are using open source TYK

curl -v -k -H "x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7" \
   -s \
   -H "Content-Type: application/json" \
   -X POST \
   -d '{
    "name": "sample",
    "api_id": "Sample",
    "org_id": "default",
    "definition": {
        "location": "header",
        "key": "version"
    },
	"use_keyless": true,
    "auth": {
        "auth_header_name": ""
    },
    "version_data": {
        "not_versioned": true,
        "versions": {
            "1.0.0": {
                "name": "1.0.0",
                "expires": "",
                "use_extended_paths": true,
                "extended_paths": {
                    "ignored": [],
                    "white_list": [
					   
					  {
                        "path": "/OrganizationAffiliation/{id}",
                        "method": "GET"
                      },
                      {
                        "path": "/OrganizationAffiliation",
                        "method": "GET"
                      },
                      {
                        "path": "/Endpoint/{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/Endpoint",
                        "method": "GET"
                      },
			          {
                        "path": "/Organization",
                        "method": "GET"
                      },
			          {
                        "path": "/HealthcareService",
                        "method": "GET"
                      },
			          {
                        "path": "/InsurancePlan",
                        "method": "GET"
                      },
			          {
                        "path": "/Location/{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/Location/planet-location-{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/Location/address={country}",
                        "method": "GET"
                      },
			          {
                        "path": "/Practitioner/planet-location-{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/Practitioner",
                        "method": "GET"
                      },
			          {
                        "path": "/PractitionerRole/planet-location-{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/PractitionerRole",
                        "method": "GET"
                      },
                      {
                        "path": "/Location",
                        "method": "GET"
                      },
                      {
                        "path": "/r4",
                        "method": "GET"
                      }
                    ],
                    "black_list": null,
					"track_endpoints": [
                      {
                        "path": "/OrganizationAffiliation/{id}",
                        "method": "GET"
                      },
                      {
                        "path": "/OrganizationAffiliation",
                        "method": "GET"
                      },
                      {
                        "path": "/Endpoint/{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/Endpoint",
                        "method": "GET"
                      },
			          {
                        "path": "/Organization",
                        "method": "GET"
                      },
			          {
                        "path": "/HealthcareService",
                        "method": "GET"
                      },
			          {
                        "path": "/InsurancePlan",
                        "method": "GET"
                      },
			          {
                        "path": "/Location/{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/Location/planet-location-{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/Location/address={country}",
                        "method": "GET"
                      },
			          {
                        "path": "/Location",
                        "method": "GET"
                      },
			          {
                        "path": "/Practitioner/planet-location-{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/Practitioner",
                        "method": "GET"
                      },
			          {
                        "path": "/PractitionerRole/planet-location-{id}",
                        "method": "GET"
                      },
			          {
                        "path": "/PractitionerRole",
                        "method": "GET"
                      }
                    ]
                }
            }
        }
    },
    "proxy": {
        "listen_path": "/patient/paa/r4",
        "target_url": "https://x.x.x.x:31613/patient/paa/r4",
        "strip_listen_path": true,
		"transport": {
	    "ssl_insecure_skip_verify": true
	}
    },
    "enable_batch_request_support": true,
	"active": false,
	"global_rate_limit": {
      "rate": 100000,
      "per": 60
    },
	"response_processors": [
      {
      "name": "header_injector",
      "options": {
          "remove_headers": ["Server"]
        }
      }
    ]
}' https://xxx.zzz.com:8280/tyk/apis/ | python -mjson.tool

TYK offering
Open source

Error while reloading the APIs

Regards
Rohit Thakur

Thanks for providing your Tyk offering but I may still need your gateway config file to confirm the issue.

From your earlier message I see you are trying to access your gateway on a custom domain and port. However, the result of the request was not shared.

Based on your API definition the full path should be

https://fastplusdemo.citiustech.com:8280/patient/paa/r4/{{whitelist-subpath}}

Did you try reaching any of the endpoints as specified in your whitelist? For example

https://fastplusdemo.citiustech.com:8280/patient/paa/r4/Location

It is worth noting that once a whitelist or allowlist is specified, then all other endpoints, paths or sub paths are blocked. This simply means anything not specified in a whitelist is restricted and not sent upstream.

The error message is also thrown

{
    "error": "Requested endpoint is forbidden"
}

As for reloading your APIs, please specify HTTPS as the protocol.

Hi Olu,

Actually, that environment was down, but on another environment I am getting the below response

Please find tyk.conf gateway file

{
  "listen_port": 8280,
  "secret": "352d20ee67be67f6340b4c0605b044b7",
  "template_path": "/opt/tyk-gateway/templates",
  "use_db_app_configs": false,
  "app_path": "/opt/tyk-gateway/apps",
  "middleware_path": "/opt/tyk-gateway/middleware",
  "storage": {
    "type": "redis",
    "host": "127.0.0.1",
    "port": 6379,
    "username": "",
    "password": "",
    "database": 0,
    "optimisation_max_idle": 2000,
    "optimisation_max_active": 4000
  },
  "enable_analytics": false,
  "analytics_config": {
    "type": "",
    "ignored_ips": [],
    "normalise_urls": {
      "enabled": true,
      "normalise_uuids": true,
      "normalise_numbers": true,
      "custom_patterns": []
    }
  },
  "health_check": {
    "enable_health_checks": false,
    "health_check_value_timeouts": 60
  },
  "dns_cache": {
    "enabled": false,
    "ttl": 3600
  },
  "allow_master_keys": false,
  "policies": {
    "policy_source": "file",
    "policy_record_name": "policies/policies.json"
  },
  "hash_keys": true,
  "suppress_redis_signal_reload": false,
  "close_connections": false,
  "enable_non_transactional_rate_limiter": true,
  "enable_sentinel_rate_limiter": false,
  "local_session_cache": {
    "disable_cached_session_state": false
  },
  "uptime_tests": {
    "disable": false,
    "config": {
      "enable_uptime_analytics": false,
      "failure_trigger_sample_size": 2,
      "time_wait": 10,
      "checker_pool_size": 50
    }
  },
  "http_server_options": {
    "enable_http2": true,
    "enable_websockets": true,
    "use_ssl": true,
    "min_version": 771,
    "ssl_ciphers":["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384"],
    "certificates": [
      {
        "domain_name": "fastint.citiustech.com",
        "cert_file": "/usr/share/ca-certificates/fasint/9e5864bf45194115.crt",
        "key_file": "/usr/share/ca-certificates/fastint/fastplus_new.key"
      }
    ]
  },
  "hostname": "",
  "enable_custom_domains": true,
  "proxy_enable_http2": true,
  "enable_jsvm": true,
  "oauth_redirect_uri_separator": ";",
  "coprocess_options": {
    "enable_coprocess": false,
    "coprocess_grpc_server": "",
    "python_path_prefix": "/opt/tyk-gateway"
  },
  "pid_file_location": "./tyk-gateway.pid",
  "allow_insecure_configs": true,
  "public_key_path": "",
  "close_idle_connections": false,
  "allow_remote_config": false,
  "enable_bundle_downloader": true,
  "bundle_base_url": "",
  "global_session_lifetime": 100,
  "force_global_session_lifetime": false,
  "max_idle_connections_per_host": 500,
  "jwt_ssl_insecure_skip_verify": false
}

About that reload error, can you let me know why I am getting “client sent an HTTP request to an HTTPS server”?
Do we have any configuration in TYK gateway to allow requests on HTTPS only and disable HTTP requests?

Regards
Rohit Thakur

Do we have any configuration in TYK gateway to allow requests on HTTPS only and disable HTTP requests?

Yes, it’s the use_ssl field in the config. By the looks of it you have set it to true.

Actually, that environment was down, but on another environment I am getting the below response

Can you share the API definition for that one? From the error message I am unsure whether the response is coming from Tyk or your upstream. Tyk returns a JSON response by default so it may be unlikely it is coming from Tyk.

I see that the API is set as inactive for the definition file you shared earlier. So, it may be worth checking the authentication mode and the active state of the API.
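
An added example, not part of the thread and not Tyk's own code: a small audit of the TLS settings discussed above. It checks the `use_ssl` field named in the reply and goes slightly further, covering `min_version`, `ssl_ciphers` and the upstream `ssl_insecure_skip_verify` flag from the posted files. The function names are hypothetical and the sample input is trimmed from the posted tyk.conf and API definition.

```python
import json

# Go crypto/tls version numbers, as used by Tyk's min_version field.
TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}

# Sample input trimmed from the tyk.conf and API definition posted in this thread.
SAMPLE_CONF = json.loads("""{
  "http_server_options": {
    "use_ssl": true,
    "min_version": 771,
    "ssl_ciphers": [
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384"]
  }
}""")
SAMPLE_API = json.loads("""{"proxy": {"target_url": "https://x.x.x.x:31613/patient/paa/r4",
  "transport": {"ssl_insecure_skip_verify": true}}}""")

def audit_gateway(conf):
    """Findings for the client-facing TLS listener in a tyk.conf dict."""
    opts = conf.get("http_server_options", {})
    findings = []
    if opts.get("use_ssl") is not True:
        findings.append("use_ssl is not true: listen_port serves plain HTTP")
    version = opts.get("min_version", 0)
    if version < 771:
        findings.append("min_version %s is below TLS 1.2" % TLS_VERSIONS.get(version, version))
    for suite in opts.get("ssl_ciphers", []):
        if suite.startswith("TLS_RSA_"):
            findings.append(suite + ": static RSA key exchange, no forward secrecy")
        elif "_CBC_" in suite:
            findings.append(suite + ": CBC-mode suite")
    return findings

def audit_api(api):
    """Findings for the gateway-to-upstream leg of one API definition."""
    proxy = api.get("proxy", {})
    findings = []
    if not proxy.get("target_url", "").startswith("https://"):
        findings.append("target_url is not https")
    if proxy.get("transport", {}).get("ssl_insecure_skip_verify"):
        findings.append("ssl_insecure_skip_verify: upstream certificate is not checked")
    return findings

if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_CONF) + audit_api(SAMPLE_API):
        print("-", finding)
```

With `use_ssl` true and `min_version` 771 the listener itself passes; the findings concern the cipher list and the unverified upstream certificate.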

Hi

That environment is up now; you can refer to the below URL to check the TYK response

Can you share the gateway debug log at the time of the request?

Hi Olu,

I have configured log data in tyk gateway, below are the logs

Jun 10 05:12:12 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:12" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:12:22 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:22" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:12:32 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:32" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:12:42 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:42" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg=Started api_id="patient_hims" api_name="patient_hims" mw=VersionCheck org_id=default origin=14.142.147.68 path="/patienthims/paa/r4" ts=1654837971541717304
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg=Finished api_id="patient_hims" api_name="patient_hims" code=200 mw=VersionCheck ns=151212 org_id=default origin=14.142.147.68 path="/patienthims/paa/r4"
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg=Started api_id="patient_hims" api_name="patient_hims" mw=RateCheckMW org_id=default origin=14.142.147.68 path="/patienthims/paa/r4" ts=1654837971541909319
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg=Finished api_id="patient_hims" api_name="patient_hims" code=200 mw=RateCheckMW ns=45404 org_id=default origin=14.142.147.68 path="/patienthims/paa/r4"
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg=Started api_id="patient_hims" api_name="patient_hims" mw=RateLimitForAPI org_id=default origin=14.142.147.68 path="/patienthims/paa/r4" ts=1654837971542018928
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg=Finished api_id="patient_hims" api_name="patient_hims" code=200 mw=RateLimitForAPI ns=54005 org_id=default origin=14.142.147.68 path="/patienthims/paa/r4"
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg="Started proxy"
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg="Stripping: /patienthims/paa/r4"
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg="Upstream Path is: "
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg=Started api_id="patient_hims" api_name="patient_hims" mw=ReverseProxy org_id=default ts=1654837971542141838
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg="Upstream request URL: " api_id="patient_hims" api_name="patient_hims" mw=ReverseProxy org_id=default
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg="Outbound request URL: https://10.2.0.6:31863/patienthims/paa/r4" api_id="patient_hims" api_name="patient_hims" mw=ReverseProxy org_id=default
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg="Creating new transport" api_id="patient_hims" api_name="patient_hims" mw=ReverseProxy org_id=default
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg="Out request url: https://10.2.0.6:31863/patienthims/paa/r4" api_id="patient_hims" api_name="patient_hims" mw=ReverseProxy org_id=default
Jun 10 05:12:52 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:52" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:12:53 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:53" level=debug msg=Finished api_id="patient_hims" api_name="patient_hims" mw=ReverseProxy ns=1627474088 org_id=default
Jun 10 05:12:53 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:53" level=debug msg="Upstream request took (ms): 1627.547094"
Jun 10 05:12:53 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:53" level=debug msg="Done proxy"
Jun 10 05:12:53 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:53" level=debug msg=Started api_id=r4 api_name=r4 mw=VersionCheck org_id=default origin=14.142.147.68 path="/favicon.ico" ts=1654837973489029345
Jun 10 05:12:53 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:53" level=debug msg="EVENT FIRED: VersionFailure"
Jun 10 05:12:53 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:53" level=debug msg=Finished api_id=r4 api_name=r4 code=403 error="Requested endpoint is forbidden" mw=VersionCheck ns=339728 org_id=default origin=14.142.147.68 path="/favicon.ico"
Jun 10 05:13:02 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:13:02" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:13:12 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:13:12" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:13:22 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:13:22" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:13:32 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:13:32" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr

Regards
Rohit Thakur

From looking at the logs, the Tyk gateway successfully sends the request upstream to https://10.2.0.6:31863/patienthims/paa/r4. So can you try hitting your backend directly at that endpoint and confirm if the same behavior occurs?

If authentication is required at your backend then you can use Transform Headers middleware to inject one.
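
The log reading done in the reply above, as an added example that is not part of the thread or of Tyk: a parser for the gateway's key=value debug lines that lists which middleware rejected a request and which upstream URL a request was proxied to. The sample lines are copied from the posted log; the function names are hypothetical.

```python
import re

# Sample lines copied from the debug log posted in this thread.
SAMPLE_LOG = '''\
Jun 10 05:12:42 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:42" level=debug msg="Primary instance set, I am master" prefix=host-check-mgr
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg=Finished api_id="patient_hims" api_name="patient_hims" code=200 mw=VersionCheck ns=151212 org_id=default origin=14.142.147.68 path="/patienthims/paa/r4"
Jun 10 05:12:51 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:51" level=debug msg="Outbound request URL: https://10.2.0.6:31863/patienthims/paa/r4" api_id="patient_hims" api_name="patient_hims" mw=ReverseProxy org_id=default
Jun 10 05:12:53 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:53" level=debug msg=Finished api_id="patient_hims" api_name="patient_hims" mw=ReverseProxy ns=1627474088 org_id=default
Jun 10 05:12:53 AZFPPLS-API-PERF-01 tyk[14629]: time="Jun 10 05:12:53" level=debug msg=Finished api_id=r4 api_name=r4 code=403 error="Requested endpoint is forbidden" mw=VersionCheck ns=339728 org_id=default origin=14.142.147.68 path="/favicon.ico"
'''

# key=value pairs; a value is either double-quoted or a run of non-space characters.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Drop the syslog prefix and return the key=value fields as a dict."""
    payload = line.split("]: ", 1)[-1]
    return {key: value.strip('"') for key, value in PAIR.findall(payload)}

def triage(log_text):
    """Return (rejections, upstream_urls) found in Tyk debug output."""
    rejected, upstream = [], []
    for line in log_text.splitlines():
        f = parse_line(line)
        msg = f.get("msg", "")
        # Middleware "Finished" lines carry a code; anything but 200 stopped the request.
        if msg == "Finished" and f.get("code", "200") != "200":
            rejected.append((f.get("api_id"), f.get("mw"), int(f["code"]),
                             f.get("path"), f.get("error", "")))
        elif msg.startswith("Outbound request URL: "):
            upstream.append((f.get("api_id"), msg.split(": ", 1)[1]))
    return rejected, upstream

if __name__ == "__main__":
    rejected, upstream = triage(SAMPLE_LOG)
    print("rejected by gateway:", rejected)
    print("proxied upstream:", upstream)
```

On the sample, the only rejection is the 403 from VersionCheck for `/favicon.ico` on api_id `r4`, while the `patient_hims` request passed the gateway and was sent to the upstream URL.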

Thanks for your help :slight_smile: