Configure Oracle GoldenGate Reverse Proxy with NGINX

Learn how to configure a reverse proxy service using NGINX for accessing Oracle GoldenGate Microservices without using port numbers.

Prerequisites for Using ReverseProxySettings

You can use any reverse proxy service with MA. The following example provides a process that you can follow to configure other reverse proxy services in conjunction with the documentation for your proxy server.

The following prerequisites are the minimum requirements for configuring an NGINX reverse proxy. If you use a different reverse proxy, similar requirements may apply to your environment.

Note:

When installing Oracle GoldenGate 23ai on Oracle Linux 8 or RHEL 8, ensure that the NGINX version is 1.19.4 or higher by enabling the appropriate NGINX module stream.

  1. Install NGINX. See Install the NGINX Web Server and Proxy on Oracle Linux. For Oracle Linux, the command to install NGINX is:

    yum -y install nginx

  2. Verify that the JRE version is JRE 8 or higher.

  3. Install Oracle GoldenGate MA.

  4. Create one or more active MA deployments.

  5. Ensure that the Oracle user has sudo permissions.

  6. Configure the PATH environment variable to include the NGINX installation directory path.

Run the ReverseProxySettings Utility to Configure NGINX

An Oracle GoldenGate Microservices Architecture installation includes the ReverseProxySettings utility. The ReverseProxySettings utility is located in the $OGG_HOME/lib/utl/reverseproxy directory.

To identify additional commands that can be used with the ReverseProxySettings utility, run the utility with the --help option:

    $OGG_HOME/lib/utl/reverseproxy/ReverseProxySettings --help

Options available with the ReverseProxySettings utility are:

-o or --output

The output file name. The default file name is ogg.conf.

-P or --password

A password for a Service Manager account.

-l or --log

The log file name. Specifying it initiates logging. The default is no logging.

--trailOnly

Configure only for inbound trail data.

-t or --type

The proxy server type. The default is Nginx.

-s or --no-ssl

Configure without SSL.

-h or --host

The virtual host name for reverse proxy.

-p or --port

The reverse proxy port number. The defaults are 80 or 443.

-? or --help

Display usage information.

-u or --user

Name of the Service Manager account to use.

-v or --version

Displays the version.

Run the ReverseProxySettings Utility

To use the ReverseProxySettings utility:

  1. To generate a configuration file for NGINX reverse proxy, navigate to the location of the ReverseProxySettings utility:

    cd $OGG_HOME/lib/utl/reverseproxy
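
  2. Run the ReverseProxySettings utility:

    ReverseProxySettings -u adminuser -P adminpwd -o ogg.conf http://localhost:9100

    In this code snippet, adminuser is the deployment user name and adminpwd is the deployment user password used to log in to the deployment. Because -P passes the password as a command-line argument, it can be recorded in shell history and is visible in the process list while the utility runs.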

  3. Replace the existing NGINX configuration with the configuration that was generated using the ReverseProxySettings utility for your MA deployment:

    sudo mv ogg.conf /etc/nginx/conf.d/nginx.conf

    However, this NGINX configuration isn't complete without the events section, and enclosing the map and server sections in http.

    Optionally, you can use the default nginx.conf file and add the generated ogg.conf by adding an include statement similar to this:

    include /etc/nginx/conf.d/ogg.conf;

    In this case, you must comment out the other servers section.

  4. Generate a self-signed certificate for NGINX:

    sudo sh /etc/ssl/certs/make-dummy-cert /etc/nginx/ogg.pem

    For distribution paths to go through the reverse proxy, you need to use a valid certificate. It's better to specify the same certificate that the deployment is using to process incoming requests. Otherwise, starting the path will fail with the following error in Distribution Service:

    2019-03-26T11:26:00.324-0700 ERROR| ERROR OGG-10351  Oracle GoldenGate Distribution
     Service for Oracle:  Generic error -1 noticed. Error description - Certificate validation
     error: Unacceptable certificate from test00abc: application verification failure. (A4)

  5. Validate the NGINX configuration:

    sudo nginx -t

    If the command is successful, the output shows the following:

    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

  6. Reload NGINX with the new configuration:

    sudo nginx -s reload

    If the changes for the configuration file are not loaded, stop and restart the proxy.

  7. To test if you can access the microservices after NGINX is set up successfully, open the web browser.

  8. Enter the proxy URL for the Service Manager using port number 443, similar to the following:

    https://dc.example.com:443

    This opens the Service Manager login page, from where you can also access the other microservices. To access a microservice directly, enter the proxy URL for that microservice, as given in the ogg.conf file generated previously.
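A minimal /etc/nginx/nginx.conf for the include approach in step 3, as an added example that is not output of the ReverseProxySettings utility or Oracle's own configuration. The worker settings and log paths are assumptions, and ogg.conf is assumed to stay at /etc/nginx/conf.d/ogg.conf rather than being renamed.

```nginx
# /etc/nginx/nginx.conf (added example; worker settings and log paths are assumptions)

worker_processes auto;
error_log /var/log/nginx/error.log;

# Required top-level section. The generated ogg.conf does not contain it,
# so ogg.conf cannot be loaded as the main configuration file by itself.
events {
    worker_connections 1024;
}

http {
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log   /var/log/nginx/access.log;

    # The map and server sections produced by ReverseProxySettings are only
    # valid inside http, so the generated file is pulled in here.
    include /etc/nginx/conf.d/ogg.conf;

    # Load the file once: do not also keep a wildcard include such as
    #   include /etc/nginx/conf.d/*.conf;
    # because it would match ogg.conf a second time.

    # The stock server section is commented out so that the only server
    # sections answering requests are the ones defined in ogg.conf.
    # server {
    #     listen 80 default_server;
    #     root   /usr/share/nginx/html;
    # }
}
```

Run sudo nginx -t after any change to this file, as in step 5, before reloading.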


SSL Termination

In reverse proxy SSL termination, clients connect to the reverse proxy over a TLS-based connection, and the connection between the reverse proxy and the origin server is unsecured.

Note:

In SSL termination, the connections between the reverse proxy and the origin servers are unsecured.

However, SSL bridging is also supported, where the connection between the client and the reverse proxy is secured and the connection between the reverse proxy and the origin server is also secured.
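The two modes as NGINX server sections, as an added example that is not generated by ReverseProxySettings. dc.example.com, port 9100 and /etc/nginx/ogg.pem reuse values from the steps above; the origin host name ogg-origin.example.com and the CA bundle path are hypothetical.

```nginx
# Added example. Place inside http { }. Use ONE of the two server sections.

# (a) SSL termination: TLS ends at the proxy, the hop to the origin is plain HTTP.
server {
    listen      443 ssl;
    server_name dc.example.com;

    # make-dummy-cert writes the key and the certificate into the same file.
    ssl_certificate     /etc/nginx/ogg.pem;
    ssl_certificate_key /etc/nginx/ogg.pem;

    location / {
        # Unencrypted hop: anything on this path can read credentials and
        # data in transit, so keep the origin on loopback or a trusted segment.
        proxy_pass http://127.0.0.1:9100;
    }
}

# (b) SSL bridging: the proxy opens a second TLS session to the origin.
server {
    listen      443 ssl;
    server_name dc.example.com;

    ssl_certificate     /etc/nginx/ogg.pem;
    ssl_certificate_key /etc/nginx/ogg.pem;

    location / {
        proxy_pass https://ogg-origin.example.com:9100;   # hypothetical origin

        # proxy_ssl_verify is off by default: without the lines below the hop
        # is encrypted but the origin certificate is never checked.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/ogg-origin-ca.pem;  # hypothetical path

        # Send SNI and check the certificate against the expected origin name.
        proxy_ssl_server_name on;
        proxy_ssl_name        ogg-origin.example.com;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;
    }
}
```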