Fixing 502 Bad Gateway error using API Proxy

08 Feb 2021

blog details

Fixing 502 Bad Gateway error using API Proxy

By: RSDigitech | Published At : 08 Feb 2021    


HTTPS Enabled API Proxy – 502 Bad Gateway Error

Steps to fix 502 Bad Gateway Error

Issue Replication Steps:


1.    Create a self-signed JKS certificate

keytool -genkeypair -keystore keystore.jks -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass ******** -storepass ******* -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -alias mule -ext SAN=DNS:localhost,IP:0.0.0.0 -validity 9999

 

2.    Create a simple mule application with HTTP Listener using the created JKS certificate in Listener keystore configuration

text projectFlow

<? xml version = "1.0" encoding = "UTF-8" ?>

 

< mule xmlns:tls = "http://www.mulesoft.org/schema/mule/tls" xmlns:http = "http://www.mulesoft.org/schema/mule/http"

      xmlns = "http://www.mulesoft.org/schema/mule/core"

       xmlns:doc = "http://www.mulesoft.org/schema/mule/documentation" xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation = "http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd

http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd

http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd" >

       < http:listener-config name = "HTTP_Listener_config" doc:name = "HTTP Listener config" doc:id = "0b269da2-a517-41a9-91cf-66c468871b39" >

             < http:listener-connection protocol = "HTTPS" host = "0.0.0.0" port = "8082" >

                    < tls:context >

                           < tls:key-store type = "jks" path = "keystore/keystore.jks" alias = "mule" keyPassword = "rsdigitech" password = "rsdigitech" />

                    </ tls:context >

             </ http:listener-connection >

       </ http:listener-config >

       < flow name = "test-projectFlow" doc:id = "303a4e7f-3feb-4394-af04-c16a4b2e7e56" >

             < http:listener doc:name = "Listener" doc:id = "0d846d29-820b-42a8-8df6-98e864c0aa57" config-ref = "HTTP_Listener_config" path = "/testjks" />

             < logger level = "INFO" doc:name = "Logger" doc:id = "702ed14b-06eb-42d5-a71b-e711da233c17" message = " #[payload] " />

             < set-payload value = ' #["Success"] ' doc:name = "Set Payload" doc:id = "82baf4cb-cdc2-449f-8603-93c6b51b4e8a" />

       </ flow >

</ mule >

 

3.    Deploy the application in Cloudhub and try to invoke it using HTTPS URL, the API returns success response

single https test app

API Invocation URL : https://simple-https-test-app.us-e2.cloudhub.io/testjks

postman API Invocation URL

4.    Deploy a HTTP API proxy pointing to this newly deployed application and invoke Proxy application endpoint, the proxy returns correct response as expected

HTTP API Endpoint Configuration

Endpoint configuration

Endpoint Conguration 2

App test https proxy

API Invocation URL : http://test-app-http-proxy-app.us-e2.cloudhub.io/testjks ( Success )

App test https proxy in postman

 

 

 

5.    Deploy a separate new HTTPS API proxy pointing to same earlier deployed application, using TLS secret context and same JKS certificate in Keystore, after deployment when we try to invoke Proxy application HTTPS endpoint, the proxy returns HTTP 502 – Bad gateway error

JKS Secret Group


JKS Secret Group edit keystore

JKS Secret Group edit TLS context


HTTPS API Configuration

HTTPS API Configuration

HTTPS API Configuration 2

test app http-proxy-app v1

API Invocation URL : https://test-app-https-proxy-app.us-e2.cloudhub.io/testjks ( Fails with 502 error )

fails with 502 error


All Deployed Applications List

All Deployed Applications List





Resolution:

We need to specify relevant ciphers while creating TLS context

For example, we have created a JKS certificate as below, using signature algorithm SHA256withRSA, so we have to specify relevant cipher matching with algorithm used in JKS certificate generation at time of creating JKS context and then have to use this context in inbound. PFB the screenshot for reference.

The HTTPS proxy API will work fine then as depicted in screenshots on next page.


keytool -genkey -keystore testks.jks -alias mule -keypass ****** -storepass ****** -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 2048

 

D:workspaceskeystore> keytool -list -v -keystore testks.jks

Enter keystore password:

Keystore type: jks

Keystore provider: SUN

 

Your keystore contains 1 entry

Alias name: mule

Creation date: 4 May, 2020

Entry type: PrivateKeyEntry

Certificate chain length: 1

Certificate[1]:

Owner: CN=testmuleapp, OU=abctest, O=abc, L=noida, ST=up, C=IN

Issuer: CN=testmuleapp, OU=abctest, O=abc, L=noida, ST=up, C=IN

Serial number: 5b35eb6d

Valid from: Mon May 04 19:55:26 IST 2020 until: Tue May 04 19:55:26 IST 2021

Certificate fingerprints:

        MD5: 41:6E:A0:92:A9:5C:66:F6:B6:A6:BC:EB:A6:D8:51:DD

        SHA1: 8E:31:10:FD:F9:69:3F:29:09:28:AF:69:81:40:AE:2F:73:1F:92:F3

        SHA256: 5B:CE:8E:8F:A6:66:15:E3:C9:68:0E:1D:FD:51:B2:D9:59:B0:2C:1B:0D:44:EF:A3:78:93:D0:5D:EF:02:1D:01

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 77 D1 38 46 7F 68 5C 32  82 E6 FE 42 6E 17 E9 13 w.8F.h2...Bn...

0010: 21 7E 34 99                                       !.4.

]

]

*******************************************

*******************************************

 


secrets manager


test-app-http-proxy-app


test-app-http-proxy-app 2


postman request


graph

 




 


 


Technologywe use

  • PHP
  • Angular
  • Android
  • Laravel
  • Salesforce
  • Tibco
  • Mulesoft