Configure Oracle GoldenGate Reverse Proxy with NGINX

Learn how to configure reverse proxy service using NGINX for accessing Oracle GoldenGate Microservices without using port numbers.

Prerequisites for Using ReverseProxySettings

You can use any reverse proxy service with MA. The following example provides a process that you can follow to configure other reverse proxy services in conjunction with the documentation for your proxy server.

The following prerequisites provide details on the minimum requirements to configure an NGINX Reverse Proxy. Similar requirements may be required for your environment and reverse proxy, if you are using a different utility for proxy configuration.

Note:

When installing Oracle GoldenGate 23ai on Oracle Linux 8 or RHEL 8, ensure that the NGINX version is 1.19.4 or higher by enabling the appropriate NGINX module stream.

Install NGINX, see Install the NGINX Web Server and Proxy on Oracle Linux. For Oracle Linux, the command to install NGINX is:

yum -y install nginx
Check the JRE version to be JRE 8 or higher.
Install Oracle GoldenGate MA.
Create one or more active MA deployments.
Ensure that the Oracle user has sudo permissions.
Configure the PATH environment variable to include the NGINX installation directory path.

Run the ReverseProxySettings Utility to Configure NGINX

An Oracle GoldenGate Microservices Architecture installation includes the ReverseProxySettings utility. The ReverseProxySettings utility is located in the $OGG_HOME/lib/utl/reverseproxy directory.

To identify additional commands that can be used with the ReverseProxySettings utility, run the utility with the --help option:

$OGG_HOME/lib/utl/reverseproxy/ReverseProxySettings --help

Options available with the ReverseProxySettings utility are:

-o or --output: The output file name. The default file name is ogg.conf.
-P or --password: A password for a Service Manager account.
-l or --log: Log file name and initiates logging. The default is no logging.
--trailOnly: Configure only for inbound trail data.
-t or --type: The proxy server type. The default is Nginx.
-s or --no-ssl: Configure without SSL.
-h or --host: The virtual host name for reverse proxy.
-p or --port: The reverse proxy port number. The defaults are 80 or 443.
-? or --help: Display usage information.
-u or --user: Name of the Service Manager account to use.
-v or --version: Displays the version.

Run the ReverseProxySettings Utility

To use the ReverseProxySettings utility:

To generate a configuration file for NGINX reverse proxy, navigate to the location of the ReverseProxySettings utility:
```
cd $OGG_HOME/lib/utl/reverseproxy
```
Run the ReverseProxySetting utility:
```
ReverseProxySettings -u adminuser -P adminpwd -o ogg.conf http://localhost:9100
```
In this code snippet, adminuser is the deployment user name and adminpwd is the deployment user password used to login to the deployment.
Copy the ogg.conf file generated in step 2 to /etc/nginx/conf.d directory.
```
sudo cp ogg.conf /etc/nginx/conf.d/.
```
Update the ogg.conf file for SSL/TLS settings using the following steps:
1. Find ssl_ciphers line, replace it with the following:
```
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
```
2. Add another line below this line:
```
ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
```
3. If you are using a self-signed certificate, make sure that you have the private key and the certificate pem file copied to /etc/nginx directory, as shown in the following sample:
```
sudo cp ogg.key /etc/nginx/.
sudo cp ogg.pem /etc/nginx/.
```
  Change the following two lines to point to the correct file location:
```
ssl_certificate          /etc/nginx/ogg.pem;
ssl_certificate_key      /etc/nginx/ogg.key;
```
4. If you are using a root CA signed certificate, make sure that you have all the intermediate CA certificates added to your server certificate:
```
cat server_cert.pem intermediate_ca_cert1.pem intermediate_ca_cert2.pem > ogg_chain.pem
```
  Copy the private key and the certificate chain to /etc/nginx:
```
sudo cp ogg_chain.pem /etc/nginx/. 
sudo cp ogg_key /etc/nginx/.
```
  Change the following two lines to point to the correct file location:
```
ssl_certificate         /etc/nginx/ogg_chain.pem;
ssl_certificate_key     /etc/nginx/ogg.key;
```

Validate the NGINX configuration:

sudo nginx -t

The output would show the following, if the command is successful:


NGINX: the configuration file /etc/NGINX/NGINX.conf syntax is ok
NGINX: configuration file /etc/NGINX/NGINX.conf test is successful

Restart NGINX service:
```
sudo systemctl restart nginx
```
If the changes for the configuration file are not loaded, stop and restart the proxy.
To test if you can access the microservices after NGINX is set up successfully, open the web browser.
Enter the proxy URL for the Service Manager using port number 443, similar to the following:

http://dc.example.com:443

This would open the Service Manager login page, from where you can access the other microservices also. If you want to directly access a microservice, you can enter the proxy URL for that microservice, as given in the ogg.conf file, generated previously.

Also see this video on configuring the NGINX reverse proxy.

SSL Termination

When there is an unsecure connection between the reverse proxy, which uses a TLS-based connection, and the origin server, it is referred to as reverse proxy SSL-termination.

Note:

In SSL-Termination the connections between the reverse proxy and the origin servers are unsecure.

However, SSL-bridging is also supported where the connections between the client and reverse proxy is secured and the connection between the reverse proxy and the origin server is also secured.

Note:

mTLS is not supported when a Reverse Proxy is used.