
Using TLS on the portal

You can configure the portal to use TLS. The TLS configuration procedure for the portal depends on how you have deployed the portal:

  • Cloud: Configure TLS from Pantheon or Acquia, the cloud-based hosting services for the portal. 
  • Apigee Edge for Private Cloud: Configure TLS on-premises on the server hosting the portal. 

When configuring TLS settings in the cloud, if an update to sites/default/settings.php is required, to avoid Git conflicts Apigee recommends that you edit sites/default/settings.local.php instead of editing sites/default/settings.php directly.

TLS and the portal

The following image shows the two places where the portal uses TLS:

  1. For communication between the portal and the Edge management API.

    The portal does not function as a stand-alone system. Instead, much of the information used by the portal is actually stored on Edge, where Edge can be deployed either in the cloud or on-premises as a Private Cloud installation. When necessary, the portal makes an HTTP or HTTPS request to the Edge management API to retrieve information or to send information.

    When you create your portal, one of the first steps you must perform is to specify the URL of the Edge management API. Depending on how the Edge management API is configured, that URL can use TLS. See Creating a developer portal for more.
  2. For communication between developers and the portal.

    When you use the Developer Services portal to deploy your APIs, your developers log in to the portal to register apps and receive API keys. The login credentials and the API keys are proprietary information that you want to send over HTTPS to protect them.

    The way you configure TLS for this scenario depends on how you have deployed the portal: cloud or Apigee Edge for Private Cloud. The following sections describe both scenarios.

Configuring TLS between the portal and the Edge management API

The configuration of the Edge management API determines whether or not communication can use TLS. If the Edge management API is configured to use TLS, then the portal can use HTTPS. Otherwise, the portal communicates with Edge over HTTP. Therefore, as a portal developer, you only need to know how Edge is configured to set the connection between the portal and Edge. 

Apigee recommends that you configure the Private Cloud version of the Edge management API to use TLS, unless you have deployed both Edge and the portal behind a firewall with no public access. For information on configuring Edge to use TLS, see the Edge Operations Guide.

For the procedure to configure the connection to the Edge management API, see Creating a developer portal.

Cloud-based version of Edge

If your portal connects to the cloud-based version of Edge, then the URL for the Edge management API is preconfigured by Apigee to use TLS. When configuring the portal, you access the Edge management API by using the URL https://api.enterprise.apigee.com/v1.

Private Cloud installation of Edge

For a Private Cloud installation of Edge, the URL of the Edge management API is in the form:

http://EdgePrivateCloudIp:8080/v1

or:

https://EdgePrivateCloudIp:TLSport/v1

where EdgePrivateCloudIp is the IP address of the Edge Management Server and TLSport is the TLS port for the Edge management API. For example, the port number could be 8443 or even 8080, depending on the Edge configuration.

Configuring TLS between developers and the portal

The way you configure TLS between developers and the portal depends on how you deployed the portal: cloud or Apigee Edge for Private Cloud. 

Cloud-based portal

Pantheon

Pantheon provides free automated HTTPS for all sites on its platform through the Pantheon Global CDN and using Let's Encrypt. See also HTTPS on Pantheon's Global CDN.

For customers using Pantheon's legacy HTTPS support, to upgrade see Enabling the Global CDN and the FAQ.

Acquia

To enable TLS/SSL using Acquia, see Enabling SSL.

Edge for Private Cloud portal

All recommended Private Cloud installations of the portal require you to place the portal behind a load balancer, as shown below.

Therefore, for on-premises installations, you have two options for configuring TLS:

  • Configure TLS on the load balancer: Configure TLS on the load balancer itself, and not on the portal. The procedure that you use to configure TLS is therefore dependent on the load balancer. See the documentation on your load balancer for more information.
  • Configure TLS on the portal itself: If necessary, you can configure TLS on the web server that hosts the portal. By default, Apigee installs the Apache web server. For information on configuring TLS for Apache, see https://www.drupal.org/https-information

You must obtain your own TLS certificate before you can deploy the portal to a production environment. 

Configuring additional TLS settings

You can edit the sites/default/settings.local.php (cloud) or sites/default/settings.php (Private Cloud) file to make configuration changes to TLS for the portal.

When editing the file, add instances of the ini_set() function to set the properties. For more information on this function, see http://php.net/manual/en/function.ini-set.php.

You can set the following properties in the sites/default/settings.local.php (cloud) or sites/default/settings.php (Private Cloud) file:

  • cookie_httponly: (Recommended) Specifies that the session cookie is accessible only through the HTTP protocol, not to client-side scripts. Set this property as follows:

    ini_set('session.cookie_httponly', true); 
  • session.cookie_secure: (Optional) Specifies that cookies can be sent only over secure connections. However, this means that all content must be sent and received over HTTPS; if this setting is enabled, the site no longer works over HTTP. Set this property as follows:

    ini_set('session.cookie_secure', true);
  • gc_maxlifetime and cookie_lifetime: (Optional) gc_maxlifetime specifies the number of seconds after which session data is regarded as garbage and may be cleaned up. cookie_lifetime specifies the lifetime of the cookie in seconds. Set these properties as follows:

    ini_set('session.gc_maxlifetime', 3600);
    ini_set('session.cookie_lifetime', 3600);
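As an added check that is not part of the Apigee page, the following PHP script verifies that the session settings above are actually in effect, for example after editing settings.local.php. The function name portal_session_settings_findings, the 3600-second limit and the "before" values are this example's own; the "before" values mirror the defaults that Drupal 7's default.settings.php ships with.

```php
<?php
// Added example, not part of the Apigee page: check that the session-cookie settings
// recommended above are actually in effect (for instance after editing
// settings.local.php). Function name, threshold and sample values are this example's own.

/**
 * Compares the effective PHP session settings with the recommended ones and returns a
 * list of findings; an empty array means everything is as recommended.
 *
 * $settings holds values keyed as for ini_set(); pass NULL to read them with ini_get().
 * $max_lifetime is the longest acceptable gc_maxlifetime / cookie_lifetime in seconds.
 */
function portal_session_settings_findings($settings = NULL, $max_lifetime = 3600) {
  $keys = array('session.cookie_httponly', 'session.cookie_secure',
                'session.gc_maxlifetime', 'session.cookie_lifetime');
  if ($settings === NULL) {
    $settings = array();
    foreach ($keys as $key) {
      $settings[$key] = ini_get($key);
    }
  }
  $findings = array();
  // ini_get() returns strings such as "1", "0" or "", so normalise with filter_var().
  if (!filter_var($settings['session.cookie_httponly'], FILTER_VALIDATE_BOOLEAN)) {
    $findings[] = 'session.cookie_httponly is off: the session cookie is exposed to client-side scripts.';
  }
  if (!filter_var($settings['session.cookie_secure'], FILTER_VALIDATE_BOOLEAN)) {
    $findings[] = 'session.cookie_secure is off: the session cookie may be sent over plain HTTP.';
  }
  foreach (array('session.gc_maxlifetime', 'session.cookie_lifetime') as $key) {
    if ((int) $settings[$key] > $max_lifetime) {
      $findings[] = sprintf('%s is %d s, longer than the %d s limit.',
                            $key, (int) $settings[$key], $max_lifetime);
    }
  }
  return $findings;
}

// "Before": the values Drupal 7's default.settings.php ships with (no hardening flags,
// cookie_lifetime of 2000000 s, roughly 23 days), written here as constructed input.
$before = array(
  'session.cookie_httponly' => '',
  'session.cookie_secure'   => '',
  'session.gc_maxlifetime'  => '200000',
  'session.cookie_lifetime' => '2000000',
);

// "After": apply the ini_set() calls from the page, then read the live values back.
ini_set('session.cookie_httponly', true);
ini_set('session.cookie_secure', true);
ini_set('session.gc_maxlifetime', 3600);
ini_set('session.cookie_lifetime', 3600);
$after = portal_session_settings_findings();

foreach (array('before' => portal_session_settings_findings($before), 'after' => $after) as $label => $findings) {
  echo $label, ":\n";
  if (!$findings) {
    echo "  all recommended settings are in effect\n";
  }
  foreach ($findings as $finding) {
    echo "  - ", $finding, "\n";
  }
}
```

Run it with php from the command line; the "before" set reports all four findings and the "after" set reports none. Calling portal_session_settings_findings() with no argument from a page request (for example from a small admin-only script) tells you whether the settings file you edited is really the one being loaded.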

For more information on setting up TLS between the developer portal and clients, see Enable SSL for Secure HTTPS Communication on the Pantheon doc site.

Configuring TLS with Load Balancers

For better performance, load balancers are sometimes configured to perform TLS termination. With TLS termination, load balancers decrypt messages sent over https:// and forward the messages to backend servers over http://. That saves backend servers the overhead of decrypting https:// messages themselves.

When the load balancer forwards unencrypted http messages to servers within the same data center, security is not an issue. However, when the load balancer forwards messages over http:// to servers outside the data center, such as the Apigee developer portal, the messages are unencrypted, which creates a security hole.

If your developer portal sits behind load balancers that are using TLS termination, and you want all traffic served over https://, the website pages will need to contain https:// links only and you will need to add the following code to your developer portal sites/default/settings.local.php (cloud) or sites/default/settings.php (Private Cloud) file. Because the load balancer does not automatically transform the content of the HTML pages, the code ensures that all links passed to the client start with https://.

To configure TLS with load balancers, add the following lines to the sites/default/settings.local.php (cloud) or sites/default/settings.php (Private Cloud) file:

The following assumes your load balancer is configured to include the X-Forwarded-Proto HTTP header.

// Only check for SSL if we are not using PHP from the command line.
if (PHP_SAPI != 'cli') {
  // Assume we can't detect SSL unless proven otherwise.
  $can_detect_ssl = FALSE;

  // Set HTTPS URL of portal 
  $base_url = 'https://developers.myCo.com';

  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')) {
    $can_detect_ssl = TRUE;
  }

  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
    $_SERVER['HTTPS'] = 'on';
  }

  if ($can_detect_ssl && $_SERVER['HTTPS'] != 'on') {
    header('HTTP/1.0 301 Moved Permanently');
    // You could optionally substitute a canonical server name for $_SERVER['HTTP_HOST'] here.
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
  }
}

For more information, see the following.

Redirecting portal traffic to HTTPS

You can redirect all portal traffic to HTTPS by updating the sites/default/settings.local.php (cloud) or sites/default/settings.php (Private Cloud) file. The required updates differ depending on whether you redirect to HTTPS on the same hostname or on multiple hostnames.

All Canonical Name records (CNAMEs) in your DNS must have corresponding certificates. For *.devportal.apigee.io, a default certificate is provided. (For portals created prior to June 15, 2017, a default certificate is provided for *.devportal.apigee.com, which is the default domain.)

Redirecting to HTTPS on the same hostname

Add the following code to your sites/default/settings.local.php (cloud) or sites/default/settings.php (Private Cloud) file to redirect all portal traffic to HTTPS on the same hostname (for example, *.devportal.apigee.io).

In this scenario, if a developer is visiting your portal at live-example.devportal.apigee.io, but needs to access a certificate that was uploaded for devportal.example.com, the request will fail.

// Only check for SSL if we are not using PHP from the command line.
if (PHP_SAPI != 'cli') {
  // Assume we can't detect SSL unless proven otherwise.
  $can_detect_ssl = FALSE;

  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')) {
    $can_detect_ssl = TRUE;
  }

  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
    $_SERVER['HTTPS'] = 'on';
  }

  if ($can_detect_ssl && $_SERVER['HTTPS'] != 'on') {
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
  }
}

Redirecting to HTTPS on multiple hostnames

Add the following code to the sites/default/settings.local.php file (cloud) or the sites/default/settings.php file (Private Cloud) to redirect all portal traffic to HTTPS on multiple hostnames.

Replace devportal.example.com with your custom hostname. Apigee Edge on-premises users must also replace the PANTHEON_ENVIRONMENT switch condition with a value that is valid for their environment.

// Only check for SSL if we are not using PHP from the command line.
if (PHP_SAPI != 'cli') {
  // Assume we can't detect SSL unless proven otherwise.
  $can_detect_ssl = FALSE;
  // Assume we don't need to force a redirect unless proven otherwise.
  $force_redirect = FALSE;

  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')) {
    $can_detect_ssl = TRUE;
  }

  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
    $_SERVER['HTTPS'] = 'on';
  }
  
  if ($can_detect_ssl && $_SERVER['HTTPS'] != 'on') {
    // HTTPS is required, so force a redirect.
    $force_redirect = TRUE;
  }
  
  // This only works on Pantheon; the constant is not defined elsewhere.
  switch (PANTHEON_ENVIRONMENT) {
    case 'dev':
      $canonical_hostname = 'dev.devportal.example.com';
      break;
    case 'test':
      $canonical_hostname = 'test.devportal.example.com';
      break;
    case 'live':
      $canonical_hostname = 'devportal.example.com';
      break;
    default:
      $canonical_hostname = strtolower($_SERVER['HTTP_HOST']);
      break;
  }
  if ($canonical_hostname != strtolower($_SERVER['HTTP_HOST'])) {
    // The hostname is not canonical, so force a redirect.
    $force_redirect = TRUE;
  }

  if ($force_redirect) {
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: https://' . $canonical_hostname . $_SERVER['REQUEST_URI']);
    exit;
  }
}
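The three snippets on this page (TLS termination behind a load balancer, redirecting on the same hostname, and redirecting to a canonical hostname) all make the same decision: is this request HTTPS, and on which hostname should it be served? The following PHP is an added example, not Apigee's code, that puts that decision into two functions so it can be run against sample requests from the command line. Two points it adds beyond the page are the defender's caveats a reviewer would raise about the snippets above: X-Forwarded-Proto is trusted only when the request actually came from a load balancer address, and an unexpected Host header is never copied into the Location header. The function names portal_request_is_https and portal_https_redirect_target, the load balancer addresses, other.example.net and the request arrays are all constructed for this example; devportal.example.com and live-example.devportal.apigee.io are the hostnames the page itself uses.

```php
<?php
// Added example, not Apigee's code: the HTTPS-redirect decision from the snippets above,
// rewritten as two functions so the decision can be run against sample requests. The
// trusted-proxy check and the hostname allowlist are this example's own hardening;
// all IP addresses, hostnames and request arrays below are constructed.

/**
 * TRUE when the request reached the portal over HTTPS.
 *
 * X-Forwarded-Proto is believed only when the direct peer (REMOTE_ADDR) is one of the
 * load balancers in $trusted_proxies. Without that check, a client that can reach the
 * web server directly could send the header itself and skip the redirect.
 */
function portal_request_is_https(array $server, array $trusted_proxies) {
  if (isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on') {
    return TRUE;
  }
  $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
  if (isset($server['HTTP_X_FORWARDED_PROTO']) && in_array($peer, $trusted_proxies, TRUE)) {
    return strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https';
  }
  return FALSE;
}

/**
 * Returns the https:// URL to redirect to, or NULL when the request needs no redirect.
 *
 * $allowed_hosts lists the hostnames the portal is served under; a Host header outside
 * that list is never copied into the Location header (the first entry is used instead).
 * With $canonical_host set, every request is sent to that name (the page's
 * "multiple hostnames" variant); with NULL, the client stays on its own allowed
 * hostname (the "same hostname" variant).
 */
function portal_https_redirect_target(array $server, array $trusted_proxies,
                                      array $allowed_hosts, $canonical_host = NULL) {
  $request_host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
  if ($canonical_host !== NULL) {
    $target_host = $canonical_host;
  }
  elseif (in_array($request_host, $allowed_hosts, TRUE)) {
    $target_host = $request_host;
  }
  else {
    $target_host = $allowed_hosts[0];
  }
  if ($request_host === $target_host && portal_request_is_https($server, $trusted_proxies)) {
    return NULL;
  }
  $path = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
  return 'https://' . $target_host . $path;
}

// Constructed sample requests, shaped like the $_SERVER array Drupal would see.
$trusted_proxies = array('10.0.0.5', '10.0.0.6');   // the load balancers' addresses
$allowed_hosts = array('devportal.example.com', 'live-example.devportal.apigee.io');
$samples = array(
  'https via load balancer'    => array('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
                                        'HTTP_HOST' => 'devportal.example.com', 'REQUEST_URI' => '/user/login'),
  'http via load balancer'     => array('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'http',
                                        'HTTP_HOST' => 'devportal.example.com', 'REQUEST_URI' => '/user/login'),
  'forged header, direct peer' => array('REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https',
                                        'HTTP_HOST' => 'devportal.example.com', 'REQUEST_URI' => '/'),
  'https, non-canonical host'  => array('REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_PROTO' => 'https',
                                        'HTTP_HOST' => 'live-example.devportal.apigee.io', 'REQUEST_URI' => '/apis'),
  'https, unknown Host header' => array('REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_PROTO' => 'https',
                                        'HTTP_HOST' => 'other.example.net', 'REQUEST_URI' => '/'),
);
foreach ($samples as $label => $request) {
  $target = portal_https_redirect_target($request, $trusted_proxies, $allowed_hosts, 'devportal.example.com');
  printf("%-28s -> %s\n", $label, $target === NULL ? 'serve as-is' : '301 ' . $target);
}

// Wired into settings.local.php, the same decision would read (kept as comments here):
//   if (PHP_SAPI != 'cli') {
//     if (portal_request_is_https($_SERVER, $trusted_proxies)) {
//       $_SERVER['HTTPS'] = 'on';   // so Drupal builds https:// links, as on the page
//     }
//     $target = portal_https_redirect_target($_SERVER, $trusted_proxies, $allowed_hosts, 'devportal.example.com');
//     if ($target !== NULL) {
//       header('HTTP/1.0 301 Moved Permanently');
//       header('Location: ' . $target);
//       exit;
//     }
//   }
```

Run with php from the command line, only the first sample is served as-is; the plain-http request, the request whose forwarded header did not come from a load balancer, the request on the non-canonical hostname and the request with an unknown Host header all receive a 301 to https://devportal.example.com. Pass NULL instead of 'devportal.example.com' to get the page's same-hostname behaviour, where live-example.devportal.apigee.io is redirected to itself. Drupal 7 asks the same trust question for client IP addresses through $conf['reverse_proxy'] and $conf['reverse_proxy_addresses'] in settings.php, so the list of load balancer addresses used here should match the one configured there.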
 
