Gateway on Ubuntu

Last updated: 6 minutes read.


Requirements

Ansible is required to run the following commands. Instructions on how install Tyk Gateway with shell is in the Shell tab.

Getting Started

  1. clone the tyk-ansible repositry
$ git clone https://github.com/TykTechnologies/tyk-ansible
  1. cd into the directory
$ cd tyk-ansible
  1. Run initialisation script to initialise environment
$ sh scripts/init.sh
  1. Modify hosts.yml file to update ssh variables to your server(s). You can learn more about the hosts file here

  2. Run ansible-playbook to install tyk-gateway

$ ansible-playbook playbook.yaml -t `tyk-gateway-pro` or `tyk-gateway-hybrid`

Supported Distributions

Distribution Version Supported
Debian 10
Debian 9
Ubuntu 21
Ubuntu 20
Ubuntu 18
Ubuntu 16

Variables

  • vars/tyk.yaml
Variable Default Comments
secrets.APISecret 352d20ee67be67f6340b4c0605b044b7 API secret
secrets.AdminSecret 12345 Admin secret
gateway.service.host Gateway server host if different than the hosts url
gateway.service.port 8080 Gateway server listening port
gateway.service.proto http Gateway server protocol
gateway.service.tls false Set to true to enable SSL connections
gateway.sharding.enabled false Set to true to enable filtering (sharding) of APIs
gateway.sharding.tags The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as OR operations. If you include a non-filter tag (e.g. an identifier such as node-id-1, this will become available to your Dashboard analytics)
gateway.rpc.connString Use this setting to add the URL for your MDCB or load balancer host
gateway.rpc.useSSL true Set this option to true to use an SSL RPC connection
gateway.rpc.sslInsecureSkipVerify true Set this option to true to allow the certificate validation (certificate chain and hostname) to be skipped. This can be useful if you use a self-signed certificate
gateway.rpc.rpcKey Your organisation ID to connect to the MDCB installation
gateway.rpc.apiKey This the API key of a user used to authenticate and authorise the Gateway’s access through MDCB. The user should be a standard Dashboard user with minimal privileges so as to reduce any risk if the user is compromised. The suggested security settings are read for Real-time notifications and the remaining options set to deny
gateway.rpc.groupId This is the zone that this instance inhabits, e.g. the cluster/data-centre the Gateway lives in. The group ID must be the same across all the Gateways of a data-centre/cluster which are also sharing the same Redis instance. This ID should also be unique per cluster (otherwise another Gateway cluster can pick up your keyspace events and your cluster will get zero updates).

Install Tyk Gateway on Ubuntu

Tyk has it’s own APT repositories hosted by the kind folks at packagecloud.io, which makes it easy, safe and secure to install a trusted distribution of the Tyk Gateway stack.

This tutorial has been tested on Ubuntu 16.04 & 18.04 with few if any modifications.

Please note however, that should you wish to write your own plugins in Python, we currently have a Python version dependency of 3.4. Python-3.4 ships with Ubuntu 14.04, however you may need to explicitly install it on newer Ubuntu Operating System releases.

Prerequisites

  • Ensure port 8080 is available. This is used in this guide for Gateway traffic (API traffic to be proxied).
  • You have MongoDB and Redis installed.
  • You have installed firstly the Tyk Dashboard, then the Tyk Pump.

Step 1: Set up our APT Repositories

First, add our GPG key which signs our binaries:

curl -L https://packagecloud.io/tyk/tyk-gateway/gpgkey | sudo apt-key add -

Run update:

sudo apt-get update

Since our repositories are installed via HTTPS, you will need to make sure APT supports this:

sudo apt-get install -y apt-transport-https 

Create a file /etc/apt/sources.list.d/tyk_tyk-gateway.list with the following contents:

deb https://packagecloud.io/tyk/tyk-gateway/ubuntu/ bionic main
deb-src https://packagecloud.io/tyk/tyk-gateway/ubuntu/ bionic main

Note

bionic is the code name for Ubuntu 18.04. Please substitute it with your particular ubuntu release, e.g. focal.

Now you can refresh the list of packages with:

sudo apt-get update

What we’ve done here is:

  • Added the Tyk Gateway repository
  • Updated our package list

Step 2: Install the Tyk Gateway

We’re now ready to install the Tyk Gateway. To install it, run:

sudo apt-get install -y tyk-gateway

What we’ve done here is instructed apt-get to install the Tyk Gateway without prompting, wait for the downloads to complete.

When Tyk has finished installing, it will have installed some init scripts, but will not be running yet. The next step will be to set up the Gateway - thankfully this can be done with three very simple commands, however it does depend on whether you are configuring Tyk Gateway for use with the Dashboard or without (the Community Edition).

Verify the origin key (optional)

Debian packages are signed with the repository keys. These keys are verified at the time of fetching the package and is taken care of by the apt infrastructure. These keys are controlled by PackageCloud, our repository provider. For an additional guarantee, it is possible to verify that the package was indeed created by Tyk by verifying the origin certificate that is attached to the package.

First, you have to fetch Tyk’s signing key and import it.

wget https://keyserver.tyk.io/tyk.io.deb.signing.key
gpg --import tyk.io.deb.signing.key

Then, you have to either,

  • sign the key with your ultimately trusted key
  • trust this key ultimately

The downloaded package will be available in /var/cache/apt/archives. Assuming you found the file tyk-gateway-2.9.4_amd64.deb there, you can verify the origin signature.

gpg --verify d.deb
gpg: Signature made Wed 04 Mar 2020 03:05:00 IST
gpg:                using RSA key F3781522A858A2C43D3BC997CA041CD1466FA2F8
gpg: Good signature from "Team Tyk (package signing) <[email protected]>" [ultimate]

Configure Tyk Gateway with Dashboard

Prerequisites

This configuration assumes that you have already installed the Tyk Dashboard, and have decided on the domain names for your Dashboard and your Portal. They must be different. For testing purposes, it is easiest to add hosts entries to your (and your servers) /etc/hosts file.

Set up Tyk

You can set up the core settings for Tyk Gateway with a single setup script, however for more involved deployments, you will want to provide your own configuration file.

Note

You need to replace <hostname> for --redishost=<hostname>with your own value to run this script.

sudo /opt/tyk-gateway/install/setup.sh --dashboard=1 --listenport=8080 --redishost=<hostname> --redisport=6379

What we’ve done here is told the setup script that:

  • --dashboard=1: We want to use the Dashboard, since Tyk Gateway gets all it’s API Definitions from the Dashboard service, as of v2.3 Tyk will auto-detect the location of the dashboard, we only need to specify that we should use this mode.
  • --listenport=8080: Tyk should listen on port 8080 for API traffic.
  • --redishost=<hostname>: Use Redis on your hostname.
  • --redisport=6379: Use the default Redis port.

Starting Tyk

The Tyk Gateway can be started now that it is configured. Use this command to start the Tyk Gateway:

sudo service tyk-gateway start
sudo service tyk-gateway enable

Pro Tip: Domains with Tyk Gateway

Tyk Gateway has full domain support built-in, you can:

  • Set Tyk to listen only on a specific domain for all API traffic.
  • Set an API to listen on a specific domain (e.g. api1.com, api2.com).
  • Split APIs over a domain using a path (e.g. api.com/api1, api.com/api2, moreapis.com/api1, moreapis.com/api2 etc).
  • If you have set a hostname for the Gateway, then all non-domain-bound APIs will be on this hostname + the listen_path.