Gateway on Ubuntu
Ansible is required to run the following commands. Instructions on how to install Tyk Gateway with shell are in the Shell tab.
- Clone the tyk-ansible repository
$ git clone https://github.com/TykTechnologies/tyk-ansible
- cd into the directory
$ cd tyk-ansible
- Run initialisation script to initialise environment
$ sh scripts/init.sh
- Modify the hosts.yml file to update ssh variables to your server(s). You can learn more about the hosts file here
- Run ansible-playbook to install, using the tag tyk-gateway-pro or tyk-gateway-hybrid
$ ansible-playbook playbook.yaml -t tyk-gateway-pro
|gateway.service.host||Gateway server host if different than the hosts url|
||Gateway server listening port|
||Gateway server protocol|
|gateway.sharding.tags||The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as OR operations. If you include a non-filter tag (e.g. an identifier such as
|gateway.rpc.connString||Use this setting to add the URL for your MDCB or load balancer host|
||Set this option to
||Set this option to
|gateway.rpc.rpcKey||Your organisation ID to connect to the MDCB installation|
|gateway.rpc.apiKey||This is the API key of a user used to authenticate and authorise the Gateway’s access through MDCB. The user should be a standard Dashboard user with minimal privileges so as to reduce any risk if the user is compromised. The suggested security settings are read for Real-time notifications and the remaining options set to deny|
|gateway.rpc.groupId||This is the
Tyk has its own APT repositories hosted by the kind folks at packagecloud.io, which makes it easy, safe and secure to install a trusted distribution of the Tyk Gateway stack.
This tutorial has been tested on Ubuntu 16.04 & 18.04 with few if any modifications.
Please note, however, that should you wish to write your own plugins in Python, we currently have a Python version dependency of 3.4. Python-3.4 ships with Ubuntu 14.04; however, you may need to explicitly install it on newer Ubuntu Operating System releases.
- Ensure port 8080 is available. This is used in this guide for Gateway traffic (API traffic to be proxied).
- You have MongoDB and Redis installed.
- You have installed the Tyk Dashboard first, then the Tyk Pump.
Step 1: Set up our APT Repositories
First, add our GPG key which signs our binaries:
curl -L https://packagecloud.io/tyk/tyk-gateway/gpgkey | sudo apt-key add -
sudo apt-get update
Since our repositories are installed via HTTPS, you will need to make sure APT supports this:
sudo apt-get install -y apt-transport-https
Create a file /etc/apt/sources.list.d/tyk_tyk-gateway.list with the following contents:
deb https://packagecloud.io/tyk/tyk-gateway/ubuntu/ bionic main
deb-src https://packagecloud.io/tyk/tyk-gateway/ubuntu/ bionic main
Now you can refresh the list of packages with:
sudo apt-get update
What we’ve done here is:
- Added the Tyk Gateway repository
- Updated our package list
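An alternative to the apt-key step above, as an added example rather than Tyk's documented procedure: apt-key add places the key in APT's global keyring, where it is trusted for every configured repository, while a dedicated keyring referenced with signed-by limits it to the Tyk repository. The keyring path and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Tyk's documented procedure. KEYRING and the function
# names are assumptions; the URLs and list file path are the ones used above.
KEYRING=/usr/share/keyrings/tyk-gateway-archive-keyring.gpg
REPO_URL=https://packagecloud.io/tyk/tyk-gateway/ubuntu/
KEY_URL=https://packagecloud.io/tyk/tyk-gateway/gpgkey
LIST_FILE=/etc/apt/sources.list.d/tyk_tyk-gateway.list

# Print the two repository entries for a release codename (bionic, xenial, ...),
# each restricted to the dedicated keyring with signed-by.
tyk_sources_lines() {
    case $1 in
        ''|*[!a-z]*) echo "invalid codename: $1" >&2; return 1 ;;
    esac
    printf 'deb [signed-by=%s] %s %s main\n' "$KEYRING" "$REPO_URL" "$1"
    printf 'deb-src [signed-by=%s] %s %s main\n' "$KEYRING" "$REPO_URL" "$1"
}

# Audit helper: read sources.list content on stdin and print Tyk repository
# entries that are not pinned to a keyring (they rely on the global one).
unscoped_tyk_entries() {
    awk -v url="$REPO_URL" \
        '/^deb(-src)?[ \t]/ && index($0, url) && !/signed-by=/'
}

# Fetch the key, store it in binary form, then write the list file (run as root).
# Assumes the key is served ASCII-armored, which gpg --dearmor converts.
install_tyk_repo() {
    lines=$(tyk_sources_lines "$1") || return 1
    tmp=$(mktemp) || return 1
    curl -fsSL "$KEY_URL" -o "$tmp" && gpg --dearmor < "$tmp" > "$KEYRING"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$lines" > "$LIST_FILE"
}
```

Run `install_tyk_repo bionic` as root in place of the apt-key and list-file steps, then refresh the package list with apt-get update.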
Step 2: Install the Tyk Gateway
We’re now ready to install the Tyk Gateway. To install it, run:
sudo apt-get install -y tyk-gateway
What we’ve done here is instruct apt-get to install the Tyk Gateway without prompting. Wait for the downloads to complete.
When Tyk has finished installing, it will have installed some init scripts, but will not be running yet. The next step will be to set up the Gateway. Thankfully this can be done with three very simple commands; however, it does depend on whether you are configuring Tyk Gateway for use with the Dashboard or without (the Community Edition).
Verify the origin key (optional)
Debian packages are signed with the repository keys. These keys are verified at the time of fetching the package, which is taken care of by the apt infrastructure. These keys are controlled by PackageCloud, our repository provider. For an additional guarantee, it is possible to verify that the package was indeed created by Tyk by verifying the origin certificate that is attached to the package.
First, you have to fetch Tyk’s signing key and import it.
wget https://keyserver.tyk.io/tyk.io.deb.signing.key
gpg --import tyk.io.deb.signing.key
Then, you have to either,
- sign the key with your ultimately trusted key
- trust this key ultimately
The downloaded package will be available in /var/cache/apt/archives. Assuming you found the file tyk-gateway-2.9.4_amd64.deb there, you can verify the origin signature.
gpg --verify d.deb
gpg: Signature made Wed 04 Mar 2020 03:05:00 IST
gpg:                using RSA key F3781522A858A2C43D3BC997CA041CD1466FA2F8
gpg: Good signature from "Team Tyk (package signing) <[email protected]>" [ultimate]
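For scripted installs, the same verification can be gated on gpg's machine-readable status output and the fingerprint shown above instead of reading the human-readable text. This is an added example, not Tyk's own tooling; the function names are assumptions and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not Tyk's own tooling. Function names are assumptions.
# The fingerprint is the one shown in the gpg output on this page.
TYK_FPR=F3781522A858A2C43D3BC997CA041CD1466FA2F8

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line names
# the wanted fingerprint (as signing key or as its primary key) and no line
# reports a bad, unverifiable, expired or revoked signature.
status_is_pinned_validsig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Constructed status output for a good signature (timestamps are made up).
sample_good_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CA041CD1466FA2F8 Team Tyk (package signing)
[GNUPG:] VALIDSIG $TYK_FPR 2020-03-03 1583271300 0 4 0 1 8 00 $TYK_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Verify a downloaded package file against the pinned key.
verify_tyk_package() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | status_is_pinned_validsig "$TYK_FPR"
}
```

VALIDSIG is reported independently of the owner-trust assigned to the key, so this check rests on the fingerprint comparison rather than on the [ultimate] marker in the human-readable output.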
Configure Tyk Gateway with Dashboard
This configuration assumes that you have already installed the Tyk Dashboard, and have decided on the domain names for your Dashboard and your Portal. They must be different. For testing purposes, it is easiest to add hosts entries to your (and your servers)
Set up Tyk
You can set up the core settings for Tyk Gateway with a single setup script, however for more involved deployments, you will want to provide your own configuration file.
You need to replace --redishost=<hostname> with your own value to run this script.
sudo /opt/tyk-gateway/install/setup.sh --dashboard=1 --listenport=8080 --redishost=<hostname> --redisport=6379
What we’ve done here is told the setup script that:
- --dashboard=1: We want to use the Dashboard, since Tyk Gateway gets all its API Definitions from the Dashboard service. As of v2.3 Tyk will auto-detect the location of the dashboard, so we only need to specify that we should use this mode.
- --listenport=8080: Tyk should listen on port 8080 for API traffic.
- --redishost=<hostname>: Use Redis on your hostname.
- --redisport=6379: Use the default Redis port.
The Tyk Gateway can be started now that it is configured. Use this command to start the Tyk Gateway:
sudo service tyk-gateway start
sudo service tyk-gateway enable
Pro Tip: Domains with Tyk Gateway
Tyk Gateway has full domain support built-in, you can:
- Set Tyk to listen only on a specific domain for all API traffic.
- Set an API to listen on a specific domain (e.g. api1.com, api2.com).
- Split APIs over a domain using a path (e.g. api.com/api1, api.com/api2, moreapis.com/api1, moreapis.com/api2 etc).
- If you have set a hostname for the Gateway, then all non-domain-bound APIs will be on this hostname + the