
Using SSL on the portal

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a web client, such as a browser or app. An encrypted link ensures that all data passing between the web server and the client remains private. To use SSL, a client makes a secure request to the web server by using the secure https:// protocol, instead of the insecure http:// protocol.

You can configure the portal to use SSL. The SSL configuration procedure for the portal depends on how you have deployed the portal:

  • Cloud: Configure SSL from Pantheon, the cloud-based hosting service for the portal. 
  • Apigee Edge for Private Cloud: Configure SSL on-premises on the server hosting the portal. 

SSL and the portal

The following image shows the two places where the portal uses SSL:

  1. For communication between the portal and the Edge management API.

    The portal does not function as a stand-alone system. Instead, much of the information used by the portal is actually stored on Edge, where Edge can be deployed either in the cloud or on-premises as a Private Cloud installation. When necessary, the portal makes an HTTP or HTTPS request to the Edge management API to retrieve information or to send information.

    When you create your portal, one of the first steps you must perform is to specify the URL of the Edge management API. Depending on how the Edge management API is configured, that URL can use SSL. See Creating a developer portal for more.
  2. For communication between developers and the portal.

    When you use the Developer Services portal to deploy your APIs, your developers log in to the portal to register apps and receive API keys. The login credentials and the API key are proprietary information that you want to send over HTTPS to ensure their security.

    The way you configure SSL for this scenario depends on how you have deployed the portal: cloud or Apigee Edge for Private Cloud. The following sections describe both scenarios.

Configuring SSL between the portal and the Edge management API

The configuration of the Edge management API determines whether or not communication can use SSL. If the Edge management API is configured to use SSL, then the portal can use HTTPS. Otherwise, the portal communicates with Edge over HTTP. Therefore, as a portal developer, you only need to know how Edge is configured to set the connection between the portal and Edge. 

Apigee recommends that you configure the Private Cloud version of the Edge management API to use SSL, unless you have deployed both Edge and the portal behind a firewall with no public access. For information on configuring Edge to use SSL, see the Edge Operations Guide.

For the procedure that you use to configure the connection to the Edge management API, see Creating a developer portal.

Cloud-based version of Edge

If your portal connects to the cloud-based version of Edge, then the URL for the Edge management API is preconfigured by Apigee to use SSL. When configuring the portal, you access the Edge management API by using the URL

Private Cloud installation of Edge

For a Private Cloud installation of Edge, the URL of the Edge management API is in the form:




where EdgePrivateCloudIp is the IP address of the Edge Management Server and SSLport is the SSL port for the Edge management API. For example, the port number could be 8443 or even 8080 based on the Edge configuration.

Configuring SSL between developers and the portal

The way you configure SSL between developers and the portal depends on how you deployed the portal: cloud or Apigee Edge for Private Cloud. 

However, in both instances you must obtain your own SSL certificate before you can deploy the portal to a production environment. 

Cloud-based portals

Portals deployed in the cloud on Pantheon are preconfigured with three environments: development, test, and production. The way you configure and use SSL depends on the environment:

  • Development and test environments: Requests can use http:// or https://. Requests over https:// use the Apigee SSL certificate so that you can build and test your portal. However, you must obtain your own SSL certificate to move to a production environment.
  • Production environment: If you want to encrypt portal data transfers, then you require your own SSL certificate. 

You use the Pantheon UI to configure SSL for the portal. Before starting this process, you should be familiar with the Pantheon documentation:

You must have access to the Pantheon dashboard to configure SSL. You can get access by requesting it from your portal administrator, or by making a request to Apigee Support.

To configure SSL for the portal in Pantheon:

  1. Obtain an SSL certificate.
  2. Log in to Pantheon at
  3. Use the instructions at to:
    • Generate the RSA Key (.key) and CSR (certificate signing request).
    • Enable SSL.
    • Enter the RSA Key and CSR.
  4. In Pantheon, select Domains > Domain Setup.
  5. Ensure that the IP address generated when you registered your SSL certificate appears as a record type of A, references the generated IP directly, and does not use a redirect.

Edge for Private Cloud portals

All Apigee-recommended Private Cloud installations of the portal require the portal to be behind a load balancer, as shown below:

Therefore, for on-premises installations, you have two options for configuring SSL:

  • Configure SSL on the load balancer: Configure SSL on the load balancer itself, and not on the portal. The procedure that you use to configure SSL is therefore dependent on the load balancer. See the documentation on your load balancer for more information.
  • Configure SSL on the portal itself: If necessary, you can configure SSL on the web server that hosts the portal. By default, Apigee installs the Apache web server. For information on configuring SSL for Apache, see

Additional SSL settings for settings.php

You can edit the sites/default/settings.php file to make configuration changes to SSL for the portal. When editing the sites/default/settings.php file, add instances of the ini_set() function to set a property. For more information on this function, see:

You can set the following properties in the sites/default/settings.php file:

  • cookie_httponly: (Recommended) Specifies that the cookie is accessible only over the HTTP protocol. Set this property as:

    ini_set('session.cookie_httponly', true);

  • session.cookie_secure: (Optional) Specifies that cookies can only be sent over secure connections. However, this means that all content must be served over HTTPS. If this setting is enabled, the site will not work over HTTP. Set this property as:

    ini_set('session.cookie_secure', true);

  • gc_maxlifetime and cookie_lifetime: (Optional) gc_maxlifetime specifies the number of seconds after which data can potentially be cleaned up, and cookie_lifetime specifies the lifetime of the cookie in seconds. Set these properties as:

    ini_set('session.gc_maxlifetime', 3600);
    ini_set('session.cookie_lifetime', 3600);

For more information on setting up SSL between the developer portal and clients, including making sure all http calls are redirected to https, see Enable SSL for Secure HTTPS Communication on the Pantheon doc site.
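To check that the settings above took effect, the following added example (not part of the original page or of Apigee's code) audits captured response headers for the cookie flags, the cookie lifetime, and the http-to-https redirect. It assumes the portal is meant to be served entirely over HTTPS with a 3600-second lifetime; the host portal.example.com, the cookie names, and the sample responses are constructed.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attributes)."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def audit_response(url, status, headers, max_lifetime=3600):
    """Return findings for one captured response; headers is a list of pairs."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    # A plain-HTTP request should only ever produce a redirect to https://.
    if urlsplit(url).scheme == "http":
        location = next((v for k, v in hdrs if k == "location"), "")
        if status not in REDIRECTS or urlsplit(location).scheme != "https":
            findings.append("http request is not redirected to https")
    for key, value in hdrs:
        if key != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:      # session.cookie_httponly
            findings.append(f"{name}: missing HttpOnly")
        if "secure" not in attrs:        # session.cookie_secure
            findings.append(f"{name}: missing Secure")
        max_age = attrs.get("max-age", "")  # session.cookie_lifetime
        if max_age.isdigit() and int(max_age) > max_lifetime:
            findings.append(f"{name}: Max-Age {max_age} exceeds {max_lifetime}")
    return findings

# Constructed sample responses (not captured from a real portal).
WEAK = ("http://portal.example.com/user/login", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSexample=abc; Max-Age=2000000; path=/; HttpOnly"),
])
REDIRECTED = ("http://portal.example.com/user/login", 301, [
    ("Location", "https://portal.example.com/user/login"),
])
HARDENED = ("https://portal.example.com/user/login", 200, [
    ("Set-Cookie", "SSESSexample=abc; Max-Age=3600; path=/; secure; HttpOnly"),
])

if __name__ == "__main__":
    for url, status, headers in (WEAK, REDIRECTED, HARDENED):
        print(url, status, audit_response(url, status, headers) or "ok")
```
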

Configuring SSL with Load Balancers

For better performance, load balancers are sometimes configured to perform SSL termination. With SSL termination, load balancers decrypt messages sent over https:// and forward the messages to backend servers over http://. That saves backend servers the overhead of decrypting https:// messages themselves.

If load balancers forward unencrypted http messages to servers in the same data center, security is not an issue. However, if load balancers forward messages over http:// to servers outside the data center, such as your Apigee developer portal, the messages are unencrypted, which opens a security hole.

If your developer portal sits behind load balancers that are using SSL termination, and you want all traffic served over https://, the website pages will need to contain https:// links only and you will need to add the following code to your developer portal sites/default/settings.php file. Because the load balancer does not automatically transform the content of the HTML pages, the code ensures that all links passed to the client start with https://.

To configure SSL with load balancers, add the following lines to the sites/default/settings.php file:

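// Treat every request as HTTPS so that generated links start with https://.
// Because this is set unconditionally, the redirect at the end never fires.
$_SERVER['HTTPS'] = 'on';
// Base URL of the portal.
$base_url = "";
// Assume SSL cannot be detected unless proven otherwise.
$can_detect_ssl = FALSE;

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')) {
 $can_detect_ssl = TRUE;
}

// The load balancer reports the original protocol in X-Forwarded-Proto.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
 $_SERVER['HTTPS'] = 'on';
}

// Redirect to https:// when the request is known not to be HTTPS.
if ($can_detect_ssl && $_SERVER['HTTPS'] != 'on') {
 header('Location: https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
 exit;
}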

For more information, see:

