How to make an Apigee proxy accessible only internally?

I am trying to achieve the below flow: User -> externalProxy -> internalProxy -> Endpoint.

I have chained the externalProxy and internalProxy so that there is no network hop.

However, I want the internalProxy to process requests only from the externalProxy.

One possible way I did find was to read the request header virtualhost.ip and, if this is != "localhost", raise a fault. This did not, but I am not sure if this is the recommended way to do it.

I also tried the Access Control Policy such that it accepts requests only from "127.0.0.1", but that doesn't seem to work. When I trace the request for internalProxy, the IP still shows as if it was made from the end user rather than from the externalProxy.

Could you provide recommendations on how I can achieve this use case?


Argo described how you can do a flavor of this, in this article.

If that's not what you mean, ... if by "internal" you mean only internal hosts can access the proxy, but they may access it over the public network, then you can just rely on mutual TLS, and provision the "internal" TLS certs only to the internal systems.

For some reason, the description did not show up in the original post.

How about setting an additional header in the external proxy before sending the request to the internal proxy? If that header is not present, then return a 403.

Pass a header like "X-Internal: true" or something like that


If you have done proxy chaining, then you can use the Access Control policy with the allowed IPs set to the message processor IPs only, so that it is accessible only from the same message processor via proxy chaining. In my case I have not used proxy chaining; that's why I was able to use mutual TLS and certificate verification.
You can do another thing: in the external proxy, set a header value like an API key with a hash code or your own encryption algorithm that can only be decrypted using the logic in the internal proxy.