Apigee API Proxy - What's the easy way to create a proxy which allows only certain URI paths?

I would like to allow only /abc/def/*, /abc/feg/* and block remaining paths.

1 ACCEPTED SOLUTION

Leverage conditional flows: create a universal conditional flow with a RaiseFault policy after the allowed conditions.

For example:

    <Flows>
        <Flow name="testCases">
            <Description>Allow Only abc/def/* proxy path suffix</Description>
            <Request/>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/abc/def/*") and (request.verb = "POST")</Condition>
        </Flow>
        <Flow name="testSuites">
            <Description>Allow only /abc/feg/* proxy path suffix</Description>
            <Request/>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/abc/feg/*") and (request.verb = "POST")</Condition>
        </Flow>
        <Flow name="restrictAccess">
            <Description>restrictAccess if none of the above conditional flow matches</Description>
            <Request>
                <Step>
                    <Name>fault-path-not-allowed</Name>
                </Step>
            </Request>
            <Response/>
        </Flow>
    </Flows>

RaiseFault policy:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RaiseFault enabled="true" continueOnError="false" async="false" name="fault-path-not-allowed">
        <DisplayName>fault-path-not-allowed</DisplayName>
        <!-- Returned to any request that reaches the restrictAccess flow -->
        <FaultResponse>
            <Set>
                <StatusCode>404</StatusCode>
                <Payload contentType="application/json">
                    {"code":404, "message":"Invalid URI Path"}
                </Payload>
            </Set>
        </FaultResponse>
        <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    </RaiseFault>
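As an added example (not part of the original answer and not Apigee code), this Python model walks the three flows above in order to show which requests the allowlist admits. It assumes first-match flow selection and the documented MatchesPath wildcards (`*` for one path element, `**` for several); treating a segment as non-empty and the `DEEP_FLOWS` variant are assumptions made for illustration.

```python
import re

# Flows from the answer, in document order: (name, MatchesPath pattern, verb).
# pattern None = no <Condition>, so the flow matches every request.
FLOWS = [
    ("testCases", "/abc/def/*", "POST"),
    ("testSuites", "/abc/feg/*", "POST"),
    ("restrictAccess", None, None),
]

# Hypothetical variant: '**' admits nested paths under the same prefixes.
DEEP_FLOWS = [
    ("testCases", "/abc/def/**", "POST"),
    ("testSuites", "/abc/feg/**", "POST"),
    ("restrictAccess", None, None),
]

def matches_path(pattern, path):
    """Simplified MatchesPath: '*' = one non-empty segment, '**' = the rest."""
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            parts.append(".+")
        elif seg == "*":
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.fullmatch("/" + "/".join(parts), path) is not None

def select_flow(flows, verb, pathsuffix):
    """Return the name of the first flow whose condition holds."""
    for name, pattern, flow_verb in flows:
        if pattern is None:
            return name  # unconditional catch-all
        if matches_path(pattern, pathsuffix) and verb == flow_verb:
            return name
    return None

def is_allowed(flows, verb, pathsuffix):
    """A request is allowed unless it falls through to restrictAccess."""
    return select_flow(flows, verb, pathsuffix) != "restrictAccess"

if __name__ == "__main__":
    # Constructed sample requests (verb, proxy.pathsuffix).
    samples = [("POST", "/abc/def/42"), ("GET", "/abc/def/42"),
               ("POST", "/abc/def/42/items"), ("POST", "/abc/xyz/1")]
    for verb, path in samples:
        print(verb, path, "->", select_flow(FLOWS, verb, path))
```

Because the conditions also test `request.verb = "POST"`, a GET to an allowed path falls through to `restrictAccess`, and with a single `*` so does any path more than one segment below `/abc/def` or `/abc/feg`.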


3 REPLIES 3

Hi @Anil Sagar

One of the possible ways is to use Regular Expression Threat Protection in your pre-flow.

@maivizhi, agree, but writing complex regular expressions is a little difficult unless you are a regex pro.