How to start one specific api proxy (or some) per node, but not _ALL_

Hello,

We have several services and are willing to use the first EMG deployment model, as mentioned on http://docs.apigee.com/microgateway/latest/edge-microgateway-overview : one EMG co-located with the back-end service.

Of course, we use a HTTPTargetConnection of http://localhost:8080 to avoid both the SSL CPU impact & leverage the loopback device efficiency. This is the case for all of our API proxies: say both API proxies edgemicro_foo & edgemicro_bar have a configured HTTPTargetConnection behind http://localhost:8080.

  • On nodes running service foo, I am therefore expected to start EMG running only edgemicro_foo
  • On nodes running service bar, I am therefore expected to start EMG running only edgemicro_bar

How can I select which API proxy is active? edgemicro start does not seem to have any option...

$ ./edgemicro start -h

  Usage: start [options]

  start the gateway based on configuration

  Options:

    -h, --help                   output usage information
    -o, --org <org>              the organization
    -e, --env <env>              the environment
    -k, --key <key>              key for authenticating with Edge
    -s, --secret <secret>        secret for authenticating with Edge
    -c, --cluster                will cluster the server
    -p, --processes <processes>  number of processes to start, defaults to # of cores
    -d, --pluginDir <pluginDir>  absolute path to plugin directory

... and the config.yaml file reference does not seem to define it either http://docs.apigee.com/microgateway/latest/edge-microgateway-operations

Needless to say, if each EMG starts every API proxy for every service of my organisation on every node (whatever the service), this will create numerous security holes to non-controlled URLs (bar getting calls from edgemicro_foo at unknown URLs & conversely).

Or do I miss something obvious?


Former Community Member
Not applicable

You are correct. This is the current behaviour of EdgeMicro. In the private cloud, you can try and create an environment with only those proxies deployed that you want for EM1 (for ex) and another environment with only proxies deployed for EM2. This isn't a great solution if you want only one proxy per EM.

@Srinandan Sridhar Is this configuration only for Private cloud, or will SaaS also work? Because I set a proxy in the EMG config file, the config object created at EMG startup does not contain product resources and apikey validation fails. Below is my config object with a proxy setting in the EMG file.

With Proxy configuration:



{
  "productOnly": true,
  "allowNoAuthorization": false,
  "allowInvalidAuthorization": false,
  "verify_api_key_url": "https://hpcorp-stage.apigee.net/edgemicro-auth/verifyApiKey",
  "public_key":
"-----BEGIN
CERTIFICATE-----\nMIICpDCCAYwCCQCwL6jpsPW+6jANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls\nb2NhbGhvc3QwHhcNMTcwOTE0MjIxNzMwWhcNMTcwOTE1MjIxNzMwWjAUMRIwEAYD\nVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDv\nsJymrrVndiSYAtBtTKDcuQu7CUzf9aX/D9jpcU5RQkdnkCSBksKr357TRODqO4ST\nmwMhrWmnqr7w9oE9rpzkgiU4qbg2Mth/Jqe/vrYuMrWHhXNi59sdXDkevgzJXT6n\nV/F+43QTE7LRoxDjA71yoaTUzGR28oasXymt6a94Mo5N1DqG+Bcb+EYDKqDD1rui\nHvlc341DJyVEI7sV3PESTzMA8hMmg1ZHGlSr9/bi7+wnkIJ8VLdu9lntoquEfSeK\nhHJxPGLaVsgbEkvJumrXzOYoI5AmkE67PNHGoiOENCdtIPUFDK1RUiOfFUltJl08\ngZ57YsR0FpKc8KzwERpNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJZ3sAauwZi7\nXFK6cOPorlrzfGLkPHVDTQ9Nc5UzocN8YNoSvFx/ZEOuttzyue0ejUWnGhdGOQNt\n8wE/g5SfvNk/LIK88AG36uPgv9LTSw1EmjGMEQWGxrS8bUOWTYamTwBTkmtYnOJY\nPgmXjmK71E6FwyWzayNvKSLDgef9OPbJXLp7T8GcbCXju9GL2ru3n6Rw/hNbOCC5\nLTTI+9JH5pJ0p3BAFcK9ihG/QkmtOKI21a+7z+PLaYBHl8ffQMjuFQf3Q/3obInG\n0z9Uc9BJFY+VJPY2Q4SoQ3dI9fD3Ow+e71Q1GS5Ngwi0UmGMDMuKl9nOPQihu5bD\naOtVlCVFv7Y=\n-----END
CERTIFICATE-----",


  "product_to_proxy": {},
  "product_to_api_resource": {},
  "key": "xxx",
  "secret": "xxxx"
}

So to cope with the current behaviour, organizations need to define one environment for each machine-template where EMG&Service are co-located http://docs.apigee.com/microgateway/latest/edge-microgateway-overview? That sounds like a bug, no?

I would rather expect to have something like the below in the ~/.edgemicro/<org>-<env>-config.yaml, so that I (as a machine/node owner) can choose which API proxies (among those configured in my org+env) are actually running on my EMG instance:

edgemicro:
  port: 5000
  [...]
  proxies:
  - edgemicro-oauth
  - edgemicro_myservicefoo
  - edgemicro_myservicebar

For backward compatibility, in case no "proxies" is present, then all of the "edgemicro_*" proxies listed in the org+env would be started (which is today's behaviour).

The above is simple, backward-compatible & very likely easy to implement... Could we have it?

Former Community Member
Not applicable

Sorry, I don't understand Kp. I think what you're asking is different from FiX. Can you please start a new thread? We can discuss there.

@Srinandan Sridhar it is somewhat related to what we are doing, but I have started a new thread as below

https://community.apigee.com/questions/48093/emg-configuration-with-proxy-tag-failing-api-key-v.html

robinm
New Member

Old question needing an update. Later releases of Edge Microgateway now provide a filtering option.

See Filtering downloaded proxies in the Operation and Configuration reference.

edge_config:
   …
   proxyPattern: edgemicro_f*
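
A pre-rollout check for the per-node filtering discussed in this thread, as an added example that is not part of any post here and is not Apigee code: it lists which deployed proxies a node's proxyPattern would select and flags any the node was not meant to expose. It assumes `*` matches any run of characters and everything else is literal; the node names, the `edgemicro_finance` proxy and the helper functions are constructed for illustration.

```javascript
// Added example: audit per-node proxyPattern values before rollout.
// Assumption: '*' matches any run of characters; all other characters are literal.
function patternToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`);
}

// Return the proxies a node would load, those it was not meant to expose,
// and intended proxies the pattern fails to select.
function auditNode(deployedProxies, pattern, intendedProxies) {
  const re = patternToRegExp(pattern);
  const loaded = deployedProxies.filter((name) => re.test(name));
  const unexpected = loaded.filter((name) => !intendedProxies.includes(name));
  const missing = intendedProxies.filter((name) => !loaded.includes(name));
  return {
    loaded,
    unexpected,
    missing,
    ok: unexpected.length === 0 && missing.length === 0,
  };
}

// Constructed sample data: proxies deployed in one org+env, and per-node intent.
const deployed = ['edgemicro_foo', 'edgemicro_bar', 'edgemicro_finance'];
const nodes = [
  { node: 'foo-node', pattern: 'edgemicro_f*', intended: ['edgemicro_foo'] },
  { node: 'foo-node-strict', pattern: 'edgemicro_foo', intended: ['edgemicro_foo'] },
  { node: 'bar-node', pattern: 'edgemicro_bar', intended: ['edgemicro_bar'] },
];

function auditAll(deployedProxies, nodeSpecs) {
  return nodeSpecs.map((n) => ({
    node: n.node,
    pattern: n.pattern,
    ...auditNode(deployedProxies, n.pattern, n.intended),
  }));
}

for (const r of auditAll(deployed, nodes)) {
  const status = r.ok ? 'OK' : 'REVIEW';
  console.log(`${status} ${r.node} (${r.pattern}) loads: ${r.loaded.join(', ')}` +
    (r.unexpected.length ? ` | unexpected: ${r.unexpected.join(', ')}` : ''));
}
```

A prefix pattern such as `edgemicro_f*` silently picks up any later proxy that shares the prefix, so rerun the check whenever a proxy is added to the environment.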