How to secure API for single partner.

paul_martin
Participant II

We have a partner that wants to call an API on our side through a somewhat outdated system. We have asked them if they could modify their system to send an API Key. Their answer was no. We don't want to leave our API insecure, as this API will save data in our system and we don't want to end up with fictitious data in our system. We tried using the Access Control Policy, but what I have found is that the client.ip or X-Forwarded-For is the same whether I hit our API from their website or if I hit our API from within our network using Postman. Is there something I am doing wrong? Does Apigee need to configure something so we see the correct IP address? Are there other alternatives I should be considering to secure this API that don't require our partner making changes? Thanks, Paul

1 ACCEPTED SOLUTION

paul_martin
Participant II

I was able to get Access Control Policy to work, once I figured out that Zscaler was the problem. I was able to test from a machine that didn't have Zscaler on it. Thank you everyone for the help.


8 REPLIES

Is the website making a CORS request? If so you should be able to use the Origin or Referer headers to restrict access.

I am guessing not, because when I trace I see no OPTIONS preflight request come through. How else would I determine this? As far as the Referer goes, I looked into this, but it's easily spoofed: when I sent a header with the domain of the partner from my Postman, it showed as if the request was from the partner's domain.

Odd that the IP address wouldn't be different. Is this OPDK or Apigee hosted Edge?

Apigee Edge

I did a reverse IP on the address that is showing up.

[image: 3637-ipaddress.png]

Our company uses a product called Zscaler which prevents access to restricted sites. Is this messing with us?

What's the URL for their website? Is it restricted access?

If it's hosted Edge, then the IP shown in trace shouldn't be affected by Zscaler. I'd expect that's limited to your network.

It seems to me you can restrict access to an API based on the contents of the inbound message. Specific options are:

  • something passed in the HTTP request header, like the API key, or an OAuth token
  • security provided in the transport, e.g., a client-side TLS certificate
  • something implicit in the request, like the client IP address
  • some combination or elaboration of the above, like a hash of the payload, signed with a shared secret (like an API key)

It's odd that you cannot see the original IP address. Perhaps the partner is going through a proxy that masks the true IP, and your tests are going through the same proxy. Is that possible? Have you tried to make a request from the Trace window in the Edge UI? That request would come from the Edge server, so it should be different.

When I invoke my own APIs running in the Apigee-managed Edge service, I see different IP addresses in proxy.client.ip, depending on whether I use curl from my development workstation, or the Trace UI. Do you?

It's frustrating that they cannot modify the client to pass in a new header value (apikey), but yeah, I get it. Sometimes embedded systems (point of sale, or otherwise) are difficult to update quickly.

If they ARE sending requests through a proxy, sometimes it is possible to configure the proxy server to add a header. For example, Apache2 has mod_proxy and a companion mod_headers that would allow this. There is similar function in haproxy, nginx, or hardware-based network proxies. Doing things this way requires only a network reconfiguration, not an update to the app itself. This may be more feasible than updating the app.
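The thread turns on which address an IP-based access control should actually look at: the TCP peer, or something in X-Forwarded-For, which any caller can set (the same spoofing problem Paul observed with Referer). The following is an added example, not code from the thread or from Apigee: it walks an X-Forwarded-For chain from the right, skips only hops that belong to our own trusted proxy range, and applies a partner allowlist to the first hop it cannot vouch for. The proxy range (10.0.0.0/8) and the partner range (203.0.113.0/24) are constructed assumptions, as are the sample requests. Whether the gateway exposes the result as `proxy.client.ip` or via a header its own ingress sets, this is the logic its access control has to apply for the allowlist to mean anything.

```python
import ipaddress
from ipaddress import IPv4Address, IPv6Address
from typing import Dict, Iterable, Optional, Tuple, Union

IPAddr = Union[IPv4Address, IPv6Address]

# Assumptions for the example (constructed, not from the thread):
TRUSTED_PROXIES = ["10.0.0.0/8"]      # our own load balancer / gateway hops
PARTNER_CIDRS = ["203.0.113.0/24"]    # the partner's egress range


def _parse_ip(text: str) -> Optional[IPAddr]:
    """Parse one address; return None for anything malformed."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def resolve_client_ip(remote_addr: str, xff: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Return the address the allowlist should be applied to.

    The X-Forwarded-For header is only consulted when the TCP peer is one of
    our trusted proxies; otherwise the header is untrusted input and the peer
    address is used as-is.  The chain is walked from the right (nearest hop
    first), skipping trusted proxies, and the first hop we cannot vouch for is
    treated as the client.  Entries to the left of that hop are whatever the
    client chose to send, so they are ignored.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: IPAddr) -> bool:
        return any(ip in net for net in trusted)

    peer = _parse_ip(remote_addr)
    if peer is None or not is_trusted(peer):
        return remote_addr

    hops = [h for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            # Malformed entry: stop here and fall back to the peer rather than
            # trust anything to the left of it.
            break
        if not is_trusted(ip):
            return str(ip)
    # Every hop was one of our own proxies (or the chain was broken):
    # fall back to the peer, which will not match a partner allowlist.
    return remote_addr


def is_allowed(client_ip: str, allow_cidrs: Iterable[str]) -> bool:
    """True when client_ip falls inside one of the allowlisted networks."""
    ip = _parse_ip(client_ip)
    if ip is None:
        return False
    return any(ip in ipaddress.ip_network(c) for c in allow_cidrs)


# Constructed sample requests: (label, TCP peer, X-Forwarded-For header)
REQUESTS = [
    ("partner via our LB",             "10.0.0.5",      "203.0.113.7"),
    ("partner through two of our hops", "10.0.0.5",     "203.0.113.7, 10.0.0.9"),
    ("tester spoofing XFF directly",    "198.51.100.20", "203.0.113.7"),
    ("tester spoofing XFF via our LB",  "10.0.0.5",      "203.0.113.7, 198.51.100.20"),
    ("unrelated client via our LB",     "10.0.0.5",      "192.0.2.40"),
]


def evaluate(requests=REQUESTS) -> Dict[str, Tuple[str, bool]]:
    """Resolve and allowlist-check each sample request."""
    results = {}
    for label, peer, xff in requests:
        ip = resolve_client_ip(peer, xff, TRUSTED_PROXIES)
        results[label] = (ip, is_allowed(ip, PARTNER_CIDRS))
    return results


if __name__ == "__main__":
    for label, (ip, ok) in evaluate().items():
        print(f"{label:34s} -> {ip:15s} {'ALLOW' if ok else 'DENY'}")
```

The two "tester spoofing" cases are the point: a forged partner address in X-Forwarded-For is ignored both when the tester talks to the API directly (the peer is not a trusted proxy, so the header is never read) and when the tester goes through our own load balancer (the tester's address is the first untrusted hop, and the forged value to its left is discarded). Note also that if every client, partner included, reaches the API through one shared outbound proxy such as Zscaler, the first untrusted hop is that proxy's address for everyone, which is exactly the symptom described in the question; nothing at the gateway can recover a client distinction the proxy has already erased.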
