Internal (non Public) Proxy

Hi,

I'd like to know if it's possible to enforce an Apigee proxy to be only accessible from other proxies (e.g. for policy composition pattern).

I want to create a few public Apigee proxies that will use the above "private" proxy via ServiceCallouts. However, I'd like to reject direct requests to the "private" proxy. The public proxies have OAuth2 authentication policies.

Ideally, the OAuth2 flow variables should also be propagated to the "private" proxy.

Any advice will be very appreciated.

Regards,

Julio

4 REPLIES

One simple solution is to use a custom header. The private proxy will check for the presence of the custom header in the request and the private proxy will reject requests that do not have that header.

Another solution, if you are using OPDK or a dedicated POD on the cloud, is to IP whitelist the private proxy to the Message Processor IPs. So the private proxy will only allow calls from the MP, which means from another proxy, not from outside.

Thanks for your suggestion, I thought about it too, but I don't know how to prevent the external clients from just adding that header too (apart from security by obscurity).
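An added example, not part of the thread and not Apigee policy code: a stand-alone model of the custom-header check in which the header carries an HMAC over the request instead of a fixed value, so a client that simply adds the header is rejected. This goes beyond the presence check described above. The header names, the 30-second window and the shared secret (assumed to be readable only by the proxies) are hypothetical.

```python
import hashlib
import hmac
import time

# Assumptions (not from the thread): header names, the 30 s window, and a
# secret that only the proxies can read and that is never sent to API clients.
SHARED_SECRET = b"constructed-demo-secret"   # constructed sample value
SIG_HEADER = "X-Internal-Signature"          # hypothetical header name
TS_HEADER = "X-Internal-Timestamp"           # hypothetical header name
MAX_SKEW_SECONDS = 30


def _mac(secret, method, path, timestamp):
    # Bind the signature to the method, path and time of this one callout.
    msg = f"{method}\n{path}\n{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_callout(method, path, now=None, secret=SHARED_SECRET):
    """Public proxy side: headers to attach to the ServiceCallout request."""
    ts = str(int(time.time() if now is None else now))
    return {TS_HEADER: ts, SIG_HEADER: _mac(secret, method, path, ts)}


def verify_internal(method, path, headers, now=None, secret=SHARED_SECRET):
    """Private proxy side: return (allowed, reason) for an incoming request.

    `headers` is a plain dict here; a real gateway matches names
    case-insensitively.
    """
    ts, sig = headers.get(TS_HEADER), headers.get(SIG_HEADER)
    if ts is None or sig is None:
        return False, "missing header"
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad timestamp"
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # Constant-time comparison avoids leaking how many characters matched.
    expected = _mac(secret, method, path, ts)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    return True, "ok"
```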

@Julio Rincon, yes, there's a good way to do it using Proxy Chaining.

See an article here by @Arghya Das that talks in detail about the technique.

Hi @Anil Sagar, that's an interesting link. Unfortunately, I'm using the Edge on Cloud so I can't create a new private virtual host, which is required for the proxy chaining.