What can we do to configure Apigee not to listen on port 80 for some APIs while listening on port 80 for other APIs?

If the "default" virtual host is removed from the proxy and an incoming request is received on port 80, Apigee responds with a 404 Not Found error, which essentially means that Apigee is still listening on port 80.

Is this correct?

So, is there any way for us to block port 80 (HTTP) access to only some API proxies while allowing other proxies to be operational on both port 80 and port 443?

ACCEPTED SOLUTION

Removing the "default" virtual host entry from the proxy XML does not remove the virtual host itself. It only means you don't want your API proxy to listen on the alias/port of the virtual host. Hence Apigee continues to listen on this port. If you don't want Apigee to listen on a particular port, you need to remove the virtual host itself. There is an API to do that.

If you are using the private cloud installation, you can configure the virtual host with a custom port. For example, you configure your test environment with "default" (on port 9001) and your production environment with the "secure" virtual host (on 443). In this case Apigee does not listen on port 80, but listens on both port 9001 and 443. You can move proxies between test and prod based on the transport-level security you need.

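The behaviour described in the accepted solution, as an added sketch that is not part of the original thread and not Apigee's own code: a small model showing why a proxy with no "default" binding answers 404 on port 80 instead of refusing the connection, and which proxies remain bound to a non-TLS virtual host. The virtual host table and the two proxies (`payments`, `catalog`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed environment: virtual host name -> (port, TLS enabled).
# Names and ports follow the thread ("default" on 80, "secure" on 443).
VHOSTS = {"default": (80, False), "secure": (443, True)}

# Constructed ProxyEndpoint definitions for two hypothetical proxies.
PROXIES = {
    "payments": """<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/payments</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
</ProxyEndpoint>""",
    "catalog": """<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/catalog</BasePath>
    <VirtualHost>default</VirtualHost>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
</ProxyEndpoint>""",
}


def bindings(endpoint_xml):
    """Return (base path, [virtual host names]) from one ProxyEndpoint."""
    conn = ET.fromstring(endpoint_xml).find("HTTPProxyConnection")
    base = conn.findtext("BasePath", default="/").strip()
    return base, [v.text.strip() for v in conn.findall("VirtualHost")]


def outcome(port, path):
    """Model what a client sees for a request to `path` on `port`."""
    listening = [n for n, (p, _) in VHOSTS.items() if p == port]
    if not listening:
        return "connection refused"      # no virtual host owns this port
    for name, xml_text in PROXIES.items():
        base, vhosts = bindings(xml_text)
        if path.startswith(base) and set(vhosts) & set(listening):
            return f"routed to {name}"
    return "404 Not Found"               # port is open, no proxy bound


def plaintext_proxies():
    """Proxies reachable over any non-TLS virtual host."""
    clear = {n for n, (_, tls) in VHOSTS.items() if not tls}
    return sorted(n for n, x in PROXIES.items() if clear & set(bindings(x)[1]))
```

Running `plaintext_proxies()` over the ProxyEndpoint files of a real bundle gives a quick list of proxies that still accept unencrypted traffic while the "default" virtual host exists.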

5 REPLIES

There are other ways in Apigee (security policies, IP access control policy and also the concept of API products) to control access to APIs. I am curious to know why you want to restrict certain API calls based on port... Could you please share more details on the use case?

@sudheendra1 For an environment I want to disable all unencrypted (i.e., HTTP) traffic, and only the "secure" (HTTPS) port needs to be accessible.

I tried removing the "default" virtual host from the proxy XML.

However, when the incoming request is received on port 80, Apigee responds with a 404 Not Found, which essentially means that Apigee is still listening on port 80. What can we do to configure Apigee not to listen on port 80 for some APIs while listening on port 80 for other APIs? Essentially, does deleting the default virtual host mean that Apigee will stop listening on that port for the entire org?

Thanks @sudheendra1

@sudheendra1 This is somewhat problematic sometimes because there can be some APIs which need to listen on only 443 while there could be others which can listen on port 80/9001 etc. So this should ideally be at the API proxy level rather than at the org level.

Please let me know if my understanding is wrong.