How to specify an "Allow List" of URLs (not IPs using Access Control) in a Apigee Edge proxy

We got a requirement in hand where consumer team are not able to provide IPs for access control and they have provided URLs instead.

Please let us know, if URLs can be "allowed" in Apigee? If yes, then how?


A URL doesn't make sense as a source of traffic, so I'm guessing you probably mean a domain name instead. I can't think of any way to do this natively, but you could use a script to look up the results on a regular basis and store them in a KVM, then use the "IPs in a KVM" technique described here: https://docs.apigee.com/api-platform/reference/policies/access-control-policy#sourceaddress

Thank you Christian. I'll take your answer as "no way to do this natively" and for "IPs in a KVM" I need to know IPs corresponding to particular domain/domains.


You can use JavaScript/JavaCallout/Python with KVM to validate the same.

Yes, in an API Proxy you can insert tests for "known" inbound URIs, and you can throw a fault (return an error) for any URIs that are not in the list. For example, configure your ProxyEndpoint like this:

<ProxyEndpoint name="endpoint1">
  <HTTPProxyConnection>
    <BasePath>/allowlist-1</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>

  <FaultRules>...</FaultRules>

  <PreFlow name="PreFlow">...</PreFlow>
  <PostFlow name="PostFlow">...</PostFlow>

  <Flows>
    <Flow name="t0">
      <Request>
        ...
      </Request>
      <Response>
      </Response>
      <Condition>proxy.pathsuffix MatchesPath "/t0"</Condition>
    </Flow>

    <Flow name="t1">
      <Request>
        ...
      </Request>
      <Response>
        <Step>
          <Name>AM-ProxyFlow1</Name>
        </Step>
      </Response>
      <Condition>proxy.pathsuffix MatchesPath "/t1/*"</Condition>
    </Flow>

    <Flow name="t2">
      <Request>
      </Request>
      <Response>
      </Response>
      <Condition>proxy.pathsuffix MatchesPath "/groups/**/action"</Condition>
    </Flow>

    <!-- No Condition element: this flow catches every request not matched above -->
    <Flow name="unknown request">
      <Request>
        <Step>
          <Name>RF-UnknownRequest</Name>
        </Step>
      </Request>
      <Response>
      </Response>
    </Flow>
  </Flows>

  ...
</ProxyEndpoint>

According to the conditions, inbound requests (any verb) that arrive on

  • /allowlist-1/t0
  • /allowlist-1/t1/*
  • /allowlist-1/groups/**/action

...will be allowed. (These URIs use patterns - check the documentation for MatchesPath for more information.) All other inbound requests will receive an "Unknown request" response via the RF-UnknownRequest policy (a RaiseFault).

If you don't want to hard-code the URIs in the ProxyEndpoint, you can insert them in a KVM and use JS to check the proxy.pathsuffix against the patterns.
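As an added illustration of that last suggestion (this is example code, not from the answer above or from Apigee), the JavaScript below checks a path suffix against MatchesPath-style patterns that would be read from a KVM. It re-implements the pattern matching itself, with these assumed semantics: `*` matches exactly one path segment and `**` matches one or more segments; a single trailing slash is tolerated. The flow variable names `allowlist.patterns` and `allowlist.matched`, and the comma-separated storage format, are assumptions for the example; `proxy.pathsuffix` and `context.getVariable`/`setVariable` are real Apigee names. The allow list in `SAMPLE_ALLOWLIST` is constructed sample data mirroring the three patterns from the ProxyEndpoint. The code is ES5 so it also runs in Apigee's JavaScript policy runtime; outside Apigee the `context` block is skipped and the pure functions can be exercised directly.

```javascript
// Added example: default-deny allow-list check of proxy.pathsuffix against
// MatchesPath-style patterns that a KeyValueMapOperations policy would have
// copied from a KVM into a flow variable (assumed name: allowlist.patterns).

// Constructed sample allow list, stored as a comma-separated string (assumed format).
var SAMPLE_ALLOWLIST = "/t0,/t1/*,/groups/**/action";

// Escape regex metacharacters so literal segments are matched literally.
function escapeSegment(seg) {
  return seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Convert one pattern into an anchored RegExp.
// Assumed semantics: "*" = exactly one segment, "**" = one or more segments,
// optional single trailing slash on the request path.
function patternToRegExp(pattern) {
  var segments = pattern.split("/").filter(function (s) { return s !== ""; });
  var parts = segments.map(function (seg) {
    if (seg === "**") return "[^/]+(?:/[^/]+)*";
    if (seg === "*") return "[^/]+";
    return escapeSegment(seg);
  });
  return new RegExp("^/" + parts.join("/") + "/?$");
}

// Split the stored KVM value into individual patterns, dropping blanks.
function parseAllowList(raw) {
  return raw.split(",").map(function (p) { return p.trim(); }).filter(Boolean);
}

// True only when the path suffix matches at least one allowed pattern.
// Anything that does not match (including an empty suffix) is denied.
function isAllowed(pathSuffix, patterns) {
  // Collapse repeated slashes so "//t0" and "/t0" are judged the same way,
  // and refuse any ".." segment outright rather than trying to resolve it.
  var normalized = pathSuffix.replace(/\/+/g, "/");
  if (normalized.split("/").indexOf("..") !== -1) return false;
  for (var i = 0; i < patterns.length; i++) {
    if (patternToRegExp(patterns[i]).test(normalized)) return true;
  }
  return false;
}

// Inside an Apigee JavaScript policy the "context" object exists. A RaiseFault
// step placed after this policy with the condition
// allowlist.matched = false  (assumed variable name) rejects everything else.
if (typeof context !== "undefined") {
  var patterns = parseAllowList(context.getVariable("allowlist.patterns") || "");
  var suffix = context.getVariable("proxy.pathsuffix") || "";
  context.setVariable("allowlist.matched", isAllowed(suffix, patterns));
}
```

Two design points worth keeping in a real deployment: the check is default-deny, so a missing or empty KVM value allows nothing rather than everything, and the patterns are compiled on every request here for clarity; if the list is large, cache the compiled expressions or load them once per policy execution.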