Edit in GitHubLog an issue

Configuring a Secure Proxy

Runtime does not expose egress IPs due to security reasons. If a customer needs a way to secure the communication with their downstream services using IP whitelisting, they can use a proxy in between their backend service and I/O Runtime.

This can be done by the addition of a proxy component (in this example, an AWS EC2 instance running nginx). The proxy component will have a fixed IP address, therefore enabling the use of an IP allowlist to secure your backend service. The communication between I/O Runtime and the proxy component will be secured via mutual TLS (mTLS) communication.

configure proxy

The following steps outline how to:

  • Configure the NGINX proxy component to support mutual TLS (mTLS)
  • Configure an AppBuilder action to use mTLS to securely communicate with the proxy component

Prerequisite: An EC2 instance with NGINX installed. The official NGINX documentation has more information.

  1. Verify SSH connectivity to the EC2 instance. (screenshot of terminal/template cmd)

    Copied to your clipboard
    ssh -i <your-key.pem> ec2-user@<EC2-IPAddress>

  2. Generate certificates needed for mTLS (link out to example-mtls project for generating secrets)

    • Generate mtls_server.key/.crt
      Copied to your clipboard
      openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout mtls_server.key -out mtls_server.crt
    • Generate mtls_client.key/.crt
      Copied to your clipboard
      openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout mtls_client.key -out mtls_client.crt

  3. Use the referenced file mtls.conf.example and replace DESTINATION_HOST with the final destination you would like to proxy to. For example, if your target host is api.myhost.com you would search for the following line

    Copied to your clipboard
    proxy_pass https://DESTINATION_HOST

    and replace it such that it looks like 

    Copied to your clipboard
    proxy_pass https://api.myhost.com

    Save the resulting file locally as mtls.conf (in the same folder as your certificates).

  4. Copy sample NGINX configuration to EC2 instance with updated placeholder details. (terminal screenshots for scp cmds)

    1. First copy files to home folder
      Copied to your clipboard
      scp -i <your-key.pem> mtls_server.key mtls_server.crt mtls_client.key mtls_client.crt mtls.conf ec2-user@<EC2-IPAddress>:~/
    2. Then move them into place (while connected via SSH to the ec2 instance)
      Copied to your clipboard
      sudo mv ~/mtls* /etc/nginx/conf.d/

  5. Restart nginx

  6. Verify you can connect via curl locally from the ec2 instance

    Copied to your clipboard
    $ curl -ki --cert /etc/nginx/conf.d/mtls_client.crt --key /etc/nginx/conf.d/mtls_client.key https://localhost/
    • (Optional) Create an AMI from your running AWS instance in order to preserve your changes.

  7. In your AppBuilder app, you will need to make changes to wire the mTLS client key and certificate

    • .env: Add the following lines with paths to your mtls client certificate files.
      Copied to your clipboard
      ## Support mTLS
      __AIO_MTLS_CERT=(cat /path/to/mtls_client.crt)
      __AIO_MTLS_KEY=(cat /path/to/mtls_client.key)
    • app.config.yaml: Add the following default parameters pointing to the environment variables.
      Copied to your clipboard
      inputs:
          __AIO_MTLS_CERT: $__AIO_MTLS_CERT
          __AIO_MTLS_KEY: $__AIO_MTLS_KEY

  8. In your action code, you can reference these environment variables when making an HTTP request to the proxy component (replace the PROXY_ENDPOINT with your AWS EC2 hostname/IP)

    Copied to your clipboard
    // configure the client side of mTLS
    const options = {
        cert: params.__AIO_MTLS_CERT,
        key:  params.__AIO_MTLS_KEY,
        rejectUnauthorized: false, // in test, if you're working with self-signed certificates
        keepAlive: false, // switch to true if you're making a lot of calls from this client
    };
    

    const sslConfiguredAgent = new https.Agent(options);
    

    try {
        // Replace the `PROXY_ENDPOINT` with your AWS EC2 hostname/IP
        const url = "https://PROXY_ENDPOINT/path/to/resource?param=value"
    

        console.log(`Making call to: [${url}]`);
        // make the request just as you would normally ...
        const response = await fetch(url, {
        agent: sslConfiguredAgent, // ... but add the agent we initialised
        });
    

        const responseBody = await response.text();
    

        // handle the response as you would see fit
        console.log(responseBody);
        return { statusCode: 200, body: { resp: responseBody }};
    } catch (error) {
        // return the error
        console.log(error);
        return { statusCode: 418, body: { error: error }};
    }

  9. Deploy your application to I/O Runtime via aio app deploy and test out the setup by invoking your action.

Kanika Gera
Last updated 4/21/2023
Was this helpful?

Community

Support

Adobe Developer

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.