
Allowing the Edge UI Access to Local IP Addresses

Edge for Private Cloud v. 4.17.01

There are several places where the Edge UI attempts to access a local IP address:

  • The Trace tool in the Edge UI can send API requests to, and receive responses from, any specified URL. In deployment scenarios where Edge components are co-hosted with other internal services, a malicious user may misuse the Trace tool by making requests to private IP addresses.
  • When creating an API proxy from an OpenAPI specification, the specification describes such elements of an API as its base path, paths and verbs, headers, and more. As part of the spec, you can specify a base path of the proxy that refers to a private IP address. 
  • When creating an API proxy from a WSDL file located on your local file system.

By default, the Edge UI is prevented from referencing private IP addresses. The list of private IP addresses includes:

  • Loopback address (127.0.0.1 or localhost)
  • Site-Local Addresses (For IPv4 - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Any Local Address (any address resolving to localhost).

If you want to enable the Edge UI to access private IP addresses, set the following tokens: 

  • For the Trace tool, the conf_apigee-base_apigee.feature.enabletraceforinternaladdresses property is disabled by default. Set it to true to give the Trace tool access to private IP addresses.
  • For OpenAPI specs, the conf_apigee-base_apigee.feature.enableopenapiforinternaladdresses property is disabled by default. Set it to true to give OpenAPI specs access to private IP addresses. Requires Edge 4.16.09.01. See 4.16.09.01 - Edge for Private Cloud release notes for more.
  • For WSDL files, the conf_apigee-base_apigee.feature.enablewsdlforinternaladdresses property is disabled by default. Set it to true to enable the upload of a WSDL file from private IP addresses. 

If the Apigee Routers are reachable only over the above private IP ranges, Apigee recommends that you set the conf_apigee-base_apigee.feature.enabletraceforinternaladdresses property to true.

To set these properties to true:

  1. Open the ui.properties file in an editor. If the file does not exist, create it.
    > vi /<inst_root>/apigee/customer/application/ui.properties
  2. Set the following properties to true:
    conf_apigee-base_apigee.feature.enabletraceforinternaladdresses="true"
    conf_apigee-base_apigee.feature.enableopenapiforinternaladdresses="true"
    conf_apigee-base_apigee.feature.enablewsdlforinternaladdresses="true"
  3. Save your changes to ui.properties.
  4. Restart the Edge UI:
    > /<inst_root>/apigee/apigee-service/bin/apigee-service edge-ui restart

The Edge UI can now access local IP addresses.
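
To review which of these overrides are active on a host, the following added example (not part of the original Apigee documentation) reports the state of the three properties in a ui.properties file. The function names are hypothetical, and the parsing rules are assumptions: simple key=value lines with optional double quotes, the last assignment wins, and values are compared case-insensitively.

```shell
#!/bin/sh
# Added example: report which private-address overrides are enabled in ui.properties.
# Property names are taken from the page; parsing rules below are assumptions.
PROPS="conf_apigee-base_apigee.feature.enabletraceforinternaladdresses
conf_apigee-base_apigee.feature.enableopenapiforinternaladdresses
conf_apigee-base_apigee.feature.enablewsdlforinternaladdresses"

# prop_value FILE KEY: print the lower-cased value of KEY, or nothing if unset.
# Assumptions: key=value lines, optional double quotes, last assignment wins.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                       # skip comment lines
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)           # trim the key
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)       # trim spaces, quotes, CR
            if (k == key) val = v
        }
        END { print tolower(val) }
    ' "$1"
}

# audit_ui_properties FILE: print "ENABLED <prop>" or "disabled <prop>" per property.
# A missing file or missing property counts as disabled (the documented default).
audit_ui_properties() {
    for p in $PROPS; do
        if [ -f "$1" ] && [ "$(prop_value "$1" "$p")" = "true" ]; then
            echo "ENABLED  $p"
        else
            echo "disabled $p"
        fi
    done
}

# Constructed sample input, not taken from a real installation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example
conf_apigee-base_apigee.feature.enabletraceforinternaladdresses="true"
conf_apigee-base_apigee.feature.enablewsdlforinternaladdresses = "false"
EOF
audit_ui_properties "$sample"
rm -f "$sample"
```

On a real installation, pass the path of the ui.properties file from step 1 to audit_ui_properties and treat any ENABLED line as a setting that needs a documented reason.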

 
