Understanding Edge support for Node.js modules

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation. info

Private Cloud Deprecation Notice:

Support for Node.js proxies and secure vaults

Since 2013, Apigee has supported the use of Node.js proxies within Apigee Edge through the use of Trireme, which enables you to run your Node.js code within Apigee Edge for Private Cloud and expose it as an API.

Apigee recommends Private Cloud customers take the following steps:

Migrate data in secure vaults to Encrypted Key Value Maps (KVM) to access sensitive data from an API proxy.
Migrate Trireme (Node.js) based API proxies to a native Node.js environment outside of Apigee.

What version of Node.js is supported on Apigee Edge?

Edge currently supports Node.js 0.10.32.

Which standard Node.js modules are supported on Edge?

Use the following table to determine which standard Node.js modules are included on Edge. In some cases, included modules are only partially supported. These are modules that are built-in to Node.js.

Module	Status	Notes
`assert`	Supported
`buffer`	Supported
`child_process`	Restricted	An exception will be thrown if an attempt is made to spawn a sub-process. However, "fork" is supported for spawning sub-scripts.
`cluster`	Disabled	The method cluster.isMaster always returns true, and other methods are not implemented. One copy of each Node.js script is deployed to each Edge message processor.
`crypto`	Supported
`dns`	Supported
`domain`	Supported
`dgram`	Restricted	Node.js applications in the Apigee environment will not be able to access services on the Internet via UDP due to our network architecture.
`events`	Supported
`fs`	Restricted	Filesystem access is restricted to the directory where the script was launched: the `/resources/node` directory. Node.js scripts may read and write files within this directory, for instance as a temporary scratch area, but there are no guarantees as to how long the files will persist.
`http`	Supported	The virtual host and path for incoming requests is specified in the API Proxy, not by the HTTP module. See "Understanding support for the http and https modules" for more information.
`https`	Supported	Creating an "https" server behaves identically to an "http" server. See "Understanding support for the http and https modules" for more information.
`module`	Supported
`net`	Restricted	Attempts to listen for incoming TCP connections will generate an exception.
`path`	Supported
`module`	Supported
`process`	Partial support	Functionality to manipulate user ID, group membership, and working directory is not supported.
`punycode`	Supported
`querystring`	Supported
`readline`	Disabled	There is no standard input for scripts running on Apigee Edge.
`repl`	Disabled	There is no standard input for scripts running on Apigee Edge.
`module`	Included
`STDIO`	Supported	Standard output and error are routed to a log file within the Apigee Edge infrastructure. You can view these logs by clicking the Node.js Logs button in and Apigee Edge management UI for your API proxy. There is no standard input for scripts running on Apigee Edge. However, you can pass arguments using the ScriptTarget element of TargetEndpoint. See Advanced ScriptTarget configuration for more information.
`stream`	Supported
`string_decoder`	Supported
`timers`	Included
`tls`	Supported	Transport Layer Security (TLS) parameters work basically the same way they work in regular Node.js. See Using the TLS (SSL) Node.js module on Apigee Edge for details.
`tty`	Disabled	There is no standard input for scripts running on Apigee Edge.
`url`	Supported
`util`	Supported
`vm`	Supported
`zlib`	Supported

Additional supported modules

This section lists additional modules that are not supported in standard Node.js, but are supported by Trireme and Trireme running on Apigee Edge. Trireme is the open-source Node.js container that runs on Apigee Edge. It is designed to run Node.js scripts inside a Java Virtual Machine (JVM). All of these modules are available on NPM.

Module	Description
apigee-access	Allows Node.js applications running on the Apigee Edge platform a way to access Apigee-specific functionality. You can use this module to: access and modify flow variables, retrieve data from the secure store, and use Edge cache, quota, and OAuth services. See also Using the apigee-access module.
trireme-support	Lets Node.js applications take advantage of features specific to Trireme. Currently there is only one feature supported -- loading Node.js modules built in Java. Note: loadJars is not supported in Edge Cloud.
trireme-xslt	Presents an abstraction of XLST processing. It is specifically designed for the Trireme platform to allow efficient processing of XSLT when Node.js applications are run on Java.
trireme-jdbc	Provides access to JDBC from Node.js. Note: Unsupported in Edge Cloud. For Edge Private Cloud, you can put JDPC JAR files in the class path and use this module.

Support for commonly used Node.js modules

Restrictions on Node.js scripts

Note, however, that Edge imposes certain restrictions on Node.js scripts, such as the following:

Node.js applications in the Apigee Edge environment cannot access services on the Internet via UDP because of the Edge network architecture.

Filesystem access is restricted to the directory where the Node.js script was launched: the /resources/node directory. Node.js scripts can read and write files within this directory, for instance as a temporary scratch area, but there are no guarantees as to how long the files will persist.

Attempts to listen for incoming TCP connections generate an exception.

Functionality to manipulate user ID, group membership, and working directory is not supported.

For standard input, you are limited to passing arguments using the ScriptTarget element of TargetEndpoint. See Advanced ScriptTarget configuration for more information.
For standard output, you are limited to using the Node.js Logs button in the Edge management UI for your proxy. You can also use the "apigeetool getlogs" command. For more information, see Deploying a standalone Node.js app.
Modules that depend on native code are not supported.
Modules that depend on EcmaScript 6 features, such as Promises and Generators, are not supported.
The Node.js runtime flags such as "harmony-proxies" are not supported.

Setting IP connection restrictions on Edge for Private Cloud

Edge for Private Cloud can restrict Node.js code from accessing IP addresses starting with “10.", "192.168", and localhost. If you attempt to access these IP addresses, you will see an error in the form:

{ [Error: connect EINVAL] message: 'connect EINVAL', code: 'EINVAL', errno: 'EINVAL', syscall: 'connect' }

You can modify these restrictions by setting the conf_nodejs_connect.ranges.denied property in the message-processors.properties file for each Message Processor. By default, this property has the value:

Edge 4.17.05 and earlier: conf_nodejs_connect.ranges.denied=10.0.0.0/8,192.168.0.0/16,127.0.0.1/32
Edge 4.17.09 and later: conf_nodejs_connect.ranges.denied= (meaning no restrictions)

To set this property:

Open the message-processor.properties file in an editor. If the file does not exist, create it:
> vi /<inst_root>/apigee/customer/application/message-processor.properties
Set the property as desired. For example, to deny access to only localhost:
conf_nodejs_connect.ranges.denied=127.0.0.1/32
Save your changes.
Make sure the properties file is owned by the 'apigee' user:
> chown apigee:apigee /<inst_root>/apigee/customer/application/message-processor.properties
Restart the Message Processor:
> /<inst_root>/apigee/apigee-service/bin/apigee-service edge-message-processor restart

Understanding support for the http and https modules

All Node.js applications running in Apigee Edge must use the http or https module to listen for incoming requests. If you were to deploy a script that doesn't listen for incoming requests, it would simply execute and exit.

The listen method of the http and https modules in Node.js takes a port number as a parameter. For example:

svr.listen(process.env.PORT || 9000, function() {
   console.log('The server is running.');
});

This "port" argument is required in Node.js, but Apigee Edge ignores this parameter. Instead, the API proxy in which the Node.js script runs specifies the "virtual host" that it listens on, and the Node.js application uses those same virtual hosts, just like any other Apigee Edge proxy.

Every environment in Apigee has at least one virtual host. The virtual host defines the HTTP settings for connection with the Apigee organization. All API proxies in an environment share the same virtual hosts. By default, two virtual hosts are available for each environment: default and secure. For more information, see Get Virtual Host and API development lifecycle.

The apigeetool deploynodeapp command generates an Apigee Edge proxy wrapper around the Node.js application. When deployed, the Node.js application listens on the default virtual host defined for the environment. The URL for a Node.js application will always be http://{org_name}-{env_name}.apigee.net.

Handling incoming requests

Like other Apigee Edge applications, if the proxy application is set up to listen on the secure virtual host, then it will accept incoming requests using HTTPS.

Handling outgoing requests

In addition to receiving incoming traffic, Node.js applications inside Apigee Edge may use the http and https modules to make outbound requests like any other Node.js application. These modules work just as they always do inside Node.js.

Understanding support for the tls module

Apigee Edge supports the Node.js tls module. This module uses OpenSSL to provide Transport Layer Security (TLS) and/or Secure Socket Layer (SSL) encrypted stream communication. You can use the tls module to create secure connections to backend services from Node.js applications running on Edge.

To understand how the tls module works on Apigee Edge, it's important to understand how virtual hosts are used on Apigee Edge. Every environment in Apigee has at least one virtual host. The virtual host defines the HTTP settings for connection with the Apigee organization. All API proxies in an environment share the same virtual hosts. By default, two virtual hosts are available for each environment: default and secure. For more information on virtual hosts, see Get Virtual Host and API development lifecycle.

Now, let's look at how Apigee Edge handles TLS (SSL) communication for incoming and outgoing requests on Node.js applications:

Handling incoming requests

Depending on how virtual hosts are configured for your organization, Edge provides these options:

If the API proxy is configured to listen on the default virtual host, then it accepts requests over HTTP.
If the API proxy is configured to listen on the secure virtual host, then it accepts requests over HTTPS. The URL will be under the apigee.net domain, and a wildcard SSL certificate for *.apigee.net will be used. As long as apps make requests to the apigee.net domain, then the SSL certificate will validate normally.

Handling outgoing requests

You can make outgoing requests with the tls module the same way you would normally in Node.js. Basically, you need to add client-side keys and certificates (.pem files) to the resources/node directory and load them inside your script. For information on using the tls module and its methods, see the Node.js tls module documentation.

Advanced ScriptTarget Configuration

In the <TargetEndpoint> definition, the <ScriptTarget> element takes additional optional parameters besides <ResourceURL>. You can also pass command-line arguments and environment variables to a Node.js script using the <EnvironmentVariables> and <Arguments> parameters:

<TargetEndpoint name="default">
  <ScriptTarget>
     <ResourceURL>node://hello.js</ResourceURL>
     <EnvironmentVariables>
         <EnvironmentVariable name="NAME">VALUE</EnvironmentVariable> 
     </EnvironmentVariables>
     <Arguments>
         <Argument>ARG</Argument>
     </Arguments>
  </ScriptTarget>
</TargetEndpoint>

Tip: You can get a listing of all environment variables that are set when a Node.js app starts up on Edge by executing this line of code in your Node.js server:
console.log('environment variables: ' + JSON.stringify(process.env));

Variables set include APIGEE_ORGANIZATION and APIGEE_ENVIRONMENT. For example (actual values are omitted):

{
  "TERM": "",
  "JAVA_HOME": "",
  "SHLVL": "",
  "XFILESEARCHPATH": "",
  "APIGEE_HOME": "",
  "microkernel_overrideTokenFolder": "",
  "working_dir": "",
  "microkernel_host": "",
  "PWD": "",
  "microkernel_overrideTokenDirs": "",
  "LOGNAME": "",
  "_APIGEE_APP_ID": "",
  "_": "",
  "microkernel_defaultTokenFolder": "",
  "NLSPATH": "",
  "microkernel_timeout": "",
  "SHELL": "",
  "TMPDIR": ""
  "microkernel_hasMonetization": "",
  "USE_TOKENIZED_CONFIG": "",
  "microkernel_org": "",
  "PATH": "",
  "microkernel_application": "",
  "microkernel_installType": "",
  "microkernel_instanceType": "",
  "USER": "",
  "HOME": "",
  "APIGEE_ORGANIZATION": "",
  "CONFIG_UTIL_HOME": "",
  "microkernel_pod": "",
  "APIGEE_ENVIRONMENT": "",
  "microkernel_defaultTokenDirs": "",
  "microkernel_region": "",
  "LANG": ""
}