HTTP 304 response in trace session

Symptom

In Edge for the Private Cloud, when tracing an API in the Edge UI, you see an HTTP 304 response in the Status column of the trace window:

Error messages

There are no error messages - the API proxy call actually returns a success response, such as an HTTP 200. However, the trace window in the Edge UI displays an HTTP 304 response and no trace data is collected.

Possible causes

In Edge for the Private Cloud, the Edge UI is attempting to trace an API proxy accessed by a private IP address.

The trace tool in the Edge UI has the ability to send API request to any URL. In a deployment scenario where the Edge UI is co-hosted with other internal services, a malicious user might misuse the trace tool to make requests to services through a private IP address, such as localhost or 127.0.0.1.

In a production environment, you typically leave the default as is to prevent users from being able to trace a private IP address. For example, that is how the public version of the Edge UI is deployed.

However, for an internal development or testing environment, you can override this default to allow your API developers to trace any IP address. Typically, a development/testing environment is behind a firewall that does not allow public access.

Note: As a best practice, you should leave the default as is to prevent trace access to private IP addresses, even in a development/testing environment, unless you run into a situation where you have to enable it.

Cause: Attempting to access an API proxy through a private IP address

By default, the Edge UI for Edge for the Private Cloud prevents users from tracing API calls made through private IP addresses. The list of private IP addresses includes:

  • Loopback address (127.0.0.1 or localhost)
  • Site-local addresses (For IPv4 - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Any local address (any address resolving to localhost)

For example, the following curl command makes a call to an API proxy by using an IP address of 127.0.0.1, which is considered to be a private IP address:

curl http://127.0.0.1:9001/myapiproxy

In the trace window for this call, you see an HTTP 304 response even if the curl command returned success.

Resolution

To enable the Edge UI to trace private IP addresses for Edge for the Private Cloud, set the following token in ui.properties:

conf_apigee-base_apigee.feature.enabletraceforinternaladdresses="true"

To set this property:

  1. Open the ui.properties file in an editor. If the file does not exist, create it.
    vi /opt/apigee/customer/application/ui.properties
  2. Set the following properties to true:
    conf_apigee-base_apigee.feature.enabletraceforinternaladdresses="true"
  3. Save your changes to ui.properties.
  4. Make sure the properties file is owned by the 'apigee' user:
    chown apigee:apigee /opt/apigee/customer/application/ui.properties
  5. Restart the Edge UI:
    /opt/apigee/apigee-service/bin/apigee-service edge-ui restart

The Edge UI can now access private IP addresses in the trace tool.

To later disable the UI from tracing requests through private IP addresses, edit ui.properties to set the property to false and then restart the Edge UI.

Related documents (Optional)

For more, see Allowing the Edge UI Access to Local IP Addresses.