Configure forward proxying

Forward proxies provide a single point through which multiple machines send requests to an external server. They can enforce security policies, log and analyze requests, and perform other actions so that requests adhere to your business rules. With Edge, a forward proxy typically intermediates your API proxies and an external TargetEndpoint (a backend target server).

To use an HTTP forward proxy between Edge and the TargetEndpoint, you must configure the outbound proxy settings on the Message Processors (MPs). These properties configure the MPs to route target requests from Edge to the HTTP forward proxy.

To configure an MP for forwarding proxying:

1. On the MP, edit the following file:

   /opt/apigee/customer/application/message-processor.properties

   If the message-processor.properties file does not exist, create it.

2. Edit the file to set the proxy-related properties described in the table below.
3. Ensure that the properties file is owned by the 'apigee' user:

   chown apigee:apigee /opt/apigee/customer/application/message-processor.properties

4. Save your changes to the properties file.
5. Restart the MP, as the following example shows:

   /opt/apigee/apigee-service/bin/apigee-service edge-message-processor restart

The following table describes the properties in the message-processor.properties file that you use to configure an MP for forward proxying to a backend server:

conf_http_HTTPClient.use.proxy

conf_http_HTTPClient.use.tunneling

use.proxy.host.header.with.target.uri

<HTTPTargetConnection>
    <Properties>
        <Property name="use.proxy.host.
         header.with.target.uri">true
        </Property>
    </Properties>
    <URL>https://mocktarget.apigee.net/
     my-target</URL>
</HTTPTargetConnection>

conf/http.properties+HTTPClient.proxy.type

conf/http.properties+HTTPClient.proxy.host

conf/http.properties+HTTPClient.proxy.port

conf/http.properties+HTTPClient.proxy.user
conf/http.properties+HTTPClient.proxy.password

For example:

conf_http_HTTPClient.use.proxy=true
conf_http_HTTPClient.use.tunneling=false
conf/http.properties+HTTPClient.proxy.type=HTTP
conf/http.properties+HTTPClient.proxy.host=my.host.com
conf/http.properties+HTTPClient.proxy.port=3128
conf/http.properties+HTTPClient.proxy.user=USERNAME
conf/http.properties+HTTPClient.proxy.password=PASSWORD

If forward proxying is configured for the MP, then all traffic going from API proxies to backend targets goes through the specified HTTP forward proxy. If the traffic for a specific target of an API proxy should go directly to the backend target, bypassing the forward proxy, then set the following property in the TargetEndpoint to override the HTTP forward proxy:

<Property name="use.proxy">false</Property>

For more information on setting the TargetEndpoint properties, including how to configure the connection to the target endpoint, see Endpoint properties reference.

To disable forward proxying for all targets by default, set the following property in your message-processor.properties file:

conf_http_HTTPClient.use.proxy=false

Then set use.proxy to "true" for any TargetEndpoint that you want to go through an HTTP forward proxy:

<Property name="use.proxy">true</Property>

By default Edge uses tunneling for the traffic to the proxy. To disable tunneling by default, set the following property in the message-processor.properties file:

conf_http_HTTPClient.use.tunneling=false

If you want to disable tunneling for a specific target, then set the use.proxy.tunneling property in the TargetEndpoint. If the target uses TLS/SSL, then this property is ignored, and the message is always sent via a tunnel:

<Property name="use.proxy.tunneling">false</Property>

For Edge itself to act as the forward proxy - receiving requests from the backend services and routing them to the internet outside of the enterprise - first set up an API proxy on Edge. The backend service can then make a request to the API proxy, which can then connect to external services.