Edge for Private Cloud v4.18.05
There are several places where the Edge UI might attempt to access a local IP address. These local IP address might correspond to private or otherwise protected resources that should not be exposed to external users:
- The Trace tool in the Edge UI has the ability to send and receive API request to any specified URL. In certain deployment scenarios where Edge components are co-hosted with other internal services, a malicious user may misuse the power of the Trace tool by making requests to private IP addresses.
- When creating an API proxy from an OpenAPI specification, the specification describes such elements of an API as its base path, paths and verbs, headers, and more. As part of the spec, a malicious user can specify a base path of the proxy that refers to a private IP address.
- When creating an API proxy from a WSDL file located on your local file system.
For security reasons, by default, the Edge UI is prevented from referencing private IP addresses. The list of private IP addresses includes:
- Loopback address (127.0.0.1 or localhost)
- Site-Local Addresses (For IPv4 - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Any Local Address (any address resolving to localhost).
If you want to enable the Edge UI to access private IP addresses, set the following tokens:
- For the Trace tool, the
conf_apigee-base_apigee.feature.enabletraceforinternaladdressesproperty is disabled by default. Set it to true to enable the Trace tool access to private IP addresses.
- For OpenAPI specs, the
conf_apigee-base_apigee.feature.enableopenapiforinternaladdressesproperty is disabled by default. Set it to true to enable an OpenAPI access to private IP addresses.
- For WSDL files, the
conf_apigee-base_apigee.feature.enablewsdlforinternaladdressesproperty is disabled by default. Set it to true to enable the upload of a WSDL file from private IP addresses.
To set these properties to true:
- Open the
ui.propertiesfile in an editor. If the file does not exist, create it.
- Set the following properties to true:
conf_apigee-base_apigee.feature.enabletraceforinternaladdresses="true" conf_apigee-base_apigee.feature.enableopenapiforinternaladdresses="true" conf_apigee-base_apigee.feature.enablewsdlforinternaladdresses="true"
- Save your changes to
- Make sure the properties file is owned by the 'apigee' user:
chown apigee:apigee /opt/apigee/customer/application/ui.properties
- Restart the Edge UI:
/opt/apigee/apigee-service/bin/apigee-service edge-ui restart
The Edge UI can now access local IP addresses.