Configure forward proxying

Forward proxies provide a single point through which multiple machines send requests to an external server. They can enforce security policies, log and analyze requests, and perform other actions so that requests adhere to your business rules. With Edge, a forward proxy typically sits between your API proxies and an external TargetEndpoint (a backend target server).

To use an HTTP forward proxy between Edge and the TargetEndpoint, you must configure the outbound proxy settings on the Message Processors (MPs). These properties configure the MPs to route target requests from Edge to the HTTP forward proxy.

To configure an MP for forward proxying:

  1. On the MP, edit the following file:
    /opt/apigee/customer/application/message-processor.properties

    If the message-processor.properties file does not exist, create it.

  2. Edit the file to set the proxy-related properties described in the table below.
  3. Ensure that the properties file is owned by the 'apigee' user:
    chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
  4. Save your changes to the properties file.
  5. Restart the MP, as the following example shows:
    /opt/apigee/apigee-service/bin/apigee-service edge-message-processor restart

The following table describes the properties in the message-processor.properties file that you use to configure an MP for forward proxying to a backend server:

| Property | Description |
| --- | --- |
| conf_http_HTTPClient.use.proxy | Permits forward proxy use. The default value is true, which means that you can use a forward proxy at the API proxy layer by including the relevant XML in your bundle configuration. If you set this value to false, then you cannot use a forward proxy. |
| conf_http_HTTPClient.use.tunneling | By default Edge uses tunneling for all traffic. To disable tunneling by default, set this property to "false". |
| conf/http.properties+HTTPClient.proxy.type | Specifies the type of the HTTP proxy as HTTP or HTTPS. By default, it uses "HTTP". |
| conf/http.properties+HTTPClient.proxy.host | Specifies the host name or IP address where the HTTP proxy is running. |
| conf/http.properties+HTTPClient.proxy.port | Specifies the port on which the HTTP proxy is running. If this property is omitted, by default it uses port 80 for HTTP and port 443 for HTTPS. |
| conf/http.properties+HTTPClient.proxy.user<br>conf/http.properties+HTTPClient.proxy.password | If the HTTP proxy requires basic authentication, then use these properties to provide authorization details. |

For example:

conf_http_HTTPClient.use.proxy=true
conf_http_HTTPClient.use.tunneling=false
conf/http.properties+HTTPClient.proxy.type=HTTP
conf/http.properties+HTTPClient.proxy.host=my.host.com
conf/http.properties+HTTPClient.proxy.port=3128
conf/http.properties+HTTPClient.proxy.user=USERNAME
conf/http.properties+HTTPClient.proxy.password=PASSWORD

If forward proxying is configured for the MP, then all traffic going from API proxies to backend targets goes through the specified HTTP forward proxy. If the traffic for a specific target of an API proxy should go directly to the backend target, bypassing the forward proxy, then set the following property in the TargetEndpoint to override the HTTP forward proxy:

<Property name="use.proxy">false</Property>

For more information on setting the TargetEndpoint properties, including how to configure the connection to the target endpoint, see Endpoint properties reference.

To disable forward proxying for all targets by default, set the following property in your message-processor.properties file:

conf_http_HTTPClient.use.proxy=false

Then set use.proxy to "true" for any TargetEndpoint that you want to go through an HTTP forward proxy:

<Property name="use.proxy">true</Property>

By default Edge uses tunneling for the traffic to the proxy. To disable tunneling by default, set the following property in the message-processor.properties file:

conf_http_HTTPClient.use.tunneling=false

If you want to disable tunneling for a specific target, then set the use.proxy.tunneling property in the TargetEndpoint. If the target uses TLS/SSL, then this property is ignored, and the message is always sent via a tunnel:

<Property name="use.proxy.tunneling">false</Property>
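The routing rules above, collected into one check, as an added example that is not Apigee's code: for each TargetEndpoint it resolves whether traffic goes through the forward proxy or directly to the backend, and whether it is tunneled, so targets that bypass the proxy can be listed during a review. The function names, the sample targets, detecting TLS from an https:// URL, and treating an unset proxy.host as "no forward proxy configured" are assumptions.

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse key=value lines from message-processor.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def as_bool(value, default):
    """Interpret "true"/"false"; fall back to the default when unset."""
    return default if value is None else value.strip().lower() == "true"

def effective_route(mp_props, target_xml):
    """Return (route, tunneled) for one TargetEndpoint definition."""
    root = ET.fromstring(target_xml)
    overrides = {p.get("name"): p.text or "" for p in root.iter("Property")}
    url = (root.findtext(".//URL") or "").strip()
    tls = url.lower().startswith("https://")
    # Assumption: with no proxy.host set, forward proxying is not configured.
    host = mp_props.get("conf/http.properties+HTTPClient.proxy.host")
    mp_proxy = as_bool(mp_props.get("conf_http_HTTPClient.use.proxy"), True)
    if not host or not as_bool(overrides.get("use.proxy"), mp_proxy):
        return ("direct", False)
    mp_tunnel = as_bool(mp_props.get("conf_http_HTTPClient.use.tunneling"), True)
    # TLS targets are always tunneled; the tunneling setting is ignored for them.
    return ("proxy", tls or as_bool(overrides.get("use.proxy.tunneling"), mp_tunnel))

def bypassing_targets(mp_props, targets):
    """Names of targets whose traffic does not traverse the forward proxy."""
    return sorted(n for n, x in targets.items() if effective_route(mp_props, x)[0] == "direct")

# Constructed sample input: the page's example properties plus three made-up targets.
SAMPLE_MP = parse_properties("""conf_http_HTTPClient.use.proxy=true
conf_http_HTTPClient.use.tunneling=false
conf/http.properties+HTTPClient.proxy.host=my.host.com
conf/http.properties+HTTPClient.proxy.port=3128""")
WRAP = "<TargetEndpoint><HTTPTargetConnection><Properties>%s</Properties><URL>%s</URL></HTTPTargetConnection></TargetEndpoint>"
SAMPLE_TARGETS = {
    "billing": WRAP % ("", "https://billing.example.com/v1"),
    "legacy": WRAP % ("", "http://legacy.example.com/api"),
    "partner": WRAP % ('<Property name="use.proxy">false</Property>', "http://partner.example.com"),
}

if __name__ == "__main__":
    for name, xml in sorted(SAMPLE_TARGETS.items()):
        print(name, effective_route(SAMPLE_MP, xml))
```

A target reported as "direct" sends its requests around the forward proxy's policy enforcement and logging, so each such override is worth confirming as intentional.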

For Edge itself to act as the forward proxy - receiving requests from the backend services and routing them to the internet outside of the enterprise - first set up an API proxy on Edge. The backend service can then make a request to the API proxy, which can then connect to external services.