Forward proxies provide a single point through which multiple machines send requests to an external server. They can enforce security policies, log and analyze requests, and perform other actions so that requests adhere to your business rules. With Edge, a forward proxy typically sits between your API proxies and an external TargetEndpoint (a backend target server).
To use an HTTP forward proxy between Edge and the TargetEndpoint, you must configure the outbound proxy settings on the Message Processors (MPs). These properties configure the MPs to route target requests from Edge to the HTTP forward proxy.
To configure an MP for forward proxying:
- On the MP, edit the following file:
  /opt/apigee/customer/application/message-processor.properties
  If the message-processor.properties file does not exist, create it.
- Edit the file to set the proxy-related properties described in the table below.
- Ensure that the properties file is owned by the 'apigee' user:
  chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
- Save your changes to the properties file.
- Restart the MP, as the following example shows:
  /opt/apigee/apigee-service/bin/apigee-service edge-message-processor restart
The following table describes the properties in the message-processor.properties file that you use to configure an MP for forward proxying to a backend server:
Property | Description |
---|---|
conf_http_HTTPClient.use.proxy | Permits forward proxy use. The default value is If you set this value to |
conf_http_HTTPClient.use.tunneling | By default Edge uses tunneling for all traffic. To disable tunneling by default, set this property to "false". |
conf/http.properties+HTTPClient.proxy.type | Specifies the type of the HTTP proxy as HTTP or HTTPS. By default, it uses "HTTP". |
conf/http.properties+HTTPClient.proxy.host | Specifies the host name or IP address where the HTTP proxy is running. |
conf/http.properties+HTTPClient.proxy.port | Specifies the port on which the HTTP proxy is running. If this property is omitted, by default it uses port 80 for HTTP and port 443 for HTTPS. |
conf/http.properties+HTTPClient.proxy.user conf/http.properties+HTTPClient.proxy.password | If the HTTP proxy requires basic authentication, then use these properties to provide authorization details. |
For example:
conf_http_HTTPClient.use.proxy=true
conf_http_HTTPClient.use.tunneling=false
conf/http.properties+HTTPClient.proxy.type=HTTP
conf/http.properties+HTTPClient.proxy.host=my.host.com
conf/http.properties+HTTPClient.proxy.port=3128
conf/http.properties+HTTPClient.proxy.user=USERNAME
conf/http.properties+HTTPClient.proxy.password=PASSWORD
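The following check is an added example, not Apigee code: it reads the properties from the table above, resolves the documented defaults (type HTTP, port 80 or 443), and lists settings a reviewer would question before restarting the MP. The function names, the finding texts, the world-readable check, and the reading of type HTTP as an unencrypted hop to the proxy are assumptions of this example.

```python
import stat

# Property names exactly as they appear in the table on this page.
USE_PROXY = "conf_http_HTTPClient.use.proxy"
PREFIX = "conf/http.properties+HTTPClient.proxy."
DEFAULT_PORT = {"HTTP": 80, "HTTPS": 443}  # defaults stated in the table

# The page's own example values, embedded so the check runs offline.
SAMPLE = """\
conf_http_HTTPClient.use.proxy=true
conf_http_HTTPClient.use.tunneling=false
conf/http.properties+HTTPClient.proxy.type=HTTP
conf/http.properties+HTTPClient.proxy.host=my.host.com
conf/http.properties+HTTPClient.proxy.port=3128
conf/http.properties+HTTPClient.proxy.user=USERNAME
conf/http.properties+HTTPClient.proxy.password=PASSWORD
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text, mode=None, owner=None):
    """Return (effective settings, findings). mode is the file's st_mode and
    owner its user name; pass None to skip the file-metadata checks."""
    p, findings = parse_properties(text), []
    if p.get(USE_PROXY, "").lower() != "true":
        return None, findings  # forward proxying is not switched on in this file
    ptype = p.get(PREFIX + "type", "HTTP").upper()
    host, raw_port = p.get(PREFIX + "host"), p.get(PREFIX + "port", "")
    user, password = p.get(PREFIX + "user"), p.get(PREFIX + "password")
    port = int(raw_port) if raw_port.isdecimal() else DEFAULT_PORT.get(ptype)
    if ptype not in DEFAULT_PORT:
        findings.append("proxy.type is neither HTTP nor HTTPS")
    if raw_port and not raw_port.isdecimal():
        findings.append("proxy.port is not a number")
    if not host:
        findings.append("use.proxy=true but proxy.host is not set")
    if bool(user) != bool(password):
        findings.append("proxy.user and proxy.password must be set together")
    if password and ptype == "HTTP":  # assumption: HTTP means an unencrypted hop
        findings.append("basic-auth credentials cross to the proxy unencrypted")
    if password and mode is not None and mode & stat.S_IROTH:
        findings.append("file stores proxy.password but is world-readable")
    if owner is not None and owner != "apigee":
        findings.append("file is not owned by the 'apigee' user")
    return {"type": ptype, "host": host, "port": port, "auth": bool(user)}, findings
```

On an MP, pass the file's contents together with `os.stat(path).st_mode` and the owning user's name to include the ownership and permission checks.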
If forward proxying is configured for the MP, then all traffic going from API proxies to backend targets goes through the specified HTTP forward proxy. If the traffic for a specific target of an API proxy should go directly to the backend target, bypassing the forward proxy, then set the following property in the TargetEndpoint to override the HTTP forward proxy:
<Property name="use.proxy">false</Property>
For more information on setting the TargetEndpoint properties, including how to configure the connection to the target endpoint, see Endpoint properties reference.
To disable forward proxying for all targets by default, set the following property in your message-processor.properties file:
conf_http_HTTPClient.use.proxy=false
Then set use.proxy to "true" for any TargetEndpoint that you want to go through an HTTP forward proxy:
<Property name="use.proxy">true</Property>
By default Edge uses tunneling for the traffic to the proxy. To disable tunneling by default, set the following property in the message-processor.properties file:
conf_http_HTTPClient.use.tunneling=false
If you want to disable tunneling for a specific target, then set the use.proxy.tunneling property in the TargetEndpoint. If the target uses TLS/SSL, then this property is ignored, and the message is always sent via a tunnel:
<Property name="use.proxy.tunneling">false</Property>
For Edge itself to act as the forward proxy - receiving requests from the backend services and routing them to the internet outside of the enterprise - first set up an API proxy on Edge. The backend service can then make a request to the API proxy, which can then connect to external services.