Reverse proxy configuration

Recall that the Security Proxy is essentially a reverse proxy: it serves content that is provided by other servers. It must therefore know where to find these servers.

There are two kinds of back-ends defined in the Security Proxy that need to be configured; payload encryption can optionally be applied to the traffic for each of them:

  • Token Server - Requests that are meant for the Onegini Token Server should be routed to the Onegini Token Server
  • Resource gateway - Data requests to transport (personalized) data to a mobile device must be handled by a resource gateway

Configure Onegini Token Server backend

The Security Proxy requires a Token Server instance to be configured.

For this configuration the following properties are available:

SECURITY_PROXY_BACK_END_TOKEN_SERVER_CONTEXT_ROOT
    Default: /oauth
    The context root of the Token Server.

SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_SCHEME
    Default: http
    The protocol scheme (http or https) used to communicate with the Token Server.

SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_API_ENABLED
    Default: true
    Indicates whether the Token Server API should be exposed through the Security Proxy.

SECURITY_PROXY_BACK_END_TOKEN_SERVER_HOSTS
    Default: 127.0.0.1:8080
    Host, including port, of the Token Server.

SECURITY_PROXY_BACK_END_TOKEN_SERVER_ALLOW
    Default: 127.0.0.1
    The client IP address or address range that is allowed to reach this back-end through the Security Proxy.

The defaults describe a Token Server running on the same host as the Security Proxy and reachable only from local clients. When the Token Server runs on another host, set the scheme to https unless the link between the two is otherwise protected, and widen the allowed address range only as far as the clients that actually need the Token Server API.

A setup with a single Token Server back-end is the most common setup. Having multiple Token Servers is also possible, but then you cannot use the predefined Token Server configuration described above. Configuring multiple Token Servers is explained in more detail in the configuration section.

Configure Onegini Token Server admin backend

The Onegini Token Server admin can be configured as a proxy endpoint, meaning that all requests to the admin are proxied transparently, without payload encryption. The properties:

SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_CONTEXT_ROOT
    Default: /admin
    The context root of the Token Server admin.

SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_SCHEME
    Default: http
    The protocol scheme (http or https) used to communicate with the Token Server admin.

SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_API_ENABLED
    Default: true
    Indicates whether the Token Server admin should be exposed through the Security Proxy.

SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS
    Default: 127.0.0.1:8080
    Host, including port, of the Token Server admin.

SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_ALLOW
    Default: 127.0.0.1
    The client IP address or address range that is allowed to reach the admin through the Security Proxy. The default admits local clients only; keep this range as narrow as your administrators' network allows, or set SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_API_ENABLED to false if the admin does not need to be reachable through the proxy at all.

Configure Resource gateway backend

The resource gateway back-ends serve the APIs that you want to expose to mobile devices. A resource gateway can be an external resource gateway or the embedded resource gateway functionality of the Onegini Security Proxy. When the embedded resource gateway functionality is used, the configured host should be the resource server itself.

Currently the Security Proxy only supports transparent proxying. This means that the full URI (without the host) requested by the client is also used to retrieve the data from the back-end; only the scheme and host are replaced, the path is not rewritten. E.g. when a client requests https://security-proxy.example.com/product/123, the Security Proxy makes the following call to the back-end: https://back-end.internal/product/123.

For the resource gateway backend the following properties can be applied:

SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_CONTEXT_ROOT
    Default: /resource
    The context root of the Resource Gateway.

SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_PROXY_SCHEME
    Default: http
    The protocol scheme (http or https) used to communicate with the Resource Gateway.

SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_PROXY_API_ENABLED
    Default: true
    Indicates whether the Resource Gateway API should be exposed through the Security Proxy.

SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_HOSTS
    Default: 127.0.0.1:8080
    Host, including port, of the Resource Gateway.

SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_ALLOW
    Default: 127.0.0.1
    The client IP address or address range that is allowed to reach the Resource Gateway through the Security Proxy. Since the Resource Gateway serves mobile devices, this range is normally much wider than the default.

A setup with a single Resource Gateway back-end is the most common setup. Having multiple resource gateways is also possible, but then you cannot use the predefined Resource Gateway configuration described above. Configuring multiple resource gateways is explained in more detail in the configuration section.

By default all reverse proxy endpoints are mapped based on the context root. For a resource gateway there is the option to map based on server name instead. To enable this functionality for a resource gateway endpoint you need to set SECURITY_PROXY_SERVER_NAME_ROUTING to true. For each resource gateway, SECURITY_PROXY_BACK_END_<RGID>_SERVER_NAME then has to be set to the hostname that clients use, for example api.example.com. Please see the requirements for TLS/SSL related to this function in the configuration section.
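To see how the routing rules on this page (transparent proxying of the request path, context-root routing, optional server-name routing for resource gateways, and the per-back-end client allow-list) combine for a concrete set of properties, the following is an added example that models them in Python. It is not code from the Onegini Security Proxy; it is a small re-implementation of the documented behaviour that lets you dry-run a configuration before deploying it. The sample environment is constructed for this example, and where the page leaves a detail open the choice made here is marked as an assumption: the predefined resource gateway's <RGID> is taken to be RESOURCE_GATEWAY, the ALLOW value is treated as a single address or CIDR range, HOSTS is treated as a single host:port, and the server name is matched exactly.

```python
"""Added model of Security Proxy back-end routing; not the product's own code."""
import ipaddress
from urllib.parse import urlsplit

BACKENDS = ("TOKEN_SERVER", "TOKEN_SERVER_ADMIN", "RESOURCE_GATEWAY")

# Constructed sample environment: public back-ends moved off the http/127.0.0.1
# defaults, admin kept local to the proxy host with a narrow client allow-list.
# ASSUMPTION: the predefined resource gateway's <RGID> is RESOURCE_GATEWAY.
ENV = {
    "SECURITY_PROXY_SERVER_NAME_ROUTING": "true",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_CONTEXT_ROOT": "/oauth",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_SCHEME": "https",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_API_ENABLED": "true",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_HOSTS": "token-server.internal:8443",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ALLOW": "0.0.0.0/0",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_CONTEXT_ROOT": "/admin",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_SCHEME": "http",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_API_ENABLED": "true",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS": "127.0.0.1:8080",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_ALLOW": "10.0.0.0/8",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_CONTEXT_ROOT": "/resource",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_PROXY_SCHEME": "https",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_PROXY_API_ENABLED": "true",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_HOSTS": "resource-gateway.internal:8443",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_ALLOW": "0.0.0.0/0",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_SERVER_NAME": "api.example.com",
}
# The same setup with the weak choices left in: plaintext to a remote Token
# Server and an admin endpoint reachable from any client address.
WEAK_ENV = {**ENV,
            "SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_SCHEME": "http",
            "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_ALLOW": "0.0.0.0/0"}


def prop(env, backend, name, default=None):
    return env.get(f"SECURITY_PROXY_BACK_END_{backend}_{name}", default)


def client_allowed(env, backend, client_ip):
    """ALLOW restricts which *clients of the proxy* may reach this back-end.
    ASSUMPTION: a single address or a CIDR range."""
    network = ipaddress.ip_network(prop(env, backend, "ALLOW", "127.0.0.1"), strict=False)
    return ipaddress.ip_address(client_ip) in network


def select_backend(env, host, path):
    """Server-name routing first (resource gateways only), then context roots."""
    if env.get("SECURITY_PROXY_SERVER_NAME_ROUTING", "false").lower() == "true":
        for backend in BACKENDS:
            if prop(env, backend, "SERVER_NAME") == host.lower():  # ASSUMPTION: exact match
                return backend
    best = None  # ASSUMPTION: if context roots nest, the longest matching root wins
    for backend in BACKENDS:
        root = prop(env, backend, "CONTEXT_ROOT")
        if root and (path == root or path.startswith(root.rstrip("/") + "/")):
            if best is None or len(root) > len(prop(env, best, "CONTEXT_ROOT")):
                best = backend
    return best


def route(env, client_ip, request_url):
    """Return the back-end URL the proxy would call, or why the request is refused."""
    parts = urlsplit(request_url)
    backend = select_backend(env, parts.hostname or "", parts.path)
    if backend is None:
        return {"status": 404, "reason": "no back-end mapped for this host/path"}
    if prop(env, backend, "PROXY_API_ENABLED", "true").lower() != "true":
        return {"status": 404, "reason": f"{backend} is not exposed through the proxy"}
    if not client_allowed(env, backend, client_ip):
        return {"status": 403, "reason": f"{client_ip} is not in the {backend} allow-list"}
    # Transparent proxying: scheme and host are replaced, path and query pass through.
    # ASSUMPTION: a single host:port in HOSTS, as in the documented default.
    target = parts._replace(scheme=prop(env, backend, "PROXY_SCHEME", "http"),
                            netloc=prop(env, backend, "HOSTS", "127.0.0.1:8080")).geturl()
    return {"status": 200, "backend": backend, "target": target}


def weak_settings(env):
    """Review policy of this example (not a rule from the page): flag plaintext to a
    non-loopback back-end and an admin allow-list that admits every address."""
    findings = []
    for backend in BACKENDS:
        host = prop(env, backend, "HOSTS", "127.0.0.1:8080").rsplit(":", 1)[0].strip("[]")
        if prop(env, backend, "PROXY_SCHEME", "http") == "http" and host not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"{backend}: plaintext http to non-loopback host {host}")
        allow = ipaddress.ip_network(prop(env, backend, "ALLOW", "127.0.0.1"), strict=False)
        if backend == "TOKEN_SERVER_ADMIN" and allow.prefixlen == 0:
            findings.append(f"{backend}: admin reachable from any client address")
    return findings


if __name__ == "__main__":
    for url in ("https://api.example.com/product/123", "https://security-proxy.example.com/admin/"):
        print(url, "->", route(ENV, "203.0.113.9", url))
    print("weak:", weak_settings(WEAK_ENV))
```

Note what the model makes explicit about the page's example URL: https://security-proxy.example.com/product/123 only reaches a resource gateway if server-name routing is enabled and the client uses the configured server name (here api.example.com), or if the path starts with the resource gateway's context root; with context-root routing alone, /product/123 matches nothing and is refused.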