Reverse proxy configuration
Recall that the Security Proxy is essentially a reverse proxy: it serves content that is provided by other servers. It does, however, need to know where to find these servers.
There are two kinds of back-ends defined in the Security Proxy that need to be configured so payload encryption can optionally be applied:
- Token Server - Requests that are meant for the Onegini Token Server should be routed to the Onegini Token Server
- Resource gateway - Data requests to transport (personalized) data to a mobile device must be handled by a resource gateway
Configure Onegini Token Server backend
The Security Proxy requires a Token Server instance to be configured.
For this configuration the following properties are available:
Property | Default | Description |
---|---|---|
SECURITY_PROXY_BACK_END_TOKEN_SERVER_CONTEXT_ROOT | /oauth | The context root of the Token Server. |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_SCHEME | http | The protocol scheme used to communicate to the Token Server. |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_API_ENABLED | true | Indicates whether the Token Server API should be exposed through the Security Proxy. |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_HOSTS | 127.0.0.1:8080 | Host including port of the Token Server. |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ALLOW | 127.0.0.1 | The allowed client ip address or address range. |
A setup with a single Token Server back-end is the most common one. Multiple Token Servers are also possible, but then you cannot use the predefined Token Server configuration described above. Having multiple Token Servers is explained in more detail in the configuration section.
Configure Onegini Token Server admin backend
The Onegini Token Server admin can be configured as a proxy endpoint, meaning that all requests to the admin are proxied transparently, without payload encryption. The properties:
Property | Default | Description |
---|---|---|
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_CONTEXT_ROOT | /admin | The context root of the Token Server admin. |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_SCHEME | http | The protocol scheme used to communicate to the Token Server admin. |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_API_ENABLED | true | Indicates whether the Token Server admin API should be exposed through the Security Proxy. |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS | 127.0.0.1:8080 | Host including port of the Token Server admin. |
SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_ALLOW | 127.0.0.1 | The allowed client ip address or address range. |
Configure Resource gateway backend
The resource gateway back-ends serve APIs that you want to expose to mobile devices. A resource gateway can be an external resource gateway or the embedded resource gateway functionality of the Onegini Security Proxy. When using the embedded resource gateway functionality the configured host should be the resource server.
Currently the Security Proxy only supports transparent proxying. This means that the full URI (without the host) called by the client is also used to retrieve the data from the back-end. For example, if the client retrieves https://security-proxy.example.com/product/123, the Security Proxy makes the following call to the back-end: https://back-end.internal/product/123.
For the resource gateway backend the following properties can be applied:
Property | Default | Description |
---|---|---|
SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_CONTEXT_ROOT | /resource | The context root of the Resource Gateway. |
SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_PROXY_SCHEME | http | The protocol scheme used to communicate to the Resource Gateway. |
SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_PROXY_API_ENABLED | true | Indicates whether the Resource Gateway API should be exposed through the Security Proxy. |
SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_HOSTS | 127.0.0.1:8080 | Host including port of the Resource Gateway. |
SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_ALLOW | 127.0.0.1 | The allowed client ip address or address range. |
A setup with a single Resource Gateway back-end is the most common one. Multiple resource gateways are also possible, but then you cannot use the predefined Resource Gateway configuration described above. Having multiple resource gateways is explained in more detail in the configuration section.
By default all reverse proxy endpoints are mapped based on the context root. For a resource gateway there is the option to map based on server name instead. To enable this functionality for a resource gateway endpoint you need to set SECURITY_PROXY_SERVER_NAME_ROUTING to true. For each resource gateway the property SECURITY_PROXY_BACK_END_<RGID>_SERVER_NAME then has to be set to the hostname, for example api.example.com. Please see the requirements for TLS/SSL related to this function in the configuration section.
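The following is an added example, not Onegini's code, that models how the back-end properties from the three tables above (Token Server, Token Server admin and Resource Gateway) together with SECURITY_PROXY_SERVER_NAME_ROUTING decide where a client request is forwarded. The environment is constructed and deliberately hardened (https towards the back-ends, private ALLOW ranges, admin API not exposed). Assumptions not stated on this page: ALLOW is treated as an allowlist for the client address, the predefined resource gateway's RGID is taken to be RESOURCE_GATEWAY, and a resource gateway with a SERVER_NAME matches on host name while still accepting requests under its context root.

```python
# Added example (not Onegini's code): a small model of Security Proxy back-end
# routing driven by the documented SECURITY_PROXY_BACK_END_<ID>_* properties.
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Optional, Union

# Constructed environment for a three-back-end setup. Compared with the
# defaults: https towards the back-ends, private ALLOW ranges for the
# Token Server endpoints, and the admin API not exposed through the proxy.
ENV = {
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_CONTEXT_ROOT": "/oauth",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_SCHEME": "https",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_PROXY_API_ENABLED": "true",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_HOSTS": "token-server.internal:8443",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ALLOW": "10.0.0.0/8",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_CONTEXT_ROOT": "/admin",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_SCHEME": "https",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_PROXY_API_ENABLED": "false",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_HOSTS": "token-server.internal:8443",
    "SECURITY_PROXY_BACK_END_TOKEN_SERVER_ADMIN_ALLOW": "10.0.1.0/24",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_CONTEXT_ROOT": "/resource",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_PROXY_SCHEME": "https",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_PROXY_API_ENABLED": "true",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_HOSTS": "back-end.internal:443",
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_ALLOW": "0.0.0.0/0",  # mobile devices come from anywhere
    "SECURITY_PROXY_SERVER_NAME_ROUTING": "true",
    # Assumption: the predefined resource gateway's <RGID> is RESOURCE_GATEWAY.
    "SECURITY_PROXY_BACK_END_RESOURCE_GATEWAY_SERVER_NAME": "api.example.com",
}

# The three back-end ids whose property tables appear on this page.
BACK_END_IDS = ("TOKEN_SERVER", "TOKEN_SERVER_ADMIN", "RESOURCE_GATEWAY")


@dataclass
class BackEnd:
    back_end_id: str
    context_root: str
    scheme: str
    hosts: str
    allow: Union[IPv4Network, IPv6Network]  # assumption: client address allowlist
    api_enabled: bool
    server_name: Optional[str]              # only set for resource gateways


def load_back_ends(env: Dict[str, str]) -> List[BackEnd]:
    """Build one BackEnd per documented id from its SECURITY_PROXY_BACK_END_<ID>_* keys."""
    back_ends = []
    for be_id in BACK_END_IDS:
        prefix = f"SECURITY_PROXY_BACK_END_{be_id}_"
        back_ends.append(BackEnd(
            back_end_id=be_id,
            context_root=env[prefix + "CONTEXT_ROOT"].rstrip("/"),
            scheme=env[prefix + "PROXY_SCHEME"],
            hosts=env[prefix + "HOSTS"],
            allow=ip_network(env[prefix + "ALLOW"], strict=False),
            api_enabled=env[prefix + "PROXY_API_ENABLED"].lower() == "true",
            server_name=env.get(prefix + "SERVER_NAME"),
        ))
    return back_ends


def _under_context_root(path: str, root: str) -> bool:
    # Segment-aware prefix check: /oauthx must not match the /oauth context root.
    return path == root or path.startswith(root + "/")


def route(env: Dict[str, str], host: str, path: str, client_ip: str) -> Optional[str]:
    """Return the back-end URL a client request is forwarded to, or None when no
    exposed back-end accepts it. The path is forwarded unchanged (transparent
    proxying), so /product/123 at the proxy stays /product/123 at the back-end."""
    server_name_routing = env.get("SECURITY_PROXY_SERVER_NAME_ROUTING", "false").lower() == "true"
    addr = ip_address(client_ip)
    for be in load_back_ends(env):
        if not be.api_enabled:
            continue  # PROXY_API_ENABLED=false: never reachable through the proxy
        by_name = server_name_routing and be.server_name is not None and host == be.server_name
        if not (by_name or _under_context_root(path, be.context_root)):
            continue
        if addr not in be.allow:
            return None  # endpoint matched, but the client address is outside ALLOW
        return f"{be.scheme}://{be.hosts}{path}"
    return None


if __name__ == "__main__":
    # Constructed sample requests: (Host header, path, client address).
    for host, path, ip in [
        ("api.example.com", "/product/123", "203.0.113.5"),
        ("security-proxy.example.com", "/oauth/v1/token", "10.1.2.3"),
        ("security-proxy.example.com", "/oauth/v1/token", "203.0.113.5"),
        ("security-proxy.example.com", "/admin/", "10.0.1.7"),
    ]:
        print(f"{host}{path} from {ip} -> {route(ENV, host, path, ip)}")
```

Run it as a script to see the routing decision for each constructed request; the request from the public address to /oauth/v1/token and any request to /admin/ yield None, the former because the client falls outside the Token Server ALLOW range and the latter because the admin API is not exposed.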