Re: Question on reverse proxy's usage


Zeng, Tingyu <Tingyu.Zeng@...>
 

Hey Jihun,

IMO “reverse proxy” refers to an abstract layer, which will be running on every single edge device. It might be sitting within each micro service or be part of the process for core data/command/metadata. The decision hasn’t been finalized.

Nginx and Traefik are using the subdomain as the method to filter and forward the request for the proxy. For EdgeX this is just one of the options. Another option is to hook up the HTTP request and intercept the calls within the existing core services.

The reverse proxy needs a way to identify the source of the caller and do authentication/authorization, which needs to be implemented within an Authorization Service. This was discussed in the current proposal as well.

 

Hope it helps.

Tingyu

 

From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of ???
Sent: Tuesday, March 13, 2018 3:40 AM
To: edgex-tsc-security@...
Subject: [Edgex-tsc-security] Question on reverse proxy's usage

 

Hi all,

 

As far as I know, there was a discussion on reverse proxy employment to EdgeX Foundry for several security reasons. For that, it is hard for me to know how to apply the reverse proxy to a real edge device, so please let me know the details if anyone is looking into this.

 

Questions

<Example topology>

Edge device (IP: 10.0.0.2)

 - core service (port: 48080)

 - export-distro service (port: 48070)

 

1. Is it the plan to run a reverse proxy service on every single edge device? Or is a reverse proxy service a single entity in a network, responsible for receiving and forwarding all requests destined for the actual services of edge devices inside the network?

 

2. As Nginx and Traefik explained, I understand that services to be proxified should have different domain names. For example, core.example.com and export.example.com domain names should be used for core service and export service, respectively. Then, should we force to define and use a domain name for a service rather than an IP address?

  - Originally, if you want to get data from the core service of an edge device, you could use the "10.0.0.2:48080" address.

  - Related to Question 1, I think that if a reverse proxy service is running on each edge device and we should use a domain name to utilize the reverse proxy, it sounds impractical (because every edge device has to have its own domain name unique in a network).

 

I'd appreciate it if you could let me know how to employ a reverse proxy on the above edge device with core and export services.

 

Best Regards,

 

Jihun Ha (하지훈/河志薰, Ph.D.)

Edge Platform Development | IoT Lab

Software R&D Center | Samsung Electronics Co., Ltd

Mobile +82 10 2533 7947

jihun.ha at samsung.com | jhha85 at gmail.com
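
Added example (not part of the original thread and not EdgeX project code): one way to front the two services from the example topology with a single on-device reverse proxy that routes by path prefix instead of per-service domain names and checks the caller before forwarding. The prefixes, the token, the listen address and the loopback-bound backends are assumptions.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Path prefix -> backend. Ports come from the example topology in the question;
// the prefixes and the loopback binding of the backends are assumptions.
var routes = map[string]string{
	"/core":   "http://127.0.0.1:48080",
	"/export": "http://127.0.0.1:48070",
}

// authorize stands in for the authorization service (hypothetical; constructed token).
func authorize(r *http.Request) bool {
	got := []byte(r.Header.Get("Authorization"))
	return subtle.ConstantTimeCompare(got, []byte("Bearer sample-token")) == 1
}

// NewProxy checks the caller first, then forwards by prefix with the prefix stripped.
func NewProxy(routes map[string]string, allow func(*http.Request) bool) (http.Handler, error) {
	mux := http.NewServeMux()
	for prefix, backend := range routes {
		target, err := url.Parse(backend)
		if err != nil {
			return nil, err
		}
		proxy := httputil.NewSingleHostReverseProxy(target)
		mux.Handle(prefix+"/", http.StripPrefix(prefix, proxy))
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allow(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		mux.ServeHTTP(w, r) // unknown prefixes get 404 from the mux
	}), nil
}

func main() {
	h, err := NewProxy(routes, authorize)
	if err != nil {
		panic(err)
	}
	panic(http.ListenAndServe(":8080", h)) // assumed address; TLS omitted
}
```

With this layout a client reaches the core service at `10.0.0.2:8080/core/...` by IP address, and binding the backends to loopback keeps callers from going around the proxy.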
