On 22.09.2016 13:32, Timothy Ward wrote:
On 22 Sep 2016, at 12:16, Christian Schneider <ch...@die-schneider.net> wrote:
There is one thing I am missing in your description. How do you configure the
proxy server that provides the secure endpoint? I think the typical production
approach will be to use an existing HTTP proxy server that has an API to
configure the forwarding. Would that happen in the REST provider? I am not sure
if that would be a good idea as we will likely have to support different proxy
APIs and I would rather avoid putting all that into the REST provider. Another
thing is that we might need the same or very similar functionality for SOAP
endpoints.
My understanding of what happens here is that the proxy server has a static
mapping from URI path /foo/bar/* to back end server X. Therefore the back end
server can work out the proxy URI by prepending
https://proxy.server:1234/foo/bar/ to “some/service/path”. This proxy is
configured by the system operator, and the RSA implementation is notified of
the path prefix using config admin.
A fixed URL per server is a valid case. Especially for small deployments
this can be the easiest solution.
I had something more dynamic in mind though like
https://www.nginx.com/products/on-the-fly-reconfiguration/
The idea would be to be able to use this for cloud environments. Such a
proxy might also do the load balancing of a service that runs on several
instances. The dynamic configuration would then allow adding and removing
servers on the fly. In that case the frontend client might only see one
endpoint that represents several endpoints in the backend.
Potentially such a proxy could then also be used completely without
Remote Service Admin on the client side by providing one fixed URL. In
the current state it would be difficult to achieve this with Aries RSA.
Unfortunately at least in the case of nginx the on the fly configuration
is only available in the commercial version but maybe there are other
proxies that provide such a thing in the open source version too. It
also seems nginx only allows setting an IP and port to forward to while I
was rather looking for something that works per service.
I will do some more research.
Christian
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com
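
The static-prefix mapping discussed in this thread, written out as an added example (not code from the thread or from Aries RSA). The class name `ProxyEndpointMapper`, its methods and the back end address `http://backend-x:8080/` are hypothetical; the https requirement and the check that a path cannot escape the prefix are assumptions added here.

```java
import java.net.URI;

// Added illustration. Class and method names are hypothetical, not Aries RSA API.
public class ProxyEndpointMapper {
    private final URI publicPrefix; // operator-configured, e.g. delivered via Config Admin
    private final URI backendBase;  // back end server X (constructed sample value)

    public ProxyEndpointMapper(String publicPrefix, String backendBase) {
        this.publicPrefix = URI.create(publicPrefix).normalize();
        this.backendBase = URI.create(backendBase).normalize();
        // The proxy provides the secure endpoint, so refuse to advertise plain HTTP.
        if (!"https".equalsIgnoreCase(this.publicPrefix.getScheme())) {
            throw new IllegalArgumentException("public prefix must use https");
        }
        // Both must end in '/' so that resolve() appends instead of replacing.
        if (!publicPrefix.endsWith("/") || !backendBase.endsWith("/")) {
            throw new IllegalArgumentException("prefixes must end with '/'");
        }
    }

    // Back end side: local service path -> URI to advertise to clients.
    public URI advertised(String servicePath) {
        return under(publicPrefix, servicePath);
    }

    // Proxy side: the static mapping <prefix>* -> back end server X.
    public URI forwardTarget(String requested) {
        String req = URI.create(requested).normalize().toString();
        if (!req.startsWith(publicPrefix.toString())) {
            throw new IllegalArgumentException("not covered by the mapping: " + requested);
        }
        return under(backendBase, req.substring(publicPrefix.toString().length()));
    }

    // Resolve a relative path below base; reject "..", absolute URIs and other escapes.
    private static URI under(URI base, String path) {
        URI resolved = base.resolve(path.replaceFirst("^/+", "")).normalize();
        if (!resolved.toString().startsWith(base.toString())) {
            throw new IllegalArgumentException("path escapes " + base + ": " + path);
        }
        return resolved;
    }

    public static void main(String[] args) {
        ProxyEndpointMapper m = new ProxyEndpointMapper(
                "https://proxy.server:1234/foo/bar/", "http://backend-x:8080/");
        URI pub = m.advertised("some/service/path");
        System.out.println(pub);
        System.out.println(m.forwardTarget(pub.toString()));
    }
}
```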