On 22.09.2016 13:32, Timothy Ward wrote:
On 22 Sep 2016, at 12:16, Christian Schneider <ch...@die-schneider.net> wrote:


There is one thing I am missing in your description. How do you configure the 
proxy server that provides the secure endpoint? I think the typical production 
approach will be to use an existing HTTP proxy server that has an API to 
configure the forwarding. Would that happen in the REST provider? I am not sure 
if that would be a good idea as we will likely have to support different proxy 
APIs and I would rather avoid putting all that into the REST provider. Another 
thing is that we might need the same or very similar functionality for SOAP 
endpoints.

My understanding of what happens here is that the proxy server has a static 
mapping from URI path /foo/bar/* to back end server X. Therefore the back end 
server can work out the proxy URI by prepending 
https://proxy.server:1234/foo/bar/ to “some/service/path”. This proxy is 
configured by the system operator, and the RSA implementation is notified of 
the path prefix using config admin.

A fixed URL per server is a valid case. Especially for small deployments this can be the easiest solution.

I had something more dynamic in mind though like
https://www.nginx.com/products/on-the-fly-reconfiguration/

The idea would be to be able to use this for cloud environments. Such a proxy might also do the load balancing of a service that runs on several instances. The dynamic configuration would then allow adding and removing servers on the fly. In that case the frontend client might only see one endpoint that represents several endpoints in the backend.

Potentially such a proxy could then also be used completely without Remote Service Admin on the client side by providing one fixed URL. In the current state it would be difficult to achieve this with Aries RSA.

Unfortunately, at least in the case of nginx, the on-the-fly configuration is only available in the commercial version, but maybe there are other proxies that provide such a thing in the open source version too. It also seems nginx only allows setting an IP and port to forward to, while I was rather looking for something that works per service.

I will do some more research.

Christian

--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com
