Mulesoft: Force implementation URL to listen to proxy only (or) secure implementation URL


How do I force the implementation URL to listen to the proxy only in Mulesoft?

Right now the proxy can be secured using client_id, client_secret, etc. However, the implementation URL is not secured. If anyone happens to know the implementation URL, it is a potentially risky affair.

Is there any way we can force the implementation URL to listen to the proxy only?

(or) Can we add policies to the implementation URL?

2

There are 2 answers

1
Seshadri VS (BEST ANSWER)

Mulesoft documentation suggests adding a VPC. When we tested, HTTP was working in the VPC but HTTPS was not.

Since HTTPS was a mandatory requirement and we were unable to do it via VPC, we fixed it in a different way.

We added a custom header in the proxy code, and we validate that header in the implementation.

This was the fix rolled out.

0
Navpreet Singh

Mulesoft documentation setting-up-an-api-proxy states that the proxy application is nothing but a Mule application mocking the contractual behavior of the actual service implementation and making service calls to the actual API to fulfil requests. So instead of HTTP, it is recommended to use HTTPS for enhanced security and data integrity. Since Mulesoft suggests using the HTTPS protocol for the connection between the Mule proxy and the service implementation, one option would be to leverage that and enforce two-way SSL between your proxy and the implementation, which will help you accept requests only from legitimate clients.

Check the topic enable-two-way-ssl-in-mule for further implementation details.

The second option would be to enable policies on the actual service implementation, i.e. enable api-auto-discovery on your service. Although you can do it, it would be an overhead for the reasons below:

  1. You would be enforcing policies at two layers and doubling the calls to API Manager for syncing policies, as the service implementation would poll API Manager at a fixed interval to check/fetch the policies.
  2. To enable policy application on the service implementation, the service needs to run on either the API Gateway runtime or Mule 3.8 onwards, as older Mule versions do not support policies.

The implementation can be done by having the XML snippet below in the API XML.

<api-platform-gw:api apiName="app-${env}" version="${api.version}" flowRef="api-main" create="true" apikitRef="api-config" doc:name="API Autodiscovery" />

  • apiName is the API definition created in API Manager, from where you can view and manage the API
  • version is the same major version of the API
  • flowRef maps it to the main flow reference
  • create is a flag signifying whether the definition needs to be created in API Manager in case it does not exist

Conclusion:

  1. Enforce two-way SSL for certificate-based client-server authentication
  2. Add Auto Discovery to the service implementation so as to apply policies on the implementation layer as well
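The two-way SSL option from this answer, as an added Mule 3.x listener configuration for the implementation (example config, not from either answer or from Mulesoft's documentation). Unlike the custom header in the accepted answer, which is a shared secret that any caller who learns it can replay, the proxy's client certificate is verified during the TLS handshake before any flow runs; the store paths, passwords and alias are placeholders.

```xml
<!-- Added example (Mule 3.x syntax). Placeholders: store paths, ${...} passwords, alias. -->
<http:listener-config name="impl-https-listener"
                      protocol="HTTPS" host="0.0.0.0" port="8082">
  <tls:context>
    <!-- The implementation's own server certificate, presented to the proxy. -->
    <tls:key-store path="impl-keystore.jks"
                   alias="impl"
                   keyPassword="${impl.key.password}"
                   password="${impl.keystore.password}" />
    <!-- Trust store holding ONLY the proxy's client certificate (or the private CA
         that issued it). Configuring a trust store on the listener makes Mule request
         and verify a client certificate, so a caller that reached the implementation
         URL directly, without the proxy's private key, is rejected in the handshake. -->
    <tls:trust-store path="proxy-truststore.jks"
                     password="${proxy.truststore.password}"
                     insecure="false" />
  </tls:context>
</http:listener-config>

<!-- The API main flow now only accepts requests that passed mutual TLS. -->
<flow name="api-main">
  <http:listener config-ref="impl-https-listener" path="/api/*" doc:name="HTTPS listener" />
  <!-- ... existing APIkit router / processing ... -->
</flow>
```

The proxy's HTTP requester config needs the matching `tls:context` with the proxy's own key store and a trust store containing the implementation's certificate, otherwise the proxy itself fails the handshake. Do not put a public CA bundle in the implementation's trust store, since that would admit any client holding a certificate from that CA rather than only the proxy.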