The EmpowerID Application Gateway is a dockerized KONG module that is a key component of any Zero Trust or microservices security architecture. As a component of the EmpowerID WAM System, the Application Gateway stands in front of protected Web applications and Docker containers, restricting access to the resources served by those applications by intercepting all HTTP traffic bound for those applications, evaluating and processing each request using EmpowerID's hybrid RBAC / ABAC / PBAC engines.
...
| Info |
|---|
For step-by-step guidance on creating WAM applications, see Creating WAM Applications. |
OAuth Application
As mentioned above, the Application Gateway makes API calls to EmpowerID to collect RBAC data on each person in your environment. In order to make the necessary API calls, the SAML connection for the WAM application must have an OAuth application with an owner who has the access to make those calls. When you create the application, EmpowerID generates an API Key, a Client ID (Key), and a Client Secret that you use when you configure the Application Gateway
EmpowerID Application Gateway Configuration Files
In addition to creating the above applications in EmpowerID, you need to configure the EmpowerID Application Gateway for your specific environment. To do this, you can do one of two things, you can create a directory on your linux machine and create the appropriate files with hard-coded values or you can pass those values at runtime, using environment variables (e.g. env CLIENT_ID). The below code shows what the default proxy.nginx file looks like with elements to enable the modsecurity module. The modsecurity module protects against such Layer 7 attacks as SQL injection (SQLi) and cross-site scripting (XSS).
A description of the settings follows the code.
| Code Block | ||||
|---|---|---|---|---|
| ||||
load_module modules/ngx_http_modsecurity_module.so;
worker_processes 1;
error_log logs/error.log debug;
events {
multi_accept on;
worker_connections 1024;
}
env CLIENT_ID;
env CLIENT_SECRET;
env EMPOWERID_API_KEY;
env CERTIFICATE_THUMBPRINT;
env CERT_FILE_PASSPHRASE;
env SERVICE_PROVIDERS_GUIDS;
env DISCOVERY;
env HASACCESSTOPAGE_ENDPOINT;
env GET_RESULTS_ENDPOINT;
env TOKEN_ENDPOINT;
env SCHEMA_HOST_PORT;
http {
tcp_nodelay off;
tcp_nopush on;
upstream backend_hosts {
server 35.153.255.7;
}
resolver 8.8.8.8 ipv6=off;
# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;
lua_shared_dict sessions 10m;
lua_shared_dict empowerid_proxy_config 10m;
init_worker_by_lua_block {
local opts = {
redirect_uri_path = "/oauth2callback",
ssl_verify="no",
logout_path = "/logout",
cert_file="/usr/local/openresty/nginx/conf/file.pem",
oauth_grant_type="urn:ietf:params:oauth:grant-type:jwt-bearer",
discovery = os.getenv("DISCOVERY),
client_id = os.getenv("CLIENT_ID),
client_secret = os.getenv("CLIENT_SECRET"),
service_providers_guids = os.getenv("SERVICE_PROVIDERS_GUIDS"),
hasaccesstopage_endpoint = os.getenv("HASACCESSTOPAGE_ENDPOINT"),
empowerid_api_key = os.getenv("EMPOWERID_API_KEY"),
get_results_endpoint = ("GET_RESULTS_ENDPOINT"),
token_endpoint = OS.GETENV("TOKEN_ENDPOINT"),
certificate_thumbprint=os.getenv("CERTIFICATE_THUMBPRINT"),
cert_file_passphrase=os.getenv("CERT_FILE_PASSPHRASE"),
schema_host_port=os.getenv("SCHEMA_HOST_PORT")
}
require"empowerid.proxy"(opts)
}
server {
server_name FQDN of your EmpowerID server
listen 443 ssl;
modsecurity on;
modsecurity_rules_file/usr/local/openresty/nginx/conf/main.conf
ssl_certificate/usr/local/openresty/nginx/conf/certificate.crt;
ssl_certificate_key/usr/local/openresty/nginx/conf/keyfileencrypted.key
ssl_password_file/usr/local/openresty/nginx/conf/global.pass;
location~\.(gif|png|js|css|ico|woff|woff2)${
expires 1y;
proxy_pass http:/backend_hosts;
location / {
set $session_storage shm;
access_by_lua_block {
require"empowerid.proxy"()
}
proxy_http_version 1.1;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Connection "";
proxy_pass http://backend_hosts;
}
}
}
|
...