We are writing an application which provides a RESTful API. The application needs to be secured, but I don’t want my Authentication/Encryption mechanism to pollute the interfaced program nor the API.
I was wondering if a Proxy could be helping in our case, but since I’m not an expert in web development, I need to know if my picture makes sense. The structure of the system should be the following:
- The server program simply exports the API on a TCP port, which however can be accessed only from a local process (bound to 127.0.0.1);
- A proxy server manages SSL and Authentication:
  - The URI and methods are exported as they are, but…
  - Only authenticated users, having the required capabilities, can actually call them, and…
  - The communication must be running on an encrypted channel
So, my questions are:
- Is this a reasonable scenario?
- What is a good proxy server which I could be running for this job?
- Is there any drawback in doing this?
Thanks for your help!
It seems that the general scenario you have could be achieved by using an HTTPS reverse proxy. There are multiple implementations out there.
A popular one is Apache Httpd: it can handle incoming HTTPS connections, authentication (using a variety of mechanisms) and reverse proxy.
A typical scenario, where you would have a “plain” HTTP application listening on localhost, would be to have Apache Httpd in front of it and handling external connections, where:
- mod_ssl handles the SSL/TLS configuration of your server.
- mod_auth* modules handle the authentication (depending on how you want to perform authentication); these should be able to export an authenticated user name (e.g. REMOTE_USER) to the back-end for authorisation.
- mod_proxy handles the connection to the back-end application (e.g. via mod_proxy_http when the application server is using HTTP itself).
Letting only the users that have the required capabilities perform certain actions is the authorisation part. This one is harder to separate from your main API, simply because the front-end can’t guess how you define “having the required capabilities”. That’s not to say you have to tangle it with the rest of your logic, but the authorisation system will need to know how your API works (i.e. what the possible actions are), hence it’s usually best implemented within the main application.
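A concrete Apache httpd 2.4 configuration for the layout this answer describes, added here as an illustration; it is not taken from the original answer or from any project. The hostname api.example.com, the back-end port 8080, the certificate, key and htpasswd paths, the group file, and the X-Remote-User header name are all assumptions chosen for the example; the LoadModule lines assume the stock module layout and are usually already present in a distribution's default configuration.

```apache
# Added example (not from the original answer): TLS-terminating, authenticating
# reverse proxy in front of a plain-HTTP API bound to 127.0.0.1:8080.
# All names, ports and paths below are placeholders.
Listen 443

LoadModule ssl_module            modules/mod_ssl.so
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_http_module     modules/mod_proxy_http.so
LoadModule auth_basic_module     modules/mod_auth_basic.so
LoadModule authn_file_module     modules/mod_authn_file.so
LoadModule authz_user_module     modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule headers_module        modules/mod_headers.so

# Never act as a forward proxy; only the explicit ProxyPass targets are reachable.
ProxyRequests Off

<VirtualHost *:443>
    ServerName api.example.com

    # mod_ssl: the encrypted channel. Disable the legacy protocol versions.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/api.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/api.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    <Location "/">
        # mod_auth_basic + mod_authn_file: authenticate before anything is forwarded.
        AuthType Basic
        AuthName "API"
        AuthUserFile  /etc/httpd/api.htpasswd
        AuthGroupFile /etc/httpd/api.groups
        Require valid-user

        # Drop any identity header the client sent, then set it from the user
        # Apache actually authenticated. The %{REMOTE_USER}s lookup is served by
        # mod_ssl's variable resolver, which is why mod_ssl must be loaded.
        RequestHeader unset X-Remote-User
        RequestHeader set   X-Remote-User "%{REMOTE_USER}s"

        # mod_proxy_http: URIs and methods pass through unchanged to the back-end.
        ProxyPass        "http://127.0.0.1:8080/"
        ProxyPassReverse "http://127.0.0.1:8080/"
    </Location>

    # Coarse, URI-prefix authorisation the proxy can enforce on its own.
    # Per-action capability checks still belong inside the application.
    <Location "/admin/">
        Require group admins
    </Location>
</VirtualHost>
```

Authentication runs in the proxy before ProxyPass is applied, so the back-end only ever sees requests that carry a verified user name, provided it keeps listening on 127.0.0.1 alone. The back-end may trust X-Remote-User only because the proxy unsets any client-supplied copy first; it must not accept that header on any other listener. The /admin/ section shows the limit of what the proxy can decide: it can gate a path prefix by group, but whether a given user may perform a given action on a given resource is the authorisation logic the answer says belongs in the application.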