Connectivity via reverse proxy
This guide shows you how to connect your Anapaya appliance to the Anapaya CONSOLE using a reverse proxy. The CONSOLE will use this connection to manage and monitor your appliance through its management API configuration.
The reverse proxy approach provides out-of-band connectivity to your appliances. Traffic between the CONSOLE and the reverse proxy is typically secured using a VPN (such as WireGuard or IPSec), ensuring that your proxy is not directly exposed to the public internet. This method gives you full control over which appliances are accessible and allows you to enforce your own access policies at the HTTP request level.
For alternative connectivity methods, see providing connectivity.
How it works
The reverse proxy acts as a central gateway that exposes the management APIs of your appliances to the Anapaya CONSOLE. Access to the reverse proxy is secured through a VPN connection, typically using WireGuard, which establishes an encrypted tunnel between Anapaya's infrastructure and your network. The reverse proxy usually uses URL path-based routing to direct requests to the appropriate appliance. Each appliance is accessible via a unique path under a common base URL. Alternatively, you can use sub-domains if you prefer.
Prerequisites
Before you begin, verify that:
- You have administrative access to the appliance (via CLI or API).
- You have the operator role (or higher) in the CONSOLE organization where you will add the appliance.
- The appliance has management API authentication enabled.
- You have infrastructure available to run a reverse proxy server.
- The reverse proxy server can reach the appliance management APIs on your internal network.
Walkthrough
Step 1: Establish VPN connectivity
Set up a VPN tunnel between your reverse proxy infrastructure and Anapaya's CONSOLE infrastructure. This ensures that management traffic remains encrypted and isolated from the public internet. The most commonly used VPN technologies for this setup are WireGuard and IPSec, with WireGuard being the recommended choice due to its simplicity and performance.
Contact Anapaya support to coordinate VPN setup details, including IP addressing, authentication keys, and firewall rules.
It is technically possible to expose the reverse proxy directly to the public internet without a VPN. Only consider this option if you have carefully evaluated the security risks and determined they are acceptable for your deployment.
HTTP requests from the CONSOLE use one of the following source IP addresses: 34.65.137.1, 35.240.38.174. Use IP allowlisting to improve your security posture.
Step 2: Configure the reverse proxy
Set up your reverse proxy server to forward CONSOLE requests to the appropriate appliance management APIs. The reverse proxy should listen on the VPN tunnel interface and use path-based routing to direct traffic to different appliances.
Popular reverse proxy solutions include:
- Caddy - Modern reverse proxy with automatic HTTPS
- Nginx - High-performance reverse proxy
- HAProxy - Reliable load balancer and proxy
Each appliance should be accessible via a unique URL path. For example:
- https://proxy.example.com/appliance1/* routes to appliance 1
- https://proxy.example.com/appliance2/* routes to appliance 2
For configuration examples, refer to the sub-pages for specific reverse proxy implementations.
The following tables list all management API endpoints that the CONSOLE uses to communicate with appliances:
Observer endpoints
The following endpoints are used by the CONSOLE to observe the appliance.
| Method | Path |
|---|---|
| GET | /api/v1/config |
| POST | /api/v1/debug/scion-tunneling/paths/search |
| GET | /api/v1/debug/scion-tunneling/paths |
| GET | /api/v1/debug/scion-tunneling/summary |
| GET | /api/v1/health |
| GET | /api/v1/secrets |
| GET | /api/v1/software/keys |
| GET | /api/v1/software/licenses/request |
| GET | /api/v1/software/scion/install/{id} |
| GET | /api/v1/software/scion/packages/local/{version} |
| GET | /api/v1/software/scion/packages/local |
| GET | /api/v1/software/signatures/{type}/{version} |
| GET | /api/v1/software/system/install/{id} |
| GET | /api/v1/software/system/packages/local/{version} |
| GET | /api/v1/software/system/packages/local |
| GET | /metrics |
Writer endpoints
The following additional endpoints are used by the CONSOLE to manage the appliance fully.
| Method | Path |
|---|---|
| PUT | /api/v1/config |
| DELETE | /api/v1/secrets/{id} |
| POST | /api/v1/secrets/batch |
| POST | /api/v1/secrets |
| POST | /api/v1/software/keys |
| POST | /api/v1/software/licenses |
| POST | /api/v1/software/scion/install |
| DELETE | /api/v1/software/scion/packages/local/{version} |
| POST | /api/v1/software/scion/packages/local |
| POST | /api/v1/software/signatures/{type}/{version} |
| POST | /api/v1/software/system/install |
| DELETE | /api/v1/software/system/packages/local/{version} |
| POST | /api/v1/software/system/packages/local |
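The endpoint tables above can be turned into a request-level allowlist, for instance to audit reverse proxy access logs for requests that fall outside what the CONSOLE is documented to send. The following is an added example, not Anapaya's code: the function names are hypothetical, and it assumes that a `{placeholder}` stands for exactly one path segment, that paths are logged without query strings, and that the proxy sees the CONSOLE source addresses listed in Step 1.

```python
import ipaddress
import re

# Source IPs and endpoint tables copied from this page (several entries per line).
CONSOLE_IPS = {ipaddress.ip_address(a) for a in ("34.65.137.1", "35.240.38.174")}
OBSERVER = """
GET /api/v1/config  GET /api/v1/health  GET /api/v1/secrets  GET /metrics
POST /api/v1/debug/scion-tunneling/paths/search  GET /api/v1/debug/scion-tunneling/paths
GET /api/v1/debug/scion-tunneling/summary  GET /api/v1/software/keys
GET /api/v1/software/licenses/request  GET /api/v1/software/signatures/{type}/{version}
GET /api/v1/software/scion/install/{id}  GET /api/v1/software/system/install/{id}
GET /api/v1/software/scion/packages/local  GET /api/v1/software/scion/packages/local/{version}
GET /api/v1/software/system/packages/local  GET /api/v1/software/system/packages/local/{version}
"""
WRITER = """
PUT /api/v1/config  POST /api/v1/secrets  POST /api/v1/secrets/batch  DELETE /api/v1/secrets/{id}
POST /api/v1/software/keys  POST /api/v1/software/licenses
POST /api/v1/software/signatures/{type}/{version}
POST /api/v1/software/scion/install  POST /api/v1/software/system/install
POST /api/v1/software/scion/packages/local  DELETE /api/v1/software/scion/packages/local/{version}
POST /api/v1/software/system/packages/local  DELETE /api/v1/software/system/packages/local/{version}
"""

def compile_table(text):
    """Turn 'METHOD /path/{param}' pairs into (method, compiled regex) rules."""
    tok = text.split()
    return [(m, re.compile("/".join(  # assumption: a {placeholder} is one path segment
                "[^/]+" if s.startswith("{") else re.escape(s) for s in p.split("/"))))
            for m, p in zip(tok[::2], tok[1::2])]
RULES = {"observer": compile_table(OBSERVER), "writer": compile_table(WRITER)}

def classify(src_ip, method, path, prefix):
    """Return 'observer', 'writer' or 'deny' for one request seen by the proxy."""
    if ipaddress.ip_address(src_ip) not in CONSOLE_IPS or not path.startswith(prefix + "/"):
        return "deny"  # wrong source address, or outside this appliance's path
    rest = path[len(prefix):]
    if any(seg in (".", "..") for seg in rest.split("/")):
        return "deny"  # dot segments must never satisfy a {placeholder}
    for role, rules in RULES.items():
        if any(m == method and rx.fullmatch(rest) for m, rx in rules):
            return role
    return "deny"

# Constructed sample requests (source IP, method, path); not real log data.
SAMPLE = [
    ("34.65.137.1", "GET", "/appliance1/api/v1/health"), ("35.240.38.174", "PUT", "/appliance1/api/v1/config"),
    ("34.65.137.1", "DELETE", "/appliance1/api/v1/config"), ("203.0.113.7", "GET", "/appliance1/metrics"),
]
```

Calling `classify(ip, method, path, "/appliance1")` on each `SAMPLE` entry yields `observer`, `writer`, `deny`, `deny`; a proxy that should only allow monitoring can reject everything that does not classify as `observer`.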
Step 3: Onboard the appliance to the CONSOLE
With the reverse proxy configured and VPN connectivity established, you can now onboard your appliances to the CONSOLE. Follow the appliance onboarding guide.
When configuring access parameters:
- Endpoint: Enter the reverse proxy URL with the appliance-specific path (e.g., https://proxy.example.com/appliance1)
- API path: Leave empty (unless required)
- Metrics URL: Leave empty (unless required)
Here are some examples of the requests that the CONSOLE sends for such a configuration:
- GET https://proxy.example.com/appliance1/api/v1/config
- GET https://proxy.example.com/appliance1/metrics
- POST https://proxy.example.com/appliance1/api/v1/software/licenses
Troubleshooting
If the CONSOLE cannot connect to your appliance through the reverse proxy, verify the following:
- VPN connectivity: Confirm that the VPN tunnel between Anapaya and your infrastructure is active.
- Source filtering: Ensure the source IP addresses 34.65.137.1, 35.240.38.174 are allowed to access the reverse proxy.
- Reverse proxy configuration: Check that the reverse proxy is correctly forwarding requests to the appliance management API. Review reverse proxy logs for any connection errors or routing issues.
- Appliance accessibility: Verify that the reverse proxy can reach the appliance management API on your internal network. Test by making a direct API request from the reverse proxy server to the appliance.
- Management API credentials: Confirm that the credentials configured in the CONSOLE match those on the reverse proxy, and that the credentials configured in the reverse proxy match those on the appliance. In both cases, verify both the username and password hash (for basic authentication).
- Firewall rules: Ensure that firewall rules allow traffic between the reverse proxy and the appliance management API.