Configuring a Transparent Proxy


On Linux systems with the TPROXY kernel option enabled, you can configure the API Gateway as a transparent proxy. This enables the API Gateway to present itself as having the server's IP address from the point of view of the client, and/or having the client's IP address from the point of view of the server. This can be useful for administrative or network infrastructure purposes (for example, to keep using existing client/server IP addresses, and for load-balancing).

You can configure transparent proxy mode both for inbound and outbound API Gateway connections:

  • Incoming interfaces can listen on IP addresses that are not assigned to any interface on the local host.

  • Outbound calls can present the originating client's IP address to the destination server.

Both of these options act independently of each other.

Configuring Transparent Proxy Mode for Incoming Interfaces

To enable transparent proxy mode on an incoming interface, perform the following steps:

  1. In the Policy Studio tree view, expand the Listeners -> Oracle API Gateway nodes.

  2. Right-click your service, and select Add Interface -> HTTP or HTTPS to display the appropriate dialog (for example, Configure HTTP Interface).

  3. Select the checkbox labeled Transparent Proxy (allow bind to foreign address). When selected, the value in the Address field can specify any IP address, and incoming traffic for the configured address/port combinations is handled by the API Gateway.

For more details on configuring interfaces, see Configuring HTTP Services.

Configuring Transparent Proxy Mode for Outgoing Calls

Transparent proxy mode for outgoing calls must be enabled at the level of a connection filter in a policy. To enable transparent proxy mode for outbound calls, perform the following steps:

  1. Ensure that your policy contains a connection filter (for example, Connect to URL or Connection, available from the Routing category in the filter palette).

  2. In your connection filter, select the Advanced tab.

  3. Select the checkbox labeled Transparent Proxy (present client's IP address to server). When selected, the IP address of the original client connection that caused the policy to be invoked is used as the local address of the TCP connection to the destination server.

For more details on configuring connection filters, see Connection and Connect to URL .

Configuration Example

A typical configuration example of transparent proxy mode is shown as follows:

Transparent Proxy Example

In this example, the remote client’s address is, and it is attempting to connect to the server at, port 80. The front-facing firewall is configured to route traffic for through the API Gateway at address The server is configured to use the API Gateway at address as its default IP router.

The API Gateway is multi-homed, and sits on both the and networks. It is configured with a listening interface at address, with transparent proxy mode switched on, as shown in the following Configure HTTP Interface dialog:

Configure HTTP Interface

The API Gateway accepts the incoming call from the client, and processes it locally. However, there is no communication with the server yet. The API Gateway can process the call to completion and respond to the client—it is masquerading as the server.

If the API Gateway invokes a connection filter when processing this call (with transparent proxying enabled), the connection filter consults the originating address of the client, and binds the local address of the new outbound connection to that address before connecting. The server then sees the incoming call on the API Gateway originating from the client (, rather than either of the API Gateway's IP addresses. The following dialog shows the example configuration for the Connect to URL filter:

Configure Connection

The result is a transparent proxy, where the client sees itself as connecting directly to the server, and the server sees an incoming call directly from the client. The API Gateway processes two separate TCP connections, one to the client, one to the server, with both masquerading as the other on each connection.

[Note] Note

Either side of the transparent proxy is optional. By configuring the appropriate settings for the incoming interface or the connection filter, you can masquerade only to the server, or only to the client.