Reverse Proxy Solution

1. Reverse Proxy as a Solution

A reverse proxy is a server that intercepts and forwards incoming requests from clients to backend servers. It functions like a proxy server but operates in reverse. To the external client, the reverse proxy often appears as the sole server, masking the internal architecture. A reverse proxy sits between the local building systems and KODE OS, receiving incoming requests from the systems and forwarding them to the appropriate destination.

Why add this extra middleman?

  1. Connectivity and Interoperability: The reverse proxy enables seamless connectivity between the local building systems and KODE OS, regardless of the protocols or communication standards they use. It can translate different protocols into a common standard that KODE OS understands, facilitating interoperability among diverse systems.
  2. Scalability and Flexibility: The reverse proxy setup allows for easy scalability and flexibility. New building systems can be added or removed without directly impacting KODE OS. It also enables easy configuration changes, such as adding custom headers, caching, or load balancing, to optimize performance and adapt to evolving requirements.   

1.2 Implementation Requirements

When configuring a reverse proxy, the following requirements should be met: 

  • Server with Internet connectivity: You will need a server that is connected to the Internet. This server will act as the reverse proxy, handling incoming requests from the Internet and forwarding them to the appropriate local network resources. To run the Cloudflare Agent, the host server should meet the following minimum requirements:


The actual resource requirements for the Cloudflare Agent may vary depending on the number of endpoints being protected, the amount of traffic being processed, and the specific features being used. Consult the Cloudflare documentation for additional information on agent deployment and best practices for server configuration and management.

  • Communication with IoT devices: The server hosting the agent must be able to reach the IoT devices, such as Niagara, Jaces, or other IoT devices, whose APIs are to be exposed.

1.3 Agent Considerations

The Agents responsible for exposing APIs must run continuously to ensure constant accessibility. Therefore, the jump server hosting the agent should be operational at all times: if the jump server fails, the APIs exposed by the agent it hosts become unavailable. While there is no built-in high availability (HA) solution, running two separate Agents on different jump servers within the same network can provide a degree of redundancy.


1.4 Establishing Tunnels

The reverse proxy solution allows the creation of an unlimited number of tunnels based on specific needs. Typically, one Agent runs per site (building) and exposes several APIs of IoT devices. Each exposed API is associated with a separate tunnel. For security purposes, all communication between the KODE OS infrastructure and the building's Jace/Niagara or other IoT devices is encrypted using SSL.


1.5 Access Lists and IP Restrictions

The solution provides options to apply restrictions and limit access permissions to exposed APIs. Implementing policies, such as one policy for KODE OS office IPs and another for other infrastructure IPs, allows APIs to be reachable only from specific environments while blocking access from other sites. Other policies can also be applied to allow or block access to exposed APIs. These policies can be applied per tunnel or at the Agent level, thereby limiting the reachability of all tunnels/endpoints running from a specific Agent to the defined IP sources.


1.6 Utilizing Custom Domains

One notable feature of the reverse proxy solution is the ability to use custom domain names. For instance, if KODE OS uses the domain kodelabs.com, every service or API exposed can be associated with its own custom domain under it. In the example given in Table 2, if a building with 4 Jaces is exposed, each API will have its own domain associated with kodelabs.com.


Table 2. Example of APIs exposed using official custom domains:



2. Cloudflare Zero Trust

KODE Labs uses Cloudflare as a Zero Trust tunneling solution. This is a highly secure network connectivity approach, which we leverage for the following reasons:

  • Enhanced Security: Cloudflare Zero Trust tunneling enforces a "never trust, always verify" approach, which means that every access request is authenticated and authorized before granting access to applications or resources. This significantly reduces the attack surface and minimizes the risk of unauthorized access.

  • Simplified Access Management: Cloudflare's Zero Trust platform provides a centralized management console, allowing you to define and enforce access policies across your entire organization easily. This simplifies the process of managing access for remote employees, third-party vendors, and other users.

2.1 Cloudflare Installation

Setting up a Cloudflare reverse proxy involves a few general steps regardless of the operating system you are using. Below is an overview of the process for setting up the reverse proxy on different OS environments.


Please note that the valid tokens will be shared along with this documentation.

Remotely managed tunnels require cloudflared 2022.03.04 or later. Store your token securely: the install commands below contain a sensitive token that grants access to run the connector, and anyone possessing this token will be able to run the tunnel.


2.1.1 Windows

To connect your tunnel to Cloudflare, complete the following steps in a terminal window.

  1. Download the most recent cloudflared version for Windows:
     • 64-bit
     • 32-bit

  2. Run the installer.

  3. The files will be extracted to either C:\Program Files (x86)\cloudflared (for the x86 setup) or C:\Program Files\cloudflared (for the x64 setup).

  4. Open Command Prompt as Administrator.

  5. After the above steps are completed, run the following command:

cloudflared.exe service install <TOKEN>

where <TOKEN> is the token that will be provided, e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNjg…

2.1.2 macOS

  1. Install Homebrew.

  2. Run the following command in the Terminal to install cloudflared and register the service:

brew install cloudflare/cloudflare/cloudflared && sudo cloudflared service install <TOKEN>

where <TOKEN> is the token that will be provided, e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNjg…

  3. If you already have cloudflared installed on your machine, run only the following command:

sudo cloudflared service install <TOKEN>

where <TOKEN> is the token that will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwjg…)


2.1.3 Docker

To connect your tunnel to Cloudflare, run the following command in a terminal window:

docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TOKEN>

where <TOKEN> is the token that will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNjg…)


2.1.4 Debian

To connect your tunnel to Cloudflare, copy and paste one of the following commands into a terminal window.

  1. If cloudflared is not installed yet, run the following command:

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && 
sudo dpkg -i cloudflared.deb && 
sudo cloudflared service install <TOKEN>

where <TOKEN> is the token that will be provided, e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNjg…

  2. If you already have cloudflared installed on your machine:

sudo cloudflared service install <TOKEN>

where <TOKEN> is the token that will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNj…)



2.1.5 Red Hat

To connect your tunnel to Cloudflare, run one of the following commands in a terminal window.

  1. If cloudflared is not installed yet, run the following command:

curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm && 
sudo yum localinstall -y cloudflared.rpm && 
sudo cloudflared service install <TOKEN>

where <TOKEN> is the token that will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNj…)

  2. If you already have cloudflared installed on your machine:

sudo cloudflared service install <TOKEN>

where <TOKEN> is the token that will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNg…)



To finalize the setup on both ends, once the agent installation is completed, the next step is to provide the server's local IP address and port to the KODE team (e.g., 192.168.x.x). When setting up a reverse proxy tunnel, it is generally beneficial to schedule a call with the KODE DevOps team so that the token can be exchanged during the call. This allows the connection to be verified promptly and saves time on both sides.
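The warning above about the token applies to every "service install" command in this section: pasted on the command line, the token ends up in shell history and on a shared screen. The script below is an added example (not part of the KODE Labs documentation or of cloudflared) that reads the token from a root-only file, checks the file mode and the token's shape before handing it to cloudflared, and only then runs the install step. The path /etc/cloudflared/tunnel.token and the "eyJ" prefix check (base64 of '{"', matching the tokens quoted in this document) are assumptions.

```shell
#!/bin/sh
# Added example (not from the KODE Labs documentation): register the cloudflared
# connector with the tunnel token read from a root-only file instead of pasting the
# token on the command line, so it never lands in shell history or a shared terminal.
# Assumed path: /etc/cloudflared/tunnel.token (override with TOKEN_FILE=...).

TOKEN_FILE="${TOKEN_FILE:-/etc/cloudflared/tunnel.token}"

# True when the file is a regular file whose group/other permission bits are all clear
# (mode 0600 or stricter). Uses ls so it works on both Linux and macOS hosts.
token_file_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Sanity check before handing the value to cloudflared: non-empty, base64 alphabet
# only, and starting with "eyJ" (base64 of '{"'), as the tokens in this document do.
token_looks_valid() {
  [ -n "$1" ] || return 1
  case "$1" in *[!A-Za-z0-9+/=_-]*) return 1 ;; esac
  case "$1" in eyJ*) return 0 ;; *) return 1 ;; esac
}

# Perform the "sudo cloudflared service install <TOKEN>" step from this section.
# Refuses to proceed if the token file is readable by other users or looks malformed.
install_connector() {
  f="${1:-$TOKEN_FILE}"
  if ! token_file_is_private "$f"; then
    echo "refusing: $f must exist and be mode 0600 (chmod 600 $f)" >&2
    return 1
  fi
  token=$(cat "$f")
  if ! token_looks_valid "$token"; then
    echo "refusing: contents of $f do not look like a cloudflared tunnel token" >&2
    return 1
  fi
  sudo cloudflared service install "$token"
}

# Only perform the install when explicitly asked, so the checks can be sourced safely.
if [ "${1:-}" = "--install" ]; then
  install_connector
fi
```

Run it as `sh install-connector.sh --install` on the jump server after placing the token in the file with `chmod 600`; the checks run first and the install is skipped if either fails.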


