A reverse proxy is a server that intercepts and forwards incoming requests from clients to backend servers. It functions like a proxy server but operates in reverse. To the external client, the reverse proxy often appears as the sole server, masking the internal architecture. A reverse proxy sits between the local building systems and KODE OS, receiving incoming requests from the systems and forwarding them to the appropriate destination.
Server with Internet connectivity: You will need a server that is connected to the Internet. This server will act as the reverse proxy, handling incoming requests from the Internet and forwarding them to the appropriate local network resources. To run the Cloudflare Agent, the host server should meet the following minimum requirements:
The Agents responsible for exposing APIs must run continuously to ensure constant accessibility. Therefore, the jumping server hosting the agent should be operational at all times. Failure of the jumping server will result in the failure of the exposed APIs hosted by the agent. While there is no built-in high availability (HA) solution, running two different Agents on separate jumping servers within the same network can provide a degree of redundancy.
The reverse proxy solution allows the creation of an unlimited number of tunnels based on specific needs. Typically, one Agent can run per site (building) and expose several APIs of IoT devices. Each exposed API will be associated with a separate tunnel. For security purposes, all communication between the KODE OS Infrastructure and Building's IoT Jace/Niagara, or other IoT devices, is encrypted using SSL.
The solution provides options to apply restrictions and limit access permissions to exposed APIs. Implementing policies, such as one policy for KODE OS Office IPs and another for another infrastructure IP, allows APIs to be reachable only from specific environments while restricting access from other sites. Other policies can also be applied to allow or block access to exposed APIs. These policies can be applied per tunnel or at the Agent level, thereby limiting the reachability of all tunnels/endpoints running from a specific Agent to defined IP sources.
One notable feature of the reverse proxy solution is the ability to use custom domain names. For instance, if KODE OS uses the domain kodelabs.com, all services or APIs exposed can be associated with their respective custom domains. In the example given in Table 2, if a building with 4 Jaces is exposed, each API will have its own domain associated with kodelabs.com.
Table 2. Example of APIs exposed using official custom domains:
KODE Labs uses Cloudflare as a Zero Trust tunneling solution. This is a highly secure network connectivity approach, which we leverage for the following reasons:
Enhanced Security: Cloudflare Zero Trust tunneling enforces a "never trust, always verify" approach, which means that every access request is authenticated and authorized before granting access to applications or resources. This significantly reduces the attack surface and minimizes the risk of unauthorized access.
Simplified Access Management: Cloudflare's Zero Trust platform provides a centralized management console, allowing you to define and enforce access policies across your entire organization easily. This simplifies the process of managing access for remote employees, third-party vendors, and other users.
Setting up a Cloudflare reverse proxy involves a few general steps regardless of the operating system you are using. Below is an overview of the process for setting up the reverse proxy in different OS environments.
Please note that the valid tokens will be shared along with this documentation.
Remotely managed tunnels require that you install cloudflared 2022.03.04 or later. Ensure you store your token securely, as this command contains a sensitive token that grants access to run the connector. Anyone possessing this token will have the ability to execute the tunnel.
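A preflight check for the two conditions above, written as an added example (not part of the original documentation or of Cloudflare's tooling): it compares a `cloudflared --version` string against the 2022.03.04 minimum and confirms that the token file is owner-only and well formed, without printing it. The function names, the sample token and the assumed token layout (base64-encoded JSON with the keys `a`, `s` and `t`) are illustrative assumptions.

```shell
#!/bin/sh
# Added example: preflight checks before `cloudflared service install <TOKEN>`.
MIN_VERSION="2022.3.4"  # the page's minimum (2022.03.04) without zero padding

# version_ok "<output of cloudflared --version>": succeeds if >= MIN_VERSION.
version_ok() {
    have=$(printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$have" ] || return 1
    # Compare the three dot-separated fields numerically, left to right.
    printf '%s %s\n' "$have" "$MIN_VERSION" | awk '{
        split($1, h, "."); split($2, m, ".")
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > m[i] + 0) exit 0
            if (h[i] + 0 < m[i] + 0) exit 1
        }
        exit 0
    }'
}

# token_file_ok PATH: succeeds if the file is owner-only and holds a
# well-formed token. Nothing from the token is printed.
token_file_ok() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of `ls -l` are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
    json=$(tr -d ' \n\r' < "$1" | base64 -d 2>/dev/null) || return 1
    # Assumption: the token is base64-encoded JSON with keys "a", "s", "t".
    for key in a s t; do
        case $json in *"\"$key\":\""*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample token (all-zero fields, not a real credential).
sample_token() {
    printf '%s' '{"a":"00000000","s":"AAAA","t":"00000000-0000-0000-0000-000000000000"}' |
        base64 | tr -d '\n'
}

# Demo on constructed input; mktemp creates the file with mode 0600.
demo_file=$(mktemp)
sample_token > "$demo_file"
version_ok "cloudflared version 2024.2.1 (built 2024-02-20-1200 UTC)" &&
    token_file_ok "$demo_file" && echo "preflight passed"
rm -f "$demo_file"
```

On a real host, pass `"$(cloudflared --version)"` to `version_ok` and point `token_file_ok` at the file holding the provided token; the version comparison is numeric, so 2022.10.0 is correctly treated as newer than 2022.3.4.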
To connect your tunnel to Cloudflare, run one of the following commands in a terminal window.
Download the most recent Cloudflare version for Windows
Run the installer.
The files will be extracted to either C:\Program Files (x86)\cloudflared (for x86 setup) or C:\Program Files\cloudflared (for x64 setup).
Open Command Prompt as Administrator.
After these steps are completed, run the following command:
cloudflared.exe service install <TOKEN>
where <TOKEN> is the token which will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNjg…)
Install Homebrew
Run the following command in the Terminal to install Cloudflare:
To install cloudflared on your machine, run the following command:
brew install cloudflare/cloudflare/cloudflared &&
sudo cloudflared service install <TOKEN>
where <TOKEN> is the token which will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNjg…)
If you already have cloudflared installed on your machine, then run the following command:
sudo cloudflared service install <TOKEN>
where <TOKEN> is the token which will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwjg…)
To connect your tunnel to Cloudflare, run the following command in a terminal window.
docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TOKEN>
where <TOKEN> is the token which will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNjg…)
To connect your tunnel to Cloudflare, copy-paste one of the following commands into a terminal window.
Run the following command in the terminal window:
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb &&
sudo dpkg -i cloudflared.deb &&
sudo cloudflared service install <TOKEN>
where <TOKEN> is the token which will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNjg…)
If you already have cloudflared installed on your machine:
sudo cloudflared service install <TOKEN>
where <TOKEN> is the token which will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNj…)
To connect your tunnel to Cloudflare, run one of the following commands in a terminal window.
Run the following command in the terminal window:
curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm &&
sudo yum localinstall -y cloudflared.rpm &&
sudo cloudflared service install <TOKEN>
where <TOKEN> is the token which will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNj…)
If you already have cloudflared installed on your machine:
sudo cloudflared service install <TOKEN>
where <TOKEN> is the token which will be provided (e.g. eyJhIjoiOWNlMDVjNjM3MGM2MzYwNg…)