Skip to main content
Version: 1.14

Web Application Firewall

Microservices

If you have a Web Application Firewall between REGARDS and the Internet, you can use the following table to set up a whitelist or a blacklist to restrict access to microservices that are not used by users while they browse the User app.

REGARDS MicroServicesReachable by browsing on User appShould be blocked by firewallNot proxyfied
rs-configYes
rs-registryYes
rs-gatewayYes
rs-admin-instancePartiallyYes
rs-adminPartiallyYes
rs-authenticationYes
rs-damPartiallyYes
rs-notifierYes
rs-femYes
rs-catalogYes
rs-access-instanceYes
rs-access-projectYes
rs-storageYes
rs-orderYes
rs-ingestYes
rs-dataproviderYes
rs-worker-managerYes
rs-deliveryYes
rs-lta-managerYes
rs-processingYes
rs-file-catalogYes
rs-file-accessYes
rs-file-packagerYes

If a microservice should be blocked by the Web Application Firewall, you can add /<microservice name>/ to your blacklist, which will block any call to https://host.com/api/v1/<microservice name>/some/path.

Microservices marked as reachable by browsing on User app means they expose an alternative microservice name /<microservice name>-public/, which means users on the User app side will reach https://host.com/api/v1/<microservice name>-public/some/path and not https://host.com/api/v1/<microservice name>/some/path (notice the -public postfix).
You can safely blacklist /<microservice name>/ as users on User app are hitting /<microservice name>-public/.

Unproxyfied services

Microservices CONFIG and REGISTRY are not available through the gateway as only REGARDS microservices needs to contact them.

Endpoints

You should block the following path in your Web Application Firewall:

Endpoint pathDescription
/actuator/Provides prometheus statistics, healthiness
/swagger-ui/Provides endpoints descriptor
/admin/REGARDS Admin HMI