Reverse proxies
Last updated: October 28, 2024
iProov allows all traffic from the internet to iProov servers to use a reverse proxy in your network. This topic describes how to set up:
- A reverse proxy
- The client SDKs
- X.509 certificate requirements
The fully qualified domain name (FQDN) iproov.customer.com is used as an example.
Native client SDKs
Please see the relevant GitHub documentation for each SDK to set the base URL.
Web SDK
To control the streaming location, set the base_url attribute on the <iproov-me> component:
<iproov-me token="***YOUR_TOKEN_HERE***"
base_url="https://iproov.customer.com"/>
In the Web SDK, additional assets are imported that cannot be part of the main bundle:
- WebAssembly files
- Web worker scripts
- Face detection models
To make it easier for you to reverse proxy to a single domain, we mirror these on our own CDN at: https://cdn.iproov.app/assets
In addition to the base_url you can also set assets_url.
Assets CDN
The default CDN is: https://cdn.iproov.app/assets
To override the default, set assets_url. See the example below and note the use of the /assets suffix:
<iproov-me token="***YOUR_TOKEN_HERE***"
assets_url="https://iproov-assets.customer.com/assets"/>
- The host cdn.iproov.app must be set for routing to work.
- The host cdn.iproov.app is backed by Microsoft Azure CDN with numerous worldwide POP locations.
- The suffix /assets is not used by the main streaming platform. If the path suffix is maintained, the host name can be the same for both assets_url and base_url.
Sample naming conventions
You can define the FQDN of a reverse proxy:
- Customer reverse proxy: iproov.mydomain.com
- iProov reverse proxy (depends on the iProov multi-tenant platform that you are using): eu.rp.secure.iproov.me
Firewall rules
Source | Destination | Protocol | Ports | Justification |
---|---|---|---|---|
Internet | Customer reverse proxy (iproov.mydomain.com) | TCP | 443 | Handset connectivity (socket.io) |
Customer reverse proxy (iproov.mydomain.com) | iProov reverse proxy (eu.rp.secure.iproov.me) | TCP | 443 | Socket.io |
Configure reverse proxies
- All traffic sent to iproov.customer.com should reverse proxy to eu.rp.secure.iproov.me (for claims being processed in the EU region).
- You must maintain the URI parameters.
- No further modifications or load distributions are required as the FQDN eu.rp.secure.iproov.me will resolve to multiple iProov reverse proxies to provide resilience. These handle load distribution across the available iProov infrastructure.
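The rules above, sketched as an nginx server block. This is an added example, not configuration supplied by iProov: nginx as the customer reverse proxy, the certificate and CA bundle paths, the Host header choice and the WebSocket upgrade handling are assumptions.

```nginx
# Added example; place inside the http {} context.
# Sets "Connection: upgrade" only when the client asks for a WebSocket upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name iproov.customer.com;

    # Customer-provisioned certificate for iproov.customer.com (placeholder paths).
    ssl_certificate     /etc/nginx/tls/iproov.customer.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/iproov.customer.com.key.pem;

    location / {
        # No URI after the host name: nginx passes the original path and
        # query string (token, EIO, transport, t) through unmodified.
        # nginx resolves this name when the configuration is loaded.
        proxy_pass https://eu.rp.secure.iproov.me;

        # Present the upstream name in SNI and in the Host header
        # (assumption: the iProov reverse proxy routes on its own FQDN).
        proxy_ssl_server_name on;
        proxy_ssl_name        eu.rp.secure.iproov.me;
        proxy_set_header      Host eu.rp.secure.iproov.me;

        # Upstream certificate verification is off by default in nginx.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # Placeholder CA bundle path.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Socket.io may upgrade from polling to WebSocket (assumption).
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
    }
}
```

Adding a path after the upstream host in proxy_pass, or a rewrite that drops the query string, would break the requirement to maintain the URI parameters.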
Responsibilities
Implementation item | Owner |
---|---|
Provision of public IP address or SNI configuration for iproov.customer.com. | Customer |
Provisioning of TLS certificate for iproov.customer.com. | Customer |
DNS configuration for iproov.customer.com. | Customer |
Configuration of iproov.customer.com to reverse proxy all traffic to eu.rp.secure.iproov.me. | Customer |
Provision of public IP address or SNI configuration for eu.rp.secure.iproov.me. | iProov |
Provision of eu.rp.secure.iproov.me. | iProov |
Provisioning of TLS certificate for eu.rp.secure.iproov.me. | iProov |
Configuration of eu.rp.secure.iproov.me to reverse proxy all traffic to available iProov edge servers based on the hash or ‘token’ parameter from the URI. | iProov |
Test reverse proxy solution end-to-end. | Customer |
Example flow
From | To | URL | Comments |
---|---|---|---|
Handset | Customer reverse proxy | https://iproov.customer.com/socket.io/v2/?token=43367a4e5a7247644d577934674735634958414677716b4c372b5469584c5950&EIO=3&transport=polling&t=LuFKb5_ | Socket.io connection from the handset. |
Customer reverse proxy | iProov reverse proxy | https://eu.rp.secure.iproov.me/socket.io/v2/?token=43367a4e5a7247644d577934674735634958414677716b4c372b5469584c5950&EIO=3&transport=polling&t=LuFKb5_ | |