Developers
Reverse Proxies
iProov allows all traffic from the internet to iProov servers to use a reverse proxy in your network. This topic describes how to setup:
- A reverse proxy
- The client SDKs
The fully qualified domain name (FQDN) iproov.customer.com is used as an example.
Native SDKs
Please refernece the corresponding sections regarding base_url configuration in the Android and iOS Github readmes.
Web SDKs
To control the streaming location, set the base_url attribute on the <iproov-me> component:
<iproov-me token="***YOUR_TOKEN_HERE***"
base_url="https://iproov.customer.com"/>
In the Web SDK, additional assets are imported that cannot be part of the main bundle:
- WebAssembly files
- Web worker scripts
- Face detection models
To make it easier for you to reverse proxy to a single domain, we mirror these on our own CDN at: (https://cdn.iproov.app/assets)
In addition to the base_url you can also set assets_url.
Assets CDN
The default CDN is: https://cdn.iproov.app/assets
To override the default, set assets_url, see the example below and the use of the /assets suffix:
<iproov-metoken="***YOUR_TOKEN_HERE***"
assets_url="https://iproov-assets.customer.com/assets"/>
Important:
- The host cdn.iproov.app must be set for routing to work.
- The suffix /assets is not used by the main streaming platform. If the path suffix is maintained, the host name can be the same for both assets_url and base_url.
Firewall rules
| Source | Destination | Protocol | Ports | Justification |
|---|---|---|---|---|
| Internet | Customer reverse proxy (iproov.mydomain.com) | TCP | 443 | Handset connectivity (websocket) |
| Customer reverse proxy (iproov.mydomain.com) | iProov reverse proxy (eu.rp.secure.iproov.me) | TCP | 443 | Websocket |
Configure reverse proxies
- All traffic sent to iproov.customer.com should reverse proxy to eu.rp.secure.iproov.me (for claims being processed in the EU region).
- You must maintain the URI parameters.
- No further modifications or load distributions are required as the FQDN eu.rp.secure.iproov.me will resolve to multiple iProov reverse proxies to provide resilience. These handle load distribution across the available iProov infrastructure.
Responsibilities
| implementationn item | Owner |
|---|---|
| Provision of public IP address or SNI configuration foriproov.customer.com. | Customer |
| Provisioning of TLS certificate foriproov.customer.com. | Customer |
| DNS configuration foriproov.customer.com. | Customer |
| Configuration ofiproov.customer.comto reverse proxy all traffic toeu.rp.secure.iproov.me. | Customer |
| Provision of public IP address or SNI configuration foreu.rp.secure.iproov.me. | iProov |
| Provision ofeu.rp.secure.iproov.me. | iProov |
| Provisioning of TLS certificate foreu.rp.secure.iproov.me. | iProov |
| Configuration ofeu.rp.secure.iproov.meto reverse proxy all traffic to available iProov edge servers based on the hash or ‘token’ parameter from the URI. | iProov |
| Test reverse proxy solution end-to-end. | Customer |
Example flow
| From | To | URL | Comments |
|---|---|---|---|
| Handset | Customer reverse proxy | https://iproov.customer.com/socket.io/v2/?\token=43367a4e5a7247644d577934674735634958414677716b4c372b5469584c5950&EIO=3&transport=polling&t=LuFKb5_ |
Socket.ioconnection from the handset. |
| Customer reverse proxy | iProov reverse proxy | https://eu.rp.secure.iproov.me/socket.io/v2/?\token=43367a4e5a7247644d577934674735634958414677716b4c372b5469584c5950&EIO=3&transport=polling&t=LuFKb5_ |