Reverse proxy selection and configuration for digital channel interactions
Minimum and additional requirements
Minimum requirements
Contact Center administrators must select an appropriate reverse proxy. Any reverse proxy that meets the following minimum requirements can be used:
- Supports HTTP2/TLS 1.2.
- Has a proper logging mechanism for easy debugging of issues and includes a Tracking ID to easily track the task requests.
- Supports failover between the Cloud Connect nodes with health check.
- Supports X-Forwarded headers. The solution uses these headers to decide how to handle a request when front-ended with a load balancer.
Additional requirements
Some desirable requirements in a reverse-proxy are as follows:
- Consider deploying proxies that are built on non-blocking IO-based technology instead of the traditional thread-per-request architecture, to scale better.
- Apply rate limiting and configure an allowed list of Webex Connect or load balancer IPs.
Performance and hardware recommendation
For details, see Performance and Hardware Recommendations.
Configure custom reverse proxy
Install the host OS and reverse-proxy of your choice. Consider the following points while configuring the reverse-proxy:
- Configure SSL certificates as required.
- Configure the Mutual Transport Layer Security (mTLS) authentication between the reverse proxy and Cloud Connect.
- Add the list of trusted reverse proxy IP addresses and the corresponding hostnames on the publisher and subscriber nodes of Cloud Connect. For details, see Add Proxy IP.
- Configure SSL certificate verification to establish communication between the reverse proxy host and the Digital Routing service. For details, see Configure reverse proxy host verification.
- Configure both nodes (publisher and subscriber) of Cloud Connect for task requests. Implement HTTP health check and failover to the subscriber node. The health check API that the Digital Routing service supports is /drapi/v1/ping.
- The DataConn callback requests are routed through the reverse proxy. Configure the DataConn requests to the upstream Cloud Connect publisher node. The DataConn service runs only on the publisher node of Cloud Connect.
Host header configuration
The following are the mandatory HTTP headers that the reverse-proxy has to set, along with the actual headers set by the client, before forwarding them to the Finesse server.
Header | Description |
---|---|
X-Client-IP X-Real-IP | The reverse-proxy must populate this custom header as the client's IP address before forwarding it to Cloud Connect. |
Host | The Host request header specifies the host and port number of the server to which the request is being sent. If no port is included, the default port for the service requested (for example, 443 for an HTTPS URL and 80 for an HTTP URL) is used. An HTTP/1.1 proxy ensures that any request message it forwards contains an appropriate Host header field to identify the service being requested by the proxy. This value is used by Cloud Connect to find if the request is sent via the allowed list of proxies configured in Cloud Connect. |
X-Forwarded-For | The IP of the reverse-proxy has to be appended or set. Cloud Connect uses this header to find if the request is from the allowed list of reverse-proxies. When the request is forwarded through multiple reverse-proxies or load balancer, the values of all reverse-proxies are appended to the rightmost value of this header. |
X-Forwarded-Port | The reverse-proxy should set the listening port on this header. Cloud Connect server receives all the requests internally via 8445 port. |
Connection | Any Connection value in the HTTP header that is set by the client must be cleared and forwarded to the Cloud Connect server so that the server decides the connection management and not the client. This prevents security outages. |
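
The header handling in the table above, written out in Python as an added example (it is not Cisco's code or the configuration of any particular proxy product). The function name, its parameters, the operator-chosen Host value, and the choice to keep an inbound X-Forwarded-For chain only from a trusted load balancer are assumptions; the addresses are constructed.

```python
import ipaddress

# Headers the proxy owns. Client-supplied copies (any letter case) are dropped.
PROXY_OWNED = {"x-client-ip", "x-real-ip", "x-forwarded-for",
               "x-forwarded-port", "host", "connection"}


def build_upstream_headers(client_headers, peer_ip, proxy_ip, listen_port,
                           host, trusted_front_ends=()):
    """Return the headers to forward upstream, following the table above.

    peer_ip            -- address this proxy sees as the client
    proxy_ip           -- this reverse proxy's own address
    listen_port        -- port on which this proxy accepted the request
    host               -- Host value to send (assumption: chosen by the operator)
    trusted_front_ends -- networks (assumption) whose X-Forwarded-For is kept
    """
    peer = ipaddress.ip_address(peer_ip)  # raises ValueError on a malformed address
    inbound = {k.lower(): v for k, v in client_headers.items()}

    # Pass through everything the proxy does not own. The client's Connection
    # header is dropped here and never re-added.
    out = {k: v for k, v in client_headers.items() if k.lower() not in PROXY_OWNED}

    # Overwrite, never merge: a client-sent X-Real-IP must not survive.
    out["X-Client-IP"] = out["X-Real-IP"] = str(peer)

    # "Appended or set": append only when the peer is a trusted load balancer,
    # otherwise discard the inbound chain and set a fresh value.
    chain = []
    if any(peer in ipaddress.ip_network(net) for net in trusted_front_ends):
        chain = [p.strip() for p in inbound.get("x-forwarded-for", "").split(",")
                 if p.strip()]
    chain.append(str(ipaddress.ip_address(proxy_ip)))
    out["X-Forwarded-For"] = ", ".join(chain)
    out["X-Forwarded-Port"] = str(listen_port)
    out["Host"] = host
    return out


if __name__ == "__main__":
    # Constructed request: documentation-range addresses, spoofed headers.
    sample = {"Host": "spoofed.example", "X-Real-IP": "10.0.0.1",
              "X-Forwarded-For": "10.0.0.1", "Connection": "keep-alive",
              "Content-Type": "application/json"}
    for name, value in build_upstream_headers(
            sample, "203.0.113.7", "198.51.100.10", 443,
            "proxy.example.com").items():
        print(f"{name}: {value}")
```

The same rules map onto the header-setting directives of whichever reverse proxy is deployed; comparing the headers actually received upstream against this function's output is one way to check a configuration.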