Tuesday, October 12, 2010

Apigee and CloudFlare. A DNS-protected API solution

While looking for ways to optimize GSUser a few weeks ago, I came across Apigee, which I now use to track and monitor the people using GSUser. Their site provides analytics on how the API is used and has been a great addition to my internal tools. I especially love their debugger, where you can watch and review requests in real time. If you pay for Apigee, they will even manage your API passwords and OAuth, and they will cache responses.

Last week I started working on getting CloudFlare up on some domains, and I moved GSUser over to their Free plan to see how it worked. CloudFlare protects your website by sitting between your site and the visitor. They provide caching and protection against an array of attacks. Already on GSUser, they have managed to cache 50% of all requests and protect me from almost 400,000 malicious requests.

After testing each individually, I decided to move my largest client over to a subdomain that was protected by CloudFlare and yet still running through Apigee, and this is where things got messy. I had originally routed this subdomain to gsuser.com on Apigee, which then caused CloudFlare to run into a DNS loop.

To properly set up CloudFlare with an Apigee CNAME, follow the steps below:

  1. Create a new subdomain (A record) and point it to your server(s). Then turn off CloudFlare protection on the subdomain.
  2. Go to Apigee, set up your new API, and point it at the subdomain you just created.
  3. After creating your API on Apigee, take your API URL (found under Settings) and create a new DNS CNAME record on CloudFlare pointing to this API URL. You will want CloudFlare protection on this subdomain.
  4. Now go back to Apigee, go to your API's Settings and click "Change CNAME". Enter the public subdomain you just created as your CNAME.
  5. Now you can direct all your API clients to your public subdomain (public.gsuser.com will be active to prove it works for today).
Enjoy your super protected and analytic-friendly API endpoint!
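
The layout from steps 1-5 can be sanity-checked before clients are pointed at it. The following is an added example, not code from the original post: it models each hostname's next hop and flags a routing loop or a record with the wrong CloudFlare setting. All hostnames, the `Hop` model and the shape of the loop (an Apigee target that itself routes back to Apigee) are assumptions made for illustration.

```python
# Added example: hostnames and the hop model are constructed, not from the post.
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    kind: str              # "cname" (DNS), "backend" (Apigee target), "origin" (A record)
    target: str = ""       # next hostname; unused for "origin"
    proxied: bool = False  # CloudFlare protection enabled on this record

def trace(routes, start):
    """Follow hops from start; status is 'origin', 'loop' or 'dangling'."""
    path, seen, host = [start], {start}, start
    while True:
        hop = routes.get(host)
        if hop is None:
            return path, "dangling"
        if hop.kind == "origin":
            return path, "origin"
        host = hop.target
        path.append(host)
        if host in seen:
            return path, "loop"
        seen.add(host)

def check(routes, public, apigee_host):
    """Return the problems found in a layout built from steps 1-5."""
    path, status = trace(routes, public)
    problems = []
    if status != "origin":
        problems.append(f"{status}: " + " -> ".join(path))
    if apigee_host not in path:
        problems.append("public host does not pass through Apigee")
    if not routes[public].proxied:
        problems.append("public host should have CloudFlare on")
    if status == "origin" and routes[path[-1]].proxied:
        problems.append("origin subdomain should have CloudFlare off")
    return problems

APIGEE = "myapi.apigee.example"  # placeholder for the API URL under Settings
GOOD = {
    "public.example.com": Hop("cname", APIGEE, proxied=True),   # step 3
    APIGEE: Hop("backend", "origin.example.com"),               # step 2
    "origin.example.com": Hop("origin"),                        # step 1
}
# Assumed loop: the Apigee target is a hostname that itself routes to Apigee.
BROKEN = dict(GOOD)
BROKEN[APIGEE] = Hop("backend", "www.example.com")
BROKEN["www.example.com"] = Hop("cname", APIGEE, proxied=True)

if __name__ == "__main__":
    for name, routes in (("good", GOOD), ("broken", BROKEN)):
        print(name, check(routes, "public.example.com", APIGEE) or "ok")
```

The origin subdomain from step 1 has CloudFlare turned off, so it resolves straight to the server; this check confirms the layout only, not who can reach that hostname.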

Thanks,
James Hartig
