Hi Team,
I am trying to test the RUM functionality of Elastic. As per the documentation, the JavaScript agent would run on the client browser and send the information to the APM host, which means the APM server should be exposed to the internet. Is my understanding correct? Is there another way to use RUM without putting APM nodes on a DMZ network and exposing them to the internet?
Hello Ankita,
Yes, your assumption is correct - that is the reason for the APM server to have mitigation options against attacks.
We are forwarding the RUM data over our application backend:
- the Elastic RUM agent is not configured to use the APM server url, but a special url in our backend, e.g. https://myhost/apm
- this endpoint only accepts authenticated requests. This way, we reduce the attack surface although we cannot get APM data for unauthenticated requests.
- correct requests will then be forwarded to the APM server with a set of whitelisted parameters and HTTP headers from the request
- we have an additional safeguard that can be used to disable RUM monitoring on demand, which does not forward the data to APM but returns HTTP 202 (Accepted) directly
Best regards
Wolfram
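The gateway pattern described in the post above, written out as an added example (not Wolfram's code or anything from the Elastic project): an authenticated backend endpoint at the path the RUM agent is pointed to, a whitelist of forwarded query parameters and headers, and a kill switch that acknowledges with 202 without forwarding. The token validator, the internal APM server address, the whitelists and the request objects are all constructed assumptions; the RUM intake path /intake/v2/rum/events is the APM server's RUM endpoint. The forward is returned as a description instead of being sent over the network, so the code runs offline.

```javascript
// Added example, not the poster's own code. Models a backend gateway that
// sits between the Elastic RUM agent and an APM server that is not exposed
// to the internet.

// Assumed internal APM server address (constructed, not a real host).
const APM_SERVER_URL = 'https://apm-internal.example.invalid:8200';
// Path the RUM agent is configured with via serverUrl, e.g. https://myhost/apm
const PUBLIC_PATH = '/apm';

// Only headers the APM intake needs are forwarded; cookies, the session
// token and anything else the browser sends are dropped.
const ALLOWED_HEADERS = new Set(['content-type', 'content-encoding', 'user-agent']);
// Only whitelisted query parameters reach the APM server (constructed list).
const ALLOWED_QUERY = new Set(['v']);

// Kill switch: when false, requests are acknowledged but not forwarded.
let rumEnabled = true;
function setRumEnabled(flag) { rumEnabled = Boolean(flag); }

// Hypothetical token check standing in for the application's SSO validation.
const VALID_TOKENS = new Set(['constructed-session-token']);
function isValidToken(token) { return VALID_TOKENS.has(token); }

// Copies only the whitelisted headers, normalising names to lower case.
function pickAllowedHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (ALLOWED_HEADERS.has(lower)) out[lower] = value;
  }
  return out;
}

// req is a plain object { method, url, headers, body } standing in for an
// HTTP request (header names in lower case). Returns { status } or
// { status, forward: { url, headers, body } } describing what the gateway
// would send to the APM server.
function handleRumRequest(req) {
  const url = new URL(req.url, 'https://myhost');
  if (req.method !== 'POST' || url.pathname !== PUBLIC_PATH) return { status: 404 };

  // Same authentication as the rest of the application: bearer token.
  const auth = req.headers['authorization'] || '';
  const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : '';
  if (!isValidToken(token)) return { status: 401 };

  // Kill switch active: answer 202 so the agent does not retry, forward nothing.
  if (!rumEnabled) return { status: 202 };

  const target = new URL('/intake/v2/rum/events', APM_SERVER_URL);
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY.has(key)) target.searchParams.set(key, value);
  }
  return {
    status: 202,
    forward: { url: target.toString(), headers: pickAllowedHeaders(req.headers), body: req.body },
  };
}

// Constructed sample request as the browser agent would send it.
const sampleRequest = {
  method: 'POST',
  url: '/apm?v=3&debug=1',
  headers: {
    authorization: 'Bearer constructed-session-token',
    'content-type': 'application/x-ndjson',
    cookie: 'sid=constructed',
  },
  body: '{"metadata":{"service":{"name":"frontend"}}}',
};

module.exports = { handleRumRequest, setRumEnabled, pickAllowedHeaders, sampleRequest };
```

The trade-off Wolfram mentions is visible in the code: a request without a valid token is rejected with 401, so no RUM data is collected for unauthenticated users, which is the price of not exposing the APM intake itself.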
Hello Wolfram,
Thanks for your response. I just have a few follow-up queries.
- You have mentioned that your endpoint only accepts authenticated requests; can you please point out the part of the documentation which talks about it? Based on whatever I have read, the JavaScript agent running in a browser would only send anonymous events.
- How are you disabling RUM on the fly? Is it via the fleet server?
It doesn't. What we have done is that our application itself requires authentication, so we use the existing mechanism to secure the APM endpoint too. To be more specific, our application requires authentication with an SSO provider (like Entra ID or GitHub) and the token is sent to the backend. The same is automatically done for the Elastic RUM agent as the calls go to the same backend system, and only if a valid token is received will the backend forward the RUM agent calls to the APM server.
There may be support from Elastic in the future, but the ticket is still open: Provide integration with external authentication systems for the RUM endpoint · Issue #1718 · elastic/apm-server · GitHub
No, we are also using the infrastructure of our own application: as we do not have a single-page application, we just use the active flag when initialising the agent to either enable or disable the agent.
Hi @Wolfram_Haussig,
Thanks for your support and for the information provided.