RUM support in Elastic

Ankita_Pachauri · September 17, 2024, 12:20pm

Hi Team,

I am trying to test the RUM functionality of Elastic. As per the documentation, the javascript agent would run on the client browser and send the information to the APM host which means the APM server should be exposed to the internet. Is my understanding correct? Is there another way to use RUM without putting APM nodes on a DMZ network and exposing it to the internet?

Wolfram_Haussig · September 18, 2024, 4:32am

Hello Ankita,

Yes, your assumption is correct - that is the reason for the APM server to have mitigation options against attacks.

We are forwarding the RUM data over our application backend:

the Elastic RUM agent is not configured to use the APM server url, but a special url in our backend, e.g. https://myhost/apm
this endpoint only accepts authenticated requests. This way, we reduce the attack surface although we cannot get APM data for unauthenticated requests.
correct requests will then be forwarded to the APM server with a set of whitelisted parameters and HTTP headers from the request
we have an additional safeguard that can be used to disable RUM monitoring on demand which does not forward the data to APM but returns HTTP202 (ACCEPTED) directly

Best regards
Wolfram

Ankita_Pachauri · September 18, 2024, 3:48pm

Hello Wolfram,

Thanks for your response. I just have a few follow up queries.

You have mentioned that your endpoint only accepts authenticated requests, can you please point out the part of the documentation which talks about it. Based on whatever I have read, the javascript agent running in a browser would only send anonymous events.
How are you disabling RUM on the fly? Is it via the fleet server?

Wolfram_Haussig · September 19, 2024, 4:46am

It doesn't. What we have done is that our application itself requires authentication so we use the existing mechanism to secure the APM endpoint too. To be more specific, our application requires authentication with an SSO provider (like EntraID or Github) and the token is sent to the backend. The same is automatically done for the Elastic RUM agent as the calls go to the same backend system and only if a valid token is received, the backend will forward the RUM agent calls to the APM server.

There may be support from Elastic in the future, but the ticket is still open: Provide integration with external authentication systems for the RUM endpoint · Issue #1718 · elastic/apm-server · GitHub

No, we are also using the infrastructure of our own application: As we do not have a Single-Page-Application we just use the active flag when initialising the agent to either enable or disable the agent.

Ankita_Pachauri · September 19, 2024, 8:06am

Hi @Wolfram_Haussig,
Thanks for your support for the provided information.

Topic		Replies	Views
Authentication of RUM event post from browser APM rum , server	4	652	September 23, 2019
ELK APM Security (RUM agents) APM rum	5	405	April 11, 2023
Can't send data to RUM Endpoint despite having it enabled Elastic Observability	0	14	September 6, 2024
Elastic APM RUM architecture APM rum , server	3	726	December 9, 2020
RUM Agent - APM Server location only known after page load APM rum	2	338	May 26, 2023

RUM support in Elastic

Related Topics