Question by wvuong, Apr 20, 2016 12:12 PM

Securing the Search API Analytics Endpoint

Currently I am logging analytics through an on-premises endpoint: https://onlinehelp.coveo.com/en/cloud/settingupcloudusageanalyticsloggingbythejavascriptsearchwithanon-premises_index.htm

The endpoint is exposed through HTTP, not HTTPS, so in our production environment, where the site is served through HTTPS, the browser blocks the call to the endpoint. Based on this it seems like we can enable the endpoint to be HTTPS, but is there a way to set the certificate without having the password in plain text in the config.yml?

1 Reply
Answer by Martin Laporte, Apr 20, 2016 12:15 PM

Right now if you want to use the SSL from the endpoint directly there is no way to specify the password other than in the config.yml file, sorry.

Another option that is pretty common, especially when dealing with "external" web sites, is to set up a reverse proxy inside the main site (running IIS in your case I guess). In short you arrange for all requests under a path of your choosing (say /coveoanalytics) to be forwarded to the backend using HTTP. Then you change your search page to use this endpoint instead.
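
The reverse proxy described in this answer, as an added example that is not part of the original post or of Coveo's documentation: a URL Rewrite rule for the main site's web.config. It assumes IIS with the URL Rewrite module and Application Request Routing installed with proxying enabled; the rule name and the BACKEND_* values are placeholders to replace with your own.

```xml
<!-- Added example: goes inside <configuration> in the HTTPS site's web.config. -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- Hypothetical rule name. stopProcessing keeps later rules from
           touching a request that has already been matched here. -->
      <rule name="CoveoAnalyticsReverseProxy" stopProcessing="true">
        <!-- Anchored pattern: only URLs under /coveoanalytics/ are forwarded,
             so the site does not become a general-purpose proxy. -->
        <match url="^coveoanalytics/(.*)" />
        <!-- The browser talks HTTPS to IIS; IIS forwards over plain HTTP to the
             backend. BACKEND_HOST, BACKEND_PORT and BACKEND_ANALYTICS_PATH are
             placeholders, not values from this thread. Keep the backend on
             localhost or a trusted internal network, because this hop is
             unencrypted. -->
        <action type="Rewrite"
                url="http://BACKEND_HOST:BACKEND_PORT/BACKEND_ANALYTICS_PATH/{R:1}" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

With this in place the certificate and its private key are managed by IIS through the Windows certificate store, so no certificate password has to be written into config.yml.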

Comment by Martin Laporte, Apr 20, 2016 12:15 PM

Note that this might be problematic if you're using Windows authentication, although I've seen it work if both IIS and the Search API run on the same server.

Comment by wvuong, Apr 20, 2016 3:08 PM

I am trying the reverse proxy method and have been able to replicate this https://developers.coveo.com/display/public/SearchREST/Configuring+HTTPS+Reverse+Proxy+in+IIS but with the analytics endpoint. I would like to put the rule in the IIS site containing my Sitecore instance, though creating the same rule does not seem to work. Sitecore tries to resolve the URL instead of letting IIS handle the reverse proxy.

Have any of you tried doing something like this?

Comment by Martin Laporte, Apr 21, 2016 6:25 AM

Hmm, on my side I've never set this up along with Sitecore (I'm no Sitecore expert in any way). I will summon someone more knowledgeable to help.

Comment by Jean-François L'Heureux, Apr 21, 2016 4:23 PM

The next release (June 2016) of Coveo for Sitecore 3.0, and the upcoming 4.0 version of Coveo for Sitecore, will route Coveo Analytics calls in the "Coveo Search REST endpoint" inside Sitecore just like the queries are routed. This is to avoid having the Analytics API token in the HTML page and to insert it in the Analytics call on the server side before forwarding the call to the Cloud Usage Analytics endpoint. Those releases will solve your problem and I think you won't even need to route the Analytics calls to your local Coveo Search API service.

For the moment, you're right that Sitecore tries to handle the calls. For the queries, Coveo has processors to avoid this behavior:

<httpRequestBegin>
  <!-- This processor is required to ensure that requests targeting the REST endpoint are not handled by Sitecore. -->
  <processor patch:before="processor[@type = 'Sitecore.Pipelines.HttpRequest.ItemResolver, Sitecore.Kernel']" type="Coveo.SearchProvider.Rest.Processors.HttpRequestBegin.TransferCoveoRestSearchRequest, Coveo.SearchProvider.Rest" />
</httpRequestBegin>

You can create a similar processor for your Analytics reverse proxy path.
