Google Callout Enforcer

This guide describes how to install and configure the self-hosted Google Callout Enforcer.

General information

Google Callout Enforcer is a service that runs on the client's premises and communicates with the "ext_proc" (External Processing) filter of the client's Envoy. For every request, Envoy sends the request headers to Callout Enforcer and waits for the status response. The status response is either "pass" or "block and display Captcha page".

Details about Google Callout Enforcer

  1. By default, it uses a configuration file named pxconf.json, located in the /etc folder
  2. By default, it listens on port 50051
  3. The perimeterx/px_callout_enforcer:latest Docker image contains the Google Callout Enforcer application

Configure steps for Envoy and Google Callout Enforcer

  1. Configure Envoy's ext_proc filter (Details)
  2. Add a new "callout" cluster to the Envoy configuration (Details)
  3. Configure Google Callout Enforcer (pxconf.json file) (Details)
  4. Pull and run the perimeterx/px_callout_enforcer:latest Docker image (mount pxconf.json at /etc/pxconf.json in the container and expose port 50051) (Details)
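
An Envoy configuration fragment for steps 1, 2 and 4, added here as an illustration; it is not the vendor's reference configuration. The cluster name "callout", port 50051, the image name and the mount path come from the steps above; the hostname callout-enforcer, the timeouts, the fail-closed setting and the skipped response phase are assumptions.

```yaml
# Step 4 (run on the host), using the image, mount path and port named above:
#   docker run -d -p 50051:50051 \
#     -v "$PWD/pxconf.json:/etc/pxconf.json:ro" \
#     perimeterx/px_callout_enforcer:latest

# Step 1: goes in the HttpConnectionManager's http_filters, before the router.
http_filters:
- name: envoy.filters.http.ext_proc
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
    grpc_service:
      envoy_grpc:
        cluster_name: callout          # must match the cluster defined in step 2
    # Assumption: fail closed. If the enforcer is unreachable or times out,
    # Envoy rejects the request instead of letting it through unchecked.
    # Setting this to true trades enforcement for availability.
    failure_mode_allow: false
    message_timeout: 0.5s              # assumption: per-message wait for the status response
    processing_mode:
      request_header_mode: SEND        # the request headers are what the enforcer evaluates
      response_header_mode: SKIP       # assumption: the page describes only the request phase
      request_body_mode: NONE
      response_body_mode: NONE
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# Step 2: goes in static_resources.clusters.
clusters:
- name: callout
  type: STRICT_DNS
  connect_timeout: 1s                  # assumption
  # ext_proc is a gRPC service, so the upstream connection must use HTTP/2.
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options: {}
  load_assignment:
    cluster_name: callout
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: callout-enforcer   # hypothetical hostname of the container
              port_value: 50051           # the enforcer's default listening port
```

The link between Envoy and the enforcer is plaintext gRPC in this fragment; the optional SSL/TLS step below covers encrypting it.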

Optional steps

  1. Enable an SSL/TLS certificate (Details)

Testing

A complete example of both the Envoy and Google Callout Enforcer configuration and commands can be found here: Complete Example