Google Callout Enforcer
This guide describes how to install and configure self-hosted Google Callout Enforcer.
General information
Google Callout Enforcer is a service running on client premises, which communicates with the client's Envoy's "ext_proc" (External Processing) filter. For every request Envoy sends Request Headers to Callout Enforcer and waits for the Status Response. Status Response could be either "pass" or "block and display Captcha page".

Details about Google Callout Enforcer
- By default it uses configuration file named
pxconf.json
, located in/etc
folder - By default it listens on
50051
port perimeterx/px_callout_enforcer:latest
docker image contains Google Callout Enforcer application
Configure steps for Envoy and Google Callout Enforcer
- Configure Envoy's ext_proc filter Details
- Add a new "callout" cluster to Envoy configuration Details
- Configure Google Callout Enforcer (
pxconf.json
file) Details - Pull and run
perimeterx/px_callout_enforcer:latest
docker image (mountpxconf.json
to/etc/pxconf.json
file in the container and expose 50051 port) Details
Optional steps
- Enable SSL/TLS certificate Details
Testing
Complete example of both Envoy and Google Callout Enforcer configuration and commands could be found here: Complete Example
Updated 21 days ago