Blog

Pull Akamai API Reports Through Corporate Proxies

December 3, 2020 · by Blaine Wilson and Les Waltman

It’s probably no surprise that many Akamai customers from just about every industry vertical are continually re-tooling to dynamically interact and integrate with our platform. Although the use cases, benefits, and requirements vary drastically by industry vertical or even customer, there is one striking similarity: You all want to move information between your applications and Akamai - and you want to do it on your own terms.

There are challenges that persist from customer to customer as well. If your employer has an enterprise-wide security program, you have probably run into one of several problems that hold you back from introducing automation.

The challenge?

Most enterprise clients have endpoint protection tools that restrict what software can be installed or loaded. You might also have insufficient local privileges to make the changes you’d like to make and are instead forced to make do with corporate-approved tools. 

Let’s say you manage to install and run client-side software that can make your API calls. You may still find it impossible to make API calls due to a corporate proxy. 

Here are a few common challenges you might face: 

  • Even though tools like Python or HTTPie contain support for proxies, basic authentication will require your network credentials, exposing your credentials in clear text within the script

  • Your script must be updated every time you update your password. You think you won't forget to update the script, but you will. 

  • You will likely spend time troubleshooting the failed script before realizing it is the password, and then realize your credentials are traveling over the corporate network in plain text. 

Even tools with proxy support aren’t acceptable solutions. It turns out the corporate proxies that are intended to block malware and other threats often also block your legitimate requests - and there is no easy way around it.

Blaine Wilson, Director of Cyber Threat Architecture at BMO Financial Group, ran into such a challenge. Blaine’s use case was simple - he wanted to use Akamai’s Reporting API to gather per CP code data, including traffic volume, offload, and error statistics. Although his use case was straight-forward and the API was easy to use, Blaine was unable to make simple and secure requests from his corporate API client - even using tools like HTTPie or Python.

Unfortunately, HTTPie and Python don’t understand how to bind and authenticate to a corporate web proxy in the same way that traditional browsers do. Even if you figure out how to get your API client authenticating through a corporate proxy (and that’s a big if!), you won’t want to expose your corporate credentials in a plain text script and you will run into issues when your credentials are rotated (like we said, you will forget. It’s happened to the best of us). 

The solution? 

Blaine discovered Microsoft Windows has built-in controls that allowed him to script web requests including API calls. The best part is that these controls automatically attach whatever authentication your corporate proxy needs. Blaine used this functionality to build Visual Basic macros that use internet explorer (IE) or Edge to connect with Microsoft XML Core Services (MSXML). These scripts understand corporate proxies and use Blaine’s corporate credentials to transparently traverse the corporate proxy and make successful outbound API calls.

Types of modules

Common modules are generic modules that don’t contain any business logic.  You should be able to export and import these to any Microsoft Office document. 

  • Common - This module contains a list of reusable functions and subroutines not related to a specific topic and are geared mainly towards Microsoft Excel.

  • CommonAkamaiAPI - This module contains the EdgeGrid Authentication logic required by the Akamai API and wraps the HTTP libraries to make Web API calls. You use the MakeAkamaiAPICall function to make calls to the Akamai API.  The interface currently only supports GET and POST requests (this interface will need to be updated to support additional HTTP verbs such as PUT).

    • Parameters: 

      • section:  This is the section of the .edgerc file configuration segment with the client secrets needed to authenticate the request.

      • scheme:  This is either http or https.

      • path:  This is the relative path of the API request.  You do not attach the domain name to the request since this is picked up from the .edgerc configuration file.

      • body:  This is an optional parameter used when sending a POST body to the API.

    • HTTP Libraries: 

      • On Mac, the module using the cURL command to make the web calls.

      • On Windows, the HTTP library is the MSXML2.xmlhttp ActiveX control.

  • CommonCmd - This module contains functions used for sending command-line commands to the machine making the HTTP requests.  For example, calling the cURL command on Macs.

  • CommonHashing - This module wraps the Microsoft .Net 3.5 cryptography functions on Windows machines needed to hash the HTTP request headers used for Akamai’s EdgeGrid authentication.

  • CommonJSON2 - This module maps JSON documents into a dictionary object, allowing scripts to walk through the JSON response from the Akamai API.

  • CommonWin32API - This module wraps the Win32/Win64 functions used for debugging and generating GMT timestamps.

Note: Throughout the modules, you will find private test subroutines.  These are there to help you troubleshoot problems when they arise.

Once you have the Common modules imported into your workbooks, you will need to create additional modules to contain your specific business logic; calling the Common modules when needed and moving the data between your spreadsheets and the Akamai API. The AkamaiExample module can show you how to do this.  The module contains 2 public macros; AkamaiGetNetworkLists and AkamaiProductionCpCodeReport.

  • AkamaiGetNetworkLists - This module starts by calling the API to list all network lists in your Akamai configuration.  We write the results in the "Akamai Network List" tab.  Next, we call the API to fetch your application security list to get the version number of each production configuration.  Finally, we get a copy of each production application security configuration file and mark each network list found in the file.

workflow

  • AkamaiProductionCpCodeReport - This module asks you for a start month/year and end month/year for the report (Akamai only keeps data for around 90 days, so keep that in mind when running the report).  We switch to the AkamaiCpCodes tab in the spreadsheet and load the CP codes for the reports and how we should group the CP codes into applications.  We run a performance report for each CP code, each application (a group of one or more CP codes), and an Akamai Total Report for all CP codes.workflow

     

Blaine has been gracious enough to contribute the scripts to our GitHub repository  for anyone to use.