- Connector → BusinessProxy API: outbound TCP 443 for HTTPS, WebSocket upgrade and raw tunnel upgrade. Public copy describes production as HTTPS/TLS.
- Connector → internal upstream: internal TCP to each upstream URL configured for apps, normally 80/443 but it depends on the upstream.
- External user → alias: HTTPS 443 to the alias host.
- No inbound connector port: do not open a public port to the connector.
- DNS: the connector host must resolve both the BusinessProxy API domain and internal upstream hostnames.
Connector Beta
The outbound connector you run inside your network
The connector is a small Go runtime you run near the internal web app. It authenticates with a workspace-scoped runtime token, dials out to BusinessProxy over TLS, holds a persistent tunnel and relays alias requests to the real upstream. You do not open inbound ports for it.
Private App Access is in Beta. It is offered as sales-assisted early access while we finish production hardening and real-upstream evidence. We will not enable a pilot until connector, alias, diagnostics and revoke checks pass for your target app.
Runbook
Connector runbook at a glance
| Topic | Details |
|---|---|
| What you run | A single Go connector process, as a container or static binary, inside your network or VPC. |
| Network | Outbound HTTPS/TLS to the BusinessProxy API. No inbound listener required for the connector. The connector also needs internal DNS/TCP/TLS reachability to each upstream app it serves. |
| V1 app mapping | One primary connector is assigned to each private app. Reassignment is explicit and workspace-scoped. |
| Token model | Runtime token is shown once, stored server-side as a hash, and valid only for the exact workspace + connector pair. |
| Tunnel | Connector opens an outbound tunnel over WebSocket or raw upgrade. HTTP streams and WebSocket traffic use this tunnel when connected. |
| Fallback | If the tunnel is not required, ordinary HTTP can use the bounded relay fallback. Upgrade traffic still requires a live tunnel. |
| Health | Ready means status online and heartbeat fresh. Draining/offline/stale/missing fail closed. |
| Drain | Use draining before maintenance. Drain does not revoke active sessions unless you explicitly request session revoke. |
| Diagnostics | Cabinet Check queues a connector-side diagnostic for DNS, TCP, TLS and HTTP status. Output is sanitized. |
Environment
Required environment
Do not print real tokens in docs, screenshots or tickets. Use placeholders.
```
BUSINESSPROXY_API_URL=https://<businessproxy-site>/api
CONNECTOR_WORKSPACE_ID=<workspace id>
CONNECTOR_ID=<connector id>
CONNECTOR_TOKEN=<one-time runtime token from cabinet>
CONNECTOR_VERSION=0.1.0
CONNECTOR_STATUS=online
CONNECTOR_HEARTBEAT_INTERVAL=30s
CONNECTOR_DRAIN_ON_EXIT=true
CONNECTOR_HTTP_TIMEOUT=5s
CONNECTOR_RELAY_POLL_TIMEOUT=25s
CONNECTOR_RELAY_MAX_BODY_BYTES=5242880
CONNECTOR_TUNNEL_ENABLED=true
CONNECTOR_TUNNEL_CONNECTIONS=1
CONNECTOR_TUNNEL_PING_INTERVAL=30s
CONNECTOR_TUNNEL_MAX_STREAMS=128
CONNECTOR_TUNNEL_MAX_CHUNK_BYTES=65536
```
Create or rotate the connector token in the workspace cabinet, store it immediately in your secret manager and restart the connector with the new value. The cabinet will not show the token again.
Network
Ports and network
Readiness
Health and drain states
Rotation
Rotation and maintenance
1. Rotate the token in the cabinet or API.
2. Store the new token in the connector host secret store.
3. Restart the connector with the new CONNECTOR_TOKEN.
4. Confirm readiness is Ready and the heartbeat is fresh.
If maintenance requires an access cutoff, enable revoke_active_sessions on connector status change or app update. Drain alone does not revoke active alias sessions.
Failure
When a connector fails
Do not bypass connector failures by exposing the internal upstream directly. Private App Access must remain fail-closed through the alias and connector path. If a failure blocks a pilot, collect sanitized connector status, readiness, diagnostic result and timestamp. Do not include runtime tokens, token hashes, internal upstreams, private IPs or custom CA material in tickets.
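One way to scrub connector output before it goes into a ticket, as an added Go example (not BusinessProxy's own code). It assumes token hashes appear as hex strings of 32 or more characters, handles IPv4 only, and takes internal upstream hostnames from a caller-supplied list; `Sanitize` and the sample text are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

var (
	// Custom CA material: whole PEM blocks, whatever their label.
	pemBlock = regexp.MustCompile(`(?s)-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----`)
	// Runtime token: the value assigned to the page's CONNECTOR_TOKEN variable.
	tokenKV = regexp.MustCompile(`(CONNECTOR_TOKEN\s*[=:]\s*)\S+`)
	// Token hashes: assumed here to be hex strings of 32+ characters.
	longHex = regexp.MustCompile(`\b[0-9a-fA-F]{32,}\b`)
	ipv4    = regexp.MustCompile(`\b\d{1,3}(?:\.\d{1,3}){3}\b`)
)

// Sanitize redacts what the page says must stay out of tickets. upstreamHosts
// is the operator's own list of internal upstream hostnames (hypothetical input).
func Sanitize(text string, upstreamHosts []string) string {
	text = pemBlock.ReplaceAllString(text, "[REDACTED-PEM]")
	text = tokenKV.ReplaceAllString(text, "${1}[REDACTED-TOKEN]")
	text = longHex.ReplaceAllString(text, "[REDACTED-HASH]")
	text = ipv4.ReplaceAllStringFunc(text, func(s string) string {
		a, err := netip.ParseAddr(s)
		if err == nil && (a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast()) {
			return "[REDACTED-IP]"
		}
		return s // public or unparsable: left as written
	})
	for _, h := range upstreamHosts {
		if h != "" {
			text = strings.ReplaceAll(text, h, "[REDACTED-UPSTREAM]")
		}
	}
	return text
}

func main() {
	// Constructed sample; not real connector output.
	sample := "status=offline heartbeat=stale\n" +
		"CONNECTOR_TOKEN=example-not-a-real-token\n" +
		"dial tcp 10.20.0.15:443 to crm.corp.example failed\n" +
		"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
	fmt.Print(Sanitize(sample, []string{"crm.corp.example"}))
}
```

Status, readiness and timestamps pass through unchanged, so the sanitized text still carries what the page asks you to collect.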
