The App Proxy is an**optional** component of therunner that ismainlyusedwhen thegit provider server is installed on-premises behind the firewall.The App Proxy provides the following features once installed:

The App Proxy is an**optional** component of theRunner, usedmainly when theGit provider server is installed on-premises, behind the firewall.

* Enables you to automatically create webhooksforGitin the Codefresh UI (same as the SAAS experience)

* Sends commit status information back to your Git provider (same as the SAAS experience)

* Makes all Git Operationsin the GUI work exactly like the SAAS installation of Codefresh

The requirementsfor the App proxy is a Kubernetes cluster that:

1. has already the Codefresh runner installed

1. has an active [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress/)

1. allows incoming connections from the VPC/VPN where users are browsing the Codefresh UI. The ingress connection**must** have a hostname assignedfor this route and**must** be configured to perform SSL termination

>Currently theApp-proxyworks onlyfor Github (SAAS and on-prem versions), Gitlab (SAAS and on-prem versions) and Bitbucket server.

Appproxyrequires a Kubernetes cluster that:

Here is the architecture of the app-proxy:

{% include image.html

lightbox="true"

file="/images/administration/runner/app-proxy-architecture.png"

url="/images/administration/runner/app-proxy-architecture.png"

alt="How App Proxy and the Codefresh runner work together"

caption="How App Proxy and the Codefresh runner work together"

max-width="80%"

%}

1. With the Codefresh runner installed<!--- is this correct? -->

1. Has an active [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress/){:target="\_blank"}

1. Allows incoming connections from the VPC/VPN where users are browsing the Codefresh UI.

The ingress connection**must** have a hostname assignedfor this route and**must** be configured to perform SSL termination

Basically when a Git GET operation takes place, the Codefresh UI will contact the app-proxy (if itispresent) and it will route the request to the backing Git provider. The confidential Git information never leaves the firewall premisesandthe connection between the browserandthe ingress is SSL/HTTPS.

>Currently, App-Proxyissupported onlyfor SaaS and on-prem versions of GitHubandGitLab,andBitbucket Server.

To install the app-proxy ona Kubernetes clusterthat already has aCodefreshrunner use the following command:

***Ona Kubernetes clusterwith existingCodefreshRunner**:

If you want to install theCodefresh runner and app-proxyin a singlecommand use the following:

***InstallCodefresh runner and app-proxy**:

***Define the ingress classfor app-proxy**:

If you have multiple ingress controllersin the Kubernetes cluster, use the`--app-proxy-ingress-class` parameter to define which ingress will be used.

For additional security, to further limit the web browsers that can access the ingress, you can also define an allowlistfor IPs/ranges. Check the documentation of your ingress controllerfor the exact details.

If you have multiple ingress controllersin the Kubernetes cluster you can use the`--app-proxy-ingress-class` parameter to define which ingress will be used. For additional security you can also define an allowlistfor IPs/ranges that are allowed to use the ingress (to further limit the web browsers that can access the Ingress). Check the documentation of your ingress controllerfor the exact details.

By default the app-proxy ingress will use the path`hostname/app-proxy`. You can change that default by using the values filein the installation with the flag`--values values.yaml`.

See the`AppProxy` sectionin the example [values.yaml](https://github.com/codefresh-io/venona/blob/release-1.0/venonactl/example/values-example.yaml#L231-L253).

By default, the app-proxy ingress uses the path`hostname/app-proxy`. You can change that default by using the values filein the installation with the flag`--values values.yaml`.

See the`AppProxy` sectionin the example [values.yaml](https://github.com/codefresh-io/venona/blob/release-1.0/venonactl/example/values-example.yaml#L231-L253){:target="\_blank"}.

Here is the architecture of the app-proxy:

{% include image.html

lightbox="true"

file="/images/administration/runner/app-proxy-architecture.png"

url="/images/administration/runner/app-proxy-architecture.png"

alt="How App Proxy and the Codefresh runner work together"

caption="How App Proxy and the Codefresh runner work together"

max-width="80%"

%}

The App-Proxy:

* Enables you to automatically create webhooksforGitin the Codefresh UI (same as the SAAS experience)

* Sends commit status information back to your Git provider (same as the SAAS experience)

* Makes all Git operationsin the GUI work exactly like the SAAS installation of Codefresh

For a Git GET operation, the Codefresh UI communicates with the App-Proxy to route the request to the backing Git provider. The confidential Git information never leaves the firewall premises and the connection between the browser and the ingress is SSL/HTTPS.

The App-Proxy has to work over HTTPS, and by default it uses the ingress controller to terminate the SSL. Therefore, the ingress controller must be configured to perform SSL termination. Check the documentation of your ingress controller (for example [nginx ingress](https://kubernetes.github.io/ingress-nginx/examples/tls-termination/){:target="\_blank"}). This means that the App-Proxy does not compromise securityin any way.

If you don't want to use thewizard, you can also install the components of the runner yourself.

If you don't want to use theWizard, you can also install the components of the runner yourself.