EFPF API Security Gateway Admin Guide
API Security Gateway Admin Guide
Local Installation and Deployment
The API Security Gateway is packaged and deployed as a Docker container. To deploy it, download the docker-compose.yml file and run the following command in a terminal:
docker-compose up -d
Resource | Source |
---|---|
docker-compose.yml | https://gitlab.fit.fraunhofer.de/efpf-pilots/efpf-security-components/efpf_efs_srfg_components/-/blob/master/api-security-gateway/docker-compose.yml |
Once the docker-compose command has completed, open a browser and access the following URL:
https://localhost:9080/apisix/admin/routes
Current Deployment in EFPF-Security Portal
Currently, the dev instance of the API Security Gateway (APISIX) is deployed in the EFPF-Security-Portal. Registered routes can be found at the path below.
https://efpf-security-portal.salzburgresearch.at/apisix/admin/routes
Note: The admin path of APISIX is secured with an API-Key. Please contact the EFPF admin to request the API-Key if you need access to the APISIX admin path.
Detailed Discussion on Implementation
The implementation details of the route persisting methodology are discussed extensively in the issue below.
https://gitlab.fit.fraunhofer.de/efpf-pilots/t31-architecture/-/issues/31
Sync Service Registry registered APIs to API Security Gateway
The ASG importer service runs as a cronjob and scans the Service Registry. Based on the services registered there, the ASG importer creates routes in the API Security Gateway. In addition to the routes, the ASG importer also configures the necessary security plugins (e.g. the OpenID-Connect and AuthZ-Keycloak plugins).
- Token Introspection Plugin
This plugin implements token verification with the identity server. The token is verified either by providing the introspection endpoint of the Identity Server or by using the public key of the token.
- Proxy rewrite Plugin
The proxy rewrite plugin performs two duties:
  - Rewrite the prefix path: The API routes have prefixes based on the dataspine’s service registry. The proxy rewrite plugin therefore rewrites the path when the request hits the gateway, so that the request can be routed to the appropriate service.
  - HTTPS proxy: By default, APISIX proxies upstream requests via the HTTP protocol. If the upstream is hosted in an HTTPS environment, the proxy rewrite plugin transforms the request into an SSL-based connection.
- HTTP logger plugin
The HTTP logger will export the access logs of the API Security Gateway for further security analysis.
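
The following is an added example, not the EFPF importer's own code: it shows how one Service Registry entry could be turned into an APISIX route body carrying the three plugins described above. The registry entry shape, the example.org URLs and the function name `build_route` are assumptions; the plugin attribute names are APISIX's.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs; the registry entry shape is an assumption.
SAMPLE_SERVICE = {"id": "weather-api", "url": "https://weather.example.org"}
SAMPLE_OIDC = {
    "client_id": "asg",
    "client_secret": "PLACEHOLDER-SECRET",
    "discovery": "https://idp.example.org/.well-known/openid-configuration",
    "introspection_endpoint": "https://idp.example.org/token/introspect",
}

def build_route(service, oidc, log_uri):
    """Return an APISIX route body for one registry entry (hypothetical helper)."""
    up = urlparse(service["url"])
    if up.scheme not in ("http", "https") or not up.hostname:
        raise ValueError("upstream URL must be http(s) with a host")
    prefix = service["id"]
    if not re.fullmatch(r"[A-Za-z0-9_-]+", prefix):
        raise ValueError("service id is not usable as a path prefix")
    port = up.port or (443 if up.scheme == "https" else 80)

    auth = {
        "client_id": oidc["client_id"],
        "client_secret": oidc["client_secret"],
        "discovery": oidc["discovery"],
        "bearer_only": True,  # API route: reject unauthenticated calls, no login redirect
    }
    # Token verification: introspection endpoint or public key. Refuse to
    # build a route that would have neither.
    if oidc.get("introspection_endpoint"):
        auth["introspection_endpoint"] = oidc["introspection_endpoint"]
    elif oidc.get("public_key"):
        auth["public_key"] = oidc["public_key"]
    else:
        raise ValueError("no introspection endpoint or public key configured")

    # Strip the registry prefix before the request reaches the upstream.
    rewrite = {"regex_uri": [f"^/{prefix}/(.*)", "/$1"]}
    if up.scheme == "https":
        rewrite["scheme"] = "https"  # older APISIX; newer releases set upstream.scheme
    return {
        "uri": f"/{prefix}/*",
        "upstream": {"type": "roundrobin", "nodes": {f"{up.hostname}:{port}": 1}},
        "plugins": {
            "openid-connect": auth,
            "proxy-rewrite": rewrite,
            "http-logger": {"uri": log_uri},
        },
    }
```

The returned body is what would be sent to the admin routes path, authenticated with the API-Key mentioned above.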