EFPF API Security Gateway Admin Guide

API Security Gateway Admin Guide

Local Installation and Deployment

The API Security Gateway is packaged and deployed as a Docker container. To deploy it, download the docker-compose.yml file and run the following command in a terminal, from the directory that contains the file:

docker-compose up -d

Resource: docker-compose.yml
Source: https://gitlab.fit.fraunhofer.de/efpf-pilots/efpf-security-components/efpf_efs_srfg_components/-/blob/master/api-security-gateway/docker-compose.yml

Once docker-compose has been executed, open a browser and access the following URL:

https://localhost:9080/apisix/admin/routes

Current Deployment in EFPF-Security Portal

Currently, the dev instance of the API Security Gateway (APISIX) is deployed in the EFPF-Security-Portal. Registered routes can be found at the path below.

https://efpf-security-portal.salzburgresearch.at/apisix/admin/routes

Note: The admin path of APISIX is secured with an API-Key. Please contact the EFPF admin to request the API-Key if you need access to the APISIX admin path.

Detailed Discussion on Implementation

The implementation details of the route persisting methodology are discussed extensively in the issue below.

https://gitlab.fit.fraunhofer.de/efpf-pilots/t31-architecture/-/issues/31

Sync Service Registry registered APIs to API Security Gateway

The ASG importer service runs as a cron job and scans the Service Registry. Based on the services registered in the Service Registry, the ASG importer creates routes in the API Security Gateway. In addition to the routes, the ASG importer also configures the necessary security plugins (e.g. the OpenID-Connect and AuthZ-Keycloak plugins).

  1. Token Introspection Plugin

This plugin implements token verification with the identity server. The token can be introspected by providing the introspection endpoint of the identity server, or the public key of the token can be used instead.

  2. Proxy rewrite Plugin

The proxy rewrite plugin performs two duties.

Rewrite the prefix path: The API routes have prefixes based on the dataspine’s service registry. Therefore, the proxy rewrite plugin rewrites the paths when the request hits the gateway. In this manner, the request can be routed to the appropriate service.

HTTPS proxy: By default, APISIX proxies requests to the upstream over the HTTP protocol. Hence, if the upstream is hosted in an HTTPS environment, the proxy rewrite plugin transforms the request to an SSL-based connection.

  3. HTTP logger plugin

The HTTP logger will export the access logs of the API Security Gateway for further security analysis.
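
The following is an added example, not the ASG importer's own code: it builds the kind of route object such an import could send to the APISIX Admin API with the three plugins above, and lists which of them a given route lacks. The registry entry fields, host names, realm and the use of APISIX's openid-connect plugin for token introspection are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample input: registry fields, hosts and realm are hypothetical.
SERVICE = {"id": "demo-svc", "prefix": "/sr/demo",
           "url": "https://demo.example.internal:8443/api"}
IDP_BASE = "https://idp.example.internal/realms/demo"
IDP = {"client_id": "asg", "client_secret": "<client-secret>",
       "discovery": IDP_BASE + "/.well-known/openid-configuration",
       "introspection_endpoint": IDP_BASE + "/protocol/openid-connect/token/introspect"}
LOG_URI = "https://logs.example.internal/asg"
EXPECTED_PLUGINS = ("openid-connect", "proxy-rewrite", "http-logger")


def build_route(service, idp, log_uri, public_key=None):
    """Return (route_id, body) for PUT /apisix/admin/routes/<route_id>."""
    target = urlsplit(service["url"])
    port = target.port or (443 if target.scheme == "https" else 80)
    prefix = service["prefix"].rstrip("/")
    oidc = {"client_id": idp["client_id"], "client_secret": idp["client_secret"],
            "discovery": idp["discovery"], "bearer_only": True}
    # Verify tokens locally with the public key, or else by introspection.
    if public_key:
        oidc["public_key"] = public_key
    else:
        oidc["introspection_endpoint"] = idp["introspection_endpoint"]
    # Strip the registry prefix and map the rest onto the service's base path.
    rewrite = {"regex_uri": ["^" + re.escape(prefix) + "/(.*)",
                             target.path.rstrip("/") + "/$1"]}
    if target.scheme == "https":
        # "scheme" is a proxy-rewrite attribute in APISIX 2.x; newer
        # releases configure it on the upstream object instead.
        rewrite["scheme"] = "https"
    body = {"name": service["id"], "uri": prefix + "/*",
            "plugins": {"openid-connect": oidc, "proxy-rewrite": rewrite,
                        "http-logger": {"uri": log_uri}},
            "upstream": {"type": "roundrobin",
                         "nodes": {f"{target.hostname}:{port}": 1}}}
    return service["id"], body


def missing_plugins(route_body):
    """Audit helper: expected plugins that a route does not carry."""
    plugins = route_body.get("plugins") or {}
    return [name for name in EXPECTED_PLUGINS if name not in plugins]


if __name__ == "__main__":
    route_id, body = build_route(SERVICE, IDP, LOG_URI)
    print(f"PUT /apisix/admin/routes/{route_id} (header X-API-KEY: <admin key>)")
    print(json.dumps(body, indent=2))
```

Running missing_plugins over the routes returned by the admin path shows any route that was registered without token verification or logging.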
