Skip to content

Latest commit

 

History

History
181 lines (121 loc) · 13.4 KB

general-proxy-settings.md

File metadata and controls

181 lines (121 loc) · 13.4 KB
description
This article describes how to configure v2 API proxy settings

Proxy Settings

Introduction

To configure the Proxy settings for a v2 API:

  1. Log in to your APIM Console
  2. Select APIs from the left nav
  3. Select your API
  4. Under the Proxy section of the inner left nav, select from the following:

Entrypoints

To configure the API entrypoints:

  1. Select Entrypoints from the inner left nav

    Configure v2 API entrypoints

    • Edit your Context-path or create a new one via Add context-path
    • Toggle Enable virtual hosts ON or OFF

  2. Click Save

CORS

CORS is a mechanism that allows resources on a web page to be requested from another domain. To configure CORS for your API:

  1. Select CORS from the inner left nav

    Configure CORS

  2. Set the following parameters:

    • Enable CORS: Toggle to ON to enable CORS.
    • Access-Control-Allow-Origin: Define a URI that can access the resource. Enter * to allow all requests, regardless of origin.

    {% hint style="danger" %} A value of * is not recommended for production environments. By allowing cross-origin requests, a server may inadvertently expose sensitive information to unauthorized parties. For example, if a server includes sensitive data in a response that is accessible via CORS, an attacker could use a malicious website to extract that data. {% endhint %}

    • Access-Control-Allow-Methods: Select the method(s) allowed when accessing the resource, which is used in response to a preflight request: GET, DELETE, PATCH, POST, PUT, OPTIONS, TRACE, and/or HEAD.
    • Access-Control-Allow-Headers: Select the HTTP header(s) that can be used when making the actual request, in response to a preflight request. Typically, your request header will include Access-Control-Request-Headers, which relies on the CORS configuration to allow its values.
    • Access-Control-Allow-Credentials: Toggle ON or OFF to indicate whether the response to the request can be exposed when the credentials flag is true.
    • Max Age: Specify how long (in seconds) the results of a preflight request can be cached. This is optional, and a value of -1 indicates it is disabled.
    • Access-Control-Expose-Headers: Define a list of headers that browsers are allowed to access.
    • Run policies for preflight requests: Toggle ON for the API Gateway to execute policies for preflight-requests. By default, this is not enabled.

  3. Click Save

{% hint style="info" %} Troubleshooting CORS

All requests rejected because of CORS issues will generate logs that you can view in the Analytics section of your API logs.

{% endhint %}

Deployments

Deployments is where you can choose to use sharding tags sharding tags to control where your API is deployed. To configure sharding tags for your API:

  1. Select Deployments from the inner left nav

    Configure sharding tags

  2. From the Sharding tags drop-down menu, choose one or more sharding tags

  3. Click Save

Response templates

Response templates are used to override the default values sent in response to consumer calls to an API. Response template overrides are triggered by error keys, which are specific to policies. Responses can be templatized if the errors raised during the request/response phase(s) are associated with overridable policy keys. Each response template defines the new values to be returned for one or more status codes when the template is triggered.

Prerequisites

Prior to defining a response template, verify:

  • Which policies have been applied to the API. This can be viewed in the API's plan.
  • Which error keys can be overridden per policy associated with your API.

Below are the policy error keys that you can override by configuring response templates:

KeyPolicy
API_KEY_MISSINGAPI key
API_KEY_INVALIDAPI key
QUOTA_TOO_MANY_REQUESTSRate limiting
RATE_LIMIT_TOO_MANY_REQUESTSRate limiting
REQUEST_CONTENT_LIMIT_TOO_LARGERequest content limit
REQUEST_CONTENT_LIMIT_LENGTH_REQUIREDRequest content limit
REQUEST_TIMEOUTMock, Callout HTTP, Request validation
REQUEST_VALIDATION_INVALIDRequest validation
RESOURCE_FILTERING_METHOD_NOT_ALLOWEDResource filtering
RBAC_INVALID_USER_ROLESRole-based access control
RESOURCE_FILTERING_FORBIDDENResource filtering
RBAC_FORBIDDENRole-based access control
RBAC_NO_USER_ROLERole-based access control
OAUTH2_MISSING_SERVEROAuth2
OAUTH2_MISSING_HEADEROAuth2
OAUTH2_MISSING_ACCESS_TOKENOAuth2
OAUTH2_INVALID_ACCESS_TOKENOAuth2
OAUTH2_INSUFFICIENT_SCOPEOAuth2
OAUTH2_INVALID_SERVER_RESPONSEOAuth2
OAUTH2_SERVER_UNAVAILABLEOAuth2
HTTP_SIGNATURE_INVALID_SIGNATUREHTTP Signature
JWT_MISSING_TOKENJWT
JWT_INVALID_TOKENJWT
JSON_INVALID_PAYLOADJSON validation
JSON_INVALID_FORMATJSON validation
JSON_INVALID_RESPONSE_PAYLOADJSON validation
JSON_INVALID_RESPONSE_FORMATJSON validation
GATEWAY_INVALID_REQUESTAll
GATEWAY_INVALID_RESPONSEAll
GATEWAY_OAUTH2_ACCESS_DENIEDAll
GATEWAY_OAUTH2_SERVER_ERRORAll
GATEWAY_OAUTH2_INVALID_CLIENTAll
GATEWAY_MISSING_SECURITY_PROVIDERAll
GATEWAY_PLAN_UNRESOLVABLEAll
GATEWAY_POLICY_INTERNAL_ERRORAll

Create a response template

When creating response templates, you can define:

  • Multiple templates for one API (for multiple policies and/or multiple error keys sent by the same policy)
  • Multiple template definitions for the same error key in a single template (for different content types or status codes)

To configure a response template:

  1. Select Response Templates from the inner left nav

  2. Click on the Add new Response Template button

  3. Customize the Create a new Response Template form

    Configure a new response template

    • Template key: Choose the template key via the Template key drop-down.
    • Accept header to match: Specify the requests header that should trigger use of the response template. The default value is */*. To send the template override values only for JSON or XML requests, specify JSON or XML.
    • Status code: Specify the status code that to send to the API consumer via the Status code drop-down.
    • Specify the override values to send to the API consumer. These can either be:
      • One or more HTTP headers to include in the response
      • A response template body

  4. Click Create

Properties

Properties are read-only during the Gateway's execution of an API transaction. They can be accessed from within flows using Gravitee's Expression Language (EL) and the #api.properties statement. To configure properties:

To configure API properties:

  1. Select Properties from the inner left nav

    Add API properties

  2. To add hardcoded properties, either:

    • Click Add property and enter property definitions one at a time as a key-value pair
    • Click Import and enter property definitions as a list in <key>=<value> format

Encryption

{% hint style="warning" %} Encrypted values can be used by API policies, but encrypted data should be used with care. APIM Gateway will automatically decrypt these values. {% endhint %}

To encrypt a hardcoded API property value:

  1. Reset the default secret key in gravitee.yml. The secret must be 32 bytes in length. 

    # Encrypt API properties using this secret:
api:
  properties:
    encryption:
         secret: vvLJ4Q8Khvv9tm2tIPdkGEdmgKUruAL6
 to provide the best security available.

  2. Enable the Encrypt toggle when adding a property via Add property. Once you click Save, you can no longer edit, modify, or view the value.

Dynamic properties

To configure dynamic properties:

  1. Click the Manage dynamically button and define the configuration

    Configure dynamic properties

    • Toggle Enabled to ON
    • Schedule: A cron expression to schedule the health check
    • HTTP Method: The HTTP method that invokes the endpoint
    • URL: The target from which to fetch dynamic properties
    • Request Headers: The HTTP headers to add to the request fetching properties
    • Request body: The HTTP body content to add to the request fetching properties
    • (Optional) Transformation (JOLT specification): If the HTTP service doesn’t return the expected output, edit the JOLT transformation accordingly
    • Toggle Use system proxy ON to use the system proxy configured in APIM installation

  2. Click Save

After the first call, the resultant property is added to the list of global properties, where its value is continuously updated according to the cron schedule specified.

{% hint style="info" %} Key-value pairs can also be maintained using a dictionary, e.g., if this information is stored independently of the API creation process or applies to multiple APIs. {% endhint %}

Resources

Some policies support the addition of resources, which can be used for actions such as authentication and schema registry validation. After you create resources, you will be able to reference them when designing policies. Policies that support resources include:

Basic AuthenticationSpecify an LDAP Authentication Provider resource and/or an Inline Authentication Provider resource to authenticate users in memory
CacheSpecify a cache resource via the Cache or Cache Redis resources
HTTP Signature
Generate HTTP Signature		Specify your HTTP Authentication Provider resource
OAuth2Specify a Generic OAuth2 Authorization Server resource or a Gravitee AM Authorization Server resource
OpenID Connect UserinfoSpecify a Keycloak Adapter resource to use Keycloack as your OpenID Connect resource
AVRO to JSON
AVRO to Protobuf
Protobuf to JSON		Specify your Confluent Schema Registry to retrieve serialization and deserialization schemas from a Confluent Schema registry

{% hint style="info" %} Global resources are available to all flows associated with the Gateway API, but are not available to other Gateway APIs. {% endhint %}