Skip to content

Latest commit

 

History

History
474 lines (393 loc) · 22.7 KB

FEATURES.md

File metadata and controls

474 lines (393 loc) · 22.7 KB

Supported features

NGINX Control plane support

NGINX Declarative API has been tested with the following NGINX control plane releases:

Control plane API v5.0 API v5.1 API v5.2 Notes
NGINX Instance Manager 2.14+ 2.16+ 2.18+
NGINX One Console Early access General Availability General availability

NGINX http and stream servers

Feature API v5.0 API v5.1 API v5.2 Notes
Upstreams X X X
  • Snippets supported: static and from source of truth
  • HTTP servers X X X
  • Snippets supported (http, servers, locations): static and from source of truth
  • TCP/UDP servers X X X
  • Snippets supported (streams, servers): static and from source of truth
  • TLS X X X
  • Certificates and keys can be dynamically fetched from source of truth (currently supported for NGINX Instance Manager)
  • Client authentication X X X See client authentication
    Upstream authentication X X X See upstream and Source of truth authentication
    Rate limiting X X X
    Active healthchecks X X X
    Cookie-based stickiness X X X
    HTTP headers manipulation X X X
  • To server: set, delete
  • To client: add, delete, replace
  • Maps X X X
    NGINX Plus REST API access X X X
    NGINX App Protect WAF X X X NOTE: For NGINX Instance Manager only
  • Per-policy CRUD at server and location level
  • Support for dataplane-based bundle compilation
  • Security policies can be fetched from source of truth
  • HTTP Locations

    Locations .declaration.http.servers[].locations[].uri match modifiers in .declaration.http.servers[].locations[].urimatch can be:

    • prefix - prefix URI matching
    • exact - exact URI matching
    • regex - case sensitive regex matching
    • iregex - case insensitive regex matching
    • best - case sensitive regex matching that halts any other location matching once a match is made

    NGINX API Gateway use case

    Feature API v5.0 API v5.1 API v5.2 Notes
    Configuration generation from OpenAPI schema X X X OpenAPI 2.0, 3.0, 3.0.1
    HTTP methods enforcement X X X
    per-URI rate limiting X X X
    per-URI client authentication X
  • Static JWT key
  • JWT key fetched from URL
  • Bearer token
  • Static JWT key
  • JWT key fetched from URL
  • Bearer token
  • per-URI client authorization X
  • JWT claims
  • JWT claims
  • Developer portal
  • Redocly
  • Backstage
  • Redocly
  • Backstage
  • Redocly
  • Backstage
  • Supported through 3rd party integration
    API visibility
  • Moesif
  • Moesif
  • Supported through 3rd party integration

    Swagger files and OpenAPI schemas can be used to automatically configure NGINX as an API Gateway

    Declaration path .declaration.http.servers[].locations[].apigateway defines the API Gateway configuration:

    • openapi_schema - the base64-encoded schema, or the schema URL. YAML and JSON are supported
    • api_gateway.enabled - enable/disable API Gateway provisioning
    • api_gateway.strip_uri - removes the .declaration.http.servers[].locations[].uri part of the URI before forwarding requests to the upstream
    • api_gateway.server_url - the base URL of the upstream server
    • developer_portal.enabled - enable/disable Developer portal provisioning
    • developer_portal.type - developer portal type. redocly and backstage are currently supported
    • developer_portal.redocly.* - Redocly-based developer portal parameters. See the Postman collection
    • developer_portal.backstage.* - Backstage-based developer portal parameters. See the Postman collection
    • visibility[] - API Gateway visibility
      • visibility[].enabled - enable/disable API gateway visibility
      • visibility[].type - visibility integration type. moesif is currently supported
      • visibility[].moesif.* - Moesif visibility parameters. See the Postman collection
    • authentication - optional, used to enforce authentication at the API Gateway level
    • authentication.client[] - authentication profile names
    • authentication.enforceOnPaths - if set to true authentication is enforced on all API endpoints listed under authentication.paths. if set to false authentication is enforced on all API endpoints but those listed under authentication.paths
    • authentication.paths - paths to enforce authentication
    • authorization[] - optional, used to enforce authorization
    • authorization[].profile - authorization profile name
    • authorization[].enforceOnPaths - if set to true authorization is enforced on all API endpoints listed under authorization.paths. if set to false authorization is enforced on all API endpoints but those listed under authorization[].paths
    • authorization[].paths - paths to enforce authorization
    • rate_limit - optional, used to enforce rate limiting at the API Gateway level
    • rate_limit.enforceOnPaths - if set to true rate limiting is enforced on all API endpoints listed under rate_limit.paths. if set to false rate limiting is enforced on all API endpoints but those listed under rate_limit.paths

    See the Postman collection for usage examples

    NGINX API Gateway use case - Developer Portal

    Type API v5.0 API v5.1 API v5.2 Notes
    Redocly X X X Developer portal published by NGINX Plus
    Backstage.io X X X Backstage YAML manifest generated

    NGINX API Gateway use case - Visibility

    Type API v5.0 API v5.1 API v5.2 Notes
    Moesif X X Integration with Moesif - see https://www.moesif.com/docs/server-integration/nginx-openresty/

    Client authentication

    Type Description API v5.0 API v5.1 API v5.2 Notes
    jwt Java Web Token (JWT) X X X
    mtls Mutual TLS X X X
  • Supported for HTTP servers
  • Examples

    Client-side authentication profiles to be defined under .declaration.http.authentication.client[]

    • jwt client authentication profile
    {
       "name": "<PROFILE_NAME>",
       "type": "jwt",
       "jwt": {
           "realm": "<JWT_AUTHENTICATION_REALM>",
           "key": "<JWT_KEY>|<JWT_KEY_URL>",
           "cachetime": <OPTIONAL_JWT_KEY_CACHETIME_IN_SECONDS>,
           "token_location": "<OPTIONAL_TOKEN_LOCATION_AS_NGINX_VARIABLE>"
       }
    }
    • mTLS client authentication profile
    {
       "name": "<PROFILE_NAME>",
       "type": "mtls",
       "mtls": {
           "enabled": "<on|off|optional|optional_no_ca>",
           "client_certificates": "<CLIENT_CERTIFICATES_OBJECT_NAME>",
           "trusted_ca_certificates": "<TRUSTED_CERTIFICATES_OBJECT_NAME>",
           "ocsp": {
               "enabled": "<on|off|leaf>",
               "responder": "<OCSP_RESPONDER_URL>"
           },
           "stapling": {
               "enabled": <true|false>,
               "verify": <true|false>,
               "responder": "<OCSP_RESPONDER_URL>"
           }
       }
    }

    Client authorization

    Type Description API v5.0 API v5.1 API v5.2 Notes
    jwt Java Web Token (JWT) X X X Based on JWT claims. Supported under
  • .declaration.http.servers[]
  • .declaration.http.servers[].location[]
  • .declaration.http.servers[].location[].apigateway
  • Examples

    Client-side authorization profiles to be defined under .declaration.http.authorization

    • jwt client authorization profile
    {
     "name": "<PROFILE_NAME>",
     "type": "jwt",
     "jwt": {
       "claims": [
         {
           "name": "<CLAIM_NAME>",
           "value": [
             "<AUTHORIZED_VALUE_OR_REGEXP>"
           ],
           "errorcode": <OPTIONAL_ERROR_CODE_401_OR_403>
         }
       ]
     }
    }

    Upstream and Source of truth authentication

    Type Description API v5.0 API v5.1 API v5.2 Notes
    Bearer token Authentication token as Authorization Bearer X X X Bearer Authorization header is injected in requests to upstreams and source of truth
    Basic Auth Authentication token as Authorization Basic X X X Basic Authorization header is injected in requests to upstreams and source of truth
    HTTP header Authentication token in custom HTTP header X X X HTTP header is injected in requests to upstreams and source of truth
    mTLS Mutual TLS X X X Client certificate is sent to upstream / source of truth

    Examples

    Server-side authentication profiles to be defined under .declaration.http.authentication.client[]

    • Bearer token authentication profile
    {
       "name": "<PROFILE_NAME>",
       "type": "token",
       "token": {
           "type": "bearer",
           "token": "<AUTHENTICATION_TOKEN>"
       }
    }
    • Basic authentication profile
    {
       "name": "<PROFILE_NAME>",
       "type": "token",
       "token": {
           "type": "basic",
           "username": "<AUTHENTICATION_USERNAME>",
           "password": "<BASE64_ENCODED_PASSWORD>"
       }
    }
    • HTTP header authentication profile
    {
       "name": "<PROFILE_NAME>",
       "type": "token",
       "token": {
           "type": "header",
           "token": "<AUTHENTICATION_TOKEN>",
           "location": "<HTTP_HEADER_NAME>"
       }
    }
    • mTLS authentication profile
    "server": [
        {
            "name": "<PROFILE_NAME>",
            "type": "mtls",
            "mtls": {
                "certificate": "<CLIENT_CERTIFICATE>",
                "key": "<CLIENT_KEY>"
            }
        }

    HTTP Headers manipulation

    Type API v5.0 API v5.1 API v5.2 Notes
    Request (client to server) X X X
  • set - new header injection
  • delete - client header removal
  • Response (server to client) X X X
  • add - new header injection
  • delete - server header removal
  • replace - server header replacement
  • Examples

    To be defined under .declaration.http.servers[].headers and/or .declaration.http.servers[].location[]

     "headers": {
        "to_server": {
            "set": [
                {
                    "name": "<HTTP_HEADER_NAME>",
                    "value": "<VALUE_OR_NGINX_VARIABLE>"
                },
                ...
            ],
            "delete": [
              "<HTTP_HEADER_NAME>",
              ...
            ]
        },
        "to_client": {
            "add": [
                {
                    "name": "<HTTP_HEADER_NAME>",
                    "value": "<VALUE_OR_NGINX_VARIABLE>"
                },
                ...
            ],
            "delete": [
                "<HTTP_HEADER_NAME>",
                ...
            ],
            "replace": [
                {
                    "name": "<HTTP_HEADER_NAME>",
                    "value": "<VALUE_OR_NGINX_VARIABLE>"
                },
                ...
            ]
        }
    }

    NGINX Javascript

    Hook type API v5.0 API v5.1 API v5.2 Notes
    js_body_filter X X X Available in
  • declaration.http.servers[].location[]
  • js_content X X X Available in
  • declaration.http.servers[].location[]
  • js_header_filter X X X Available in
  • declaration.http.servers[].location[]
  • js_periodic X X X Available in
  • declaration.http.servers[].location[]
  • js_preload_object X X X Available in
  • .declaration.http
  • declaration.http.servers[]
  • declaration.http.servers[].location[]
  • js_set X X X Available in
  • .declaration.http
  • declaration.http.servers[]
  • declaration.http.servers[].location[]
  • Note: njs profiles can be included in base64-encoded format under .declaration.http.njs[] of fetched from an external source of truth For detailed examples see the Postman collection

    Examples

    njs profile example:

    {
      ...
      "declaration": {
        "http": {
          ...
          "njs_profiles": [
            {
              "name": "<NJS_PROFILE_NAME>",
              "file": {
                "content": "<BASE64_ENCODED_JAVASCRIPT_CODE|JAVASCRIPT_FILE_URL>",
                "authentication": [
                  {
                    "profile": "<SERVER_AUTHENTICATION_PROFILE>"
                  }
                ]
              }
            }
          ]
        }
      }
    }
    

    njs hook examples (under .declaration.http, .declaration.http.servers[], .declaration.http.servers[].location[]):

    "njs": [
        {
            "hook": {
                "type": "<HOOK_TYPE>"
            },
            "profile": "<NJS_PROFILE_NAME>",
            "function": "<JAVASCRIPT_FUNCTION>"
        }
    ]

    Example hooks:

    "njs": [
        {
            "hook": {
                "type": "js_body_filter",
                "js_body_filter": {
                  "buffer_type": "<STRING_OR_BUFFER>"
                }
            },
            "profile": "<NJS_PROFILE_NAME>",
            "function": "<JAVASCRIPT_FUNCTION>"
        }
    ]
    "njs": [
        {
            "hook": {
                "type": "js_content"
            },
            "profile": "<NJS_PROFILE_NAME>",
            "function": "<JAVASCRIPT_FUNCTION>"
        }
    ]
    "njs": [
        {
            "hook": {
                "type": "js_header_filter"
            },
            "profile": "<NJS_PROFILE_NAME>",
            "function": "<JAVASCRIPT_FUNCTION>"
        }
    ]
    "njs": [
        {
            "hook": {
                "type": "js_periodic",
                "js_periodic": {
                    "interval": "<INTERVAL_TIME>",
                    "jitter": "<NUMBER>",
                    "worker_affinity": "<MASK>"
                }       
            },
            "profile": "<NJS_PROFILE_NAME>",
            "function": "<JAVASCRIPT_FUNCTION>"
        }
    ]
    "njs": [
        {
            "hook": {
                "type": "js_preload_object"
            },
            "profile": "<NJS_PROFILE_NAME>",
            "function": "<JAVASCRIPT_FUNCTION>"
        }
    ]
    "njs": [
        {
            "hook": {
                "type": "js_set",
                "js_set": {
                  "variable": "<VARIABLE_NAME>"
                }
            },
            "profile": "<NJS_PROFILE_NAME>",
            "function": "<JAVASCRIPT_FUNCTION>"
        }
    ]

    DNS resolvers

    API v5.0 API v5.1 API v5.2 Notes
    DNS resolver profiles X X Available in
  • declaration.http.servers[]
  • declaration.http.upstreams[]
  • declaration.layer4.upstreams[]
  • Examples

    DNS resolver profiles to be defined under .declaration.http.resolvers[]

    • DNS resolver profile:
    {
       "name": "Google",
       "address": "8.8.8.8",
       "valid": "5s",
       "ipv4": true,
       "ipv6": false,
       "timeout": "30s"
    }

    Maps

    Map entries .declaration.maps[].entries.keymatch can be:

    • exact - exact variable matching
    • regex - case sensitive regex matching
    • iregex - case insensitive regex matching