authentication API Gateway Apache APISIX Keycloak Spring Security

System architecture: move authentication to the API Gateway

When exposing an application to the outside world, consider a Reverse-Proxy or an API Gateway to protect it from attacks. Rate Limiting comes to mind first, but it shouldn’t stop there. We can factor many features in the API Gateway and should be bold in moving them from our apps. In this post, I’ll show how to implement authentication at the Gateway API stage. Overall authentication flow The API Gateway doesn’t authenticate but delegates authentication to an authentication

data location data residency API Gateway Apache APISIX Apache ShardingSphere

Managing Data Residency - the demo

I explained the concepts and theory behind Data Residency in a previous post. It’s time to get our hands dirty and implement it in a simple demo. The sample architecture In the last section of the previous post, I proposed a sample architecture where location-based routing happened at two different stages: The API Gateway checks for an existing X-Country header. Depending on its value, it forwards the request to the computed upstream; If no value is found or no value matches, it forwar

data location data residency API Gateway Apache APISIX Apache ShardingSphere

Managing Data Residency - concepts and theory

Cloud computing has opened a Pandora’s Box of many original issues compared to sound old on-premise systems. I believe that chief among them is Data Residency, or Data Location: Data localization or data residency law requires data about a nation’s citizens or residents to be collected, processed, and/or stored inside the country, often before being transferred internationally. Such data is usually transferred only after meeting local privacy or data protection laws, such as givin

API PostgreSQL PostgREST API Gateway Apache APISIX no code MVP

A poor man's API

Creating a full-fledged API requires resources, both time and money. You need to think about the model, the design, the REST principles, etc., without writing a single line of code. Most of the time, you don’t know whether it’s worth it: you’d like to offer a Minimum Viable Product and iterate from there. I want to show how you can achieve it without writing a single line of code. The solution The main requirement of the solution is to use the PostgreSQL database. It’s

Rust WebAssembly API Gateway Apache APISIX

Rewriting the Apache APISIX response-rewrite plugin in Rust

Last week, I described the basics on how to develop and deploy a Rust plugin for Apache APISIX. The plugin just logged a message when it received the request. Today, I want to leverage what we learned to create something more valuable: write part of the response-rewrite plugin with Rust. Adding a hard-coded header Let’s start small and add a hard-coded response header. Last week, we used the on_http_request_headers() function. The proxy_wasm specification defines several function hooks

Rust WebAssembly API Gateway Apache APISIX

Apache APISIX loves Rust! (and me too)

Apache APISIX is built upon the shoulders of two giants: NGINX, a widespread Open Source reverse-proxyOpenResty, a platform that allows scripting NGINX with the Lua programming language via LuaJIT This approach allows APISIX to provide out-of-the-box Lua plugins that should fit most business requirements. But it always comes a time when generic plugins don’t fit your requirements. In this case, you can write your own Lua plugin. However, if Lua is not part of your tech stack, diving int

security webapp API Gateway Apache APISIX

Secure your web apps with an API Gateway

API management solutions, also known as API gateways, are a must in the day and age of APIs. However, once you’ve set up such a gateway, you can use it for different purposes unrelated to APIs. Today, I want to show you how to improve the security of web apps. Prevent sniffing Browsers are fantastic pieces of technology that try to make the life of users as comfortable as possible. However, the balance between ease of use and security may sometimes tip on the former to the latter’