Skip to content

Commit

Permalink
Updated Internal Endpoint
Browse files Browse the repository at this point in the history
  • Loading branch information
@andyo-tyk
andyo-tyk committed Jan 29, 2024
1 parent 4732885 commit 001dd27
Show file tree
Hide file tree
Showing 5 changed files with 224 additions and 1 deletion.
2 changes: 1 addition & 1 deletion tyk-docs/content/advanced-configuration/transform-traffic/endpoint-designer.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ You can also set a global ignore case on the API level or across [the gateway]({

### Internal

This plugin allows an endpoint to not be listened to by the Tyk Gateway but can be called by other APIs using the `tyk://self/` prefix.
The [Internal Endpoint]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-middleware" >}}) middleware instructs Tyk Gateway not to process external requests to the endpoint (which is a combination of HTTP method and path). Internal requests from other APIs will be processed.

### Method Transforms

Expand Down
58 changes: 58 additions & 0 deletions ...cs/content/product-stack/tyk-gateway/middleware/internal-endpoint-middleware.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
---
title: Internal Endpoint middleware
date: 2024-01-26
description: "Detail of the Internal Endpoint middleware"
tags: ["internal endpoint", "internal", "middleware", "per-endpoint"]
---

The Internal Endpoint middleware instructs Tyk Gateway not to process external requests to the endpoint (which is a combination of HTTP method and path). Internal requests from other APIs will be processed.

## When to use the Internal Endpoint middleware
#### Internal routing decisions
Internal endpoints are frequently used to make complex routing decisions that cannot be handled by the standard routing features. A single externally published endpoint can receive requests and then, based on inspection of the requests, the [URL rewrite]({{< ref "transform-traffic/url-rewriting" >}}) middleware can route them to different internal endpoints and on to the appropriate upstream services.

## How internal endpoints work
When the Internal Endpoint middleware is configured for a specific endpoint, it instructs the gateway not to listen to requests originating outside Tyk that are made to that endpoint.

An internal endpoint can be targeted from another API deployed on Tyk using the `tyk://` prefix instead of `http://`.

For example, if `GET /status/200` is configured to be an Internal Endpoint on the listen path `http://my-tyk-install.org/my-api/` then external calls to this endpoint will be rejected with `HTTP 403 Forbidden`. Other APIs on Tyk will be able to direct traffic to this endpoint by setting their `target_url` to `tyk://my-api/status/200`.

#### Addressing an internal endpoint
An internal endpoint can be addressed using three different identifiers in using the format `tyk://{identifier}/{endpoint}`.

The options for the `identifier` are:
- `self` (only if the endpoint is in the same API)
- `api_id` (the unique API Identifier assigned to the API within Tyk)
- listen path (the listen path defined for the API)

For example, let's say you have two APIs:

| api_id | listen path | Endpoint 1 | Endpoint 2 (with internal endpoint middleware) |
|--------|-------------|--------------|------------------------------------------------|
| f1c63fa5177de2719 | `/api1` | `endpoint1_ext` | `endpoint1_int` |
| 2e90b33a879945918 | `/api2` | `endpoint2_ext` | `endpoint2_int` |

A direct call to `/api1/endpoint1_int` will be rejected with `HTTP 403 Forbidden` as this is an internal endpoint.

This endpoint could, however, be called from within either endpoint in `/api2` as either:
- `tyk://api1/endpoint1_int`
- `tyk://f1c63fa5177de2719/endpoint1_int`

Or from within `/api1/endpoint1_ext` as:
- `tyk://api1/endpoint1_int`
- `tyk://f1c63fa5177de2719/endpoint1_int`
- `tyk://self/endpoint1_int`

<hr>

If you're using Tyk OAS APIs, then you can find details and examples of how to configure the Internal Endpoint middleware [here]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas" >}}).

If you're using Tyk Classic APIs, then you can find details and examples of how to configure the Internal Endpoint middleware [here]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic" >}}).

<!-- proposed "summary box" to be shown graphically on each middleware page
## Internal Endpoint middleware summary
- The Internal Endpoint middleware is an optional stage in Tyk's API Request processing chain, sitting between the [TBC]() and [TBC]() middleware.
- The Internal Endpoint middleware can be configured at the per-endpoint level within the API Definition and is supported by the API Designer within the Tyk Dashboard.
-->

47 changes: 47 additions & 0 deletions ...s/content/product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
title: Using the Internal Endpoint middleware with Tyk Classic APIs
date: 2024-01-26
description: "Using the Internal Endpoint middleware with Tyk Classic APIs"
tags: ["internal endpoint", "internal", "middleware", "per-endpoint", "Tyk Classic"]
---

The [Internal Endpoint]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-middleware" >}}) middleware instructs Tyk Gateway not to process external requests to the endpoint (which is a combination of HTTP method and path). Internal requests from other APIs will be processed.

When working with Tyk Classic APIs the middleware is configured in the Tyk Classic API Definition either manually within the `.json` file or from the API Designer in the Tyk Dashboard.

If you're using the newer Tyk OAS APIs, then check out the [Tyk OAS]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas" >}}) page.

## Configuring the middleware in the Tyk Classic API Definition
To enable the middleware you must add a new `internal` object to the `extended_paths` section of your API definition.

The `internal` object has the following configuration:
- `path`: the path to match on
- `method`: this method to match on

For example:
```.json {linenos=true, linenostart=1}
{
"extended_paths": {
"internal": [
{
"disabled": false,
"path": "/status/200",
"method": "GET"
}
]
}
}
```

In this example the internal endpoint middleware has been configured for HTTP `GET` requests to the `/status/200` endpoint. Any calls made to this endpoint that originate outside Tyk (i.e. externally) will be rejected with `HTTP 403 Forbidden`, however it can be reached internally by another API at `tyk://<listen_path>/status/200`.

## Configuring the middleware in the API Designer
You can use the API Designer in the Tyk Dashboard to configure the internal endpoint middleware for your Tyk Classic API by following these steps.

#### Step 1: Add an endpoint for the path and select the plugin
From the **Endpoint Designer** add an endpoint that matches the path for which you want to allow access. Select the **Internal** plugin.

< placeholder for image >

#### Step 2: Save the API
Use the *save* or *create* buttons to save the changes and make the middleware active.
102 changes: 102 additions & 0 deletions tyk-docs/content/product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
---
title: Using the Internal Endpoint middleware with Tyk OAS APIs
date: 2024-01-26
description: "Using the Internal Endpoint middleware with Tyk OAS APIs"
tags: ["internal endpoint", "internal", "middleware", "per-endpoint", "Tyk OAS"]
---

The [Internal Endpoint]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-middleware" >}}) middleware instructs Tyk Gateway not to process external requests to the endpoint (which is a combination of HTTP method and path). Internal requests from other APIs will be processed.

When working with Tyk OAS APIs the middleware is configured in the [Tyk OAS API Definition]({{< ref "tyk-apis/tyk-gateway-api/oas/x-tyk-oas-doc#operation" >}}) either manually within the `.json` file or from the API Designer in the Tyk Dashboard.

If you're using the legacy Tyk Classic APIs, then check out the [Tyk Classic]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic" >}}) page.

## Configuring the middleware in the Tyk Classic API Definition
The design of the Tyk OAS API Definition takes advantage of the `operationID` defined in the OpenAPI Document that declares both the path and method for which the middleware should be added.

The internal endpoint middleware (`internal`) can be added to the `operations` section of the Tyk OAS Extension (`x-tyk-api-gateway`) in your Tyk OAS API Definition for the appropriate `operationId` (as configured in the `paths` section of your OpenAPI Document).

The `internal` object has the following configuration:
- `enabled`: enable the middleware for the endpoint

For example:
```.json {hl_lines=["49-50"],linenos=true, linenostart=1}
{
"components": {},
"info": {
"title": "example-internal-endpoint",
"version": "1.0.0"
},
"openapi": "3.0.3",
"paths": {
"/anything": {
"get": {
"operationId": "anythingget",
"responses": {
"200": {
"description": ""
}
}
}
},
"/redirect": {
"get": {
"operationId": "redirectget",
"responses": {
"200": {
"description": ""
}
}
}
}
},
"x-tyk-api-gateway": {
"info": {
"name": "example-internal-endpoint",
"state": {
"active": true
}
},
"upstream": {
"url": "http://httpbin.org/"
},
"server": {
"listenPath": {
"value": "/example-internal-endpoint/",
"strip": true
}
},
"middleware": {
"operations": {
"anythingget": {
"internal": {
"enabled": true
}
},
"redirectget": {
"urlRewrite": {
"enabled": true,
"pattern": ".*",
"rewriteTo": "tyk://self/anything"
}
}
}
}
}
}
```

In this example, two endpoints have been defined:
- the internal endpoint middleware has been configured for HTTP `GET` requests to the `/anything` endpoint
- the [URL rewrite]({{< ref "transform-traffic/url-rewriting" >}}) middleware has been configured for HTTP `GET` requests to the `/redirect` endpoint

Any calls made directly to `GET /example-internal-endpoint/anything` will be rejected, with Tyk returning `HTTP 403 Forbidden`.

Any calls made to `GET /example-internal-endpoint/redirect` will be redirected to `/example-internal-endpoint/anything`. These will be proxied to the upstream because they originate from within Tyk Gateway (i.e. they are internal requests) - so the response from `GET http://httpbin.org/anything` will be returned.

The configuration above is a complete and valid Tyk OAS API Definition that you can import into Tyk to try out the API-level response header transform.

## Configuring the middleware in the API Designer
Adding the Internal Endpoint middleware to your API endpoints is easy when using the API Designer in the Tyk Dashboard, simply follow the steps taken in this short video:

< placeholder for video >
16 changes: 16 additions & 0 deletions tyk-docs/data/menu.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1532,6 +1532,22 @@ menu:
path: /advanced-configuration/transform-traffic/endpoint-designer
category: Page
show: True
- title: "Internal Endpoint"
category: Directory
show: True
menu:
- title: "Overview"
path: /product-stack/tyk-gateway/middleware/internal-endpoint-middleware
category: Page
show: True
- title: "Tyk OAS configuration"
path: /product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas
category: Page
show: True
- title: "Tyk Classic configuration"
path: /product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic
category: Page
show: True
- title: "Request Method Transform"
path: /advanced-configuration/transform-traffic/request-method-transform
category: Page
Expand Down

0 comments on commit 001dd27

Please sign in to comment.