[DX-1008] Updated Internal Endpoint middleware (#4046)

* Updated Internal Endpoint ---------
TykTechnologies · Mar 22, 2024 · 09112c6 · 09112c6
1 parent 562ccde
commit 09112c6
Show file tree

Hide file tree

Showing 10 changed files with 254 additions and 10 deletions.
diff --git a/tyk-docs/assets/img/dashboard/api-designer/tyk-oas-internal.png b/tyk-docs/assets/img/dashboard/api-designer/tyk-oas-internal.png
diff --git a/tyk-docs/assets/img/dashboard/endpoint-designer/ignore-authentication.png b/tyk-docs/assets/img/dashboard/endpoint-designer/ignore-authentication.png
diff --git a/tyk-docs/assets/img/dashboard/endpoint-designer/internal-endpoint.png b/tyk-docs/assets/img/dashboard/endpoint-designer/internal-endpoint.png
diff --git a/tyk-docs/content/advanced-configuration/transform-traffic/endpoint-designer.md b/tyk-docs/content/advanced-configuration/transform-traffic/endpoint-designer.md
@@ -83,7 +83,7 @@ Adding the [Ignore Authentication]({{< ref "product-stack/tyk-gateway/middleware
 
 ### Internal
 
-This plugin allows an endpoint to not be listened to by the Tyk Gateway but can be called by other APIs using the `tyk://self/` prefix.
+The [Internal Endpoint]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-middleware" >}}) middleware instructs Tyk Gateway to ignore external requests to the endpoint (which is a combination of HTTP method and path). Internal requests from other APIs will be processed.
 
 ### Method Transforms
 

diff --git a/tyk-docs/content/product-stack/tyk-gateway/middleware/ignore-tyk-classic.md b/tyk-docs/content/product-stack/tyk-gateway/middleware/ignore-tyk-classic.md
@@ -57,6 +57,8 @@ You can use the API Designer in the Tyk Dashboard to configure the Ignore Authen
 #### Step 1: Add an endpoint for the path and select the plugin
 From the **Endpoint Designer** add an endpoint that matches the path for which you want to ignore authentication. Select the **Ignore** plugin.
 
+{{< img src="/img/dashboard/endpoint-designer/ignore-authentication.png" alt="Adding the ignore authentication middleware to a Tyk Classic API endpoint" >}}
+
 #### Step 2: Configure the middleware
 Once you have selected the Ignore middleware for the endpoint, the only additional feature that you need to configure is whether to make it case-insensitive by selecting **Ignore Case**.
 

diff --git a/tyk-docs/content/product-stack/tyk-gateway/middleware/ignore-tyk-oas.md b/tyk-docs/content/product-stack/tyk-gateway/middleware/ignore-tyk-oas.md
@@ -11,7 +11,7 @@ When working with Tyk OAS APIs the middleware is configured in the [Tyk OAS API
 
 If you're using the legacy Tyk Classic APIs, then check out the [Tyk Classic]({{< ref "product-stack/tyk-gateway/middleware/ignore-tyk-classic" >}}) page.
 
-## Configuring the middleware in the Tyk Classic API Definition
+## Configuring the middleware in the Tyk OAS API Definition
 The design of the Tyk OAS API Definition takes advantage of the `operationID` defined in the OpenAPI Document that declares both the path and method for which the middleware should be added.
 
 The ignore authentication middleware (`ignoreAuthentication`) can be added to the `operations` section of the Tyk OAS Extension (`x-tyk-api-gateway`) in your Tyk OAS API Definition for the appropriate `operationId` (as configured in the `paths` section of your OpenAPI Document).
@@ -120,16 +120,16 @@ Select **ADD MIDDLEWARE** and choose the **Ignore Authentication** middleware fr
 
 {{< img src="/img/dashboard/api-designer/tyk-oas-ignore.png" alt="Adding the Ignore Authentication middleware" >}}
 
-##### Step 2: Optionally configure case-insensitivity
- If you want to disable case-sensitivity for the path that you wish to skip authentication, then you must select **EDIT** on the Ignore Authentication icon.
+##### Step 3: Optionally configure case-insensitivity
+If you want to disable case-sensitivity for the path that you wish to skip authentication, then you must select **EDIT** on the Ignore Authentication icon.
 
- {{< img src="/img/dashboard/api-designer/tyk-oas-ignore-added.png" alt="Ignore Authentication middleware added to endpoint - click through to edit the config" >}}
+{{< img src="/img/dashboard/api-designer/tyk-oas-ignore-added.png" alt="Ignore Authentication middleware added to endpoint - click through to edit the config" >}}
 
- This takes you to the middleware configuration screen where you can alter the case sensitivity setting.
- {{< img src="/img/dashboard/api-designer/tyk-oas-ignore-config.png" alt="Configuring case sensitivity for the path for which to ignore authentication" >}}
+This takes you to the middleware configuration screen where you can alter the case sensitivity setting.
+{{< img src="/img/dashboard/api-designer/tyk-oas-ignore-config.png" alt="Configuring case sensitivity for the path for which to ignore authentication" >}}
 
- Select **UPDATE MIDDLEWARE** to apply the change to the middleware configuration.
+Select **UPDATE MIDDLEWARE** to apply the change to the middleware configuration.
 
- ##### Step 3: Save the API
- Select **SAVE API** to apply the changes to your API.
+##### Step 4: Save the API
+Select **SAVE API** to apply the changes to your API.
 
diff --git a/...cs/content/product-stack/tyk-gateway/middleware/internal-endpoint-middleware.md b/...cs/content/product-stack/tyk-gateway/middleware/internal-endpoint-middleware.md
@@ -0,0 +1,58 @@
+---
+title: Internal Endpoint middleware
+date: 2024-01-26
+description: "Detail of the Internal Endpoint middleware"
+tags: ["internal endpoint", "internal", "middleware", "per-endpoint"]
+---
+
+The Internal Endpoint middleware instructs Tyk Gateway to ignore external requests to the endpoint (which is a combination of HTTP method and path). Internal requests from other APIs will be processed.
+
+## When to use the Internal Endpoint middleware
+#### Internal routing decisions
+Internal endpoints are frequently used to make complex routing decisions that cannot be handled by the standard routing features. A single externally published endpoint can receive requests and then, based on inspection of the requests, the [URL rewrite]({{< ref "transform-traffic/url-rewriting" >}}) middleware can route them to different internal endpoints and on to the appropriate upstream services.
+
+## How internal endpoints work
+When the Internal Endpoint middleware is configured for a specific endpoint, it instructs the Gateway to ignore requests to the endpoint that originate from outside Tyk.
+
+An internal endpoint can be targeted from another API deployed on Tyk using the `tyk://` prefix instead of `http://`.
+
+For example, if `GET /status/200` is configured to be an Internal Endpoint on the listen path `http://my-tyk-install.org/my-api/` then external calls to this endpoint will be rejected with `HTTP 403 Forbidden`. Other APIs on Tyk will be able to direct traffic to this endpoint by setting their `target_url` to `tyk://my-api/status/200`.
+
+#### Addressing an internal endpoint
+An internal endpoint can be addressed using three different identifiers in the format `tyk://{identifier}/{endpoint}`.
+
+The options for the `identifier` are:
+ - `self` (only if the endpoint is in the same API)
+ - `api_id` (the unique API Identifier assigned to the API within Tyk)
+ - listen path (the listen path defined for the API)
+
+For example, let's say you have two APIs:
+
+| api_id | listen path | Endpoint 1   | Endpoint 2 (with internal endpoint middleware) |
+|--------|-------------|--------------|------------------------------------------------|
+| f1c63fa5177de2719  | `/api1`    | `endpoint1_ext` | `endpoint1_int`     |
+| 2e90b33a879945918  | `/api2`    | `endpoint2_ext` | `endpoint2_int`     |
+
+An external request directed at `/api1/endpoint1_int` will be rejected with `HTTP 403 Forbidden`, since this is an internal endpoint.
+
+This endpoint could, however, be called from within either endpoint in `/api2` as either:
+ - `tyk://api1/endpoint1_int`
+ - `tyk://f1c63fa5177de2719/endpoint1_int`
+
+Or from within `/api1/endpoint1_ext` as:
+ - `tyk://api1/endpoint1_int`
+ - `tyk://f1c63fa5177de2719/endpoint1_int`
+ - `tyk://self/endpoint1_int`
+
+<hr>
+
+If you're using Tyk OAS APIs, then you can find details and examples of how to configure the Internal Endpoint middleware [here]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas" >}}).
+
+If you're using Tyk Classic APIs, then you can find details and examples of how to configure the Internal Endpoint middleware [here]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic" >}}).
+
+<!-- proposed "summary box" to be shown graphically on each middleware page
+ ## Internal Endpoint middleware summary
+  - The Internal Endpoint middleware is an optional stage in Tyk's API Request processing chain, sitting between the [TBC]() and [TBC]() middleware.
+  - The Internal Endpoint middleware can be configured at the per-endpoint level within the API Definition and is supported by the API Designer within the Tyk Dashboard. 
+ -->
+
diff --git a/...s/content/product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic.md b/...s/content/product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic.md
@@ -0,0 +1,49 @@
+---
+title: Using the Internal Endpoint middleware with Tyk Classic APIs
+date: 2024-01-26
+description: "Using the Internal Endpoint middleware with Tyk Classic APIs"
+tags: ["internal endpoint", "internal", "middleware", "per-endpoint", "Tyk Classic"]
+---
+
+The [Internal Endpoint]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-middleware" >}}) middleware instructs Tyk Gateway not to process external requests to the endpoint (which is a combination of HTTP method and path). Internal requests from other APIs will be processed.
+
+When working with Tyk Classic APIs, the middleware is configured in the Tyk Classic API Definition. You can do this via the Tyk Dashboard API or in the API Designer.
+
+If you're using the newer Tyk OAS APIs, then check out the [Tyk OAS]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas" >}}) page.
+
+## Configuring the middleware in the Tyk Classic API Definition
+
+To enable the middleware you must add a new `internal` object to the `extended_paths` section of your API definition.
+
+The `internal` object has the following configuration:
+ - `path`: the path to match on
+ - `method`: this method to match on
+
+For example:
+```.json  {linenos=true, linenostart=1}
+{
+    "extended_paths": {
+        "internal": [
+            {
+                "disabled": false,
+                "path": "/status/200",
+                "method": "GET"
+            }
+        ]
+    }
+}
+```
+
+In this example the internal endpoint middleware has been configured for HTTP `GET` requests to the `/status/200` endpoint. Any requests made to this endpoint that originate externally to Tyk will be rejected with `HTTP 403 Forbidden`. Conversely, the endpoint can be reached internally by another API at `tyk://<listen_path>/status/200`.
+
+## Configuring the middleware in the API Designer
+
+You can use the API Designer in the Tyk Dashboard to configure the internal endpoint middleware for your Tyk Classic API by following these steps.
+
+#### Step 1: Add an endpoint for the path and select the plugin
+From the **Endpoint Designer** add an endpoint that matches the path for which you want to allow access. Select the **Internal** plugin.
+
+{{< img src="/img/dashboard/endpoint-designer/internal-endpoint.png" alt="Adding the internal endpoint middleware to a Tyk Classic API endpoint" >}}
+
+#### Step 2: Save the API
+Use the *save* or *create* buttons to save the changes and activate the middleware.
diff --git a/tyk-docs/content/product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas.md b/tyk-docs/content/product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas.md
@@ -0,0 +1,119 @@
+---
+title: Using the Internal Endpoint middleware with Tyk OAS APIs
+date: 2024-01-26
+description: "Using the Internal Endpoint middleware with Tyk OAS APIs"
+tags: ["internal endpoint", "internal", "middleware", "per-endpoint", "Tyk OAS"]
+---
+
+The [Internal Endpoint]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-middleware" >}}) middleware instructs Tyk Gateway not to process external requests to the endpoint (which is a combination of HTTP method and path). Internal requests from other APIs will be processed.
+
+When working with Tyk OAS APIs, the middleware is configured in the [Tyk OAS API Definition]({{< ref "tyk-apis/tyk-gateway-api/oas/x-tyk-oas-doc#operation" >}}). You can do this via the Tyk Dashboard API or in the API Designer.
+
+If you're using the legacy Tyk Classic APIs, then check out the [Tyk Classic]({{< ref "product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic" >}}) page.
+
+## Configuring the middleware in the Tyk OAS API Definition
+
+The design of the Tyk OAS API Definition takes advantage of the `operationID` defined in the OpenAPI Document that declares both the path and method for which the middleware should be added.
+
+The internal endpoint middleware (`internal`) can be added to the `operations` section of the Tyk OAS Extension (`x-tyk-api-gateway`) in your Tyk OAS API Definition for the appropriate `operationId` (as configured in the `paths` section of your OpenAPI Document).
+
+The `internal` object has the following configuration:
+- `enabled`: enable the middleware for the endpoint
+
+For example:
+```.json {hl_lines=["49-50"],linenos=true, linenostart=1}
+{
+    "components": {},
+    "info": {
+        "title": "example-internal-endpoint",
+        "version": "1.0.0"
+    },
+    "openapi": "3.0.3",
+    "paths": {
+        "/anything": {
+            "get": {
+                "operationId": "anythingget",
+                "responses": {
+                    "200": {
+                        "description": ""
+                    }
+                }
+            }
+        },
+        "/redirect": {
+            "get": {
+                "operationId": "redirectget",
+                "responses": {
+                    "200": {
+                        "description": ""
+                    }
+                }
+            }
+        }
+    },
+    "x-tyk-api-gateway": {
+        "info": {
+            "name": "example-internal-endpoint",
+            "state": {
+                "active": true
+            }
+        },
+        "upstream": {
+            "url": "http://httpbin.org/"
+        },
+        "server": {
+            "listenPath": {
+                "value": "/example-internal-endpoint/",
+                "strip": true
+            }
+        },
+        "middleware": {
+            "operations": {
+                "anythingget": {
+                    "internal": {
+                        "enabled": true
+                    }
+                },
+                "redirectget": {
+                    "urlRewrite": {
+                        "enabled": true,
+                        "pattern": ".*",
+                        "rewriteTo": "tyk://self/anything"
+                    }
+                }
+            }
+        }
+    }
+}
+```
+
+In this example, two endpoints have been defined:
+- the internal endpoint middleware has been configured for requests to the `GET /anything` endpoint
+- the [URL rewrite]({{< ref "transform-traffic/url-rewriting" >}}) middleware has been configured for requests to the `GET /redirect` endpoint
+
+Any calls made directly to `GET /example-internal-endpoint/anything` will be rejected, with Tyk returning `HTTP 403 Forbidden`, since the `/anything` endpoint is internal.
+
+Any calls made to `GET /example-internal-endpoint/redirect` will be redirected to `GET /example-internal-endpoint/anything`. These will be proxied to the upstream because they originate from within Tyk Gateway (i.e. they are internal requests) - so the response from `GET http://httpbin.org/anything` will be returned.
+
+The configuration above is a complete and valid Tyk OAS API Definition that you can import into Tyk to try out the internal endpoint middleware.
+
+## Configuring the middleware in the API Designer
+
+Adding the Internal Endpoint middleware to your API endpoints is easy when using the API Designer in the Tyk Dashboard, simply follow the following steps:
+
+#### Step 1: Add an endpoint for the path
+From the **API Designer** add an endpoint that matches the path you want to rewrite.
+
+{{< img src="/img/dashboard/api-designer/tyk-oas-no-endpoints.png" alt="Tyk OAS API Designer showing no endpoints created" >}}
+
+{{< img src="/img/dashboard/api-designer/tyk-oas-add-endpoint.png" alt="Adding an endpoint to an API using the Tyk OAS API Designer" >}}
+
+{{< img src="/img/dashboard/api-designer/tyk-oas-no-middleware.png" alt="Tyk OAS API Designer showing no middleware enabled on endpoint" >}}
+
+#### Step 2: Select the Internal Endpoint middleware
+Select **ADD MIDDLEWARE** and choose the **Internal** middleware from the *Add Middleware* screen.
+
+{{< img src="/img/dashboard/api-designer/tyk-oas-internal.png" alt="Adding the Internal Endpoint middleware" >}}
+
+#### Step 3: Save the API
+Select **SAVE API** to apply the changes to your API.
diff --git a/tyk-docs/data/menu.yaml b/tyk-docs/data/menu.yaml
@@ -1571,6 +1571,22 @@ menu:
               path: /product-stack/tyk-gateway/middleware/ignore-tyk-classic
               category: Page
               show: True
+          - title: "Internal Endpoint"
+            category: Directory
+            show: True
+            menu:
+            - title: "Overview"
+              path: /product-stack/tyk-gateway/middleware/internal-endpoint-middleware
+              category: Page
+              show: True
+            - title: "Tyk OAS configuration"
+              path: /product-stack/tyk-gateway/middleware/internal-endpoint-tyk-oas
+              category: Page
+              show: True
+            - title: "Tyk Classic configuration"
+              path: /product-stack/tyk-gateway/middleware/internal-endpoint-tyk-classic
+              category: Page
+              show: True
           - title: "Request Method Transform"
             path: /advanced-configuration/transform-traffic/request-method-transform
             category: Page