Version 5.0 supports:
- NGINX Instance Manager 2.14+
- NGINX One Cloud Console
- NGINX Plus R30+
- NGINX App Protect WAF 4.2.0+ with compiled policy bundles
The JSON schema is self explanatory. See also the sample Postman collection
.output.typedefines how NGINX configuration will be returned:- plaintext - plaintext format
- json - JSON-wrapped, base64-encoded
- configmap - Kubernetes Configmap in YAML format.
.output.configmap.namemust be set to the ConfigMap name.output.configmap.filenamemust be set to the NGINX configuration filename.output.configmap.namespacethe optional namespace for the ConfigMap
- http - NGINX configuration is POSTed to custom url
.output.http.urlthe URL to POST the configuration to
- nms - NGINX configuration is published as a Staged Config to NGINX Instance Manager
.output.nms.urlthe NGINX Instance Manager URL.output.nms.usernamethe NGINX Instance Manager authentication username.output.nms.passwordthe NGINX Instance Manager authentication password.output.nms.instancegroupthe NGINX Instance Manager instance group to publish the configuration to.output.nms.synctimeoptional, used for GitOps autosync. When specified and the declaration includes HTTP(S) references to NGINX App Protect policies, TLS certificates/keys/chains, the HTTP(S) endpoints will be checked everysynctimeseconds and if external contents have changed, the updated configuration will automatically be published to NGINX Instance Manager.output.nms.modulesan optional array of NGINX module names (ie. 'ngx_http_app_protect_module', 'ngx_http_js_module','ngx_stream_js_module').output.nms.certificatesan optional array of TLS certificates/keys/chains to be published.output.nms.certificates[].typethe item type ('certificate', 'key', 'chain').output.nms.certificates[].namethe certificate/key/chain name with no path/extension (ie. 'test-application').output.nms.certificates[].contentsthe content: this can be either base64-encoded or be a HTTP(S) URL that will be fetched dynamically from a source of truth
.output.nms.policies[]an optional array of NGINX App Protect security policies.output.nms.policies[].typethe policy type ('app_protect').output.nms.policies[].namethe policy name (ie. 'prod-policy').output.nms.policies[].active_tagthe policy tag to enable among all available versions (ie. 'v1').output.nms.policies[].versions[]array with all available policy versions.output.nms.policies[].versions[].tagthe policy version's tag name.output.nms.policies[].versions[].displayNamethe policy version's display name.output.nms.policies[].versions[].descriptionthe policy version's description.output.nms.policies[].versions[].contentsthis can be either base64-encoded or be a HTTP(S) URL that will be fetched dynamically from a source of truth
- nginxone - NGINX configuration is published to a NGINX One Cloud Console cluster
.output.nginxone.urlthe NGINX One Cloud Console URL.output.nginxone.namespacethe NGINX One Cloud Console namespace.output.nginxone.tokenthe authentication token.output.nginxone.clusterthe cluster name.output.nginxone.synctimeoptional, used for GitOps autosync. When specified and the declaration includes HTTP(S) references to NGINX App Protect policies, TLS certificates/keys/chains, the HTTP(S) endpoints will be checked everysynctimeseconds and if external contents have changed, the updated configuration will automatically be published to NGINX One Cloud Console.output.nginxone.modulesan optional array of NGINX module names (ie. 'ngx_http_app_protect_module', 'ngx_http_js_module','ngx_stream_js_module').output.nginxone.certificatesan optional array of TLS certificates/keys/chains to be published.output.nginxone.certificates[].typethe item type ('certificate', 'key', 'chain').output.nginxone.certificates[].namethe certificate/key/chain name with no path/extension (ie. 'test-application').output.nginxone.certificates[].contentsthe content: this can be either base64-encoded or be a HTTP(S) URL that will be fetched dynamically from a source of truth
.declarationdescribes the NGINX configuration to be created.
Locations .declaration.http.servers[].locations[].uri match modifiers in .declaration.http.servers[].locations[].urimatch can be:
- prefix - prefix URI matching
- exact - exact URI matching
- regex - case sensitive regex matching
- iregex - case insensitive regex matching
- best - case sensitive regex matching that halts any other location matching once a match is made
NGINX Javascript profiles are defined in .declaration.http.njs[]:
name- the NJS profile namefile.content- the base64-encoded njs source code or thehttp(s)://URL of the filefile.authentication.server[0].profile- authentication profile name iffile.contentis a URL and the request must be authenticated
NGINX Javascript hooks can be used in:
.declaration.http.njs- Supported hooks:
- `js_preload_object'
- 'js_set`
- Supported hooks:
.declaration.http.server[].njs- Supported hooks:
- `js_preload_object'
- 'js_set`
- Supported hooks:
.declaration.http.server[].location[].njs- Supported hooks:
- `js_body_filter'
- 'js_content'
- 'js_header_filter'
- 'js_periodic'
- 'js_preload_object'
- 'js_set`
- Supported hooks:
Hooks invocation is:
"njs": [
{
"hook": {
"name": "<HOOK_NAME>",
"parameters": [
{
"name": "<HOOK_PARAMETER_NAME>",
"value": "<HOOK_PARAMETER_VALUE>"
}
]
},
"profile": "<NGINX_JAVASCRIPT_PROFILE>",
"function": "<JAVASCRIPT_FUNCTION_NAME>"
}
]
For detailed examples see the Postman collection
Swagger files and OpenAPI schemas can be used to automatically configure NGINX as an API Gateway. Developer portal creation is supported through Redocly
Declaration path .declaration.http.servers[].locations[].apigateway defines the API Gateway configuration:
openapi_schema- the base64-encoded schema, or the schema URL. YAML and JSON are supportedapi_gateway.enabled- enable/disable API Gateway provisioningapi_gateway.strip_uri- removes the.declaration.http.servers[].locations[].uripart of the URI before forwarding requests to the upstreamapi_gateway.server_url- the base URL of the upstream serverdeveloper_portal.enabled- enable/disable Developer portal provisioningdeveloper_portal.type- developer portal type. Currently supported are:redocly,backstagedeveloper_portal.redocly.*- Redocly-based developer portal parameters. See the Postman collectiondeveloper_portal.backstage.*- Backstage-based developer portal parameters. See the Postman collectionauthentication- optional, used to enforce authentication at the API Gateway levelauthentication.client[]- authentication profile namesauthentication.enforceOnPaths- if set totrueauthentication is enforced on all API endpoints listed underauthentication.paths. if set tofalseauthentication is enforced on all API endpoints but those listed underauthentication.pathsauthentication.paths- paths to enforce authenticationauthorization[]- optional, used to enforce authorizationauthorization[].profile- authorization profile nameauthorization[].enforceOnPaths- if set totrueauthorization is enforced on all API endpoints listed underauthorization.paths. if set tofalseauthorization is enforced on all API endpoints but those listed underauthorization[].pathsauthorization[].paths- paths to enforce authorizationrate_limit- optional, used to enforce rate limiting at the API Gateway levelrate_limit.enforceOnPaths- if set totruerate limiting is enforced on all API endpoints listed underrate_limit.paths. if set tofalserate limiting is enforced on all API endpoints but those listed underrate_limit.paths
A sample API Gateway declaration to publish the https://petstore.swagger.io REST API using:
- REST API endpoint URIs
- HTTP Methods
- Rate limiting on
/user/login,/usr/logoutand/pet/{petId}/uploadImage - JWT authentication on
/user/login,/usr/logoutand/pet/{petId}/uploadImage - JWT claim-based authorization on
/user/login,/usr/logoutand/pet/{petId}/uploadImage - Redocly-based developer portal
- NGINX App Protect WAF security
can be found in the Postman collection
Map entries .declaration.maps[].entries.keymatch can be:
- exact - exact variable matching
- regex - case sensitive regex matching
- iregex - case insensitive regex matching
Snippets for http, upstream, server and location can be specified as:
- base64-encoded content
- HTTP(S) URL of a source of truth to fetch snippet content from. Content on the source of truth must be plaintext
- source of truth authentication is supported through authentication profiles
Client and Server authentication profiles can be defined in the declarative json at .declaration.http.authentication
"authentication": {
"client": [
{
"name": "<PROFILE_NAME>",
"type": "<PROFILE_TYPE>",
"<PROFILE_TYPE>": {
"<PROFILE_KEY>": "<VALUE>",
[...]
}
},
[...]
],
"server": [
{
"name": "<PROFILE_NAME>",
"type": "<PROFILE_TYPE>",
"<PROFILE_TYPE>": {
"<PROFILE_KEY>": "<VALUE>",
[...]
}
},
[...]
]
For a list of all supported authentication profile types see the feature matrix
POST /v5.0/config/- Publish a new declarationPATCH /v5.0/config/{config_uid}- Update an existing declaration- Per-HTTP server CRUD
- Per-HTTP upstream CRUD
- Per-Stream server CRUD
- Per-Stream upstream CRUD
- Per-NGINX App Protect WAF policy CRUD
GET /v5.0/config/{config_uid}- Retrieve an existing declarationDELETE /v5.0/config/{config_uid}- Delete an existing declaration
A sample Postman collection is available here