Skip to main content

What is Hub API Gateway?

What is an API Gateway?

An API gateway serves as an intermediary between clients and backend services, streamlining request routing, enforcing security measures, managing APIs and microservices, and optimizing the communication flow within complex software architectures. It provides a centralized and unified way for developers to interact with the backend services that power your applications and infrastructure.

Routing

Traefik Hub API Gateway is built on top of Traefik Proxy. Its routing mechanisms are based on the same concepts of EntryPoints, Routers, Middlewares, and Services.

  • EntryPoints: EntryPoints are the network entry points into Traefik. They define the port that will receive the packets and whether to listen for HTTP, TCP, or UDP.
  • Routers: A router is in charge of connecting incoming requests to the services that can handle them.
  • Middlewares: Attached to the routers, middlewares can modify the requests or responses before they are sent to your service.
  • Services: Services are responsible for configuring how to reach the upstream services that will eventually handle the incoming requests.

Auto Service Discovery

Where traditionally API Gateways need a configuration file that contains every possible route to your APIs, Traefik Hub API Gateway gets them from the APIs themselves.

Deploying your APIs, you attach information that tells Traefik Hub API Gateway the characteristics of the requests the services can handle.

This means that when a (Kubernetes) service is deployed, Traefik Hub API Gateway detects it immediately and updates the routing rules in real time. Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.

You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.

Traefik Hub API Gateway can use your cluster's API to discover the services and read the attached information. In Traefik Hub API Gateway, these connectors are called providers because they provide the configuration to Traefik Hub API Gateway.

Certificate resolvers

Traefik Hub API Gateway allows you to generate your TLS certificate automatically with Let's Encrypt and HashiCorp Vault using the ACME protocol.

What is ACME?

ACME, which stands for "Automated Certificate Management Environment," is a protocol designed to automate the issuance and management of digital certificates for secure communication over the internet. Digital certificates play a crucial role in establishing the authenticity and security of online transactions and communications. They are primarily used to enable secure connections (such as HTTPS) between clients (like web browsers) and servers.

ACME simplifies and streamlines the process of obtaining and renewing digital certificates, which traditionally involves complex manual steps such as generating certificate signing requests (CSRs), submitting them to Certificate Authorities (CAs), and managing the renewal process periodically. By automating these tasks, ACME reduces human error, enhances security by ensuring certificates are regularly updated, and saves time and resources for organizations.

To verify that a server requesting a certificate actually controls the domain for which the certificate is requested, ACME uses challenges. ACME challenges are integral to the ACME protocol and address specific verification requirements to prove domain ownership during certificate issuance and renewal. These challenges are necessary because digital certificate authorities must verify that the entity requesting a certificate actually controls the domain for which the certificate is issued. This verification process helps prevent malicious people from obtaining certificates for domains they do not own.

Hub API Gateway supports several types of challenges:

  • HTTP-01 Challenge: This method requires placing a specific file on the server at a specified URL. The CA verifies the domain by checking this URL.
  • TLS-ALPN-01 Challenge: This method requires configuring the server to respond to a specific TLS handshake. The CA verifies the domain by performing this handshake.
  • DNS-01 Challenge: This method involves creating a DNS record with a specific value. The CA verifies the domain by checking this DNS record.

Each challenge has its own advantages and is suitable for different scenarios, depending on your internal policies and the level of control you have over DNS configurations.

info

Defining one ACME challenge is a requirement for a certificate resolver to be functional.

Let's Encrypt and Rate Limiting

Note that Let's Encrypt API has rate limiting. These last up to one week, and can not be overridden.

When using non-distributed ACME the storage file should be persisted across restarts. If Hub API Gateway requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's rate limits. To configure where certificates are stored, please take a look at the storage configuration.

Use Let's Encrypt staging server with the caServer configuration option when experimenting to avoid hitting this limit too fast.

Distributed and Non-Distributed ACME

Hub API Gateway requires you to define "Certificate Resolvers" in the static configuration, which are responsible for retrieving certificates from an ACME server.

Then, each "router" is configured to enable TLS, and is associated to a certificate resolver through the tls.certresolver configuration option.

Hub API Gateway supports two type of ACME Certificate Resolvers: distributed and non-distributed:

  • Non-Distributed ACME: Each Hub API Gateway instance independently handles the ACME process, obtaining and renewing its own certificates. This approach, while available in Hub API Gateway Proxy OSS has limitations. If you run multiple Hub API Gateway instances (for example, in a high-availability setup), each instance must separately pass the ACME challenges, which can lead to unnecessary duplication of certificates and increased load on the Certificate Authority.
  • Distributed ACME: Multiple Hub API Gateway instances share a single certificate store. The ACME process is handled by only one instance, and certificates are distributed to the others. This approach is more efficient for large-scale or high-availability setups, as it reduces duplication and ensures consistency across all instances.