zuplo 6.67.32 → 6.68.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -0
- package/docs/_index.md +44 -0
- package/docs/ai-gateway/apps.mdx +28 -0
- package/docs/ai-gateway/custom-providers.mdx +54 -0
- package/docs/ai-gateway/getting-started.mdx +224 -0
- package/docs/ai-gateway/guardrails.mdx +65 -0
- package/docs/ai-gateway/integrations/ai-sdk.mdx +109 -0
- package/docs/ai-gateway/integrations/claude-code.mdx +49 -0
- package/docs/ai-gateway/integrations/codex.mdx +78 -0
- package/docs/ai-gateway/integrations/goose.mdx +104 -0
- package/docs/ai-gateway/integrations/langchain.mdx +66 -0
- package/docs/ai-gateway/integrations/openai.mdx +99 -0
- package/docs/ai-gateway/introduction.mdx +85 -0
- package/docs/ai-gateway/managing-apps.mdx +46 -0
- package/docs/ai-gateway/managing-providers.mdx +66 -0
- package/docs/ai-gateway/managing-teams.mdx +63 -0
- package/docs/ai-gateway/policies/akamai-ai-firewall.mdx +125 -0
- package/docs/ai-gateway/policies/comet-opik-tracing.mdx +139 -0
- package/docs/ai-gateway/policies/galileo-tracing.mdx +147 -0
- package/docs/ai-gateway/providers.mdx +32 -0
- package/docs/ai-gateway/teams.mdx +38 -0
- package/docs/ai-gateway/universal-api.mdx +43 -0
- package/docs/ai-gateway/usage-limits.mdx +89 -0
- package/docs/api-management/introduction.md +127 -0
- package/docs/articles/accounts/audit-logs.mdx +227 -0
- package/docs/articles/accounts/billing.mdx +25 -0
- package/docs/articles/accounts/default-api-key.mdx +30 -0
- package/docs/articles/accounts/delete-account.mdx +36 -0
- package/docs/articles/accounts/enterprise-sso.mdx +116 -0
- package/docs/articles/accounts/managing-account-members.mdx +45 -0
- package/docs/articles/accounts/managing-project-members.mdx +37 -0
- package/docs/articles/accounts/members-and-roles.mdx +21 -0
- package/docs/articles/accounts/roles-and-permissions.mdx +115 -0
- package/docs/articles/accounts/zuplo-api-keys.mdx +94 -0
- package/docs/articles/add-api-to-backstage.mdx +216 -0
- package/docs/articles/advanced-path-matching.mdx +139 -0
- package/docs/articles/api-key-administration.mdx +47 -0
- package/docs/articles/api-key-api.mdx +220 -0
- package/docs/articles/api-key-authentication.mdx +195 -0
- package/docs/articles/api-key-buckets.mdx +61 -0
- package/docs/articles/api-key-end-users.mdx +52 -0
- package/docs/articles/api-key-leak-detection.mdx +75 -0
- package/docs/articles/api-key-management.mdx +100 -0
- package/docs/articles/api-key-react-component.mdx +90 -0
- package/docs/articles/api-key-service-limits.mdx +14 -0
- package/docs/articles/archiving-requests-to-storage.mdx +119 -0
- package/docs/articles/branch-based-deployments.mdx +184 -0
- package/docs/articles/bypass-policy-for-testing.mdx +117 -0
- package/docs/articles/check-ip-address.mdx +17 -0
- package/docs/articles/ci-cd-azure/basic-deployment.mdx +49 -0
- package/docs/articles/ci-cd-azure/deploy-and-test.mdx +47 -0
- package/docs/articles/ci-cd-azure/local-testing.mdx +59 -0
- package/docs/articles/ci-cd-azure/multi-stage-deployment.mdx +88 -0
- package/docs/articles/ci-cd-azure/pr-preview-environments.mdx +50 -0
- package/docs/articles/ci-cd-azure/tag-based-releases.mdx +37 -0
- package/docs/articles/ci-cd-bitbucket/basic-deployment.mdx +27 -0
- package/docs/articles/ci-cd-bitbucket/deploy-and-test.mdx +41 -0
- package/docs/articles/ci-cd-bitbucket/local-testing.mdx +34 -0
- package/docs/articles/ci-cd-bitbucket/multi-stage-deployment.mdx +52 -0
- package/docs/articles/ci-cd-bitbucket/pr-preview-environments.mdx +46 -0
- package/docs/articles/ci-cd-bitbucket/tag-based-releases.mdx +27 -0
- package/docs/articles/ci-cd-circleci/basic-deployment.mdx +34 -0
- package/docs/articles/ci-cd-circleci/deploy-and-test.mdx +44 -0
- package/docs/articles/ci-cd-circleci/local-testing.mdx +50 -0
- package/docs/articles/ci-cd-circleci/multi-stage-deployment.mdx +82 -0
- package/docs/articles/ci-cd-circleci/pr-preview-environments.mdx +47 -0
- package/docs/articles/ci-cd-circleci/tag-based-releases.mdx +38 -0
- package/docs/articles/ci-cd-github/basic-deployment.mdx +48 -0
- package/docs/articles/ci-cd-github/cleanup-on-branch-delete.mdx +123 -0
- package/docs/articles/ci-cd-github/deploy-and-test.mdx +82 -0
- package/docs/articles/ci-cd-github/local-testing.mdx +102 -0
- package/docs/articles/ci-cd-github/multi-stage-deployment.mdx +136 -0
- package/docs/articles/ci-cd-github/pr-preview-environments.mdx +106 -0
- package/docs/articles/ci-cd-github/tag-based-releases.mdx +99 -0
- package/docs/articles/ci-cd-gitlab/basic-deployment.mdx +28 -0
- package/docs/articles/ci-cd-gitlab/deploy-and-test.mdx +44 -0
- package/docs/articles/ci-cd-gitlab/local-testing.mdx +39 -0
- package/docs/articles/ci-cd-gitlab/mr-preview-environments.mdx +52 -0
- package/docs/articles/ci-cd-gitlab/multi-stage-deployment.mdx +64 -0
- package/docs/articles/ci-cd-gitlab/tag-based-releases.mdx +28 -0
- package/docs/articles/composite-policy-reference.mdx +284 -0
- package/docs/articles/configuring-auth0-for-mcp-auth.mdx +186 -0
- package/docs/articles/configuring-okta-for-mcp-auth.mdx +208 -0
- package/docs/articles/convert-urls-to-openapi.mdx +62 -0
- package/docs/articles/cors.mdx +447 -0
- package/docs/articles/custom-audit-log-policy.mdx +95 -0
- package/docs/articles/custom-ci-cd-azure.mdx +81 -0
- package/docs/articles/custom-ci-cd-bitbucket.mdx +80 -0
- package/docs/articles/custom-ci-cd-circleci.mdx +78 -0
- package/docs/articles/custom-ci-cd-github.mdx +99 -0
- package/docs/articles/custom-ci-cd-gitlab.mdx +79 -0
- package/docs/articles/custom-ci-cd.mdx +82 -0
- package/docs/articles/custom-code-patterns.md +418 -0
- package/docs/articles/custom-domains.mdx +258 -0
- package/docs/articles/custom-logging-example.mdx +139 -0
- package/docs/articles/ddos-protection.mdx +138 -0
- package/docs/articles/development-options.mdx +49 -0
- package/docs/articles/environment-variables.mdx +134 -0
- package/docs/articles/environments.mdx +143 -0
- package/docs/articles/fastly-zuplo-host-setup.mdx +41 -0
- package/docs/articles/github-deployment-testing.mdx +101 -0
- package/docs/articles/gke-with-upstream-auth-policy.mdx +192 -0
- package/docs/articles/graphql-security.mdx +180 -0
- package/docs/articles/handling-form-data.mdx +61 -0
- package/docs/articles/health-checks.mdx +109 -0
- package/docs/articles/hosting-options.mdx +70 -0
- package/docs/articles/lazy-load-configuration-into-cache.mdx +92 -0
- package/docs/articles/limits.mdx +98 -0
- package/docs/articles/local-development-debugging.mdx +44 -0
- package/docs/articles/local-development-env-variables.mdx +23 -0
- package/docs/articles/local-development-installing-packages.mdx +23 -0
- package/docs/articles/local-development-routes-designer.mdx +27 -0
- package/docs/articles/local-development-services.mdx +40 -0
- package/docs/articles/local-development-troubleshooting.mdx +56 -0
- package/docs/articles/local-development.mdx +81 -0
- package/docs/articles/log-plugin-aws-cloudwatch.mdx +83 -0
- package/docs/articles/log-plugin-datadog.mdx +84 -0
- package/docs/articles/log-plugin-dynatrace.mdx +75 -0
- package/docs/articles/log-plugin-gcp.mdx +75 -0
- package/docs/articles/log-plugin-loki.mdx +136 -0
- package/docs/articles/log-plugin-new-relic.mdx +84 -0
- package/docs/articles/log-plugin-splunk.mdx +104 -0
- package/docs/articles/log-plugin-sumo.mdx +73 -0
- package/docs/articles/log-plugin-vmware-log-insight.mdx +154 -0
- package/docs/articles/log-request-response-data.mdx +398 -0
- package/docs/articles/logging.mdx +115 -0
- package/docs/articles/manual-mcp-oauth-testing.mdx +193 -0
- package/docs/articles/mcp-quickstart.mdx +135 -0
- package/docs/articles/metrics-plugins.mdx +371 -0
- package/docs/articles/migrate-from-apigee.md +408 -0
- package/docs/articles/migrate-from-aws-api-gateway.md +248 -0
- package/docs/articles/migrate-from-azure-apim.md +292 -0
- package/docs/articles/migrate-from-kong.md +300 -0
- package/docs/articles/migration-overview.md +81 -0
- package/docs/articles/monetization/api-access.mdx +69 -0
- package/docs/articles/monetization/billing-models.md +520 -0
- package/docs/articles/monetization/developer-portal.md +167 -0
- package/docs/articles/monetization/features.mdx +98 -0
- package/docs/articles/monetization/index.mdx +113 -0
- package/docs/articles/monetization/meters.mdx +135 -0
- package/docs/articles/monetization/monetization-policy.md +314 -0
- package/docs/articles/monetization/plan-examples.mdx +366 -0
- package/docs/articles/monetization/plans.mdx +266 -0
- package/docs/articles/monetization/pricing-models.mdx +225 -0
- package/docs/articles/monetization/private-plans.md +154 -0
- package/docs/articles/monetization/quickstart.md +355 -0
- package/docs/articles/monetization/rate-cards.mdx +171 -0
- package/docs/articles/monetization/stripe-integration.md +195 -0
- package/docs/articles/monetization/subscription-lifecycle.md +298 -0
- package/docs/articles/monetization/tax-collection.md +166 -0
- package/docs/articles/monetization/troubleshooting.md +272 -0
- package/docs/articles/monetization-custom.mdx +71 -0
- package/docs/articles/monetization-integrations.mdx +104 -0
- package/docs/articles/monitoring-your-gateway.mdx +53 -0
- package/docs/articles/monorepo-deployment.mdx +350 -0
- package/docs/articles/multiple-auth-policies.mdx +81 -0
- package/docs/articles/non-standard-ports.mdx +30 -0
- package/docs/articles/oauth-authentication.mdx +54 -0
- package/docs/articles/openapi-server-urls.mdx +60 -0
- package/docs/articles/openapi.mdx +130 -0
- package/docs/articles/opentelemetry.mdx +250 -0
- package/docs/articles/per-user-rate-limits-using-db.mdx +112 -0
- package/docs/articles/performance-testing.mdx +304 -0
- package/docs/articles/plugin-akamai-api-security.mdx +76 -0
- package/docs/articles/plugin-azure-blob.mdx +73 -0
- package/docs/articles/plugin-azure-event-hubs.mdx +64 -0
- package/docs/articles/plugin-hydrolix-traffic-peak.mdx +147 -0
- package/docs/articles/policies.mdx +33 -0
- package/docs/articles/rename-or-move-project.mdx +39 -0
- package/docs/articles/rick-and-morty-api-developer-portal-example.mdx +23 -0
- package/docs/articles/routing.mdx +193 -0
- package/docs/articles/s3-signed-url-uploads.mdx +521 -0
- package/docs/articles/secure-tunnel.mdx +84 -0
- package/docs/articles/securing-backend-mtls.mdx +268 -0
- package/docs/articles/securing-your-backend.mdx +148 -0
- package/docs/articles/security.mdx +105 -0
- package/docs/articles/sharing-code-across-projects.mdx +412 -0
- package/docs/articles/source-control-setup-azure.mdx +13 -0
- package/docs/articles/source-control-setup-bitbucket.mdx +43 -0
- package/docs/articles/source-control-setup-github.mdx +172 -0
- package/docs/articles/source-control-setup-gitlab.mdx +12 -0
- package/docs/articles/source-control.mdx +80 -0
- package/docs/articles/step-1-setup-basic-gateway-local.mdx +136 -0
- package/docs/articles/step-1-setup-basic-gateway.mdx +118 -0
- package/docs/articles/step-2-add-rate-limiting-local.mdx +126 -0
- package/docs/articles/step-2-add-rate-limiting.mdx +82 -0
- package/docs/articles/step-3-add-api-key-auth-local.mdx +199 -0
- package/docs/articles/step-3-add-api-key-auth.mdx +166 -0
- package/docs/articles/step-4-deploying-to-the-edge.mdx +220 -0
- package/docs/articles/step-5-dynamic-rate-limiting.mdx +167 -0
- package/docs/articles/support.mdx +144 -0
- package/docs/articles/terraform.mdx +114 -0
- package/docs/articles/testing-graphql.mdx +34 -0
- package/docs/articles/testing.mdx +522 -0
- package/docs/articles/troubleshooting-slow-responses.mdx +301 -0
- package/docs/articles/troubleshooting.md +302 -0
- package/docs/articles/tsconfig.mdx +105 -0
- package/docs/articles/tunnel-setup.mdx +195 -0
- package/docs/articles/tunnel-troubleshooting.mdx +50 -0
- package/docs/articles/update-zup-in-github-action.mdx +110 -0
- package/docs/articles/use-openapi-extension-data.mdx +79 -0
- package/docs/articles/users/multifactor-authentication.mdx +64 -0
- package/docs/articles/users/profile.mdx +13 -0
- package/docs/articles/versioning-on-zuplo.mdx +89 -0
- package/docs/articles/waf-ddos-akamai.md +133 -0
- package/docs/articles/waf-ddos-aws-waf-shield.mdx +85 -0
- package/docs/articles/waf-ddos-fastly.mdx +251 -0
- package/docs/articles/waf-ddos.mdx +140 -0
- package/docs/articles/zuplo-waf.mdx +156 -0
- package/docs/ask.mdx +3 -0
- package/docs/cli/authentication.mdx +56 -0
- package/docs/cli/connectivity.mdx +38 -0
- package/docs/cli/create-zuplo-api.mdx +80 -0
- package/docs/cli/delete.mdx +79 -0
- package/docs/cli/deploy.mdx +156 -0
- package/docs/cli/deploy.partial.mdx +46 -0
- package/docs/cli/dev.mdx +115 -0
- package/docs/cli/docs.mdx +66 -0
- package/docs/cli/editor.mdx +50 -0
- package/docs/cli/global-options.mdx +19 -0
- package/docs/cli/init.mdx +74 -0
- package/docs/cli/link.mdx +74 -0
- package/docs/cli/list.mdx +55 -0
- package/docs/cli/mtls-certificate-create.mdx +94 -0
- package/docs/cli/mtls-certificate-delete.mdx +55 -0
- package/docs/cli/mtls-certificate-describe.mdx +55 -0
- package/docs/cli/mtls-certificate-disable.mdx +55 -0
- package/docs/cli/mtls-certificate-list.mdx +47 -0
- package/docs/cli/mtls-certificate-update.mdx +72 -0
- package/docs/cli/openapi-convert.mdx +111 -0
- package/docs/cli/openapi-merge.mdx +138 -0
- package/docs/cli/openapi-merge.partial.mdx +29 -0
- package/docs/cli/openapi-overlay.mdx +123 -0
- package/docs/cli/overview.mdx +78 -0
- package/docs/cli/project-create.mdx +43 -0
- package/docs/cli/source-migrate.mdx +18 -0
- package/docs/cli/source-upgrade.mdx +41 -0
- package/docs/cli/test.mdx +70 -0
- package/docs/cli/test.partial.mdx +7 -0
- package/docs/cli/tunnel-create.mdx +53 -0
- package/docs/cli/tunnel-create.partial.mdx +9 -0
- package/docs/cli/tunnel-delete.mdx +35 -0
- package/docs/cli/tunnel-delete.partial.mdx +9 -0
- package/docs/cli/tunnel-describe.mdx +45 -0
- package/docs/cli/tunnel-describe.partial.mdx +5 -0
- package/docs/cli/tunnel-list.mdx +35 -0
- package/docs/cli/tunnel-list.partial.mdx +9 -0
- package/docs/cli/tunnel-rate-token.partial.mdx +9 -0
- package/docs/cli/tunnel-rotate-token.mdx +39 -0
- package/docs/cli/tunnel-services-describe.mdx +45 -0
- package/docs/cli/tunnel-services-describe.partial.mdx +9 -0
- package/docs/cli/tunnel-services-update.mdx +48 -0
- package/docs/cli/variable-create.mdx +91 -0
- package/docs/cli/variable-create.partial.mdx +5 -0
- package/docs/cli/variable-update.mdx +75 -0
- package/docs/cli/variable-update.partial.mdx +5 -0
- package/docs/concepts/api-keys.md +146 -0
- package/docs/concepts/authentication.mdx +109 -0
- package/docs/concepts/how-zuplo-works.mdx +120 -0
- package/docs/concepts/project-structure.mdx +174 -0
- package/docs/concepts/rate-limiting.md +246 -0
- package/docs/concepts/request-lifecycle.mdx +56 -0
- package/docs/concepts/source-control-and-deployment.mdx +229 -0
- package/docs/conferences/conference-prize-terms.mdx +80 -0
- package/docs/dedicated/akamai/ai-powered-applications.mdx +223 -0
- package/docs/dedicated/akamai/architecture.mdx +280 -0
- package/docs/dedicated/akamai/caching.mdx +212 -0
- package/docs/dedicated/akamai/cdn.mdx +156 -0
- package/docs/dedicated/architecture.mdx +208 -0
- package/docs/dedicated/custom-domains.mdx +31 -0
- package/docs/dedicated/federated-gateways.mdx +80 -0
- package/docs/dedicated/networking.mdx +69 -0
- package/docs/dedicated/overview.mdx +80 -0
- package/docs/dedicated/source-control.mdx +63 -0
- package/docs/dev-portal/dev-portal-create-consumer-on-auth.mdx +134 -0
- package/docs/dev-portal/introduction.mdx +65 -0
- package/docs/dev-portal/local-development.mdx +72 -0
- package/docs/dev-portal/migration.mdx +526 -0
- package/docs/dev-portal/node-modules.mdx +45 -0
- package/docs/dev-portal/updating.mdx +28 -0
- package/docs/dev-portal/zudoku/components/alert.mdx +130 -0
- package/docs/dev-portal/zudoku/components/badge.mdx +70 -0
- package/docs/dev-portal/zudoku/components/button.mdx +132 -0
- package/docs/dev-portal/zudoku/components/callout.mdx +112 -0
- package/docs/dev-portal/zudoku/components/card.mdx +104 -0
- package/docs/dev-portal/zudoku/components/checkbox.mdx +72 -0
- package/docs/dev-portal/zudoku/components/client-only.mdx +79 -0
- package/docs/dev-portal/zudoku/components/code-tabs.mdx +179 -0
- package/docs/dev-portal/zudoku/components/dialog.mdx +167 -0
- package/docs/dev-portal/zudoku/components/head.mdx +199 -0
- package/docs/dev-portal/zudoku/components/icons.mdx +27 -0
- package/docs/dev-portal/zudoku/components/input.mdx +96 -0
- package/docs/dev-portal/zudoku/components/label.mdx +86 -0
- package/docs/dev-portal/zudoku/components/link.mdx +242 -0
- package/docs/dev-portal/zudoku/components/markdown.mdx +151 -0
- package/docs/dev-portal/zudoku/components/mermaid.mdx +81 -0
- package/docs/dev-portal/zudoku/components/playground.mdx +87 -0
- package/docs/dev-portal/zudoku/components/secret.mdx +78 -0
- package/docs/dev-portal/zudoku/components/select.mdx +176 -0
- package/docs/dev-portal/zudoku/components/shadcn.mdx +73 -0
- package/docs/dev-portal/zudoku/components/slider.mdx +108 -0
- package/docs/dev-portal/zudoku/components/slot.mdx +119 -0
- package/docs/dev-portal/zudoku/components/stepper.mdx +138 -0
- package/docs/dev-portal/zudoku/components/switch.mdx +96 -0
- package/docs/dev-portal/zudoku/components/syntax-highlight.mdx +602 -0
- package/docs/dev-portal/zudoku/components/textarea.mdx +78 -0
- package/docs/dev-portal/zudoku/components/tooltip.mdx +195 -0
- package/docs/dev-portal/zudoku/components/typography.mdx +61 -0
- package/docs/dev-portal/zudoku/configuration/ai-assistants.md +64 -0
- package/docs/dev-portal/zudoku/configuration/api-catalog.md +108 -0
- package/docs/dev-portal/zudoku/configuration/api-reference.md +397 -0
- package/docs/dev-portal/zudoku/configuration/authentication-auth0.md +173 -0
- package/docs/dev-portal/zudoku/configuration/authentication-azure-ad.md +238 -0
- package/docs/dev-portal/zudoku/configuration/authentication-clerk.md +110 -0
- package/docs/dev-portal/zudoku/configuration/authentication-firebase.md +61 -0
- package/docs/dev-portal/zudoku/configuration/authentication-pingfederate.md +136 -0
- package/docs/dev-portal/zudoku/configuration/authentication-supabase.md +225 -0
- package/docs/dev-portal/zudoku/configuration/authentication.md +199 -0
- package/docs/dev-portal/zudoku/configuration/build-configuration.mdx +147 -0
- package/docs/dev-portal/zudoku/configuration/docs.md +282 -0
- package/docs/dev-portal/zudoku/configuration/footer.mdx +214 -0
- package/docs/dev-portal/zudoku/configuration/llms.md +89 -0
- package/docs/dev-portal/zudoku/configuration/navigation.mdx +408 -0
- package/docs/dev-portal/zudoku/configuration/overview.md +380 -0
- package/docs/dev-portal/zudoku/configuration/protected-routes.md +149 -0
- package/docs/dev-portal/zudoku/configuration/search.md +169 -0
- package/docs/dev-portal/zudoku/configuration/sentry.mdx +44 -0
- package/docs/dev-portal/zudoku/configuration/site.md +124 -0
- package/docs/dev-portal/zudoku/configuration/slots.mdx +124 -0
- package/docs/dev-portal/zudoku/configuration/vite-config.md +18 -0
- package/docs/dev-portal/zudoku/custom-plugins.md +287 -0
- package/docs/dev-portal/zudoku/customization/colors-theme.mdx +275 -0
- package/docs/dev-portal/zudoku/customization/fonts.md +110 -0
- package/docs/dev-portal/zudoku/extending/events.md +124 -0
- package/docs/dev-portal/zudoku/guides/custom-pages.md +106 -0
- package/docs/dev-portal/zudoku/guides/environment-variables.md +99 -0
- package/docs/dev-portal/zudoku/guides/mermaid.mdx +70 -0
- package/docs/dev-portal/zudoku/guides/navigation-migration.md +87 -0
- package/docs/dev-portal/zudoku/guides/navigation-rules.mdx +197 -0
- package/docs/dev-portal/zudoku/guides/processors.mdx +234 -0
- package/docs/dev-portal/zudoku/guides/static-files.md +55 -0
- package/docs/dev-portal/zudoku/guides/transforming-examples.md +156 -0
- package/docs/dev-portal/zudoku/guides/using-multiple-apis.md +87 -0
- package/docs/dev-portal/zudoku/markdown/admonitions.md +128 -0
- package/docs/dev-portal/zudoku/markdown/code-blocks.md +196 -0
- package/docs/dev-portal/zudoku/markdown/frontmatter.md +172 -0
- package/docs/dev-portal/zudoku/markdown/mdx.md +68 -0
- package/docs/dev-portal/zudoku/markdown/overview.md +275 -0
- package/docs/dev-portal/zudoku/plugins.md +5 -0
- package/docs/dev-portal/zudoku/writing.mdx +72 -0
- package/docs/errors/bad-request.mdx +39 -0
- package/docs/errors/build-error.mdx +45 -0
- package/docs/errors/fatal-project-error.mdx +39 -0
- package/docs/errors/gateway-timeout.mdx +33 -0
- package/docs/errors/get-head-body-error.mdx +41 -0
- package/docs/errors/main-mod-error.mdx +40 -0
- package/docs/errors/no-project-set.mdx +41 -0
- package/docs/errors/not-found.mdx +43 -0
- package/docs/errors/rate-limit-exceeded.mdx +31 -0
- package/docs/errors/schema-validation-failed.mdx +51 -0
- package/docs/errors/system-configuration-error.mdx +44 -0
- package/docs/errors/unauthorized.mdx +50 -0
- package/docs/errors/unknown-error.mdx +42 -0
- package/docs/errors.mdx +14 -0
- package/docs/guides/canary-routing-for-employees.mdx +385 -0
- package/docs/guides/geolocation-backend-routing.mdx +404 -0
- package/docs/guides/modify-openapi-paths.mdx +371 -0
- package/docs/guides/openapi-overlays.mdx +492 -0
- package/docs/guides/overview.mdx +12 -0
- package/docs/guides/user-based-backend-routing.mdx +437 -0
- package/docs/handlers/aws-lambda.mdx +201 -0
- package/docs/handlers/custom-handler.mdx +112 -0
- package/docs/handlers/legacy-dev-portal-handler.mdx +135 -0
- package/docs/handlers/mcp-server.mdx +730 -0
- package/docs/handlers/openapi.mdx +78 -0
- package/docs/handlers/redirect.mdx +115 -0
- package/docs/handlers/system-handlers.mdx +41 -0
- package/docs/handlers/url-forward.mdx +204 -0
- package/docs/handlers/url-rewrite.mdx +224 -0
- package/docs/handlers/websocket-handler.mdx +154 -0
- package/docs/home.mdx +6 -0
- package/docs/managed-edge/overview.md +78 -0
- package/docs/mcp-server/configuration-migration-guide.mdx +344 -0
- package/docs/mcp-server/custom-tools.mdx +487 -0
- package/docs/mcp-server/graphql.mdx +241 -0
- package/docs/mcp-server/introduction.mdx +122 -0
- package/docs/mcp-server/openai-apps-sdk.mdx +160 -0
- package/docs/mcp-server/prompts.mdx +283 -0
- package/docs/mcp-server/resources.mdx +288 -0
- package/docs/mcp-server/testing.mdx +53 -0
- package/docs/mcp-server/tools.mdx +306 -0
- package/docs/policies/_index.md +92 -0
- package/docs/policies/ab-test-inbound/intro.md +8 -0
- package/docs/policies/ab-test-inbound/policy.ts +14 -0
- package/docs/policies/ab-test-inbound/schema.json +27 -0
- package/docs/policies/ab-test-outbound/intro.md +8 -0
- package/docs/policies/ab-test-outbound/policy.ts +26 -0
- package/docs/policies/ab-test-outbound/schema.json +27 -0
- package/docs/policies/acl-policy-inbound/intro.md +5 -0
- package/docs/policies/acl-policy-inbound/policy.ts +32 -0
- package/docs/policies/acl-policy-inbound/schema.json +52 -0
- package/docs/policies/akamai-ai-firewall/schema.json +98 -0
- package/docs/policies/amberflo-metering-inbound/doc.md +183 -0
- package/docs/policies/amberflo-metering-inbound/intro.md +20 -0
- package/docs/policies/amberflo-metering-inbound/schema.json +108 -0
- package/docs/policies/api-key-inbound/doc.md +77 -0
- package/docs/policies/api-key-inbound/intro.md +30 -0
- package/docs/policies/api-key-inbound/schema.json +84 -0
- package/docs/policies/archive-request-aws-s3-inbound/intro.md +4 -0
- package/docs/policies/archive-request-aws-s3-inbound/policy.ts +58 -0
- package/docs/policies/archive-request-aws-s3-inbound/schema.json +68 -0
- package/docs/policies/archive-request-azure-storage-inbound/doc.md +31 -0
- package/docs/policies/archive-request-azure-storage-inbound/intro.md +4 -0
- package/docs/policies/archive-request-azure-storage-inbound/policy.ts +54 -0
- package/docs/policies/archive-request-azure-storage-inbound/schema.json +53 -0
- package/docs/policies/archive-request-gcp-storage-inbound/doc.md +63 -0
- package/docs/policies/archive-request-gcp-storage-inbound/intro.md +4 -0
- package/docs/policies/archive-request-gcp-storage-inbound/policy.ts +68 -0
- package/docs/policies/archive-request-gcp-storage-inbound/schema.json +47 -0
- package/docs/policies/archive-response-aws-s3-outbound/intro.md +2 -0
- package/docs/policies/archive-response-aws-s3-outbound/policy.ts +59 -0
- package/docs/policies/archive-response-aws-s3-outbound/schema.json +68 -0
- package/docs/policies/archive-response-azure-storage-outbound/doc.md +31 -0
- package/docs/policies/archive-response-azure-storage-outbound/intro.md +3 -0
- package/docs/policies/archive-response-azure-storage-outbound/policy.ts +54 -0
- package/docs/policies/archive-response-azure-storage-outbound/schema.json +53 -0
- package/docs/policies/audit-log-inbound/doc.md +78 -0
- package/docs/policies/audit-log-inbound/intro.md +10 -0
- package/docs/policies/audit-log-inbound/schema.json +81 -0
- package/docs/policies/auth0-jwt-auth-inbound/doc.md +125 -0
- package/docs/policies/auth0-jwt-auth-inbound/intro.md +17 -0
- package/docs/policies/auth0-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/authzen-inbound/doc.md +24 -0
- package/docs/policies/authzen-inbound/intro.md +31 -0
- package/docs/policies/authzen-inbound/schema.json +126 -0
- package/docs/policies/axiomatics-authz-inbound/doc.md +144 -0
- package/docs/policies/axiomatics-authz-inbound/intro.md +11 -0
- package/docs/policies/axiomatics-authz-inbound/schema.json +161 -0
- package/docs/policies/basic-auth-inbound/intro.md +9 -0
- package/docs/policies/basic-auth-inbound/schema.json +99 -0
- package/docs/policies/bot-detection-inbound/intro.md +4 -0
- package/docs/policies/bot-detection-inbound/schema.json +56 -0
- package/docs/policies/brownout-inbound/doc.md +55 -0
- package/docs/policies/brownout-inbound/intro.md +12 -0
- package/docs/policies/brownout-inbound/schema.json +115 -0
- package/docs/policies/caching-inbound/doc.md +209 -0
- package/docs/policies/caching-inbound/intro.md +23 -0
- package/docs/policies/caching-inbound/schema.json +98 -0
- package/docs/policies/change-method-inbound/schema.json +56 -0
- package/docs/policies/clear-headers-inbound/schema.json +59 -0
- package/docs/policies/clear-headers-outbound/schema.json +59 -0
- package/docs/policies/clerk-jwt-auth-inbound/doc.md +85 -0
- package/docs/policies/clerk-jwt-auth-inbound/intro.md +4 -0
- package/docs/policies/clerk-jwt-auth-inbound/schema.json +68 -0
- package/docs/policies/cognito-jwt-auth-inbound/intro.md +7 -0
- package/docs/policies/cognito-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/comet-opik-tracing-inbound/schema.json +65 -0
- package/docs/policies/complex-rate-limit-inbound/doc.md +20 -0
- package/docs/policies/complex-rate-limit-inbound/intro.md +23 -0
- package/docs/policies/complex-rate-limit-inbound/schema.json +142 -0
- package/docs/policies/composite-inbound/doc.md +69 -0
- package/docs/policies/composite-inbound/intro.md +15 -0
- package/docs/policies/composite-inbound/schema.json +59 -0
- package/docs/policies/composite-outbound/intro.md +6 -0
- package/docs/policies/composite-outbound/schema.json +59 -0
- package/docs/policies/curity-phantom-token-inbound/doc.md +109 -0
- package/docs/policies/curity-phantom-token-inbound/intro.md +3 -0
- package/docs/policies/curity-phantom-token-inbound/schema.json +68 -0
- package/docs/policies/custom-code-inbound/doc.md +267 -0
- package/docs/policies/custom-code-inbound/intro.md +2 -0
- package/docs/policies/custom-code-inbound/schema.json +48 -0
- package/docs/policies/custom-code-outbound/doc.md +235 -0
- package/docs/policies/custom-code-outbound/intro.md +2 -0
- package/docs/policies/custom-code-outbound/schema.json +43 -0
- package/docs/policies/firebase-jwt-inbound/intro.md +6 -0
- package/docs/policies/firebase-jwt-inbound/schema.json +68 -0
- package/docs/policies/formdata-to-json-inbound/schema.json +60 -0
- package/docs/policies/galileo-tracing-inbound/schema.json +65 -0
- package/docs/policies/geo-filter-inbound/doc.md +33 -0
- package/docs/policies/geo-filter-inbound/schema.json +108 -0
- package/docs/policies/graphql-complexity-limit-inbound/doc.md +48 -0
- package/docs/policies/graphql-complexity-limit-inbound/intro.md +2 -0
- package/docs/policies/graphql-complexity-limit-inbound/schema.json +90 -0
- package/docs/policies/graphql-disable-introspection-inbound/doc.md +66 -0
- package/docs/policies/graphql-disable-introspection-inbound/intro.md +15 -0
- package/docs/policies/graphql-disable-introspection-inbound/schema.json +48 -0
- package/docs/policies/graphql-introspection-filter-outbound/doc.md +148 -0
- package/docs/policies/graphql-introspection-filter-outbound/schema.json +79 -0
- package/docs/policies/hmac-auth-inbound/doc.md +30 -0
- package/docs/policies/hmac-auth-inbound/intro.md +10 -0
- package/docs/policies/hmac-auth-inbound/policy.ts +70 -0
- package/docs/policies/hmac-auth-inbound/schema.json +53 -0
- package/docs/policies/http-deprecation-outbound/doc.md +73 -0
- package/docs/policies/http-deprecation-outbound/schema.json +83 -0
- package/docs/policies/ip-restriction-inbound/intro.md +8 -0
- package/docs/policies/ip-restriction-inbound/policy.ts +40 -0
- package/docs/policies/ip-restriction-inbound/schema.json +58 -0
- package/docs/policies/jwt-scopes-inbound/schema.json +59 -0
- package/docs/policies/ldap-auth-inbound/schema.json +56 -0
- package/docs/policies/mock-api-inbound/schema.json +72 -0
- package/docs/policies/moesif-inbound/doc.md +44 -0
- package/docs/policies/moesif-inbound/intro.md +6 -0
- package/docs/policies/moesif-inbound/schema.json +68 -0
- package/docs/policies/monetization-inbound/doc.md +87 -0
- package/docs/policies/monetization-inbound/intro.md +6 -0
- package/docs/policies/monetization-inbound/schema.json +102 -0
- package/docs/policies/mtls-auth-inbound/intro.md +6 -0
- package/docs/policies/mtls-auth-inbound/schema.json +68 -0
- package/docs/policies/okta-fga-authz-inbound/doc.md +181 -0
- package/docs/policies/okta-fga-authz-inbound/intro.md +20 -0
- package/docs/policies/okta-fga-authz-inbound/schema.json +104 -0
- package/docs/policies/okta-jwt-auth-inbound/intro.md +7 -0
- package/docs/policies/okta-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/open-id-jwt-auth-inbound/doc.md +58 -0
- package/docs/policies/open-id-jwt-auth-inbound/intro.md +30 -0
- package/docs/policies/open-id-jwt-auth-inbound/schema.json +128 -0
- package/docs/policies/openfga-authz-inbound/doc.md +207 -0
- package/docs/policies/openfga-authz-inbound/intro.md +17 -0
- package/docs/policies/openfga-authz-inbound/schema.json +191 -0
- package/docs/policies/openmeter-inbound/doc.md +163 -0
- package/docs/policies/openmeter-inbound/intro.md +18 -0
- package/docs/policies/openmeter-inbound/schema.json +183 -0
- package/docs/policies/prompt-injection-outbound/doc.md +106 -0
- package/docs/policies/prompt-injection-outbound/intro.md +4 -0
- package/docs/policies/prompt-injection-outbound/schema.json +74 -0
- package/docs/policies/propel-auth-jwt-inbound/doc.md +88 -0
- package/docs/policies/propel-auth-jwt-inbound/intro.md +4 -0
- package/docs/policies/propel-auth-jwt-inbound/schema.json +74 -0
- package/docs/policies/query-param-to-header-inbound/doc.md +70 -0
- package/docs/policies/query-param-to-header-inbound/intro.md +5 -0
- package/docs/policies/query-param-to-header-inbound/schema.json +74 -0
- package/docs/policies/quota-inbound/doc.md +235 -0
- package/docs/policies/quota-inbound/intro.md +7 -0
- package/docs/policies/quota-inbound/schema.json +133 -0
- package/docs/policies/rate-limit-inbound/doc.md +78 -0
- package/docs/policies/rate-limit-inbound/intro.md +30 -0
- package/docs/policies/rate-limit-inbound/schema.json +134 -0
- package/docs/policies/rbac-policy-inbound/intro.md +3 -0
- package/docs/policies/rbac-policy-inbound/policy.ts +42 -0
- package/docs/policies/rbac-policy-inbound/schema.json +52 -0
- package/docs/policies/readme-metrics-inbound/doc.md +1 -0
- package/docs/policies/readme-metrics-inbound/intro.md +3 -0
- package/docs/policies/readme-metrics-inbound/schema.json +84 -0
- package/docs/policies/remove-headers-inbound/schema.json +59 -0
- package/docs/policies/remove-headers-outbound/schema.json +59 -0
- package/docs/policies/remove-query-params-inbound/schema.json +59 -0
- package/docs/policies/replace-string-outbound/schema.json +69 -0
- package/docs/policies/request-size-limit-inbound/schema.json +60 -0
- package/docs/policies/request-validation-inbound/doc.md +72 -0
- package/docs/policies/request-validation-inbound/intro.md +24 -0
- package/docs/policies/request-validation-inbound/schema.json +98 -0
- package/docs/policies/require-origin-inbound/intro.md +12 -0
- package/docs/policies/require-origin-inbound/schema.json +65 -0
- package/docs/policies/secret-masking-outbound/doc.md +41 -0
- package/docs/policies/secret-masking-outbound/intro.md +13 -0
- package/docs/policies/secret-masking-outbound/schema.json +65 -0
- package/docs/policies/semantic-cache-inbound/doc.md +63 -0
- package/docs/policies/semantic-cache-inbound/intro.md +4 -0
- package/docs/policies/semantic-cache-inbound/schema.json +179 -0
- package/docs/policies/set-body-inbound/intro.md +7 -0
- package/docs/policies/set-body-inbound/schema.json +56 -0
- package/docs/policies/set-headers-inbound/doc.md +41 -0
- package/docs/policies/set-headers-inbound/intro.md +2 -0
- package/docs/policies/set-headers-inbound/schema.json +83 -0
- package/docs/policies/set-headers-outbound/schema.json +83 -0
- package/docs/policies/set-query-params-inbound/schema.json +83 -0
- package/docs/policies/set-status-outbound/schema.json +62 -0
- package/docs/policies/sleep-inbound/schema.json +56 -0
- package/docs/policies/stripe-webhook-verification-inbound/intro.md +2 -0
- package/docs/policies/stripe-webhook-verification-inbound/schema.json +60 -0
- package/docs/policies/supabase-jwt-auth-inbound/doc.md +29 -0
- package/docs/policies/supabase-jwt-auth-inbound/intro.md +12 -0
- package/docs/policies/supabase-jwt-auth-inbound/schema.json +86 -0
- package/docs/policies/transform-body-inbound/intro.md +8 -0
- package/docs/policies/transform-body-inbound/policy.ts +16 -0
- package/docs/policies/transform-body-inbound/schema.json +27 -0
- package/docs/policies/transform-body-outbound/intro.md +8 -0
- package/docs/policies/transform-body-outbound/policy.ts +19 -0
- package/docs/policies/transform-body-outbound/schema.json +27 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/doc.md +82 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/intro.md +20 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/schema.json +84 -0
- package/docs/policies/upstream-firebase-admin-auth-inbound/intro.md +10 -0
- package/docs/policies/upstream-firebase-admin-auth-inbound/schema.json +68 -0
- package/docs/policies/upstream-firebase-user-auth-inbound/intro.md +2 -0
- package/docs/policies/upstream-firebase-user-auth-inbound/schema.json +113 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/doc.md +139 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/intro.md +21 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/schema.json +96 -0
- package/docs/policies/upstream-gcp-jwt-inbound/intro.md +10 -0
- package/docs/policies/upstream-gcp-jwt-inbound/schema.json +62 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/doc.md +132 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/intro.md +25 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/schema.json +95 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/doc.md +213 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/intro.md +16 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/schema.json +101 -0
- package/docs/policies/validate-json-schema-inbound/doc.md +129 -0
- package/docs/policies/validate-json-schema-inbound/intro.md +7 -0
- package/docs/policies/validate-json-schema-inbound/schema.json +56 -0
- package/docs/policies/web-bot-auth-inbound/doc.md +104 -0
- package/docs/policies/web-bot-auth-inbound/intro.md +16 -0
- package/docs/policies/web-bot-auth-inbound/schema.json +76 -0
- package/docs/policies/xml-to-json-outbound/doc.md +71 -0
- package/docs/policies/xml-to-json-outbound/intro.md +4 -0
- package/docs/policies/xml-to-json-outbound/schema.json +117 -0
- package/docs/programmable-api/audit-log.mdx +74 -0
- package/docs/programmable-api/background-dispatcher.mdx +124 -0
- package/docs/programmable-api/background-loader.mdx +104 -0
- package/docs/programmable-api/cache.mdx +186 -0
- package/docs/programmable-api/compatibility-dates.mdx +201 -0
- package/docs/programmable-api/console-logging.mdx +48 -0
- package/docs/programmable-api/context-data.mdx +127 -0
- package/docs/programmable-api/custom-cors-policy.mdx +64 -0
- package/docs/programmable-api/environment.mdx +328 -0
- package/docs/programmable-api/hooks.mdx +569 -0
- package/docs/programmable-api/http-problems.mdx +385 -0
- package/docs/programmable-api/jwt-service-plugin.mdx +420 -0
- package/docs/programmable-api/logger.mdx +223 -0
- package/docs/programmable-api/memory-zone-read-through-cache.mdx +96 -0
- package/docs/programmable-api/node-modules.mdx +67 -0
- package/docs/programmable-api/not-found-handler.mdx +47 -0
- package/docs/programmable-api/oauth-protected-resource-plugin.mdx +46 -0
- package/docs/programmable-api/overview.mdx +213 -0
- package/docs/programmable-api/problem-response-formatter.mdx +183 -0
- package/docs/programmable-api/request-user.mdx +289 -0
- package/docs/programmable-api/reusing-code.mdx +26 -0
- package/docs/programmable-api/route-raw.mdx +55 -0
- package/docs/programmable-api/runtime-behaviors.mdx +25 -0
- package/docs/programmable-api/runtime-errors.mdx +246 -0
- package/docs/programmable-api/runtime-extensions.mdx +340 -0
- package/docs/programmable-api/safely-clone-a-request-or-response.mdx +57 -0
- package/docs/programmable-api/streaming-zone-cache.mdx +155 -0
- package/docs/programmable-api/web-crypto-apis.mdx +219 -0
- package/docs/programmable-api/web-standard-apis.mdx +109 -0
- package/docs/programmable-api/zone-cache.mdx +131 -0
- package/docs/programmable-api/zp-body-removed.mdx +32 -0
- package/docs/programmable-api/zuplo-context.mdx +414 -0
- package/docs/programmable-api/zuplo-id-token.mdx +90 -0
- package/docs/programmable-api/zuplo-json.mdx +91 -0
- package/docs/programmable-api/zuplo-request.mdx +200 -0
- package/docs/sample-apis.mdx +78 -0
- package/docs/self-hosted/overview.md +60 -0
- package/package.json +6 -5
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Configuring Zuplo with Akamai App & API Protector
|
|
3
|
+
sidebar_label: Akamai App & API Protector
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
Akamai App & API Protector runs at Akamai edge locations. Zuplo can be
|
|
7
|
+
configured to run as a custom origin behind Akamai.
|
|
8
|
+
|
|
9
|
+
## Securing Zuplo from Direct Access
|
|
10
|
+
|
|
11
|
+
With any WAF product, you will want to ensure that network traffic can't bypass
|
|
12
|
+
your WAF and hit your API Gateway directly. Akamai offers several ways to ensure
|
|
13
|
+
that your API Gateway is only accessible through the WAF.
|
|
14
|
+
|
|
15
|
+
The information below is a summary of Akamai's own recommendations for securing
|
|
16
|
+
your backend - regardless of whether you are using Zuplo, another API Gateway,
|
|
17
|
+
or Akamai origins. You can reference the
|
|
18
|
+
[Akamai documentation](https://techdocs.akamai.com/application-security/docs/origin-server-protection).
|
|
19
|
+
|
|
20
|
+
### IP Address Restrictions
|
|
21
|
+
|
|
22
|
+
Akamai maintains a list of IP addresses that you can use to restrict access to
|
|
23
|
+
your API Gateway. This is a good way to ensure that only Akamai can access your
|
|
24
|
+
API Gateway. However, as Akamai is a multi-tenant service, this method isn't
|
|
25
|
+
sufficient to protect unauthorized traffic from hitting your API Gateway.
|
|
26
|
+
|
|
27
|
+
In Zuplo, you can utilize the IP Address Restriction policy to limit traffic to
|
|
28
|
+
only the Akamai IP addresses. You don't need to provide the address list
|
|
29
|
+
manually, instead you can utilize the built-in list as shown below.
|
|
30
|
+
|
|
31
|
+
```json
|
|
32
|
+
{
|
|
33
|
+
"name": "allow-akamai-only",
|
|
34
|
+
"policyType": "ip-address-restriction-inbound",
|
|
35
|
+
"handler": {
|
|
36
|
+
"export": "IPAddressRestrictionInbound",
|
|
37
|
+
"module": "$import(@zuplo/runtime)",
|
|
38
|
+
"options": {
|
|
39
|
+
"allowedIpAddresses": ["list:akamai"]
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
With this policy in place, only Akamai traffic will be allowed to hit your Zuplo
|
|
46
|
+
API Gateway.
|
|
47
|
+
|
|
48
|
+
### Custom Headers
|
|
49
|
+
|
|
50
|
+
Another way to ensure that traffic is coming from Akamai is to use custom
|
|
51
|
+
headers. Custom headers can be added to your Akamai configuration and then
|
|
52
|
+
checked by your API Gateway. This provides an additional layer of security on
|
|
53
|
+
top of IP address restrictions and prevents any unauthorized traffic from
|
|
54
|
+
hitting your API Gateway - regardless of the source.
|
|
55
|
+
|
|
56
|
+
In Akamai, you can configure custom headers using the Property Manager or the
|
|
57
|
+
Akamai API. Add a custom header with a secret value that only you and Akamai
|
|
58
|
+
know.
|
|
59
|
+
|
|
60
|
+
In Zuplo, you can utilize the Header Restriction policy to limit traffic to only
|
|
61
|
+
those requests that include the custom header and secret value.
|
|
62
|
+
|
|
63
|
+
```json
|
|
64
|
+
{
|
|
65
|
+
"name": "allow-akamai-custom-header",
|
|
66
|
+
"policyType": "require-header-inbound",
|
|
67
|
+
"handler": {
|
|
68
|
+
"export": "RequireHeaderInboundPolicyOptions",
|
|
69
|
+
"module": "$import(@zuplo/runtime)",
|
|
70
|
+
"options": {
|
|
71
|
+
"headerName": "x-akamai-auth",
|
|
72
|
+
"allowedValues": ["$env(AKAMAI_SECRET_HEADER_VALUE)"]
|
|
73
|
+
}
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
With this policy in place, only requests that include the custom header with the
|
|
79
|
+
secret value will be allowed to hit your Zuplo API Gateway.
|
|
80
|
+
|
|
81
|
+
## Additional Akamai Origin Security Options
|
|
82
|
+
|
|
83
|
+
Akamai provides several additional security features to protect your origin
|
|
84
|
+
servers beyond IP restrictions and custom headers:
|
|
85
|
+
|
|
86
|
+
### Mutual TLS (mTLS) Authentication
|
|
87
|
+
|
|
88
|
+
Use mutual TLS to establish secure, certificate-based authentication between
|
|
89
|
+
Akamai edge servers and your origin. This ensures only authenticated Akamai
|
|
90
|
+
servers can connect to your backend.
|
|
91
|
+
|
|
92
|
+
Learn more:
|
|
93
|
+
[mTLS Origin Keystore](https://techdocs.akamai.com/property-mgr/docs/mtls-origin-keystore)
|
|
94
|
+
|
|
95
|
+
### Origin IP Access Control List
|
|
96
|
+
|
|
97
|
+
Configure an IP-based access control list that specifically defines which Akamai
|
|
98
|
+
IP addresses can access your origin servers. This provides more granular control
|
|
99
|
+
than general IP restrictions.
|
|
100
|
+
|
|
101
|
+
Learn more:
|
|
102
|
+
[Origin IP ACL](https://techdocs.akamai.com/origin-ip-acl/docs/welcome)
|
|
103
|
+
|
|
104
|
+
### Site Shield
|
|
105
|
+
|
|
106
|
+
Site Shield provides a dedicated set of IP addresses that Akamai uses to connect
|
|
107
|
+
to your origin servers. This creates a more predictable and secure connection
|
|
108
|
+
pattern between Akamai and your backend infrastructure.
|
|
109
|
+
|
|
110
|
+
Learn more:
|
|
111
|
+
[Site Shield](https://techdocs.akamai.com/site-shield/docs/welcome-site-shield)
|
|
112
|
+
|
|
113
|
+
### Authentication Token 2.0
|
|
114
|
+
|
|
115
|
+
Implement token-based authentication for origin requests. This method allows you
|
|
116
|
+
to validate that requests are coming from legitimate Akamai edge servers using
|
|
117
|
+
cryptographic tokens.
|
|
118
|
+
|
|
119
|
+
Learn more:
|
|
120
|
+
[Auth Token 2.0](https://techdocs.akamai.com/property-mgr/docs/auth-token-2-0-ver)
|
|
121
|
+
|
|
122
|
+
### Custom Request Headers with Shared Secrets
|
|
123
|
+
|
|
124
|
+
Configure Akamai to modify incoming request headers and add shared secret values
|
|
125
|
+
that your origin can validate. This is similar to the custom header approach
|
|
126
|
+
mentioned above but provides more advanced header manipulation capabilities.
|
|
127
|
+
|
|
128
|
+
Learn more:
|
|
129
|
+
[Modify Incoming Request Header](https://techdocs.akamai.com/property-mgr/docs/modify-incoming-req-header)
|
|
130
|
+
|
|
131
|
+
These security measures can be used individually or combined to create multiple
|
|
132
|
+
layers of protection for your Zuplo API Gateway when running behind Akamai App &
|
|
133
|
+
API Protector.
|
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Configuring Zuplo with AWS WAF + Shield
|
|
3
|
+
sidebar_label: AWS WAF + Shield
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
AWS WAF + Shield run at AWS CloudFront edge locations. Zuplo can be configured
|
|
7
|
+
to run as a custom backend behind CloudFront.
|
|
8
|
+
|
|
9
|
+
## Securing Zuplo from Direct Access
|
|
10
|
+
|
|
11
|
+
With any WAF product, you will want to ensure that network traffic can't bypass
|
|
12
|
+
your WAF and hit your API Gateway directly. AWS WAF + Shield offer several ways
|
|
13
|
+
to ensure that your API Gateway is only accessible through the WAF.
|
|
14
|
+
|
|
15
|
+
The information below is a summary of Amazon's own recommendations for securing
|
|
16
|
+
your backend - regardless of whether you are using Zuplo, another API Gateway,
|
|
17
|
+
or AWS origins. You can also reference
|
|
18
|
+
[the AWS documentation](https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/custom-origin-with-cloudfront.html)
|
|
19
|
+
directly.
|
|
20
|
+
|
|
21
|
+
### IP Address Restrictions
|
|
22
|
+
|
|
23
|
+
Amazon maintains a list of CloudFront IP addresses (separate from other AWS
|
|
24
|
+
uses) that you can use to restrict access to your API Gateway. This is a good
|
|
25
|
+
way to ensure that only CloudFront can access your API Gateway. However, as
|
|
26
|
+
CloudFront is available to any AWS customer, this method isn't sufficient to
|
|
27
|
+
protect unauthorized traffic from hitting your API Gateway.
|
|
28
|
+
|
|
29
|
+
In Zuplo, you can utilize the IP Address Restriction policy to limit traffic to
|
|
30
|
+
only the CloudFront IP addresses. You don't need to provide the address list
|
|
31
|
+
manually, instead you can utilize the built-in list as shown below.
|
|
32
|
+
|
|
33
|
+
```json
|
|
34
|
+
{
|
|
35
|
+
"name": "allow-cloudfront-only",
|
|
36
|
+
"policyType": "ip-address-restriction-inbound",
|
|
37
|
+
"handler": {
|
|
38
|
+
"export": "IPAddressRestrictionInbound",
|
|
39
|
+
"module": "$import(@zuplo/runtime)",
|
|
40
|
+
"options": {
|
|
41
|
+
"allowedIpAddresses": ["list:aws-cloudfront"]
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
With this policy in place, only CloudFront traffic will be allowed to hit your
|
|
48
|
+
Zuplo API Gateway.
|
|
49
|
+
|
|
50
|
+
### Custom Headers
|
|
51
|
+
|
|
52
|
+
Another way to ensure that traffic is coming from CloudFront is to use custom
|
|
53
|
+
headers. Custom headers can be added to your CloudFront distribution and then
|
|
54
|
+
checked by your API Gateway. This provides an additional layer of security on
|
|
55
|
+
top of IP address restrictions and prevents any unauthorized traffic from
|
|
56
|
+
hitting your API Gateway - regardless of the source.
|
|
57
|
+
|
|
58
|
+
In Zuplo, you can utilize the Header Restriction policy to limit traffic to only
|
|
59
|
+
those requests that include the custom header and secret value.
|
|
60
|
+
|
|
61
|
+
```json
|
|
62
|
+
{
|
|
63
|
+
"name": "allow-cloudfront-custom-header",
|
|
64
|
+
"policyType": "require-header-inbound",
|
|
65
|
+
"handler": {
|
|
66
|
+
"export": "RequireHeaderInboundPolicyOptions",
|
|
67
|
+
"module": "$import(@zuplo/runtime)",
|
|
68
|
+
"options": {
|
|
69
|
+
"headerName": "secure-header",
|
|
70
|
+
"allowedValues": ["$env(MY_SECRET_HEADER_VALUE)"]
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
With this policy in place, only requests that include the custom header with the
|
|
77
|
+
secret value will be allowed to hit your Zuplo API Gateway.
|
|
78
|
+
|
|
79
|
+
### Identity Based Options
|
|
80
|
+
|
|
81
|
+
Unfortunately, AWS WAF + Shield don't offer identity-based options like IAM or
|
|
82
|
+
network based options for securing your API Gateway. This is true for
|
|
83
|
+
[both AWS](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html)
|
|
84
|
+
and non-AWS API Gateway products. If you require these options, you will need to
|
|
85
|
+
use a different WAF product in front of your Zuplo API Gateway.
|
|
@@ -0,0 +1,251 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Configuring Zuplo with Fastly Next-Gen WAF
|
|
3
|
+
sidebar_label: Fastly Next-Gen WAF
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
Fastly Next-Gen WAF runs at Fastly edge locations. Zuplo can be configured to
|
|
7
|
+
run as a host behind Fastly.
|
|
8
|
+
|
|
9
|
+
Refer to Zuplo's documentation on
|
|
10
|
+
[how to configure Zuplo as a Fastly host](./fastly-zuplo-host-setup.mdx).
|
|
11
|
+
|
|
12
|
+
## Securing Zuplo from Direct Access
|
|
13
|
+
|
|
14
|
+
With any WAF product, you will want to ensure that network traffic can't bypass
|
|
15
|
+
your WAF and hit your API Gateway directly. Fastly offers several ways to ensure
|
|
16
|
+
that your API Gateway is only accessible through the WAF.
|
|
17
|
+
|
|
18
|
+
The information below is a summary of Fastly's own recommendations for securing
|
|
19
|
+
your backend - regardless of whether you are using Zuplo, another API Gateway,
|
|
20
|
+
or Fastly origins. You can reference the
|
|
21
|
+
[Fastly documentation](https://www.fastly.com/documentation/guides/integrations/non-fastly-services/developer-guide-backends/).
|
|
22
|
+
|
|
23
|
+
### IP Address Restrictions
|
|
24
|
+
|
|
25
|
+
Fastly maintains a list of IP addresses that you can use to restrict access to
|
|
26
|
+
your API Gateway. This is a good way to ensure that only Fastly can access your
|
|
27
|
+
API Gateway. However, as Fastly is a multi-tenant service, this method isn't
|
|
28
|
+
sufficient to protect unauthorized traffic from hitting your API Gateway.
|
|
29
|
+
|
|
30
|
+
In Zuplo, you can utilize the IP Address Restriction policy to limit traffic to
|
|
31
|
+
only the Fastly IP addresses. You don't need to provide the address list
|
|
32
|
+
manually, instead you can utilize the built-in list as shown below.
|
|
33
|
+
|
|
34
|
+
```json
|
|
35
|
+
{
|
|
36
|
+
"name": "allow-fastly-only",
|
|
37
|
+
"policyType": "ip-address-restriction-inbound",
|
|
38
|
+
"handler": {
|
|
39
|
+
"export": "IPAddressRestrictionInbound",
|
|
40
|
+
"module": "$import(@zuplo/runtime)",
|
|
41
|
+
"options": {
|
|
42
|
+
"allowedIpAddresses": ["list:fastly"]
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
With this policy in place, only Fastly traffic will be allowed to hit your Zuplo
|
|
49
|
+
API Gateway.
|
|
50
|
+
|
|
51
|
+
### Signed Headers
|
|
52
|
+
|
|
53
|
+
Another way to ensure that traffic is coming from Fastly is to use signed
|
|
54
|
+
headers. Signed headers can be added using a
|
|
55
|
+
[VLC Snippet](https://docs.fastly.com/en/guides/about-vcl-snippets) and then
|
|
56
|
+
checked by your API Gateway. This provides an additional layer of security on
|
|
57
|
+
top of IP address restrictions and prevents any unauthorized traffic from
|
|
58
|
+
hitting your API Gateway - regardless of the source.
|
|
59
|
+
|
|
60
|
+
In Fastly, you will need to create a VCL snippet that adds a signed header as
|
|
61
|
+
shown below. This example uses the `shared_secret` value stored in an
|
|
62
|
+
[Edge Dictionary](https://www.fastly.com/documentation/guides/concepts/edge-state/dynamic-config/#edge-dictionaries).
|
|
63
|
+
|
|
64
|
+
```txt
|
|
65
|
+
declare local var.zuplo_auth_secret STRING;
|
|
66
|
+
set var.zuplo_auth_secret = table.lookup(Zuplo, "shared_secret");
|
|
67
|
+
declare local var.data STRING;
|
|
68
|
+
set var.data = strftime({"%s"}, now) + "," + server.datacenter;
|
|
69
|
+
set bereq.http.X-Signature = var.data + "," + digest.hmac_sha256(var.zuplo_auth_secret, var.data);
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
In Zuplo, you can utilize a custom code inbound policy to limit traffic to only
|
|
73
|
+
those requests that include the signed header.
|
|
74
|
+
|
|
75
|
+
```json title="/config/policies.json"
|
|
76
|
+
{
|
|
77
|
+
"name": "fastly-auth-inbound",
|
|
78
|
+
"policyType": "custom-code-inbound",
|
|
79
|
+
"handler": {
|
|
80
|
+
"export": "default",
|
|
81
|
+
"module": "$import(./modules/fastly-auth-inbound)",
|
|
82
|
+
"options": {
|
|
83
|
+
"secret": "$env(FASTLY_SECRET)",
|
|
84
|
+
"headerName": "x-signature"
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
```ts title="/modules/fastly-auth-inbound.ts"
|
|
91
|
+
import { HttpProblems, ZuploContext, ZuploRequest } from "@zuplo/runtime";
|
|
92
|
+
|
|
93
|
+
interface PolicyOptions {
|
|
94
|
+
secret: string;
|
|
95
|
+
headerName: string;
|
|
96
|
+
requestOffset?: number;
|
|
97
|
+
}
|
|
98
|
+
|
|
99
|
+
export default async function (
|
|
100
|
+
request: ZuploRequest,
|
|
101
|
+
context: ZuploContext,
|
|
102
|
+
options: PolicyOptions,
|
|
103
|
+
policyName: string,
|
|
104
|
+
) {
|
|
105
|
+
// Validate the policy options
|
|
106
|
+
if (typeof options.secret !== "string") {
|
|
107
|
+
throw new Error(
|
|
108
|
+
`The option 'secret' on policy '${policyName}' must be a string. Received ${typeof options.secret}.`,
|
|
109
|
+
);
|
|
110
|
+
}
|
|
111
|
+
if (typeof options.headerName !== "string") {
|
|
112
|
+
throw new Error(
|
|
113
|
+
`The option 'headerName' on policy '${policyName}' must be a string. Received ${typeof options.headerName}.`,
|
|
114
|
+
);
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
// Get the authorization header
|
|
118
|
+
const headerValue = request.headers.get(options.headerName);
|
|
119
|
+
|
|
120
|
+
// No auth header, unauthorized
|
|
121
|
+
if (!headerValue) {
|
|
122
|
+
return HttpProblems.unauthorized(request, context);
|
|
123
|
+
}
|
|
124
|
+
|
|
125
|
+
const encoder = new TextEncoder();
|
|
126
|
+
|
|
127
|
+
// Split the header into the parts
|
|
128
|
+
const [timestamp, datacenter, hash] = headerValue.split(",");
|
|
129
|
+
|
|
130
|
+
context.log.info({ timestamp, datacenter, hash });
|
|
131
|
+
|
|
132
|
+
// Convert the timestamp to milliseconds
|
|
133
|
+
const timestampInMilliseconds = parseInt(timestamp) * 1000;
|
|
134
|
+
const currentTimeInMilliseconds = new Date().getTime();
|
|
135
|
+
const differenceInSeconds =
|
|
136
|
+
Math.abs(currentTimeInMilliseconds - timestampInMilliseconds) / 1000;
|
|
137
|
+
const offset = options.requestOffset ?? 30;
|
|
138
|
+
if (differenceInSeconds > offset) {
|
|
139
|
+
context.log.error("The request is old than 30 seconds.");
|
|
140
|
+
return HttpProblems.unauthorized(request, context);
|
|
141
|
+
}
|
|
142
|
+
|
|
143
|
+
// Convert the hex HMAC to an ArrayBuffer
|
|
144
|
+
const signature = new Uint8Array(
|
|
145
|
+
hash
|
|
146
|
+
.slice(2)
|
|
147
|
+
.match(/.{1,2}/g)
|
|
148
|
+
.map((byte) => parseInt(byte, 16)),
|
|
149
|
+
);
|
|
150
|
+
|
|
151
|
+
// Get the hash value and encode it
|
|
152
|
+
const hashValue = `${timestamp},${datacenter}`;
|
|
153
|
+
const hashData = encoder.encode(hashValue);
|
|
154
|
+
|
|
155
|
+
// Create the secret from the policy options
|
|
156
|
+
const encodedSecret = encoder.encode(options.secret);
|
|
157
|
+
const key = await crypto.subtle.importKey(
|
|
158
|
+
"raw",
|
|
159
|
+
encodedSecret,
|
|
160
|
+
{ name: "HMAC", hash: "SHA-256" },
|
|
161
|
+
false,
|
|
162
|
+
["verify"],
|
|
163
|
+
);
|
|
164
|
+
|
|
165
|
+
// Verify that the data
|
|
166
|
+
const verified = await crypto.subtle.verify("HMAC", key, signature, hashData);
|
|
167
|
+
|
|
168
|
+
// Check if the data is verified, if not return unauthorized
|
|
169
|
+
if (!verified) {
|
|
170
|
+
return HttpProblems.unauthorized(request, context);
|
|
171
|
+
}
|
|
172
|
+
|
|
173
|
+
// Request is authorized, continue
|
|
174
|
+
return request;
|
|
175
|
+
}
|
|
176
|
+
```
|
|
177
|
+
|
|
178
|
+
With this policy in place, only requests that include a valid sign header will
|
|
179
|
+
be allowed to hit your Zuplo API Gateway.
|
|
180
|
+
|
|
181
|
+
### JWT Header
|
|
182
|
+
|
|
183
|
+
Another way to ensure that traffic is coming from Fastly is to add a JWT header
|
|
184
|
+
to the outgoing request. JWT headers can be added using a
|
|
185
|
+
[VLC Snippet](https://docs.fastly.com/en/guides/about-vcl-snippets) and then
|
|
186
|
+
checked by your API Gateway. This provides an additional layer of security on
|
|
187
|
+
top of IP address restrictions and prevents any unauthorized traffic from
|
|
188
|
+
hitting your API Gateway - regardless of the source.
|
|
189
|
+
|
|
190
|
+
:::tip
|
|
191
|
+
|
|
192
|
+
This demo shows using a shared secret for generating and verifying the JWT.
|
|
193
|
+
However, you could also use public/private keys for this purpose. Additionally,
|
|
194
|
+
you could use a third-party identity provider (Auth0, Cognito) to issue machine
|
|
195
|
+
to machine tokens.
|
|
196
|
+
|
|
197
|
+
:::
|
|
198
|
+
|
|
199
|
+
In Fastly, you will need to create a VCL snippet that adds a JWT header as shown
|
|
200
|
+
below. This example uses the `shared_secret` value stored in an
|
|
201
|
+
[Edge Dictionary](https://www.fastly.com/documentation/guides/concepts/edge-state/dynamic-config/#edge-dictionaries).
|
|
202
|
+
|
|
203
|
+
```txt
|
|
204
|
+
declare local var.jwt_secret STRING;
|
|
205
|
+
declare local var.jwt_audience STRING;
|
|
206
|
+
declare local var.jwt_issued STRING;
|
|
207
|
+
declare local var.jwt_expires STRING;
|
|
208
|
+
declare local var.jwt_header STRING;
|
|
209
|
+
declare local var.jwt_payload STRING;
|
|
210
|
+
declare local var.jwt_signature STRING;
|
|
211
|
+
|
|
212
|
+
|
|
213
|
+
set var.jwt_secret = table.lookup(Zuplo, "shared_secret");
|
|
214
|
+
set var.jwt_audience = "my-api.example.com";
|
|
215
|
+
set var.jwt_issued = now.sec;
|
|
216
|
+
set var.jwt_expires = strftime({"%s"}, time.add(now, 60s));
|
|
217
|
+
|
|
218
|
+
set var.jwt_header = digest.base64url_nopad({"{"alg":"HS256","typ":"JWT""}{"}"});
|
|
219
|
+
set var.jwt_payload = digest.base64url_nopad({"{"audience":""} var.jwt_audience {"","exp":"} var.jwt_expires {","iat":"} var.jwt_issued {","iss":"Fastly""}{"}"});
|
|
220
|
+
set var.jwt_signature = digest.base64url_nopad(digest.hmac_sha256(var.jwt_secret, var.jwt_header "." var.jwt_payload));
|
|
221
|
+
|
|
222
|
+
set bereq.http.X-JWT = var.jwt_header "." var.jwt_payload "." var.jwt_signature;
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
To verify the JWT header in Zuplo, you can utilize the JWT Auth Inbound policy.
|
|
226
|
+
|
|
227
|
+
```json
|
|
228
|
+
{
|
|
229
|
+
"name": "verify-fastly-jwt",
|
|
230
|
+
"policyType": "open-id-jwt-auth-inbound",
|
|
231
|
+
"handler": {
|
|
232
|
+
"export": "OpenIdJwtInboundPolicy",
|
|
233
|
+
"module": "$import(@zuplo/runtime)",
|
|
234
|
+
"options": {
|
|
235
|
+
"authHeader": "x-jwt",
|
|
236
|
+
"issuer": "Fastly",
|
|
237
|
+
"audience": "my-api.example.com",
|
|
238
|
+
"secret": "$env(FASTLY_SECRET)"
|
|
239
|
+
}
|
|
240
|
+
}
|
|
241
|
+
}
|
|
242
|
+
```
|
|
243
|
+
|
|
244
|
+
### mTLS Authentication
|
|
245
|
+
|
|
246
|
+
Fastly supports mTLS authentication for backend services. This is a good way to
|
|
247
|
+
ensure that only Fastly can access your API Gateway. For documentation on
|
|
248
|
+
configuring Fastly with mTLS, see the
|
|
249
|
+
[Fastly documentation](https://docs.fastly.com/en/guides/working-with-hosts#advanced-tls-options).
|
|
250
|
+
To configure Zuplo to accept mTLS connections, see the
|
|
251
|
+
[Zuplo mTLS Policy documentation](/docs/policies/mtls-auth-inbound).
|
|
@@ -0,0 +1,140 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Zuplo + WAF/DDoS Services
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
Many customers using Zuplo (or any other API Gateway) often choose to deploy WAF
|
|
6
|
+
and DDoS protection in front of their gateway. You can use any WAF - we have
|
|
7
|
+
customers today using Azure, AWS, Akamai, CloudFlare and many other options.
|
|
8
|
+
|
|
9
|
+
However, there are some things to consider depending on how you host Zuplo
|
|
10
|
+
(edge, dedicated, or self-hosted).
|
|
11
|
+
|
|
12
|
+
If for some reason these don't work for you - we can also offer a managed WAF as
|
|
13
|
+
part of your Zuplo Enterprise agreement; contact sales to discuss.
|
|
14
|
+
|
|
15
|
+
More details on some third-party WAF solutions are included below.
|
|
16
|
+
|
|
17
|
+
## Managed Edge Deployments
|
|
18
|
+
|
|
19
|
+
Zuplo when running on the managed edge is running in over 300 data centers
|
|
20
|
+
around the world. If you care about worldwide presence, be sure to choose a WAF
|
|
21
|
+
that is globally distributed as all traffic will be routed through your WAF.
|
|
22
|
+
|
|
23
|
+
## Managed Dedicated and Self-hosted Deployments
|
|
24
|
+
|
|
25
|
+
Customers typically use a WAF offered by their selected hosting platform (e.g.
|
|
26
|
+
Azure, Akamai, AWS, etc.) to simplify management, improve latency and reduce
|
|
27
|
+
bandwidth costs.
|
|
28
|
+
|
|
29
|
+
## Zuplo Managed WAF
|
|
30
|
+
|
|
31
|
+
Zuplo offers different WAF solutions based on your deployment model:
|
|
32
|
+
|
|
33
|
+
**Managed Edge Deployment:** Customers on Zuplo's enterprise plans using our
|
|
34
|
+
managed edge deployment can use Zuplo Managed WAF. This provides
|
|
35
|
+
enterprise-grade protection for your API Gateway with minimal configuration
|
|
36
|
+
required, including OWASP Core Ruleset, OFAC sanctions compliance, DDoS
|
|
37
|
+
protection, and custom rule capabilities.
|
|
38
|
+
|
|
39
|
+
**Managed Dedicated Deployment:** Customers using Zuplo's managed dedicated
|
|
40
|
+
deployment model can leverage custom WAF and DDoS configurations based on the
|
|
41
|
+
capabilities of their chosen cloud provider (AWS, Azure, GCP). Our team will
|
|
42
|
+
work with you to configure the appropriate security services available in your
|
|
43
|
+
cloud environment.
|
|
44
|
+
|
|
45
|
+
For detailed information about Zuplo Managed WAF for managed edge deployments,
|
|
46
|
+
see our [Zuplo Managed WAF guide](./zuplo-waf.mdx).
|
|
47
|
+
|
|
48
|
+
:::tip
|
|
49
|
+
|
|
50
|
+
Many common WAF functions can be implemented directly in Zuplo using policies,
|
|
51
|
+
without the need for a separate WAF service:
|
|
52
|
+
|
|
53
|
+
- **IP Restriction** - Block or allow requests from specific IP addresses using
|
|
54
|
+
the [IP Restriction policy](../policies/ip-restriction-inbound.mdx)
|
|
55
|
+
- **Geolocation Blocking** - Route or block requests based on country using
|
|
56
|
+
[custom policies](../guides/geolocation-backend-routing.mdx)
|
|
57
|
+
- **Rate Limiting** - Protect against abuse with built-in
|
|
58
|
+
[rate limiting policies](../policies/rate-limit-inbound.mdx)
|
|
59
|
+
- **Custom Rules** - Create any custom security logic with
|
|
60
|
+
[custom code policies](../policies/custom-code-inbound.mdx)
|
|
61
|
+
|
|
62
|
+
These policies run at the edge with your API, ensuring no additional latency
|
|
63
|
+
while providing powerful security capabilities.
|
|
64
|
+
|
|
65
|
+
:::
|
|
66
|
+
|
|
67
|
+
Contact our [sales team](mailto:sales@zuplo.com) to discuss which WAF solution
|
|
68
|
+
is right for your deployment model.
|
|
69
|
+
|
|
70
|
+
## Third-Party WAF Solutions
|
|
71
|
+
|
|
72
|
+
If you require the ability to finely control your WAF Rules or are using a
|
|
73
|
+
third-party WAF provider, Zuplo integrates seamlessly with popular edge-based
|
|
74
|
+
WAF solutions.
|
|
75
|
+
|
|
76
|
+
### Akamai App & API Protector
|
|
77
|
+
|
|
78
|
+
Akamai's App & API Protector provides comprehensive WAF and DDoS protection with
|
|
79
|
+
a global edge network. Akamai offers advanced bot management, API security, and
|
|
80
|
+
DDoS mitigation that works well with Zuplo's edge-deployed architecture. With
|
|
81
|
+
over 4,000 edge locations worldwide, Akamai ensures minimal latency when
|
|
82
|
+
protecting your Zuplo API Gateway.
|
|
83
|
+
|
|
84
|
+
Key features include:
|
|
85
|
+
|
|
86
|
+
- Advanced bot detection and mitigation
|
|
87
|
+
- API-specific security rules and rate limiting
|
|
88
|
+
- Real-time threat intelligence
|
|
89
|
+
- Automatic protection against OWASP Top 10 vulnerabilities
|
|
90
|
+
- DDoS protection across all layers
|
|
91
|
+
|
|
92
|
+
Akamai's extensive edge network ensures that security checks happen close to
|
|
93
|
+
your users, maintaining the low-latency benefits of Zuplo's edge deployment.
|
|
94
|
+
|
|
95
|
+
- [Akamai Edge Locations](https://www.akamai.com/why-akamai/our-edge-platform)
|
|
96
|
+
|
|
97
|
+
### Cloudflare WAF + DDoS
|
|
98
|
+
|
|
99
|
+
Cloudflare is the easiest solution for custom WAF + DDoS in front of your Zuplo
|
|
100
|
+
API Gateway deployed as managed-edge. Because managed-edge is already terminated
|
|
101
|
+
with Cloudflare, the integration is seamless and requires virtually zero
|
|
102
|
+
configuration. Simply point your Cloudflare managed domain to Zuplo and you are
|
|
103
|
+
protected. You can fully customize your WAF, firewall, DDoS or any other
|
|
104
|
+
security configuration offered by Cloudflare. When a request comes into
|
|
105
|
+
Cloudflare, it will be routed first through your account's configuration, then
|
|
106
|
+
will be sent to your Zuplo API Gateway. The same thing happens on the outbound
|
|
107
|
+
as well.
|
|
108
|
+
|
|
109
|
+
A custom domain configured on Zuplo that utilizes Cloudflare DNS is completely
|
|
110
|
+
protected from requests bypassing your WAF and hitting Zuplo directly.
|
|
111
|
+
Additionally, because your WAF and DDoS are in the same edge locations that
|
|
112
|
+
Zuplo uses to terminate our endpoints, there will be no additional latency.
|
|
113
|
+
|
|
114
|
+
[Cloudflare Edge Locations](https://www.cloudflare.com/network/)
|
|
115
|
+
|
|
116
|
+
### Fastly Next-Gen WAF (powered by Signal Sciences)
|
|
117
|
+
|
|
118
|
+
Fastly's next-gen WAF is another good edge-based solution for WAF/DDoS
|
|
119
|
+
protection. Fastly can be configured with minimal setup to work with Zuplo.
|
|
120
|
+
Because Fastly is most of the same edge locations as Cloudflare (while they
|
|
121
|
+
don't disclose this, we suspect that in many cases they're often in the same
|
|
122
|
+
physical colo data centers) there will be virtually no additional latency using
|
|
123
|
+
the two products together.
|
|
124
|
+
|
|
125
|
+
- [Configuring Zuplo + Fastly](./waf-ddos-fastly.mdx)
|
|
126
|
+
- [Fastly Edge Locations](https://www.fastly.com/network-map/)
|
|
127
|
+
|
|
128
|
+
### AWS Shield + AWS WAF + CloudFront
|
|
129
|
+
|
|
130
|
+
AWS offers DDoS (Shield) and WAF products that run at CloudFront edge locations.
|
|
131
|
+
This is another good option for edge-based WAF/DDoS protection in front of your
|
|
132
|
+
Zuplo API Gateway. AWS CloudFront is also in hundreds of edge locations that are
|
|
133
|
+
very close to Cloudflare locations (again, this isn't something either company
|
|
134
|
+
discloses, but we suspect there is significant overlap in the physical locations
|
|
135
|
+
used by AWS and Cloudflare).
|
|
136
|
+
|
|
137
|
+
For more information on AWS Shield and WAF, see the following links:
|
|
138
|
+
|
|
139
|
+
- [Configuring Zuplo + AWS WAF & Shield](./waf-ddos-aws-waf-shield.mdx)
|
|
140
|
+
- [AWS CloudFront Locations](https://aws.amazon.com/cloudfront/features/?whats-new-cloudfront&whats-new-cloudfront.sort-by=item.additionalFields.postDateTime&whats-new-cloudfront.sort-order=desc)
|