Focuses on user authentication, authorisation, and dynamic database connection management, enhancing security and efficiency. Key components include:

• CORAZA - Web Application Firewall 🛡️

  • Function: Filters and monitors HTTP traffic to shield against security threats.
  • Features: High performance, customisable security rules, mitigation of OWASP Top 10 risks.

• NGINX - Application Load Balancer 🌍

  • Function: Evenly distributes incoming traffic to maximise service availability and efficiency/analytics.
  • Features: High traffic management capability, scalability.

• Zalando Skipper - Request Router/Reverse Proxy 🔄

  • Function: Dynamically manages routing and request modifications, and logs every request and response in a compressed format for efficiency.
  • Features: Advanced routing, efficient management of routes.
  • Routing Table Management 📊
    • Function: Handles endpoint mappings and middleware specifications.
    • Key Feature: Manages Eskip files for dynamic routing decisions.

• Custom IAM Service 🔑

  • Function: Manages authentication, authorisation, and key management tasks.
  • Features: Tailored security services, flexible micro-service integration.

• OpenSSL - SSL/TLS Certificate Maintenance 🛡️

  • Function: Automates SSL certificate verification and renewal.
  • Implementation: Uses web-hooks for triggering IAM Service configurations upon certificate expiry.

  Request Flow Analysis

  From Frontend to API Gateway

  1. Frontend to CORAZA WAF
     • Initial traffic inspection to filter malicious requests using updated security rules.
  2. WAF to NGINX ALB
     • Traffic distribution across services to enhance load handling and fault tolerance.
     • Advantages of ALB: Supports SSL/TLS termination, facilitating reduced backend load and enabling HTTP/2.
  3. ALB to Skipper API Gateway
     • Manages public endpoints with Rate Limiting and CAPTCHA (/oauth2/token, /signup, /info, etc.,) and private endpoints with security checks:
       • JWT Verification: Validates JWT integrity using CDN-hosted public keys.
       • Authorisation: Verifies user permissions through cached data, retrieved via gRPC from the IAM Service.
       • Database Connection: Attaches necessary database details for backend interactions from the multi-tenant middleware
     • Why gRPC?: Ensures efficient, reliable low-latency communication between components.
  4. Forwarding to Micro-services
     • After passing through Skipper, requests are forwarded to the appropriate micro-service along with all relevant information.

Security and Data Handling

• CDN Usage: Distributes public keys for high availability and security, restricted to specific hosts to mitigate risks.