Set Up Access Control Routing

Learn how to restrict access to your application servers based on JWT claims or header values.


This documentation applies to NGINX Management Suite API Connectivity Manager 1.3.0 and later.

Overview

In NGINX Management Suite API Connectivity Manager (ACM), you can apply global policies to API Gateway and Developer Portal clusters to ensure your organization’s security requirements are enforced.

When you add policies at the environment level, they will apply to all proxies hosted within that environment.

See the Learn about Policies topic for an overview of the different policy types and available policies.

Before You Begin

Complete the following prerequisites before proceeding with this guide:

  • API Connectivity Manager is installed, licensed, and running.
  • You have one or more Environments with API Gateway or Dev Portal clusters.
  • You have published one or more API Gateways or Developer Portals with either JSON Web Token Assertion or OAuth2 Introspection enabled.

How to Access the User Interface

This guide provides instructions for completing tasks using the NGINX Management Suite API Connectivity Manager user interface (UI).

To access the UI, go to the FQDN of your NGINX Management Suite host and log in. On the Launchpad menu, select “API Connectivity Manager.”

How to Access the REST API

You can use tools such as curl or Postman to interact with the NGINX Management Suite API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION>.

When making API calls by using curl, Postman, or any other tool, you need to provide your authentication information with each call. Refer to the API Overview for more information about authentication options.

Create Access Control Routing Policy

Take the steps in this section to restrict access to Advanced Routes or HTTP methods based on request header values or JWT claims.

  1. In the ACM user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Gateway or Dev Portal.
  2. Select Edit Advanced Config from the Actions menu for the desired API Gateway or Dev Portal.
  3. On the Policies tab, select Add Policy from the Actions menu.
  4. Select Add route to configure a rule. Select one or more keys and the approved values for each key; a request must carry an approved value for every key before the end user is allowed to reach the API. Optionally select an Advanced Route or a list of HTTP methods to limit the Access Control check to requests that match that route or those methods.
  5. Optionally set the return code that is sent back to requests that match the rule's route or HTTP method but do not satisfy its conditions.

The rule from the steps above as it appears in the proxy's policy JSON (GET requests are allowed only when the JWT role claim is admin):

"policies": {
    "access-control-routing": [
        {
            "action": {
                "conditions": [
                    {
                        "allowAccess": {
                            "httpMethods": ["GET"]
                        },
                        "when": [
                            {
                                "key": "token.role",
                                "matchOneOf": {
                                    "values": [
                                        "admin"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            }
        }
    ]
}

Note:
  • Requests that do not match any rule's route or HTTP method are allowed through to the API Gateway or Developer Portal. The policy only checks requests that fall within a rule's scope, so a route or method that no rule covers is reachable without any claim or header check. Adding a rule with no route or HTTP method specified means that
  • Multiple match conditions in one rule must all be satisfied (AND) for the request to be allowed.
  • Multiple rules with the same route and HTTP method configuration are combined with OR: the request is allowed if any one of them is satisfied.
  • A request that matches multiple rules is checked against them from most to least specific.
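
To make the evaluation order in the note concrete, the following Python model (an added example, not code from ACM or NGINX) evaluates a policy against constructed sample requests: rules out of scope leave the request untouched (default allow), conditions inside one rule are AND-ed, rules on the same scope are OR-ed, and the most specific rules decide. The page documents only `token.<claim>` keys and the JSON fields shown above; the `route` and `returnCode` field names, the `header.<name>` key form, the `/admin` route, and the decision that only the most specific matching rules decide are assumptions made for the example.

```python
"""Model of ACM access-control-routing evaluation (added example, not ACM code).

Assumptions, not taken from the page: "allowAccess" may carry a "route" string
next to "httpMethods"; the action carries a "returnCode"; header keys are written
"header.<name>"; only the most specific group of in-scope rules decides.
"""
from dataclasses import dataclass, field

# The page's policy, extended with two rules on a hypothetical /admin route.
POLICY = {
    "access-control-routing": [
        {
            "action": {
                "returnCode": 403,  # assumed field name for the UI's return code
                "conditions": [
                    # Page's rule: GET on any route requires role == admin.
                    {"allowAccess": {"httpMethods": ["GET"]},
                     "when": [{"key": "token.role",
                               "matchOneOf": {"values": ["admin"]}}]},
                    # Two conditions in one rule: both must hold (AND).
                    {"allowAccess": {"route": "/admin",
                                     "httpMethods": ["POST", "DELETE"]},
                     "when": [{"key": "token.role",
                               "matchOneOf": {"values": ["admin"]}},
                              {"key": "header.x-env",
                               "matchOneOf": {"values": ["prod"]}}]},
                    # Same route/method scope as the rule above: OR-ed with it.
                    {"allowAccess": {"route": "/admin",
                                     "httpMethods": ["POST", "DELETE"]},
                     "when": [{"key": "token.role",
                               "matchOneOf": {"values": ["break-glass"]}}]},
                ],
            }
        }
    ]
}


@dataclass
class Request:
    method: str
    route: str
    claims: dict = field(default_factory=dict)   # already-validated JWT payload
    headers: dict = field(default_factory=dict)  # lower-cased header names


def lookup(req: Request, key: str):
    """Resolve a rule key against the request: token.<claim> or header.<name>."""
    source, _, name = key.partition(".")
    if source == "token":
        return req.claims.get(name)
    if source == "header":  # assumed key form, see lead-in
        return req.headers.get(name.lower())
    return None


def in_scope(rule: dict, req: Request) -> bool:
    """Does the rule's route / HTTP method restriction cover this request?"""
    scope = rule["allowAccess"]
    if "route" in scope and scope["route"] != req.route:
        return False
    if "httpMethods" in scope and req.method not in scope["httpMethods"]:
        return False
    return True


def specificity(rule: dict) -> int:
    """Route and methods is most specific, then one of them, then neither."""
    scope = rule["allowAccess"]
    return int("route" in scope) + int("httpMethods" in scope)


def satisfied(rule: dict, req: Request) -> bool:
    """Every key in 'when' must carry one of its approved values (AND)."""
    return all(lookup(req, w["key"]) in w["matchOneOf"]["values"]
               for w in rule["when"])


def evaluate(policy: dict, req: Request) -> tuple:
    """Return ('allow', 200) or ('deny', <returnCode>) for the request."""
    action = policy["access-control-routing"][0]["action"]
    covering = [r for r in action["conditions"] if in_scope(r, req)]
    if not covering:
        # No rule covers this route/method: the request passes unchecked.
        return ("allow", 200)
    top = max(specificity(r) for r in covering)
    decisive = [r for r in covering if specificity(r) == top]
    # Rules at the same scope are OR-ed: any one satisfied rule allows.
    if any(satisfied(r, req) for r in decisive):
        return ("allow", 200)
    return ("deny", action.get("returnCode", 403))


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("GET", "/orders", {"role": "user"}),
        Request("GET", "/orders", {"role": "admin"}),
        Request("POST", "/orders", {"role": "user"}),  # no rule: default allow
        Request("POST", "/admin", {"role": "admin"}, {"x-env": "prod"}),
        Request("POST", "/admin", {"role": "admin"}),  # second condition missing
        Request("DELETE", "/admin", {"role": "break-glass"}),
    ]
    for s in samples:
        print(s.method, s.route, s.claims, s.headers, "->", evaluate(POLICY, s))
```

The third sample is the one to keep in mind when writing rules: a POST to /orders is not covered by any rule, so it is proxied without any claim check at all. If that is not intended, the route or method needs its own rule.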

Verification

  1. From a client, send a request to the API Gateway or Developer Portal that matches a rule's route or HTTP method but carries a JWT claim or header value that is not in the rule's approved values. The request should be rejected with the return code you configured.
  2. Send the same request with an approved claim or header value. The request should be proxied to the backend.
  3. Send a request to a route or HTTP method that no rule covers and confirm it is allowed; this is the default-allow behavior described in the note above, so make sure every route and method you intend to protect is covered by a rule.