Release Notes

1.9.3

November 06, 2024

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.6.0 - 1.9.2

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

This release includes stability and performance improvements.

Known Issues

You can find information about known issues in the Known Issues topic.

1.9.2

March 14, 2024

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.6.0 - 1.9.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.9.1

October 05, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.6.0 - 1.9.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.9.0

September 07, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.6.0 - 1.8.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

Now you can use templating for the server URL in a supplied OpenAPI specification. You must supply the full explicit basePath as part of the server URL in the OpenAPI specification file.

When creating an API proxy using an OAS file, the following values will not be editable in the web interface if they are provided via the OAS spec file:

servers:
 url: http://{server}.hostname.com/api/{version}
  variables:
    server:
      default: customers
    version:
      default: v1
    basePathVersionAppendRule:
      default : none
    stripBasePathVersion:
      default : false

You can now specify an OAuth2 JWT assertion policy to apply to the API Proxy being created using an OpenAPI specification file.

You can provide the backend server configuration for upstream servers in an OpenAPI specification file using extensions specific to API Connectivity Manager. See the Publish an API Proxy documentation.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.8.0

July 27, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.5.0 - 1.7.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

You can use the Advanced Security policy to add a pre-defined NGINX App Protect to your deployment. This enhancement allows you to specify the rules for each API.

Now, you can publish APIs using OpenAPI Specification version 3.0 or 3.1

The matchRule field is now available in the route items in proxyConfig.ingress. This field is optional and allows you to define a path matching rule for advanced routes.

The OpenAPI Specification now supports the x-acm-match-rule extension for defining match rules for paths within routes. If you don’t specify a value for this extension, it will default to EXACT. The only allowed values for matchRule are the strings EXACT and PREFIX.

Changes in Default Behavior

This release has the following changes in default behavior:

Labels on proxies were added with future use cases in mind although without a current need. The proxy labels have been removed to avoid confusion as to their purpose.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.7.0

June 21, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.4.0 - 1.6.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

The new Advanced Security policy can be used to add a pre-defined NGINX App Protect configuration to your deployment. Doing so will apply the rules specified in the policy to your APIs.

The Request Header Specification policy allows headers with (.) and (_) characters to be proxied to backend services.

By default, NGINX server will drop all headers that contain (.) and (_) characters in the header name. Though not common, it is a legal character in headers. This feature will allow users to instruct NGINX to allow such headers to be proxied.

Access control routing claims can be arrays. For example, roles and groups are typically represented as an array. You can now use a regular expression to match against claims embedded in arrays.

Regular expressions are now supported in routing rules. This will enable routing of requests that match against strings like ?wsdl.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.6.0

May 11, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.3.0 - 1.5.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

With the latest update, you can now create APIKey and Basic Auth security policies using an OAS specification. This enhancement streamlines the process for creating policies, reduces errors, and improves system security. API Connectivity Manager and NGINX can be integrated into the build pipeline where you generate OpenAPI specs.

With the latest HTTP Backend Configuration Proxy policy update, you can now modify the size and location of buffer temporary files or turn off buffering altogether. This enhancement offers greater flexibility and control to API Connectivity Manager users, allowing them to optimize their system’s performance and improve the overall end-user experience.

With this release, you can view more information about your environments. This includes the number of clusters and runtimes, the number of APIs available, and the total amount of data transmitted in and out of each cluster. Additionally, you can view graphs displaying crucial analytics, including traffic metrics, which can help you better understand your system’s performance.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.5.0

March 28, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.2.0 - 1.4.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

With new built-in RBAC roles for API Connectivity Manager, administrators can grant or restrict user access to workspaces and features, empowering teams to manage their own workflows.

• Set Up RBAC for API Owners
• Set Up RBAC for Infra Admins

Proxy clusters can be shared across multiple environments (hostnames).

API Connectivity Manager now provides enhanced security for sensitive data, including credentials used in APIKeys, Basic Auth, OAuth2, and JWT policies. All secrets are stored in a secure Vault and encrypted for added protection.

Administrators can use cluster-wide policies to configure uniform settings across all instances in the cluster, such as worker connections, hash table size, and keepalive settings, to optimize performance. Furthermore, using the Cluster Zone Sync policy, the cluster can be configured to share the runtime state and sync data across all instances, allowing for cluster-wide rate limits and sticky sessions.

A number of improvements have been made to how the web interface queries the backend services when fetching data.

The gRPC proxy can be enabled with a Health Check policy, allowing it to check the health status of backend gRPC services and route requests accordingly.

API Connectivity Manager will not generate new certificates if any have already been specified in the TLS policy; instead, ACM will reference the existing certificates. In this way, wildcard certificates may be employed.

Security Updates

For the protection of our customers, NGINX doesn’t disclose security issues until an investigation has occurred and a fix is available.

This release includes the following security updates:

NGINX Agent inserts sensitive information into a log file (CVE-2023-1550). An authenticated attacker with local access to read NGINX Agent log files may gain access to private keys. This issue is exposed only when the non-default trace-level logging is enabled.

NGINX Agent is included with NGINX Instance Manager, and used in conjunction with API Connectivity Manager and the Security Monitoring module.

This issue has been classified as CWE-532: Insertion of Sensitive Information into Log File.

• Mitigation:

  • Avoid configuring trace-level logging in the NGINX Agent configuration file. For more information, refer to the Configuring the NGINX Agent section of NGINX Management Suite documentation. If trace-level logging is required, ensure only trusted users have access to the log files.

• Fixed in:

  • NGINX Agent 2.23.3
  • Instance Manager 2.9.0

For more information, refer to the MyF5 article K000133135.

Changes in Default Behavior

This release has the following changes in default behavior:

Updates the ACL IP policy to deny IP addresses by default instead of allowing them by default.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.4.1

February 02, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.1.0 - 1.4.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.4.0

January 23, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.1.0 - 1.3.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

Control access to APIs to prevent unauthorized requests from designated consumers.

API admins can configure an OAuth2 Introspection policy with token claim verification. If the value of an introspected token claim matches the values in the policy configuration, the request will be allowed to proceed to the backend. If not, the request will be denied, and 403 Forbidden will be returned.

API Connectivity Manager 1.4.0 is compatible with NGINX Plus R28. For requirements related to NGINX Management Suite and API Connectivity Manager, please refer to the Technical Specifications guide.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.3.1

December 16, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0 - 1.3.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.3.0

December 12, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0 - 1.2.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

API lifecycle management requires routing API traffic with fine-level control, which is something that token-based authentication schemes that leverage JWT claims do well. Permissions can be encoded as custom claims in the token. Then, once the API proxy validates the token (JWT), it can access all the fields in the token as variables. Decisions can be made based on matching the claims.

• Applying Fine-Grained Access Control

  API Owners can apply fine-grained access control and restrict access to their APIs based on specific claims in the token. The policy can be configured to enforce fine-grained control for specific routes or be fine-tuned to support particular methods per route.

• Header-Based Routing

  Routing decisions can be made based on headers in the incoming requests. API owners can configure rules and conditions that must be matched before routing requests.

See Configure Access Control Routing to learn how to restrict access to your application servers based on JWT claims or header values.

With API Connectivity Manager 1.2, we introduced support for publishing and managing gRPC services. Now, in this release, we extend that capability to the web interface.

You can secure gRPC services with the following policies:

• gRPC environment policies

  • Error Response Format
  • Log Format
  • Proxy Response Headers
  • Request Body Size Limit
  • Request Correlation ID
  • TLS Backend
  • TLS Inbound

• gRPC proxy policies:

  • ACL IP Restriction
  • APIKey Authentication
  • Basic Authentication
  • GRPC Backend Config
  • JSON Web Token Assertion
  • OAuth2 Introspection
  • Proxy Request Headers
  • Rate Limit

API Connectivity Manager communicates with the Developer Portal host to publish API docs and create API credentials. Now, PlatformOps can secure this communication channel by enabling mTLS between the hosts.

Previously, mTLS required a TLS backend policy on the internal portal proxy cluster. API Connectivity Manager 1.3 removes that restriction. The TLS inbound policy on the internal portal allows providing a client certificate for API Connectivity Manager when mTLS is enabled. API Connectivity Manager presents this client certificate when connecting to the Developer Portal, identifying itself as a trusted client.

• Improved policy layout

  The Policy user interface has been improved with highlights for the different policy sections.

• NGINX Management Suite config changes are preserved during upgrade

  Upgrades no longer overwrite customized configurations unless instructed to by the user.

• Support for chained certificates

  Infrastructure administrators can now upload public certificates in PEM format, along with an optional list of intermediate certificates for validating the public certificate.

• Support for SNI requirements from hosted services

  API owners can now use the OAuth2 policy with hosted Identity Provider services that enforce Server Name Indication (SNI).

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.2.0

October 18, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0 - 1.1.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

Using the ACL-IP policy, API owners can now restrict access to APIs based on IP addresses. APIs can be protected by quickly blocking rogue requests from certain IPs or allowing access to only known IPs.

API Owners can restrict access to their APIs with OAuth2 tokens by swapping an opaque token for claims or a JWT token to be proxied to the backend service. The policy can be configured to grant access to APIs after having the tokens introspected. In addition, the claims in the token can be extracted and forwarded to the backend service.

Learn how to set up an OAuth2 Introspection policy with Keycloak as the authorization server.

The API documentation published to the Developer Portal now displays detailed security schema information for each API.

To improve the performance and efficiency of client-server interactions, HTTP/2 can be enabled on the API proxies. With HTTP/2 enabled, API Proxies will continue to maintain backward compatibility with older browsers.

API owners can now view the origin of resource credentials. The source field indicates where the credentials were created. For security reasons, the credentials created on the Developer Portal will be masked, but the API owners can view the origin of the resource credentials.

The maximum allowed size for the client request body can now be configured in bytes, kilobytes(K) or megabytes(M).

The maxRequestBodySizeLimit attribute of the policy is deprecated and will be removed in API Connectivity Manager 1.3.0. Size is the new attribute that supports bytes, megabytes(M), and kilobytes(K). The default setting is 1M.

The Developer Portal support package now includes the option to back up the PostgreSQL database.

This is a preview feature for you to try out. You shouldn’t use preview features for production purposes.

To handle gRPC traffic, you can now publish and manage gRPC proxies.

Publish gRPC proxies and route gRPC traffic to support the following use cases:

• Simple RPC (single request‑response)

• Response‑streaming RPC

• Request‑streaming RPC

• Bidirectional‑streaming RPC

• Route to all services in a gRPC service package

• Route to a single gRPC service

• Route to individual gRPC methods

• Route to multiple gRPC services

• Respond to errors with custom gRPC error response format policy

Developer Portals are now deployed with out-of-the-box protection against rapid requests/overuse and server fingerprinting:

1. Protection against server fingerprinting

The proxy response header policy is now applied by default to a Developer Portal. The default policy disables server tokens from being returned in the proxy response.

2. Protection against rapid requests and over-use

To protect the portal application, the default rate limit policy limits the number of requests a client can make in a time period. Platform admins can customize the policy to meet their SLAs.

Developer Portals can support multiple deployment patterns. The portal backend API service can be scaled to multiple hosts and can be load-balanced using host IP addresses or internal DNS.

To support the deployment patterns, configs -> proxyConfig -> backends object has been introduced in the Portal Proxy runtime. The existing backend object in the proxyCluster object of the Portal Proxy runtime is being deprecated and will not be available in the next major release version.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.1.1

August 31, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0 - 1.1.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.1.0

August 18, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

What’s New

This release includes the following updates:

Including more than one proxy cluster with the same hostname in an environment replicates configuration across all clusters and assists with blue-green deployments. With advanced cluster management, you can use a load balancer in front of the clusters to slowly move to the newer version of the API gateway. For example, one cluster may belong to NGINX Plus version R26 and another to R27. See the Technical Specifications.

Advanced routing feature is available now. You can use it to publish an API Proxy and route specific URIs/endpoints precisely to a backend service. Advanced routing with OAS Specification allows you to import a specification file, parse all the URIs/endpoints in the file and publish API proxy by routing each URI/endpoint precisely to a backend service. To use the advanced routing feature without an OAS specification file, add the URI/endpoints while publishing the API proxy. See the Advanced Configurations section.

SQLite is now supported as a database for Developer Portal installations.

This release supports NGINX Plus Release 27 (R27) version for Data Plane instances. See the Technical Specifications.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

Known Issues

You can find information about known issues in the Known Issues topic.

1.0.0

July 19, 2022

What’s New

This release includes the following updates:

• Create and manage isolated workspaces for business units, development teams, etc., so each team can develop and deploy at its own pace without affecting other teams.
• Create and manage API infrastructure in isolated workspaces.
• Create and manage production and non-production environments within team workspaces and control who can access APIs at various lifecycle stages. For example, keep APIs under development private and publish production-ready APIs for public access.
• Enforce uniform security policies across all workspaces by applying global policies.
• Create Developer Portals that align with your brand, with custom color themes, logos, and favicons.
• On-board your APIs, publish to an API gateway, and publish your API documentation to the Developer Portal.
• Let teams apply policies to their API proxies to provide custom quality of service for individual applications.
• On-board API documentation by uploading an OpenAPI spec.
• Publish your API docs to a Developer Portal without giving the public access to your API.
• Monitor system and traffic metrics at the instance level.
• Self-service credential issuance for API Keys and Basic Authentication.
• Test API calls to your system using the “Try it out” feature in the Developer Portal.

Known Issues

You can find information about known issues in the Known Issues topic.