Release Notes

These release notes list and describe the new features, enhancements, and resolved issues in NGINX Management Suite API Connectivity Manager.

1.9.0

September 07, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.6.0 - 1.8.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Server URL templating in OpenAPI specification file

  Now you can use templating for the server URL in a supplied OpenAPI specification. You must supply the full explicit basePath as part of the server URL in the OpenAPI specification file.

  When creating an API proxy using an OAS file, the following values will not be editable in the web interface if they are provided via the OAS spec file:

  servers:
   url: http://{server}.hostname.com/api/{version}
    variables:
      server:
        default: customers
      version:
        default: v1
      basePathVersionAppendRule:
        default : none
      stripBasePathVersion:
        default : false
  

• OpenAPI specification support for OAuth2 JWT assertion policy

  You can now specify an OAuth2 JWT assertion policy to apply to the API Proxy being created using an OpenAPI specification file.

• Backend server configuration from OpenAPI specification file

  You can provide the backend server configuration for upstream servers in an OpenAPI specification file using extensions specific to API Connectivity Manager. See the Publish an API Proxy documentation.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• A proxy deployed with a specRef field (OAS) and basePathVersionAppendRule set to other than NONE may cause versions to appear twice in the deployed location block (36666)
• Resources deployed to a Developer Portal which has had its database reset cannot be updated or removed (43140)
• Certificates associated with empty instance groups can be deleted, resulting in a broken reference in the API Connectivity Manager module (43671)
• Deployment fails due to duplicate locations (43673)
• Cannot use TLS enabled backend with HTTP backend-config policy (44212)

Known Issues

You can find information about known issues in the Known Issues topic.

1.8.0

July 27, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.5.0 - 1.7.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Advanced security policy for proxies

  You can use the Advanced Security policy to add a pre-defined NGINX App Protect to your deployment. This enhancement allows you to specify the rules for each API.

• Publish APIs using OpenAPI Specification version 3.0 or 3.1

  Now, you can publish APIs using OpenAPI Specification version 3.0 or 3.1

• Added matchRule field to the route items in proxyConfig.ingress

  The matchRule field is now available in the route items in proxyConfig.ingress. This field is optional and allows you to define a path matching rule for advanced routes.

  The OpenAPI Specification now supports the x-acm-match-rule extension for defining match rules for paths within routes. If you don’t specify a value for this extension, it will default to EXACT. The only allowed values for matchRule are the strings EXACT and PREFIX.

Changes in Behavior

This release has the following changes in default behavior:

• Proxy labels removed

  Labels on proxies were added with future use cases in mind although without a current need. The proxy labels have been removed to avoid confusion as to their purpose.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• Environments with WAF enabled may transition to a Failed status when a Developer Portal cluster is added. (43231)

Known Issues

You can find information about known issues in the Known Issues topic.

1.7.0

June 21, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.4.0 - 1.6.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Advanced Security Policy

  The new Advanced Security policy can be used to add a pre-defined NGINX App Protect configuration to your deployment. Doing so will apply the rules specified in the policy to your APIs.

• Option added to allow API proxy to ignore invalid headers

  The Request Header Specification policy allows headers with (.) and (_) characters to be proxied to backend services.

  By default, NGINX server will drop all headers that contain (.) and (_) characters in the header name. Though not common, it is a legal character in headers. This feature will allow users to instruct NGINX to allow such headers to be proxied.

• Regex support added to access control routing claims

  Access control routing claims can be arrays. For example, roles and groups are typically represented as an array. You can now use a regular expression to match against claims embedded in arrays.

• Ingress routing rules now allow using regular expressions

  Regular expressions are now supported in routing rules. This will enable routing of requests that match against strings like ?wsdl.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• The routes filter under the proxy metrics page won’t work with params (42471)
• Multiple entries selected when gateway proxy hostnames are the same (42515)

Known Issues

You can find information about known issues in the Known Issues topic.

1.6.0

May 11, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.3.0 - 1.5.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Create security policies using an OAS specification

  With the latest update, you can now create APIKey and Basic Auth security policies using an OAS specification. This enhancement streamlines the process for creating policies, reduces errors, and improves system security. API Connectivity Manager and NGINX can be integrated into the build pipeline where you generate OpenAPI specs.

• New buffer settings were added to the HTTP Backend Configuration Proxy policy to enhance performance

  With the latest HTTP Backend Configuration Proxy policy update, you can now modify the size and location of buffer temporary files or turn off buffering altogether. This enhancement offers greater flexibility and control to API Connectivity Manager users, allowing them to optimize their system’s performance and improve the overall end-user experience.

• Gain deeper insights into your environments with enhanced analytics and metrics

  With this release, you can view more information about your environments. This includes the number of clusters and runtimes, the number of APIs available, and the total amount of data transmitted in and out of each cluster. Additionally, you can view graphs displaying crucial analytics, including traffic metrics, which can help you better understand your system’s performance.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• CORS policy doesn’t support proxying preflight requests to the backend when combined with an authentication policy (34449)
• TLS setting on listener is not reset when TLS policy is removed (41426)
• Developer Portal: When typing the links to use for the footer, the text boxes keep losing focus (41626)
• Array values in token claims are treated as string values (42388)

Known Issues

You can find information about known issues in the Known Issues topic.

1.5.0

March 28, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.2.0 - 1.4.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Use role-based access control for enhanced security and governance

  With new built-in RBAC roles for API Connectivity Manager, administrators can grant or restrict user access to workspaces and features, empowering teams to manage their own workflows.

  See Also:
  

  • Set Up RBAC for API Owners
  • Set Up RBAC for Infra Admins

• Multiple hostname support

  Proxy clusters can be shared across multiple environments (hostnames).

• Secure handling of sensitive data

  API Connectivity Manager now provides enhanced security for sensitive data, including credentials used in APIKeys, Basic Auth, OAuth2, and JWT policies. All secrets are stored in a secure Vault and encrypted for added protection.

• Runtime state sharing in an API gateway or Developer Portal

  Administrators can use cluster-wide policies to configure uniform settings across all instances in the cluster, such as worker connections, hash table size, and keepalive settings, to optimize performance. Furthermore, using the Cluster Zone Sync policy, the cluster can be configured to share the runtime state and sync data across all instances, allowing for cluster-wide rate limits and sticky sessions.

• Performance improvements for the web interface

  A number of improvements have been made to how the web interface queries the backend services when fetching data.

• Add a Health Check policy to your gRPC proxy to ensure optimal performance

  The gRPC proxy can be enabled with a Health Check policy, allowing it to check the health status of backend gRPC services and route requests accordingly.

• Improved certificate handling

  API Connectivity Manager will not generate new certificates if any have already been specified in the TLS policy; instead, ACM will reference the existing certificates. In this way, wildcard certificates may be employed.

Security Updates

Important:
For the protection of our customers, NGINX doesn’t disclose security issues until an investigation has occurred and a fix is available.

This release includes the following security updates:

• Instance Manager vulnerability CVE-2023-1550

  NGINX Agent inserts sensitive information into a log file (CVE-2023-1550). An authenticated attacker with local access to read NGINX Agent log files may gain access to private keys. This issue is exposed only when the non-default trace-level logging is enabled.

  NGINX Agent is included with NGINX Instance Manager, and used in conjunction with API Connectivity Manager and the Security Monitoring module.

  This issue has been classified as CWE-532: Insertion of Sensitive Information into Log File.

  Mitigation

  • Avoid configuring trace-level logging in the NGINX Agent configuration file. For more information, refer to the Configuring the NGINX Agent section of NGINX Management Suite documentation. If trace-level logging is required, ensure only trusted users have access to the log files.

  Fixed in

  • NGINX Agent 2.23.3
  • Instance Manager 2.9.0

  For more information, refer to the MyF5 article K000133135.

Changes in Behavior

This release has the following changes in default behavior:

• ACL IP Policy denies IP addresses by default

  Updates the ACL IP policy to deny IP addresses by default instead of allowing them by default.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• Configurations aren’t pushed to newly onboarded instances if another instance is offline (40035)
• The Proxy Cluster API isn’t ready to be used (40097)

Known Issues

You can find information about known issues in the Known Issues topic.

1.4.1

February 02, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.1.0 - 1.3.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Stability and performance improvements

  This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• Cluster and Environment deletion issues when Portal Docs are published (40163)

Known Issues

You can find information about known issues in the Known Issues topic.

1.4.0

January 23, 2023

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.1.0 - 1.3.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Allow or deny access to APIs for specified consumers

  Control access to APIs to prevent unauthorized requests from designated consumers.

• OAuth2 Introspection policy now supports token claim verification

  API admins can configure an OAuth2 Introspection policy with token claim verification. If the value of an introspected token claim matches the values in the policy configuration, the request will be allowed to proceed to the backend. If not, the request will be denied, and 403 Forbidden will be returned.

• Adds support for NGINX Plus R28

  API Connectivity Manager 1.4.0 is compatible with NGINX Plus R28. For requirements related to NGINX Management Suite and API Connectivity Manager, please refer to the Technical Specifications guide.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• A JWT token present in a query parameter is not proxied to the backend for advanced routes (39328)
• OIDC policy cannot be applied alongside a proxy authentication policy (39604)

Known Issues

You can find information about known issues in the Known Issues topic.

1.3.1

December 16, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0 - 1.2.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Stability and performance improvements

  This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• Developer Portal backend information is unintentionally updated when editing clusters within an environment (39409)
• The Inbound TLS policy breaks when upgrading from API Connectivity Manager 1.2.0 to 1.3.0. (39426)
• The web interface doesn’t pass the enableSNI property for the TLS backend policy (39445)

Known Issues

You can find information about known issues in the Known Issues topic.

1.3.0

December 12, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0 - 1.2.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Configure access-controlled routing

  API lifecycle management requires routing API traffic with fine-level control, which is something that token-based authentication schemes that leverage JWT claims do well. Permissions can be encoded as custom claims in the token. Then, once the API proxy validates the token (JWT), it can access all the fields in the token as variables. Decisions can be made based on matching the claims.

  • Applying Fine-Grained Access Control

    API Owners can apply fine-grained access control and restrict access to their APIs based on specific claims in the token. The policy can be configured to enforce fine-grained control for specific routes or be fine-tuned to support particular methods per route.

  • Header-Based Routing

    Routing decisions can be made based on headers in the incoming requests. API owners can configure rules and conditions that must be matched before routing requests.

  See Configure Access Control Routing to learn how to restrict access to your application servers based on JWT claims or header values.

• Use the web interface to publish and manage gRPC services

  With API Connectivity Manager 1.2, we introduced support for publishing and managing gRPC services. Now, in this release, we extend that capability to the web interface.

  You can secure gRPC services with the following policies:

  • gRPC environment policies

    • Error Response Format
    • Log Format
    • Proxy Response Headers
    • Request Body Size Limit
    • Request Correlation ID
    • TLS Backend
    • TLS Inbound

  • gRPC proxy policies:

    • ACL IP Restriction
    • APIKey Authentication
    • Basic Authentication
    • GRPC Backend Config
    • JSON Web Token Assertion
    • OAuth2 Introspection
    • Proxy Request Headers
    • Rate Limit

• Secure communication between API Connectivity Manager and Developer Portal with mTLS

  API Connectivity Manager communicates with the Developer Portal host to publish API docs and create API credentials. Now, PlatformOps can secure this communication channel by enabling mTLS between the hosts.

  Previously, mTLS required a TLS backend policy on the internal portal proxy cluster. API Connectivity Manager 1.3 removes that restriction. The TLS inbound policy on the internal portal allows providing a client certificate for API Connectivity Manager when mTLS is enabled. API Connectivity Manager presents this client certificate when connecting to the Developer Portal, identifying itself as a trusted client.

• Other Enhancements

  • Improved policy layout

    The Policy user interface has been improved with highlights for the different policy sections.

  • NGINX Management Suite config changes are preserved during upgrade

    Upgrades no longer overwrite customized configurations unless instructed to by the user.

  • Support for chained certificates

    Infrastructure administrators can now upload public certificates in PEM format, along with an optional list of intermediate certificates for validating the public certificate.

  • Support for SNI requirements from hosted services

    API owners can now use the OAuth2 policy with hosted Identity Provider services that enforce Server Name Indication (SNI).

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• No validation when conflicting policies are added (34531)
• Installing NGINX Agent on Ubuntu 22.04 LTS fails with 404 Not Found error (35339)
• New users are unable to see pages even though they have been given access. (36607)
• Portals secured with TLS policy require additional environment configuration prior to publishing API docs (38028)
• The user interface is erroneously including irrelevant information on the TLS inbound policy workflow (38046)

Known Issues

You can find information about known issues in the Known Issues topic.

1.2.0

October 18, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0 - 1.1.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Restrict access to APIs based on IP address

  Using the ACL-IP policy, API owners can now restrict access to APIs based on IP addresses. APIs can be protected by quickly blocking rogue requests from certain IPs or allowing access to only known IPs.

• Secure API access with OAuth2 tokens

  API Owners can restrict access to their APIs with OAuth2 tokens by swapping an opaque token for claims or a JWT token to be proxied to the backend service. The policy can be configured to grant access to APIs after having the tokens introspected. In addition, the claims in the token can be extracted and forwarded to the backend service.

  Tip:
  Learn how to set up an OAuth2 Introspection policy with Keycloak as the authorization server.

• Enhanced API documentation on developer portal

  The API documentation published to the Developer Portal now displays detailed security schema information for each API.

• Support for HTTP/2

  To improve the performance and efficiency of client-server interactions, HTTP/2 can be enabled on the API proxies. With HTTP/2 enabled, API Proxies will continue to maintain backward compatibility with older browsers.

• Improved visualizations for resource credentials

  API owners can now view the origin of resource credentials. The source field indicates where the credentials were created. For security reasons, the credentials created on the Developer Portal will be masked, but the API owners can view the origin of the resource credentials.

• Express API payload size with unit of measure

  The maximum allowed size for the client request body can now be configured in bytes, kilobytes(K) or megabytes(M).

  The maxRequestBodySizeLimit attribute of the policy is deprecated and will be removed in API Connectivity Manager 1.3.0. Size is the new attribute that supports bytes, megabytes(M), and kilobytes(K). The default setting is 1M.

• Database backup included in support packages

  The Developer Portal support package now includes the option to back up the PostgreSQL database.

• Publish and manage gRPC services - preview release

  Important:
  This is a preview feature for you to try out. You shouldn’t use preview features for production purposes.

  To handle gRPC traffic, you can now publish and manage gRPC proxies.

  Publish gRPC proxies and route gRPC traffic to support the following use cases:

  • Simple RPC (single request‑response)
  • Response‑streaming RPC
  • Request‑streaming RPC
  • Bidirectional‑streaming RPC
  • Route to all services in a gRPC service package
  • Route to a single gRPC service
  • Route to individual gRPC methods
  • Route to multiple gRPC services
  • Respond to errors with custom gRPC error response format policy

• Out-of-the-box protection for Developer Portals

  Developer Portals are now deployed with out-of-the-box protection against rapid requests/overuse and server fingerprinting:

  1. Protection against server fingerprinting

  The proxy response header policy is now applied by default to a Developer Portal. The default policy disables server tokens from being returned in the proxy response.

  2. Protection against rapid requests and over-use

  To protect the portal application, the default rate limit policy limits the number of requests a client can make in a time period. Platform admins can customize the policy to meet their SLAs.

• Support for multi-host deployment pattern for Developer Portals

  Developer Portals can support multiple deployment patterns. The portal backend API service can be scaled to multiple hosts and can be load-balanced using host IP addresses or internal DNS.

  To support the deployment patterns, configs -> proxyConfig -> backends object has been introduced in the Portal Proxy runtime. The existing backend object in the proxyCluster object of the Portal Proxy runtime is being deprecated and will not be available in the next major release version.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• Enums are not supported in Advanced Routing. (34854)
• Unable to delete an environment that is stuck in a Configuring state. (35546)
• Credentials endpoint is disabled by default (35630)
• Ratelimit policy cannot be applied with OAuth2 JWT Assertion policy. (36095)
• Using labels to specify the backend is partially available (36317)
• To see updates to the Listener’s table, forced refresh of the cluster details page is required. (36540)

Known Issues

You can find information about known issues in the Known Issues topic.

1.1.1

August 31, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Stability and performance improvements

  This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• OIDC policy doesn’t work with Auth0 Identity Providers (36058)
• Traffic is not secured between the API Proxy and backend servers (36714)
• Advanced routing ignores the Context Root setting for backend proxies (36775)

Known Issues

You can find information about known issues in the Known Issues topic.

1.1.0

August 18, 2022

Upgrade Paths

API Connectivity Manager supports upgrades from these previous versions:

• 1.0.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Advanced Cluster Management

  Including more than one proxy cluster with the same hostname in an environment replicates configuration across all clusters and assists with blue-green deployments. With advanced cluster management, you can use a load balancer in front of the clusters to slowly move to the newer version of the API gateway. For example, one cluster may belong to NGINX Plus version R26 and another to R27. See the Technical Specifications.

• Advanced Routing feature is available now

  Advanced routing feature is available now. You can use it to publish an API Proxy and route specific URIs/endpoints precisely to a backend service. Advanced routing with OAS Specification allows you to import a specification file, parse all the URIs/endpoints in the file and publish API proxy by routing each URI/endpoint precisely to a backend service. To use the advanced routing feature without an OAS specification file, add the URI/endpoints while publishing the API proxy. See the Advanced Configurations section.

• SQLite is supported for Developer Portal

  SQLite is now supported as a database for Developer Portal installations.

• Support for NGINX Plus Release 27 (R27)

  This release supports NGINX Plus Release 27 (R27) version for Data Plane instances. See the Technical Specifications.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• JWT Assertion policy accepts an empty string value for tokenName property (35419)
• Environment is in a premature success state even though all proxy clusters may not be onboarded (35430)
• Cannot add, remove, or edit proxy clusters from an environment that has a published API proxy (35463)
• Features in the web interface are not displayed after uploading license (35525)
• DEVPORTAL_OPTS in /etc/{default,sysconfig}/nginx-devportal does not work if value has multiple words (36040)

Known Issues

You can find information about known issues in the Known Issues topic.

1.0.0

July 19, 2022

What’s New

This release includes the following updates:

• API Connectivity Manager is now available

  • Create and manage isolated workspaces for business units, development teams, etc., so each team can develop and deploy at its own pace without affecting other teams.
  • Create and manage API infrastructure in isolated workspaces.
  • Create and manage production and non-production environments within team workspaces and control who can access APIs at various lifecycle stages. For example, keep APIs under development private and publish production-ready APIs for public access.
  • Enforce uniform security policies across all workspaces by applying global policies.
  • Create Developer Portals that align with your brand, with custom color themes, logos, and favicons.
  • On-board your APIs, publish to an API gateway, and publish your API documentation to the Developer Portal.
  • Let teams apply policies to their API proxies to provide custom quality of service for individual applications.
  • On-board API documentation by uploading an OpenAPI spec.
  • Publish your API docs to a Developer Portal without giving the public access to your API.
  • Monitor system and traffic metrics at the instance level.
  • Self-service credential issuance for API Keys and Basic Authentication.
  • Test API calls to your system using the “Try it out” feature in the Developer Portal.

Known Issues

You can find information about known issues in the Known Issues topic.