
cagriman/service-proxy

 
 


Membrane API Gateway


Open Source API Gateway written in Java for REST APIs, WebSockets, STOMP and legacy Web Services. Featuring:

API Security:

OpenAPI:

Legacy Web Services:

Other:

  • Admin Web console
  • Load balancing
  • Embeddable reverse proxy HTTP framework for own API Gateways and products

Get Started

  1. Download the binary and unzip it.

  2. Run service-proxy.sh or service-proxy.bat in a terminal.

  3. Look at the configuration in conf/proxies.xml and change it to your needs.

Run the samples, follow the REST or SOAP tutorial, see the Documentation or the FAQ.

Configuration

Try the following snippets by copying them into the conf/proxies.xml file.

REST

Route requests from port 8080 to api.predic8.de when the path starts with /shop.

<api port="8080">
  <path>/shop</path>
  <target host="api.predic8.de" port="80" />
</api>

OpenAPI Configuration & Validation

Configures APIs from OpenAPI documents and validates messages against them.

<api port="2000">
    <openapi location="fruitshop-api.yml" validateRequests="yes"/>
</api>

Monitoring and Message Manipulation using Groovy or JavaScript

Dynamically manipulate and monitor messages with Groovy:

<api port="2000">
  <groovy>
    exc.request.header.add("X-Groovy", "Hello from Groovy")
    CONTINUE
  </groovy>
  <target host="localhost" port="8080" />
</api>

or JavaScript:

<api port="2000">
  <javascript>
    exc.getRequest().getHeader().add("X-Javascript", "Hello from JavaScript");
    CONTINUE;
  </javascript>
  <target host="localhost" port="8080" />
</api>

See also the Groovy example and the JavaScript example.

Rewrite URLs for Hypermedia

<api port="2000">
    <rewriter>
        <map from="^/goodlookingpath/(.*)" to="/backendpath/$1" />
    </rewriter>
    <target host="my.backend.server" port="80" />
</api>

Log HTTP

Log data about requests and responses to a file or database in CSV or JSON format.

<api port="2000">
  <log/> <!-- Logs to the console -->
  <statisticsCSV file="./log.csv" /> <!-- Logs fine-grained CSV -->
  <target host="api.predic8.de">
    <ssl/>
  </target>
</api>

WebSockets

Route and intercept WebSocket traffic:

<api port="2000">
  <webSocket url="http://my.websocket.server:1234">
    <wsLog/>
  </webSocket>
  <target port="8080" host="localhost"/>
</api>

(Find an example on membrane-soa.org)

Security

OAuth2

Secure an API with OAuth2

Use the widely adopted OAuth2/OpenID framework to secure endpoints against Google, Azure AD, GitHub, Keycloak or Membrane authentication servers.

<api name="Resource Service" port="2001">
  <oauth2Resource>
    <membrane src="https://accounts.google.com" clientId="INSERT_CLIENT_ID" clientSecret="INSERT_CLIENT_SECRET" scope="email profile" subject="sub"/>
  </oauth2Resource>    
  <groovy>
    // Get email from OAuth2 and forward it to the backend
    def oauth2 = exc.properties.oauth2
    exc.request.header.setValue('X-EMAIL',oauth2.userinfo.email)
    CONTINUE
  </groovy>
  <target host="thomas-bayer.com" port="80"/>
</api>

(Find an example on membrane-soa.org)

Membrane as AuthorizationServer/Identity Provider

Operate your own OAuth2/OpenID AuthorizationServer/Identity Provider:

<api name="Authorization Server" port="2000">
  <oauth2authserver location="logindialog" issuer="http://localhost:2000" consentFile="consentFile.json">
    <staticUserDataProvider>
      <user username="john" password="password" email="[email protected]" />
    </staticUserDataProvider>
    <staticClientList>
      <client clientId="abc" clientSecret="def" callbackUrl="http://localhost:2001/oauth2callback" />
    </staticClientList>
    <bearerToken/>
    <claims value="aud email iss sub username">
      <scope id="username" claims="username"/>
      <scope id="profile" claims="username email password"/>
    </claims>
  </oauth2authserver>
</api>

(Find an example on membrane-soa.org)

Basic Authentication

Secure an endpoint with basic authentication:

<api port="2000">
    <basicAuthentication>
        <user name="bob" password="secret" />
    </basicAuthentication>
    <target host="localhost" port="8080" />
</api>

SSL/TLS

Route to SSL/TLS secured endpoints:

<api port="8080">
  <target host="www.predic8.de" port="443">
    <ssl/>
  </target>
</api>

Secure endpoints with SSL/TLS:

<api port="443">
  <ssl>
    <keystore location="membrane.jks" password="secret" keyPassword="secret" />
    <truststore location="membrane.jks" password="secret" />
  </ssl>
  <target host="localhost" port="8080"  />
</api>

Rate Limiting

Limit the number of incoming requests:

<api port="2000">
  <rateLimiter requestLimit="3" requestLimitDuration="PT30S"/>
  <target host="localhost" port="8080" />
</api>

Load balancing

Distribute workload to multiple backend nodes.

<api name="Balancer" port="8080">
  <balancer name="balancer">
    <clusters>
      <cluster name="Default">
        <node host="my.backend-1" port="4000"/>
        <node host="my.backend-2" port="4000"/>
        <node host="my.backend-3" port="4000"/>
      </cluster>
    </clusters>
  </balancer>
</api>

Legacy SOAP and XML Web Services

API configuration from WSDL

SOAP proxies configure themselves by analysing WSDL:

<soapProxy wsdl="http://thomas-bayer.com/axis2/services/BLZService?wsdl"/>

Message Validation against WSDL and XSD

The validator checks SOAP messages against a WSDL document including referenced XSD schemas.

<soapProxy wsdl="http://thomas-bayer.com/axis2/services/BLZService?wsdl">
  <validator />
</soapProxy>

See the configuration reference for much more.
