Possible Issues and Solutions in Apinizer
Problem | The addresses within the WSDL returned by GetCapabilities in Geographic Information System services need to be migrated to Apinizer |
---|---|
Reason/Cause | - |
Solution | If the value 'GetCapabilities' in the 'request' key as a query parameter comes in the URL, it should be replaced with the corresponding address in Apinizer using a Business Rule or Script policy to be added to the second region. |
Problem | Seeing the client IP address in the format 10.244.x.x |
---|---|
Reason/Cause | In the Kubernetes NodePort structure, if the X-Forwarded-For value is not coming from the client, it defaults to forwarding the pod's IP address to the backend application. As a solution, setting the externalTrafficPolicy value to Local can resolve the issue. However, this leads to accessibility problems because NodePort doesn't route the incoming request to other servers in the cluster. You need to know the specific Node to access it. |
Solution | Since Apinizer Workers will be placed behind a structure like Nginx or F5, the configuration file of the relevant load balancer needs to include adding the xff information to the header, as shown below. # For Nginx, the configuration can be done as follows: location /apigateway/ { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://api.inst.com/apigateway/; |
Problem | Not displaying/transferring headers containing underscores in API Traffic Logs |
---|---|
Reason/Cause | This issue is not directly related to Apinizer but is related to the default settings of Nginx, which might be used in front of Apinizer. Nginx is commonly used as a web server and reverse proxy server. However, in the default configuration of Nginx, HTTP headers with underscores (_) in their names are not processed and passed. This is due to underscores not being standard in the HTTP RFC. |
Solution | To resolve this issue, you should set the vi /etc/nginx/nginx.conf http { underscores_in_headers on; }
kind: ConfigMap metadata: name: nginx-configuration namespace: ingress-nginx labels: app: ingress-nginx data: enable-underscores-in-headers: "true" |
Problem | Turkish characters are transmitted corruptly |
---|---|
Reason/Cause | Character set information must be set in the Content-Type header when sending data by the client. |
Solution | Content-Type header should be send, not just like "application/xml" but also setting "charset=UTF-8" which will look like "application/xml; charset=UTF-8" |
Problem | PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target |
---|---|
Reason/Cause | - |
Solution | The public certificate of the relevant address must be added to Apinizer from the Certificate Management page. If there is no browser that can access the address, use the openssl command with a server that has openssl installed and can access the address: openssl s_client -showcerts -connect server.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > serverscertfile.pem |
Problem | After our Apinizer has upgraded to 2024.05.4 users report that they can not login to web interface |
---|---|
Reason/Cause | With the security patch made in this version, it has been made mandatory to check the value of client IPs where the browsers are located in the Apinizer Management Console. For this reason, organizations that connect to the interface using "Kubernetes Ingress Controller" will need to set the X-Forwarded-For header setting |
Solution | Two changes are required for Ingress Nginx Controller to send this value.
YML
The "nginx.ingress.kubernetes.io/use-forwarded-headers" key should be added to the annotation section of the Ingress source definition with the value "true". The sample yaml file should look like this:
YML
|
Problem | WS-S or WS-STS policies used on SOAP services fail to get token with error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" |
---|---|
Reason/Cause | The token request for this service needs to be done through a reverse proxy, since the certificate uploaded to Apinizer cannot be used during the SOAP service call. |
Solution | A reverse proxy is created that routes with the relevant token receiving address, and the token receiving address of the wss/wssts policy in the service using the token is given as this service. In rare cases, it may be necessary to change the address in the xml message with a script via reverse proxy. |