Problem

The addresses within the WSDL returned by GetCapabilities in Geographic Information System services need to be migrated to Apinizer

Reason/Cause

-

Solution

If the URL carries the query parameter 'request' with the value 'GetCapabilities', the address should be replaced with the corresponding address in Apinizer, using a Business Rule or Script policy added to the second region.

Problem

Seeing the client IP address in the format 10.244.x.x

Reason/Cause

In the Kubernetes NodePort structure, if no X-Forwarded-For value arrives from the client side, the pod's IP address is forwarded to the backend application by default. Setting the externalTrafficPolicy value to Local can resolve the issue. However, this causes accessibility problems, because NodePort then does not route incoming requests to the other servers in the cluster; you need to know the specific node to reach the service.

Solution

Since Apinizer Workers will be placed behind a load balancer such as Nginx or F5, the configuration file of that load balancer must add the X-Forwarded-For (XFF) information to the request headers, as shown below.


# For Nginx, the configuration can be done as follows:
location /apigateway/ {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://api.inst.com/apigateway/;
} # end location

Problem

Not displaying/transferring headers containing underscores in API Traffic Logs

Reason/Cause

This issue is not directly related to Apinizer but is related to the default settings of Nginx, which might be used in front of Apinizer.

Nginx is commonly used as a web server and reverse proxy server. However, in its default configuration, Nginx neither processes nor passes on HTTP headers with underscores (_) in their names. This is due to underscores not being standard in the HTTP RFC.

Solution

To resolve this issue, you should set the underscores_in_headers directive to on in the Nginx configuration file. This allows Nginx to correctly handle headers containing underscores.


vi /etc/nginx/nginx.conf

http {
    underscores_in_headers on;
}

For Ingress:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app: ingress-nginx
data:
  enable-underscores-in-headers: "true"


Problem

Turkish characters are corrupted in transit

Reason/Cause

The client must set the character set information in the Content-Type header when sending data.

Solution

The Content-Type header should be sent not just as "application/xml" but with "charset=UTF-8" as well, so that it looks like "application/xml; charset=UTF-8".


Problem

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Reason/Cause

-

Solution

The public certificate of the relevant address must be added to Apinizer from the Certificate Management page.

If there is no browser that can access the address, run the openssl command from a server that has openssl installed and can access the address:

openssl s_client -showcerts -connect server.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > serverscertfile.pem


Problem

After our Apinizer was upgraded to 2024.05.4, users report that they cannot log in to the web interface

Reason/Cause

With the security patch made in this version, it has become mandatory to check the IP address of the client on which the browser runs in the Apinizer Management Console. For this reason, organizations that connect to the interface through a "Kubernetes Ingress Controller" need to configure the X-Forwarded-For header.

Solution

Two changes are required for Ingress Nginx Controller to send this value.



The "use-forwarded-headers" key must be added to the data section of the ConfigMap definition with the value "true". The sample YAML file should look like this:


apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
data:
  use-forwarded-headers: "true"

The "nginx.ingress.kubernetes.io/use-forwarded-headers" key should be added to the annotations section of the Ingress resource definition with the value "true". The sample YAML file should look like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apinizer-manager-ingress
  namespace: apinizer
  annotations:
    nginx.ingress.kubernetes.io/use-forwarded-headers: "true"

On the load balancer side, one of the following headers must be sent:

XFF
Proxy-Client-IP
WL-Proxy-Client-IP
HTTP_X_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_X_CLUSTER_CLIENT_IP
HTTP_CLIENT_IP
HTTP_FORWARDED_FOR
HTTP_FORWARDED
HTTP_VIA
REMOTE_ADDR
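
Both the 10.244.x.x entry and this login entry depend on what ends up in X-Forwarded-For once every proxy has appended its peer address. The sketch below is an added example, not Apinizer's own code: it shows how a backend can pick the client address from that chain by trusting only hops it controls. The function names, the 10.244.0.0/16 pod network and the 192.0.2.10 load balancer address are assumptions made for illustration.

```python
import ipaddress

# Assumptions (constructed for this example): 10.244.0.0/16 is the pod network
# behind the 10.244.x.x addresses; 192.0.2.10 stands in for the Nginx/F5 host.
TRUSTED_PROXIES = [ipaddress.ip_network("10.244.0.0/16"),
                   ipaddress.ip_network("192.0.2.10/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    return any(addr in net for net in trusted)


def naive_client_ip(xff_header):
    """Leftmost XFF entry: whatever the client chose to send."""
    return xff_header.split(",")[0].strip()


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the nearest hop that is not one of our own proxies."""
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer, trusted):
        return str(peer)  # unknown peer: its XFF is client-supplied text
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = peer
    # $proxy_add_x_forwarded_for appends the peer address, so entries written
    # by our proxies are on the right; walk right to left.
    for raw in reversed(hops):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            break  # malformed entry: keep the last address we could parse
        candidate = addr
        if not is_trusted(addr, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed requests: (TCP peer seen by the backend, X-Forwarded-For)
    samples = [
        ("10.244.1.5", None),                                  # no XFF set
        ("10.244.1.5", "203.0.113.7, 192.0.2.10"),             # normal chain
        ("10.244.1.5", "127.0.0.1, 203.0.113.7, 192.0.2.10"),  # forged first entry
        ("10.244.1.5", "not-an-ip, 192.0.2.10"),               # malformed entry
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff))
```

With no header set, the result is the pod address, which is the symptom described in the 10.244.x.x entry; with a forged first entry, the right-to-left walk still returns the address the load balancer actually saw.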

Problem

WS-S or WS-STS policies used on SOAP services fail to get token with error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Reason/Cause

The token request for this service needs to be made through a reverse proxy, since the certificate uploaded to Apinizer cannot be used during the SOAP service call.

Solution

A reverse proxy is created that routes to the relevant token endpoint address, and the token endpoint address of the WS-S/WS-STS policy in the service using the token is set to this service. In rare cases, it may be necessary to change the address in the XML message with a script via the reverse proxy.