Skip to content

Running in Production

When running Auto-REST in production, it is strongly recommended to deploy the generated server behind a reverse proxy. In additional to their many implicit benefits, modern proxies offer advanced configuration options that Auto-REST alone does not.

The following documentation highlights common proxy features for consideration by administrators. The Nginx proxy is used in examples for demonstrative purposes. Examples are provided for clarification and as a starting point for administrators. They are not intended for use as-is.

Enforcing TLS

It is generally considered good practice to prevented unencrypted connections from accessing APIs. Administrators may choose to block these connections outright, or redirect them to a port requiring encryption.

Example: Redirecting to TLS

The following example redirects unencrypted requests to a port requiring TLS. It is assumed the API server is running on http://localhost:8081 and SSL certificates are available under /etc/ssl.

server {
    listen 80;
    server_name api.example.com;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # SSL configuration
    ssl_certificate /etc/ssl/certs/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/privkey.pem;

    # Proxy configuration
    location / {
        proxy_pass http://localhost:8081;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

User Authentication

Authentication can be enforced at the proxy level, ensuring that only verified users can access the API. This can be used to protect private APIs or enforce login requirements before requests reach the backend server.

Example: Nginx Basic Authentication

The configuration below uses an HTTP Basic Authentication scheme which requires users to authenticate with a username and password. User credentials are managed using the htpasswd utility, which stores hashed user credentials in a /etc/nginx/.htpasswd file.

server {
    listen 443 ssl;
    server_name api.example.com;

    # SSL configuration
    ssl_certificate /etc/ssl/certs/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/privkey.pem;

    # Enable Basic Authentication
    auth_basic           "Restricted API";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Proxy configuration
    location / {
        proxy_pass http://localhost:8081;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enforcing Rate Limits

Rate-limiting provides a safeguard from malicious clients seeking to overwhelm a server with excessive requests. These limits may be applied globally, or on a per-client basis for more refined control.

Example: Nginx Rate Limiting

The following configuration demonstrates rate limiting using the limit_req_zone directive. The api_limit policy enforces a limit of 10 requests per second (10r/s) per user ($binary_remote_addr). The burst parameter allows a temporary burst of up to 20 requests, allowing momentary surges before applying the policy.

server {
    limit_req_zone $binary_remote_addr zone=api_limit rate=10r/s;
    location / {
        limit_req zone=api_limit burst=20;
    }
}

Enforcing CORS Policies

Cross-Origin Resource Sharing (CORS) prevents requests from unauthorized sources against the server. It restricts clients from submitting requests from unrecognized origins, unless explicitly allowed by the target server. This mechanism helps mitigate unauthorized data access from malicious third-party websites.

Example: Nginx CORS Configuration

The configuration below demonstrates a basic CORS policy using the add_header directive. This setup allows requests from any origin (Access-Control-Allow-Origin: '*') and limits the supported HTTP methods to those explicitly listed.

server {
    location / {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, HEAD';
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type';
    }
}