
API Gateway Overview and Practical Implementation Using OpenResty/Nginx

The article explains how an API gateway serves as a unified, secure entry point for services, outlines the limitations of manual NGINX configurations, and describes a practical implementation using OpenResty/Nginx with the open‑source Orange framework—enhanced with dynamic routing, header‑based authentication, encryption, and high‑availability design, dubbed the Aegis gateway.

37 Interactive Technology Team

1.1 What is API Gateway

An API gateway is the single entry point for external requests. Every request passes through the gateway before it reaches a backend service, so callers see one stable interface that hides the services behind it. Because all traffic crosses that one point, the gateway is also where permission control, security monitoring and load balancing can be applied uniformly rather than per service.

Without a gateway, callers must know the real address of each backend service and stitch the calls together themselves. With a gateway, callers talk to one stable interface, and backend changes (new instances, moved services, split or merged APIs) are absorbed by the gateway's routing rules without any change on the caller's side.

2.1 Project Background

1. Need to add a new domain name, proxy it to a backend web service, and provide encryption/decryption.

2. Existing NGINX management is manual and lacks automation.

3. API documentation is inconsistent, with missing authentication definitions and deprecated interfaces posing security risks.

4. OpenResty features are under‑utilized; only basic functions are used.

2.2 Problem Analysis

The current architecture requires manual configuration of both the reverse-proxy machines and the backend web servers for each new domain, which makes the setup inflexible. Every new routing rule for domain- or URL-based traffic splitting, gray (canary) testing or a staged release needs its own hand-written proxy configuration.

Traffic identification and permission control are not enforced at the application layer, so developers and business owners cannot see which caller is sending which traffic, and unauthorized calls are only caught, if at all, deep inside each backend.

2.3 Feasibility Analysis

Major cloud providers (Alibaba Cloud, Tencent Cloud, AWS, etc.) already offer API gateway services.

A high‑availability active‑standby architecture can be adopted for automatic failover.

In case of failure, a traditional NGINX reverse‑proxy can serve as a backup.

2.4 Project Goals

Achieve a simple architecture that fully leverages OpenResty/NGINX features, with strong customizability and high extensibility.

Provide flexible configuration, dynamic updates, and plugin‑based management.

3.1 Technical Research

Open source gateways such as Kong and Orange were evaluated. Orange, built on OpenResty, was selected for secondary development to meet business requirements.

Orange offers API monitoring, custom rule management, traffic splitting, API redirection, authentication, and a web firewall. It can replace traditional NGINX/OpenResty front‑ends with a feature‑rich gateway system. Project address: https://github.com/sumory/orange/

Understanding OpenResty's request flow is essential. A request enters at "Request start" and passes through a fixed sequence of phases, each of which exposes a Lua hook: init (once, when the configuration loads), rewrite, access, content (for a gateway usually a proxy_pass to the backend), header filter, body filter and finally log, which runs after the response has been sent. Where a feature is implemented follows from this order: routing decisions belong in rewrite, authentication in access (where ngx.exit can stop the request before it reaches any backend), response edits in the filter phases, and metrics in log.
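The phase order above, as an added example that is not part of the original article or of the Orange project: a minimal OpenResty server that touches each phase with a Lua hook, in the order the runtime executes them. The upstream name app_backend, its port 8080 and the hostname test.com are assumptions for illustration.

```nginx
# Added example, not code from the article or from Orange.
# Shows the order of OpenResty request phases in one minimal server.
events { worker_connections 1024; }

http {
    upstream app_backend {
        server 127.0.0.1:8080;   # assumed backend address
    }

    # 1. init: runs once in the master process when the config loads.
    #    Anything defined here is shared by every later phase.
    init_by_lua_block {
        aegis_version = "demo"
        ALLOWED_METHODS = { GET = true, POST = true }
    }

    server {
        listen 80;
        server_name test.com;

        location / {
            # 2. rewrite: routing decisions and per-request context.
            #    ngx.ctx lives for exactly one request across all phases.
            rewrite_by_lua_block {
                ngx.ctx.started = ngx.now()
            }

            # 3. access: authentication / authorization. ngx.exit here
            #    ends the request before any backend is contacted.
            access_by_lua_block {
                if not ALLOWED_METHODS[ngx.req.get_method()] then
                    return ngx.exit(ngx.HTTP_NOT_ALLOWED)
                end
            }

            # 4. content: for a gateway this is normally a proxy, not
            #    content_by_lua_block.
            proxy_pass http://app_backend;

            # 5. header filter: response headers can still be changed here.
            header_filter_by_lua_block {
                ngx.header["X-Gateway"] = aegis_version
            }

            # 6. body filter (body_filter_by_lua_block) would run next,
            #    once per response chunk; omitted here.

            # 7. log: runs after the response is sent. It cannot change
            #    the response, which makes it the safe place for metrics.
            log_by_lua_block {
                local ms = (ngx.now() - (ngx.ctx.started or ngx.now())) * 1000
                ngx.log(ngx.INFO, "gateway latency ms=", ms)
            }
        }
    }
}
```

Two practical consequences of the order: a check placed in header_filter_by_lua_block cannot reject a request, because the backend has already been called by then, and a value written to ngx.ctx in rewrite is the cheapest way to carry per-request state into the log phase.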

3.2 Traffic Forwarding

Previously, traffic splitting relied on domain names. The gateway now enables multi‑condition routing (e.g., host equals test.com, URI matches /usr/query or a regex), allowing more flexible traffic control.
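The multi-condition rule above (host equals test.com, URI equals /usr/query or matches a regex), as an added example that is not part of the original article or of the Orange project. It goes slightly beyond the text by evaluating an ordered table of rules, each with several conditions, so the same code handles any number of routes. The rule table, the upstream names and ports are constructed for illustration; a real gateway would load the rules from storage into a shared dictionary so they can change without a reload.

```nginx
# Added example, not code from the article or from Orange.
# Multi-condition routing: each rule is a list of conditions that must
# all hold; the first matching rule picks the upstream.
events { worker_connections 1024; }

http {
    upstream query_backend   { server 127.0.0.1:8081; }   # assumed
    upstream default_backend { server 127.0.0.1:8080; }   # assumed

    init_by_lua_block {
        -- Constructed rule set (assumption for the example).
        ROUTES = {
            { backend = "query_backend", conds = {
                { field = "host", op = "eq",    value = "test.com" },
                { field = "uri",  op = "eq",    value = "/usr/query" },
            }},
            { backend = "query_backend", conds = {
                { field = "host", op = "eq",    value = "test.com" },
                { field = "uri",  op = "match", value = [[^/v\d+/usr/]] },
            }},
        }

        -- Returns the upstream name for a request, or the default.
        function pick_backend(host, uri)
            local vars = { host = host, uri = uri }
            for _, rule in ipairs(ROUTES) do
                local ok = true
                for _, c in ipairs(rule.conds) do
                    local v = vars[c.field]
                    if c.op == "eq" then
                        ok = (v == c.value)
                    elseif c.op == "match" then
                        -- "jo": PCRE JIT, compile once and cache
                        ok = ngx.re.find(v, c.value, "jo") ~= nil
                    else
                        ok = false   -- unknown operator never matches
                    end
                    if not ok then break end
                end
                if ok then return rule.backend end
            end
            return "default_backend"
        end
    }

    server {
        listen 80;
        # Only hosts listed here reach this block; $host is taken from the
        # client's Host header, so it must never be trusted on its own.
        server_name test.com;

        location / {
            set $backend default_backend;
            rewrite_by_lua_block {
                ngx.var.backend = pick_backend(ngx.var.host, ngx.var.uri)
            }
            # A variable in proxy_pass that names an upstream block
            # resolves to that block without needing a resolver.
            proxy_pass http://$backend;
        }
    }
}
```

The security point is in the server_name line: the host condition inside a rule is matched against a client-supplied header, so it only restricts routing when the server block itself is limited to the expected hostnames.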

3.3 Authentication

Earlier approaches carried credentials in query arguments or POST body fields. Query strings are written to access logs, browser history and Referer headers, and body fields force the proxy to parse every request body before it can decide anything, so both are insecure and inflexible. The gateway instead authenticates on HTTP headers, or on a combination of header and request fields, and does so without modifying backend code.
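Header-based authentication as described above, as an added example that is not part of the original article or of the Orange project. The caller sends an application id, a timestamp and an HMAC over the method, URI, timestamp and id; the gateway recomputes the HMAC in the access phase and rejects the request before any backend sees it. The header names, the key store, the secret, the five-minute clock skew window and the upstream are all assumptions for illustration.

```nginx
# Added example, not code from the article or from Orange.
# HMAC-signed request headers verified in the access phase.
events { worker_connections 1024; }

http {
    upstream app_backend { server 127.0.0.1:8080; }   # assumed

    init_by_lua_block {
        local bit = require("bit")

        -- Constructed key store (assumption): app id -> shared secret.
        -- A real gateway loads these from storage into a shared dict.
        APP_SECRETS = { ["demo-app"] = "s3cr3t-example-key" }
        CLOCK_SKEW  = 300   -- seconds; bounds replay of an old signature

        -- Constant-time string comparison so response timing does not
        -- leak how many leading bytes of a guessed signature were right.
        function secure_equal(a, b)
            if #a ~= #b then return false end
            local diff = 0
            for i = 1, #a do
                diff = bit.bor(diff, bit.bxor(a:byte(i), b:byte(i)))
            end
            return diff == 0
        end
    }

    server {
        listen 80;
        server_name test.com;   # assumed

        location / {
            access_by_lua_block {
                local h = ngx.req.get_headers()
                local app_id = h["X-App-Id"]
                local ts     = h["X-Timestamp"]
                local sig    = h["X-Signature"]

                -- A repeated header comes back as a table; only accept
                -- exactly one string value for each.
                if type(app_id) ~= "string" or type(ts) ~= "string"
                   or type(sig) ~= "string" then
                    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
                end

                local secret = APP_SECRETS[app_id]
                local tsn = tonumber(ts)
                if not secret or not tsn
                   or math.abs(ngx.time() - tsn) > CLOCK_SKEW then
                    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
                end

                -- Sign method, full request URI (with query string),
                -- timestamp and app id, newline separated.
                local to_sign = table.concat({
                    ngx.req.get_method(), ngx.var.request_uri, ts, app_id
                }, "\n")
                local expect = ngx.encode_base64(ngx.hmac_sha1(secret, to_sign))

                if not secure_equal(expect, sig) then
                    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
                end

                -- Tell the backend who was authenticated; overwrite so a
                -- client cannot inject its own value.
                ngx.req.set_header("X-Authenticated-App", app_id)
            }
            proxy_pass http://app_backend;
        }
    }
}
```

Two caveats a practitioner should weigh: ngx.hmac_sha1 is the only HMAC built into the OpenResty core, so moving to HMAC-SHA256 means pulling in lua-resty-string or lua-resty-openssl; and the timestamp window only limits replay to a few minutes, so an API that must reject every replayed request additionally needs a per-request nonce recorded in a shared dictionary for the length of the window.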

3.4 Encryption & Decryption

Encryption and decryption are handled at the gateway layer, so data is protected in transit without each backend service having to implement it separately.
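The article does not say which encryption is meant; the following assumes the most common form, TLS termination at the gateway, and is an added example that is not part of the original article or of the Orange project. The hostname, certificate paths and upstream are assumptions. The commented-out lines show the weak settings that older NGINX configurations still carry beside their corrected form.

```nginx
# Added example, not code from the article or from Orange.
# TLS terminated at the gateway; plain HTTP only on the internal hop.
events { worker_connections 1024; }

http {
    upstream app_backend { server 127.0.0.1:8080; }   # assumed

    # Redirect plain HTTP callers to TLS instead of serving them.
    server {
        listen 80;
        server_name api.example.com;                    # assumed
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name api.example.com;                    # assumed

        ssl_certificate     /etc/nginx/tls/api.example.com.crt;  # assumed path
        ssl_certificate_key /etc/nginx/tls/api.example.com.key;  # assumed path

        # Weak (do not use):  ssl_protocols SSLv3 TLSv1 TLSv1.1;
        ssl_protocols TLSv1.2 TLSv1.3;

        # Weak (do not use):  ssl_ciphers HIGH:!aNULL:!MD5;  (allows CBC / RSA kx)
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;

        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 1d;
        # Session tickets without key rotation undermine forward secrecy.
        ssl_session_tickets off;

        # Browsers will refuse plain HTTP to this host for two years.
        add_header Strict-Transport-Security "max-age=63072000" always;

        location / {
            proxy_pass http://app_backend;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        }
    }
}
```

Because the backend hop is plain HTTP, the X-Forwarded-Proto header is what lets the backend know the client connection was encrypted; the backend must take that header only from the gateway and never from the client directly, which is another reason to keep backends unreachable except through the gateway.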

4. Project Name Origin

The name “Aegis” (Greek: Αιγίς) refers to the mythological shield of Zeus and Athena, symbolizing protection—an apt metaphor for an API security gateway.
