APISIX Readonly Proxy

Prerequisites
Before you start following your guide you need prepare this list in advance Virtual Machine (VM) with Ubuntu Installed SSH access and Public IP of that machine Assigned Domain Name on that Public Ip e.g. - client-exante-proxy.company.com Ports 22, 80, 443 should be open Bearer Token to be provided (e.g. in case of Exante) Generate Auth Token Open a terminal window. Type this command, replacing YOUR_API_KEY and YOUR_SECRET_KEY with your real keys: echo -n "YOUR_API_KEY:YOUR_SECRET_KEY" | base64 Press Enter. The terminal will show a long string of letters and numbers. This is your encoded token. Copy that string. When you call your API, add this header (showing your copied string in place of ENCODED_STRING ): Authorization: Basic ENCODED_STRING If your API really needs a Bearer header instead, use: Authorization: Bearer ENCODED_STRING That’s it. Now your API call will send the correct token.

Installing Docker
Open Terminal Find the “Terminal” app and click it. Run the Easy Install Command In Terminal, type or paste this whole line and press Enter : wget -qO- https://get.docker.com/ | sh This downloads a small script and runs it. It will install Docker for you. Wait for It to Finish The script will show text as it downloads and sets up Docker. When the text stops, Docker is installed. Check Docker Works Still in Terminal, type: sudo docker run hello-world Press Enter . Docker will download a tiny test program and run it. If you see “Hello from Docker!”, it means Docker is ready. Let You Use Docker Without “sudo” (Optional) By default, you need to type sudo before every Docker command. If you want to skip typing sudo , do this: Type: sudo usermod -aG docker $USER Press Enter . Close Terminal and log out of your Ubuntu account. Then log back in. Now you can run Docker commands without sudo . For example: docker run hello-world That’s it! Docker is now installed on your Ubuntu 22.04 in just one simple step.

Installing APISIX
Open a terminal on your VM. Make a folder for APISIX: sudo mkdir -p /opt/apisix Create the file /opt/apisix/apisix.yaml : sudo nano /opt/apisix/apisix.yaml Copy and paste exactly this content into apisix.yaml . Replace YOUR_BASE64_DEMO_TOKEN and YOUR_BASE64_LIVE_TOKEN with your real Base64(API_KEY:SECRET_KEY) strings: apisix:

 node_listen: 9080 # APISIX will listen on port 9080 for HTTP

consumers:

 - username: finmars # a name for this client

 plugins:

 basic-auth:

 username: foo # user name you want to use for APISIX basic auth

 password: bar # password you want to use for APISIX basic auth

upstreams:

 - id: 1

 nodes:

 api-demo.exante.eu:443: 1

 scheme: https

 pass_host: node

 type: roundrobin

 - id: 2

 nodes:

 api-live.exante.eu:443: 1

 scheme: https

 pass_host: node

 type: roundrobin

plugin_configs:

 - id: 1

 plugins:

 basic-auth: {}

 proxy-rewrite:

 headers:

 set:

 # Replace this with your Base64(API_KEY:SECRET_KEY) for the demo environment

 Authorization: "Basic %TOKEN%"

 regex_uri:

 - "^/demo/(.*)"

 - "/$1"

 - id: 2

 plugins:

 basic-auth: {}

 proxy-rewrite:

 headers:

 set:

 # Replace this with your Base64(API_KEY:SECRET_KEY) for the live environment

 Authorization: "Basic %TOKEN%"

 regex_uri:

 - "^/live/(.*)"

 - "/$1"

routes:

 - uris:

 - /demo/md/*/accounts

 - /demo/md/*/symbols/*

 - /demo/md/*/summary/*

 - /demo/md/*/ohlc/*

 - /demo/md/*/transactions

 - /demo/md/*/crossrates/*

 - /demo/trade/*/orders/*

 upstream_id: 1

 plugin_config_id: 1

 - uris:

 - /live/md/*/accounts

 - /live/md/*/symbols/*

 - /live/md/*/summary/*

 - /live/md/*/ohlc/*

 - /live/md/*/transactions

 - /live/md/*/crossrates/*

 - /live/trade/*/orders/*

 upstream_id: 2

 plugin_config_id: 2

deployment:

 role: data_plane

 role_data_plane:

 config_provider: yaml

#END Save and close the file: Press Ctrl+O , then Enter to save. Press Ctrl+X to exit Nano. 2. Create a restart script for APISIX In the terminal, make a new script: nano /opt/apisix/restart_apisix.sh Copy and paste this into restart_apisix.sh : #!/bin/bash

# If a container named "apache-apisix" exists, stop and remove it

if docker ps -a --format '{{.Names}}' | grep -Eq "^apache-apisix\$"; then

 echo "Stopping and removing existing apache-apisix container..."

 docker stop apache-apisix

 docker rm apache-apisix

fi

echo "Starting a new APISIX container..."

docker run -d \

 --name apache-apisix \

 -p 9080:9080 \

 -e APISIX_STAND_ALONE=true \

 -v /opt/apisix/apisix.yaml:/usr/local/apisix/conf/config.yaml \

 -v /opt/apisix/apisix.yaml:/usr/local/apisix/conf/apisix.yaml \

 apache/apisix

echo "APISIX container is now running." Save and close: Press Ctrl+O , then Enter . Press Ctrl+X . Make the script executable: chmod +x /opt/apisix/restart_apisix.sh 3. Run APISIX for the first time In the terminal, run: ./restart_apisix.sh Wait a few seconds. APISIX will start in Docker, listening on port 9080, reading your /opt/apisix/apisix.yaml as both config.yaml and apisix.yaml . Check that it is running: sudo docker ps You should see a line for apache/apisix with 0.0.0.0:9080->9080/tcp . Look at the logs to ensure no errors: sudo docker logs apache-apisix You should see messages like “config file … reloaded” and no errors. 4. Test APISIX locally with curl (no Nginx yet) In the terminal, run: curl -u foo:bar http://127.0.0.1:9080/demo/md/3.0/accounts -u foo:bar sends your Basic Auth. The path /demo/md/3.0/accounts matches your route pattern /demo/md/*/accounts . If everything is correct, you will see JSON returned from Exante. If you see {"error_msg":"404 Route Not Found"} , double-check that the path matches exactly and that your tokens are correct.

Install Nginx Proxy
5. Install and configure Nginx and Let’s Encrypt 5.1. Install Nginx Update package lists: sudo apt update Install Nginx: sudo apt install nginx -y Start and enable Nginx: sudo systemctl start nginx

sudo systemctl enable nginx 5.2. Install Certbot for Let’s Encrypt Add repositories and update: sudo apt install software-properties-common -y

sudo add-apt-repository universe

sudo add-apt-repository ppa:certbot/certbot -y

sudo apt update Install Certbot with Nginx plugin: sudo apt install certbot python3-certbot-nginx -y 5.3. Obtain a certificate for your domain Make sure your DNS A record for abeta-proxy.finmars.com points to your VM PUBLIC_IP . Run: sudo certbot --nginx -d abeta-proxy.finmars.com Follow the prompts: Enter your email, then press Enter . Agree to terms by typing A , then Enter . Choose option 2 to redirect HTTP to HTTPS, then Enter . Certbot will create an Nginx site file and install the certificate under /etc/letsencrypt/live/abeta-proxy.finmars.com/ . 6. Configure Nginx to proxy to APISIX Open the site file Certbot created: sudo nano /etc/nginx/sites-available/default Inside the server { ... } block for port 443, find these lines: listen 443 ssl;

server_name abeta-proxy.finmars.com;

ssl_certificate /etc/letsencrypt/live/abeta-proxy.finmars.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/abeta-proxy.finmars.com/privkey.pem; Right below them, add: location / {

 proxy_pass http://127.0.0.1:9080;

 proxy_set_header Host $host;

 proxy_set_header X-Real-IP $remote_addr;

} After editing, that server { } block looks like: server {

 listen 443 ssl;

 server_name abeta-proxy.finmars.com;

 ssl_certificate /etc/letsencrypt/live/abeta-proxy.finmars.com/fullchain.pem;

 ssl_certificate_key /etc/letsencrypt/live/abeta-proxy.finmars.com/privkey.pem;

 location / {

 proxy_pass http://127.0.0.1:9080;

 proxy_set_header Host $host;

 proxy_set_header X-Real-IP $remote_addr;

 }

} Make sure there is also a block that redirects HTTP to HTTPS. It looks like: server {

 listen 80;

 server_name abeta-proxy.finmars.com;

 return 301 https://$host$request_uri;

} Save and close: Press Ctrl+O , then Enter . Press Ctrl+X . Test Nginx configuration: sudo nginx -t You should see “syntax is ok” and “test is successful”. Reload Nginx so it uses the new config: sudo systemctl reload nginx 7. Open firewall ports (if you use UFW) Allow HTTP (port 80) and HTTPS (port 443), and APISIX port (9080) in UFW: sudo ufw allow 80/tcp

sudo ufw allow 443/tcp

sudo ufw allow 9080/tcp Check UFW status: sudo ufw status

Final Tests
8. Final tests Test HTTPS through Nginx: In a browser or terminal, go to: https://abeta-proxy.finmars.com/demo/md/3.0/accounts Enter Basic Auth user foo and password bar . If your Base64 tokens are correct, you see JSON from Exante. Test other routes: https://abeta-proxy.finmars.com/live/md/3.0/accounts Use the same Basic Auth. Should return JSON if live token is correct. Test local APISIX again (no Nginx): curl -u foo:bar http://127.0.0.1:9080/demo/md/3.0/accounts This hits APISIX directly, without Nginx. Should return JSON if config is correct. 9. Automatic certificate renewal Certbot already set up automatic renewal. To test renewal, run: sudo certbot renew --dry-run If it says “Congratulations, all renewals succeeded,” your auto-renew is working. 10. How to update your APISIX config later Edit /opt/apisix/apisix.yaml any time: sudo nano /opt/apisix/apisix.yaml Save changes and exit. Run the restart script: ./restart_apisix.sh Check logs: sudo docker logs apache-apisix Test again with curl or in a browser.

Complete Recap
Complete Recap Create folder /opt/apisix . Create and fill /opt/apisix/apisix.yaml (with role: data_plane , consumers, upstreams, plugin_configs, routes, and #END ). Make restart_apisix.sh script that stops any old container and starts a new one, mounting /opt/apisix/apisix.yaml as both config.yaml and apisix.yaml . Run ./restart_apisix.sh to start APISIX. Test APISIX locally: curl -u foo:bar http://127.0.0.1:9080/demo/md/3.0/accounts . Install Nginx ( sudo apt install nginx ). Install Certbot ( sudo apt install certbot python3-certbot-nginx ). Get SSL : sudo certbot --nginx -d abeta-proxy.finmars.com . Edit Nginx site at /etc/nginx/sites-available/default to add: location / {

 proxy_pass http://127.0.0.1:9080;

 proxy_set_header Host $host;

 proxy_set_header X-Real-IP $remote_addr;

} Reload Nginx ( sudo nginx -t then sudo systemctl reload nginx ). Open firewall ports 80, 443, 9080 ( sudo ufw allow ... ). Test https://abeta-proxy.finmars.com/demo/md/3.0/accounts in a browser. Auto-renew is handled by Certbot. To update , edit /opt/apisix/apisix.yaml and run ./restart_apisix.sh . That is the full, clear set of instructions. Now your APISIX runs behind Nginx with a Let’s Encrypt SSL certificate, and you can update the config anytime by editing the file and restarting with the script.