We have an API Portal 3.1 implementation for one bank. Due to their security regulations they had a penetration test done on API Portal and came back with several problems to be fixed on the API Portal site.
For example, they want the /admin URL to be reachable only from inside the LAN. Requirements like these can be met with configuration changes to the Portal's local Apache httpd, such as a LocationMatch directive; however, this breaks the logout functionality (since logout is in fact a URL like /admin?action=logout). Upgrading httpd to 2.4.18 may be a solution, but it is a nightmare to update Red Hat without an internet connection, and we may not be supported. Anyway, they raise much more complicated issues. I don't think we can address them all using httpd. They also found some security issues, e.g. a user can delete other users' invitations, etc.
My question is: can we use API Gateway for "WAF" functionality? We might fix these issues by writing custom policies, but I would like to know if anyone has experience using API Gateway as a reverse proxy for API Portal.
Thanks in advance.
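As an added example (not from the original post), the /admin LAN restriction described above expressed with mod_rewrite instead of LocationMatch, so that the query string can be inspected and the logout request is not blocked; this works on httpd 2.2 as well as 2.4. It assumes mod_rewrite is loaded, httpd sees the real client address, and the LAN ranges 10.0.0.0/8 and 192.168.0.0/16 are placeholders to be replaced with the bank's own.

```apache
# Added example, not from the original post: keep /admin LAN-only without
# breaking /admin?action=logout. Place in server or VirtualHost context.
# Assumptions: mod_rewrite loaded; REMOTE_ADDR is the real client (no proxy
# in front of httpd); LAN ranges below are placeholders.
RewriteEngine On

# Client is NOT on the LAN ...
RewriteCond %{REMOTE_ADDR} !^10\.
RewriteCond %{REMOTE_ADDR} !^192\.168\.
# ... and requests /admin or anything below it ...
RewriteCond %{REQUEST_URI} ^/admin(/|$)
# ... and the query string is not exactly the logout action.
# Anchoring the whole string (rather than "contains action=logout") stops a
# second action parameter riding along, e.g. ?action=logout&action=other.
RewriteCond %{QUERY_STRING} !^action=logout$
# All conditions true: refuse with 403 Forbidden.
RewriteRule ^ - [F,L]
```

If API Gateway is later placed in front of the Portal as a reverse proxy, REMOTE_ADDR becomes the gateway's address and this rule must instead trust the forwarded client address (mod_remoteip on 2.4) or the LAN check must move to the gateway policy.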