DoD Dark Site API Gateway: STIG-Compliant, COTS-Free, Self-Service

The Problem With COTS in Classified Environments

Commercial off-the-shelf gateway appliances are the default choice in many government environments, but they come with a set of problems that compound over time in sensitive or air-gapped deployments.

The Architecture

The replacement stack is built entirely on proven open-source components, each with full source code available for audit, reproducible container builds, and no external dependencies required at runtime.

Zero Trust Implementation

The stack implements Zero Trust aligned with NIST SP 800-207, the CISA Zero Trust Maturity Model, and the DoD Zero Trust Reference Architecture. Every API request is authenticated and authorized independently. Network location grants nothing.

1. 1
   Verify identity (Keycloak)

   Every request must carry a valid token issued by Keycloak. Tokens are short-lived. Users authenticate against Active Directory via LDAPS federation. MFA can be enforced per realm or per client.

2. 2
   Enforce policy (APISIX)

   APISIX validates the token on every request via the Keycloak plugin and enforces RBAC policies at the gateway edge. Routes only accept traffic from identities with the required role. No implicit trust based on internal network position.

3. 3
   Validate the request

   Rate limiting, input validation, and request size enforcement run as APISIX plugins before traffic reaches any backend service. Malformed or over-limit requests are rejected at the gateway.

4. 4
   Log everything

   Every transaction is logged with timestamps across all components. Keycloak logs all authentication and admin events. APISIX logs all routing decisions. PostgreSQL logs all connections and DDL. Logs are structured for SIEM ingestion and forensic export.

STIG Compliance Out of the Box

The hardened deployment configuration addresses 26 of 32 applicable STIG controls automatically on first deploy. The remaining 6 require manual steps that are fully documented: TLS certificate generation, Keycloak password policy configuration, AD federation setup, FIPS mode activation, image signing, and network segmentation for Kubernetes.

• All containers drop all Linux capabilities and add back only what is required
• All containers run as non-root with no privilege escalation allowed
• Read-only filesystems with tmpfs mounts for writable paths only
• Resource limits set on all containers to prevent resource exhaustion
• Health checks configured on all services
• TLS 1.2 minimum with DoD-approved cipher suites enforced at the edge
• Security headers enforced: HSTS, CSP, X-Frame-Options, and others
• DoD consent banner served at the gateway login path
• JSON structured logging with rotation on all components
• SCRAM-SHA-256 database authentication, connection logging, and session timeouts

FIPS 140-2 capability is built in. The Nginx layer uses Red Hat UBI9 which is FIPS-capable. Running the stack on a FIPS-enabled RHEL host brings the entire deployment into compliance. Keycloak FIPS strict mode is a single environment variable.

Air-Gap and Dark Site Deployment

The environment has no internet access. All images must be transferred physically or over a classified network. The repository includes tooling to handle this without manual intervention.

• A script pulls and packages all required container images on a connected machine
• The image bundle is transferred to the air-gapped environment by whatever means is approved
• A load script on the dark side imports images locally or pushes them to an internal registry
• A compose file generator rewrites image references to point at the internal registry automatically
• The full stack deploys from a single command with no external calls at runtime

There are no license checks, no telemetry, no phone-home behavior, and no dependency on any external service once the images are loaded. The deployment is fully self-contained.

Self-Service for Teams

One of the primary goals was eliminating the bottleneck of gateway changes requiring specialized vendor knowledge or a ticket to a central team. The APISIX admin interface and declarative configuration make route and policy management accessible to any developer with appropriate access.

• New API routes are defined in a YAML file and applied via the admin API or dashboard
• Auth policies, rate limits, and routing rules update in real time without restarting anything
• The APISIX dashboard provides a UI for teams that prefer not to work directly with the API
• All configuration is version-controllable, diff-able, and reviewable like any other code
• Keycloak realm configuration can be exported and stored in source control for reproducible identity setup

Cost Comparison

The proprietary appliance carried licensing costs that scaled with usage and required vendor support contracts. The open-source replacement has no licensing cost at any scale.

• Nginx, APISIX, etcd, Keycloak, and PostgreSQL are all Apache 2.0 or equivalent permissive licenses
• No per-node, per-request, or per-service fees at any scale
• Infrastructure cost is the compute required to run the containers, nothing more
• Vulnerability response no longer depends on a vendor patch cycle
• No vendor relationship required for configuration changes or troubleshooting