Hi, I have an application in internal network with no public internet access.

I want NGINX API gateway deployed in public exposed network that authenticates incoming HTTP, and rest service traffic and then relays the traffic to upstream servers.

Similarly I want the NGINX API Gateway to authenticate SOAP requests also. But SOAP has its own WS security, and I believe SOAP request should not have any sessionid or token for web authentication. So this means API gateway will not be able to perform authentication as its doing for
normal http and rest service traffic.

What should be the best solution to secure a SOAP service behind a NGINX API gateway ? Or it should not be protected by NGINX API Gateway module ?