背景:
1、近年来,微服务架构在大中型企业中的应用越来越广泛。在解决了单体架构所带来的负责性高、部署慢、创新性低的问题的同时,也带来了一些新的安全问题。在微服务的架构中,一个大的应用会被拆分成多个小的单一的服务提供出来,这些小的服务有自己的处理,有自己的数据库(也可以共用),业务系统开发的每个接口都需要独立实现和安全相关的认证、授权、限速,不但重复开发而且无法统一管理,容易产生遗漏。Kong是由Mashape开发的并且于2015年开源的一款API网关框架,使用kong以后,应用系统只需要专注自己的业务实现,通过的缓存、日志记录、认证、授权等均有kong来实现,同时kong也可以用于传统业务接口的保护,如短信轰炸、账户爆破、卡号证件号遍历等等。,笔者所在的单位也在积极拓展微服务架构,身为高级安全工程(背锅侠),如何解决api安全,是笔者的工作之一。
2、近日,某监管部门发文提示,某机构驻场人员通过伪造esb报文,向esb发送请求,esb未对报文的来源及有效性做校验,直接调用转账接口进行转账,造成资金损失。笔者思考,利用kong的api key认证模式能够解决该风险。
kong的工作模式
CLIENT
KONG SERVERS
当Kong运行时,每个对API的请求将先被Kong命中,然后这个请求将会被代理到最终的API。在requests和responses之间,Kong将会执行已经事先安装和配置好的任何插件,授权您的API。Kong是每个API请求的入口点(point)。
Kong的安装
环境:虚拟机centos7 硬盘20G以上
参考
1、安装依赖
安装pcre zlib openssl
sudo yum install -y pcre pcre-devel
sudo yum install -y zlib zlib-devel
sudo yum install -y openssl openssl-devel
安装postgresql(同样也可以使用cassandra)
sudo yum install -y https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-7-x86_64/pgdg-centos95-9.5-2.noarch.rpm
sudo yum install -y postgresql95-server postgresql95-contrib
sudo /usr/pgsql-9.5/bin/postgresql95-setup initdb
sudo systemctl enable postgresql-9.5.service
sudo systemctl start postgresql-9.5.service
suso systemctl status postgresql-9.5.service
配置postgresql sudo passwd postgres(修改密码为postgresql)
新建用户kon gsudo adduser kong
切换centos用户su postgres
进入控制台psql
修改管理员postgres密码\password postgres(这里也修改为postgresql)
创建数据库用户
create user kong with password ‘123456’;
// 为新用户建立数据库
create database kong owner kong;
// 把新建的数据库权限赋予 kong
grant all privileges on database kong to kong;
退出\q
登录 psql -U kong -d kong -h 127.0.0.1 -p 5432
这个时候会登录失败,修改
/var/lib/pgsql/9.5/data/pg_hba.conf
If you want to allow non-local connections, you need to add more
“host” records.
In that case you will also need to make PostgreSQL
listen on a non-local interface via the listen addresses
configuration parameter, or via the -i or -h command line switches.
TYPE DATABASE
USER
ADDRESS
“local” is
local
IPv4 local
host
IPv6 local
host
for Unix domain
connections:
connections:
socket
Allow replication connections from
replication privilege.
- connections
- only
- 127.0.0.1/32
- localhost,
- by a
- 127.0.0.1/32
-
: 1/128
user
with
local
host
iost
replication
replication
replication
postgres
postgres
postgres
METHOD
trust
trust
trust
the
trust
trust
trust
2、安装kong
下载
安装
rpm -ivh kong-community-edition-0.13.1.el7.noarch.rpm
修改配置文件
sudo vi /etc/kong/kong.conf,添加自己开始设置的postgres的配置信息
database = postgres
pg_host =
127.0.0.1
pg_port —
- 5432
pg_user = kong
pg_password =
123456
pg_database = kong
pg_ssl = off
Determines which of PostgreSQL or Cassandra
this node will use as its datastore.
Accepted values are ‘postgres’ and
cassandra
The PostgreSQL host to connect to.
The port to connect to.
The username to authenticate if required.
The password to authenticate if required.
The database name to connect to.
Toggles client-server TLS connections
between Kong and PostgreSQL.
添加环境变量export KONG_SERF_PATH=”/usr/local/bin/serf”
启动kong kong start –c kong.conf
这个时候会报错,按照提示 kong migrations up
再次启动
kong的默认端口为8000 管理端口为8001
3、安装kong 图形化界面
yum install npm
npm install -g kong-dashboard
kong-dashboard start –kong-url http://127.0.0.1:8001
默认开放8080号端口,访问
192.168.1.101
Home
APIs
Consumers
Plugins
SNIs
Certificates
Upstreams
Search
Welcome to Kong Dashboard
Kong dashboard is a central hub for you to manage your Kong setup.
Learn Kong
This Dashboard will let you interact with
your Kong API to create or edit APIs,
Consumers and Plugins.
Wondering what all that means? Have a
look at the Kong documentation.
DOCUMENTATION
Get started
Not sure where to start?
How about listing your current APIs or
Consumers, creating a new API or a new
Consumer?
CREATE AN API
Contribute
Kong Dashboard is an open source
project hosted on github.
Special thanks to 5 top contributors:
marceldiass
balexandre
nkCoding
GITHUB PAGE
4、安装lnmp
wget http://soft.vpser.net/lnmp/lnmp1.5.tar.gz
解压 tar -xzvf lnmpl.5.tar.gz
进入解压目录执行./install.sh lnmp 自动化安装
创建数据库farmsec 表 student 在/home/wwwroot/default/douwaf-api
目录下创建文件下farsec,创建文件users.php内容为
uid
con)
mysql select db(“farmsec” ,
sql
‘select from users where uid=
result
mysql query(
row = my'ql fetch array(
username —
email =
phone = $row[ ‘phone’];
echo ;
创建3个用户分别为柯南 小六 和19
farmsec
New
users
information schema
mysql
performance schema
Show all
+ Options
Number of mws:
email
kaoquanyang
wangba
[email protected]
25
phone
1366666
13888888
1382772
Filter
uid
3
username
kenan
xiaoliu
shijiu
正常情况下,这个场景就相当于我们说的,通过遍历uid越权查看其他用户信息
访问http://192.168.1.101/farmsec/users.php?uid=1
@ 192.168.1.101/farmsec/users.php?uid=1
uid=l, username=kenan, email=kaoquanyang, phone=1366666
4、配置kong
配置基础转发服务
curl -i -X POST –url http://localhost:8001/apis/ –data ‘name=farmsec’ –data ‘hosts=127.0.0.1’ –data ‘upstream_url=http://127.0.0.1:80’
第一个–data 指定目录为farmsec,第二个data制定为本机 第三个–data 是要转发的url地址
创建成功
[root@localhost farmsec]# curl -i -X POST
e=farmsec
-data ‘hosts=127.0.0.1’
-data
HTTP/I.1 201 Created
Date: sun, 01 Jul 2018 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-0rigin: *
Server: kong/0.13.1
upstream
{“created at” :1530447738574, “strip uri” :true, id
” , “hosts , “name
” : “farmsec” , “http if terminated” :false, “preserve host” :fal
se, “upstream url •
” . “http:\/\/127.O.O.1:80
” , “upstream connect timeout” :60000, “upstream se
nd timeout” :60000, “upstream read timeout” :60000, ” retries” “https only” :false}
–url http://localhost:8001/apis/
uri=http://127.O.O.1:80’
- -data
’ nam
这时可以通过curlf访问kong的api服务,通过执行http header的HOST字段来区分不同的api服务
curl “http://127.0.0.1:8000/farmsec/users.php?uid=2” –header ‘HOST:127.0.0.1’
Not Found[root@localhost fcurl -i -X POST –url http://localhost:8001/apis/
e=farmsec’ –data ‘hosts=127.0.0.1’
-data
HTTP/I.1 201 Created
Date: sun, 01 Jul 2018 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-0rigin: *
Server: kong/0.13.1
-data
‘nam
upstream
uri=http://127.O.O.1:80’
{“created at” :1530448218066, “strip uri” :true, “Id
” , “hosts , “name
” : “farmsec” , “http if terminated” :false, “preserve host” :fal
se, “upstream url •
” . “http:\/\/127.O.O.1:80
” , “upstream connect timeout” :60000, “upstream se
nd timeout” :60000, “upstream read timeout” :60000, ” retries” “https only” :false}
[root@localhost farmsec]# Is
p.php users.php
[root@localhost farmsec]# curl “http://127.0.0.1:8000/farmsec/users.php?uid=2”
‘HOST:127.O.O.1
farmsec]#
-header
图形化界面的管理后台的api栏目中也多了一个api
192.168.1.101
Home
APIs
Consumers
Plugins
SNIs
Certificates
Upstreams
APIs
Name
farmsec
Host(s)
127.0.0.1
Uri(s)
Method(s)
Search
Upstream url
http://127.O.O.1:80
Created
Jul 1, 2018
eoo
使用kong进行key认证
1、创建consumer
curl -i -X POST –url http://127.0.0.1:8001/consumers/ –data “username=xiaodong” –data “custom_id=5”
[root@localhost farmsec]# curl -i -X POST –url http://127.0.0.1:8001/consumers/
“username=xiaodong” - -data “custom id=5”
HTTP/I.1 201 Created
Date: sun, 01 Jul 2018 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-0rigin: *
” username ” : “xiaodong
-data
Server: kong/0.13.1
{“custom id” : “5” , “created
[root@localhost farmsec]#
at” : 1530419836000 ,
” , ” id” : “a64f7411-a9fO-4
记下id
2、创建API key
curl -i -X POST –url http://127.0.0.1:8001/consumers/xiaodong/key-auth –data “key=a64f7411-a9f0-4e77-b042-a3a280079783”(这一点兜哥书中给的为-d “” 实际中可能由于版本问题无法实现)
[root@localhost farmsec]# curl
-i -X POST –url http://127.0.0.1:8001/consumers/xiaodon
g/key-auth
- -data “key=a64f7411
-a9fO-4e77-b042-a3a280079783”
HTTP/I.1 201 Created
Date: sun, 01 Jul 2018 GMT
Content-Type: application/json;
charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-0rigin: *
Server: kong/0.13.1
id” : “9eeOc95c-f945-46gg-9da5-19860a928ed4” , “created at” : 1530420003000, “key” : “a64f7411
-a9fO-4e77-b042-a3a280079783
” , “consumer id
分配的apikey 为64f7411-a9f0-4e77-b042-a3a280079783
开启api key认证功能
curl -i -X POST –url http://127.0.0.1:8001/apis/farmsec/plugins –data “name=key-auth” –data “config.hide_credentials=true”
[root@localhost farmsec]# curl -i -X POST –url http://127.0.0.1:8001/apis/farmsec/plug
-data “name—key-auth”
-data “config.hide credentials=true”
HTTP/I.1 201 Created
Date: sun, 01 Jul 2018 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-0rigin: *
Server: kong/0.13.1
{“created at” :1530420169000, “config” in body” :false, “hide credentials” :true, “anon
, ” • ” :iiff34c30f-afd2-4a24-9814
ymous” : , ” run on preflight” :true, “key names” : [“apikey”]} Id
-Ocgc2f36b65e -
” , “name” : “key-auth” , “api Id
” , “enabl
ed” : true}
api key验证
开启认证后,不允许直接访问原j接口
[root@localhost farmsec]# curl
‘HOST:127.O.O.1’
{“message” : “No API key found in
[root@localhost farmsecl#
“http : //127.0.0.1 : 8000/farmsec/users .
request”}
-header
Url也不允许访问
192.168.1.101
:8000/farmsec/users.php?uid=2
“message
. no route and no API found with those values
使用api认证访问
[root@localhost farmsec]# curl “http://127.0.0.1:8000/farmsec/users.php?uid=2”
‘HOST:127.O.O.1
-H “apikey:a64f7411-a9fO-4e77-b042-a3a280079783”
farmsec]#
-header
再看consumer
192.168.1.101
:8080/#!/consumers
Jul 1, 2018
Home
APIs
Consumers
Plugins
SNIs
Certificates
Upstreams
Consumers
Usemame
Mac
farmsec
kongtest —data customer_id=2
xiaodong
Custom id
2
(none)
5
Search
Created
Jun 30, 2018
Jun 30, 2018
Jun 30, 2018
eoo
eoo
eoo
eoo
此外kong还可以用于api访问限速、Bot检测等等。当然了,这只是一个简单的尝试,如果要应用于实际的业务场景还需要更多的探索,写出适合业务的插件。
参考:
https://github.com/xuxiangwork/Sharing/wiki/centos7-%E5%AE%89%E8%A3%85-kong-%E8%AF%A6%E8%A7%A3
《企业安全建设—基于开源软件打造企业网络安全》-刘焱