How to design and implement a lightweight open API gateway
Article address: blog.piaoruiqing.com/blog/2019/0...
Foreword
As the business grows, more and more third parties need to integrate with it, and the various business systems all face the same problem: how to let third parties integrate securely and quickly.
At this point, an API gateway service that combines signature verification, authentication, rate limiting, degradation and similar functions in one place becomes particularly important.
Next I will share how to design and implement a lightweight open API gateway, including interface design, database design, the signing and signature-verification scheme, authentication, and so on. This article focuses on the overall design; the specific implementation details will be shared in a future article.
API gateway overview
An API gateway is particularly important in a microservice architecture: it abstracts authentication, rate limiting, degradation and other features common to the business systems into one place, acting as a barrier between the many internal business systems and the outside world.
Basic requirements
- Signing and signature verification
- Authentication
- Routing
- Permission and resource management
Overall design
Signature verification, authentication and the other functions are processed as a chain of responsibility. According to the gateway configuration and the routing table, additional parameters are attached and the request is forwarded to the business system for processing (for example data filtering). The request flow is summarized as follows:
Interface design
The most basic function of a gateway is to forward requests. A common approach is to forward a request to an internal service according to configured routing rules, for example: requests to /order/* are forwarded to the internal order system, and requests to /user/* are forwarded to the internal user system. This approach is commonly used in a base gateway that fronts the whole business system.
The design used here is an open API gateway serving third parties, so it does not use the resource-path approach; instead the requested resource is passed as a parameter in the request body, for the following reasons:
- The open API serves third parties: hiding internal paths helps provide uniform, standardized interface naming.
- The mapping from request to interface is maintained by the gateway routing table, so internal interfaces can be upgraded, or even switched to a new service, while the external interface stays unchanged.
- Access control, rate limiting and statistics can be applied per interface at a finer granularity.
Address
The open API gateway provides a single entry point; the specific resource being requested is passed as a parameter.
Public parameters
To simplify signing and signature verification, and to improve flexibility, the single entry point has fixed, agreed public parameters and return values, as follows:
Public request parameters
Parameter name | Required | Type | Example | Remark |
---|---|---|---|---|
app_id | Yes | string | | Application ID |
method | Yes | string | aaa.bbb.ccc | Request method |
charset | Yes | string | UTF-8 | Encoding |
format | Yes | string | JSON | Business parameter format |
sign_type | Yes | string | RSA2 | Signature type |
sign | Yes | string | | Signature |
timestamp | Yes | number | 1564929661796 | Timestamp, unit: ms |
nonce | Yes | string | 63DCB93D270E44D49499F9E5D55705FE | Random string (a UUID is recommended) |
version | Yes | string | 1.0 | Interface version |
biz_content | Yes | string | {"start_time":"1564929661796", ...} | Business request parameters |
- app_id: application ID. The application is the authorized subject, and this ID identifies the caller.
- method: request method, corresponding to an internal URL; the mapping is maintained by the gateway routing table.
- timestamp and nonce: used to prevent replay attacks.
- biz_content: business parameters, which are forwarded to the internal business system.
Public return parameters
Parameter name | Required | Type | Example | Remark |
---|---|---|---|---|
code | Yes | number | 0 | Error code |
message | No | string | | Error message |
charset | Yes | string | UTF-8 | Encoding |
format | Yes | string | JSON | Return parameter format |
sign_type | Yes | string | RSA2 | Signature type |
sign | Yes | string | | Signature |
timestamp | Yes | number | | Timestamp, unit: ms |
biz_content | Yes | string | {"id":"1564929661796", ...} | Business return parameters |
- biz_content: business return parameters; the gateway forwards the return value of the business system.
This article was published on Pu Ruiqing's blog and may be reproduced for non-commercial use, provided the original author Pu Ruiqing and the link blog.piaoruiqing.com are retained. For licensing enquiries or cooperation, please contact by e-mail: piaoruiqing@gmail.com.
Signature scheme
Both the caller and the service side generate 2048-bit RSA keys and exchange public keys. The private key is used for signing and the public key for signature verification. Since the open API gateway interface is served over HTTPS, no additional encryption is applied for now.
Signature algorithm
Signature algorithm name | Standard signature algorithm name | Remark |
---|---|---|
RSA2 | SHA256WithRSA | An RSA key length of at least 2048 bits is mandatory |
Signature rules
Data to be signed
All parameters except sign.
Parameter ordering
Sort the parameters by parameter name in ascending ASCII order (that is, ascending alphabetical order).
Signature generation
Join the sorted parameters into a string of the form name_a=value_a&name_b=value_b&...&name_z=value_z, and sign that string with the private key to produce sign.
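The signing rules above, together with the timestamp and nonce replay protection described under the public request parameters, as an added example; this is not code from the original post or from the author's gateway. It assumes the `cryptography` package is installed. The sample parameter values, the five-minute replay window, base64 encoding of `sign`, using parameter values without URL-encoding, and the in-process nonce store standing in for Redis are all assumptions of the example.

```python
import base64
import time
import uuid

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SIGN_FIELD = "sign"
# Assumption (not stated in the article): how far a request's timestamp may
# drift from the gateway clock before the request is rejected, in milliseconds.
REPLAY_WINDOW_MS = 5 * 60 * 1000
REQUIRED_PARAMS = ("app_id", "method", "charset", "format", "sign_type",
                   "sign", "timestamp", "nonce", "version", "biz_content")


def build_sign_string(params):
    """Signature rules from the article: drop `sign`, sort the remaining
    parameter names in ascending ASCII order and join them as
    name_a=value_a&name_b=value_b&... . Values are used as-is; the article
    does not mention URL-encoding, so none is applied here (assumption)."""
    items = sorted((k, str(v)) for k, v in params.items() if k != SIGN_FIELD)
    return "&".join(f"{k}={v}" for k, v in items)


def generate_keypair():
    """2048-bit RSA key pair, the minimum the article requires for RSA2."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def sign_request(params, private_key):
    """Caller side. RSA2 is SHA256withRSA, i.e. PKCS#1 v1.5 padding with
    SHA-256. Returns a copy of the parameters with a base64 `sign` added."""
    data = build_sign_string(params).encode(params.get("charset", "UTF-8"))
    signature = private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    return {**params, SIGN_FIELD: base64.b64encode(signature).decode("ascii")}


class NonceCache:
    """In-process stand-in for the shared nonce store (the article uses Redis):
    a nonce is remembered for the replay window and then expires."""

    def __init__(self):
        self._expiry = {}  # nonce -> expiry time in ms

    def check_and_store(self, nonce, now_ms):
        for n in [n for n, exp in self._expiry.items() if exp <= now_ms]:
            del self._expiry[n]
        if nonce in self._expiry:
            return False
        self._expiry[nonce] = now_ms + REPLAY_WINDOW_MS
        return True


def verify_request(params, public_key, nonce_cache, now_ms):
    """Gateway side, cheapest checks first: required parameters, sign_type,
    timestamp window, then the signature. The nonce is consumed only after
    the signature passes, so unsigned junk cannot fill the nonce store.
    Returns (ok, reason)."""
    missing = [k for k in REQUIRED_PARAMS if k not in params]
    if missing:
        return False, "missing parameters: " + ",".join(missing)
    if params["sign_type"] != "RSA2":
        return False, "unsupported sign_type"
    try:
        ts = int(params["timestamp"])
    except (TypeError, ValueError):
        return False, "timestamp must be a number"
    if abs(now_ms - ts) > REPLAY_WINDOW_MS:
        return False, "timestamp outside replay window"
    try:
        data = build_sign_string(params).encode(params["charset"])
    except LookupError:
        return False, "unsupported charset"
    try:
        public_key.verify(base64.b64decode(params[SIGN_FIELD]), data,
                          padding.PKCS1v15(), hashes.SHA256())
    except (InvalidSignature, ValueError):
        return False, "signature verification failed"
    if not nonce_cache.check_and_store(params["nonce"], now_ms):
        return False, "nonce already used (replay)"
    return True, "ok"


def example_params(now_ms):
    """Constructed sample request following the public-parameter table."""
    return {
        "app_id": "2019080100000001",  # constructed value
        "method": "order.query",       # constructed method name
        "charset": "UTF-8",
        "format": "JSON",
        "sign_type": "RSA2",
        "timestamp": now_ms,
        "nonce": uuid.uuid4().hex.upper(),
        "version": "1.0",
        "biz_content": '{"start_time":"1564929661796"}',
    }


if __name__ == "__main__":
    priv, pub = generate_keypair()
    now = int(time.time() * 1000)
    request = sign_request(example_params(now), priv)
    cache = NonceCache()
    print(verify_request(request, pub, cache, now))  # first delivery: accepted
    print(verify_request(request, pub, cache, now))  # same request again: rejected
```

The order of checks matters: the timestamp window bounds how long a nonce has to be remembered, and storing the nonce only after the signature verifies keeps the nonce store from being filled by requests that would be rejected anyway.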
Database design
The permissions database stores keys and other configuration. Multi-level caching between the application and the database improves access speed. The ER diagram, in brief, is as follows:
- app: the calling principal, used to identify the requesting party.
- group: a grouping of apps; authorization can be granted to a group as a whole.
- subject: a principal (an app or a group).
- resource: a resource; maintains the mapping between requested resources and internal interfaces. url + http_method corresponds to a unique resource_id.
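The routing and permission lookup implied by the ER design above, as an added example; it is not code from the original post or the author's gateway. The table columns, the in-memory stores standing in for the database and its caches, the `method` to `resource` mapping, and the rule that an app inherits its group's grants are assumptions made for the example; the article only names the entities and the url + http_method uniqueness constraint.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """One row of the `resource` table: the external `method` name maps to an
    internal interface, and url + http_method identifies a unique resource_id."""
    resource_id: int
    method: str       # external name carried in the `method` public parameter
    url: str          # internal interface path
    http_method: str  # GET, POST, ...


class RoutingTable:
    """Maps the `method` public parameter to an internal resource and enforces
    the uniqueness of url + http_method from the ER design."""

    def __init__(self, resources):
        self._by_method = {}
        seen = {}
        for r in resources:
            key = (r.url, r.http_method.upper())
            if key in seen:
                raise ValueError(f"duplicate resource {key}: ids {seen[key]} and {r.resource_id}")
            seen[key] = r.resource_id
            if r.method in self._by_method:
                raise ValueError(f"duplicate method name {r.method}")
            self._by_method[r.method] = r

    def resolve(self, method):
        return self._by_method.get(method)


class PermissionStore:
    """`app` and `group` are both subjects; a grant ties a subject to a
    resource_id. An app's effective permissions are its own grants plus those
    of the group it belongs to (assumption about how group authorization works)."""

    def __init__(self):
        self._group_of = {}  # app_id -> group_id
        self._grants = {}    # (subject_type, subject_id) -> set of resource_id

    def assign_group(self, app_id, group_id):
        self._group_of[app_id] = group_id

    def grant(self, subject_type, subject_id, resource_id):
        if subject_type not in ("app", "group"):
            raise ValueError("subject must be app or group")
        self._grants.setdefault((subject_type, subject_id), set()).add(resource_id)

    def effective_resources(self, app_id):
        allowed = set(self._grants.get(("app", app_id), ()))
        group_id = self._group_of.get(app_id)
        if group_id is not None:
            allowed |= self._grants.get(("group", group_id), set())
        return allowed


def authorize(app_id, method, table, perms):
    """Routing plus permission step of the chain: returns (resource, reason).
    An unknown method and a known-but-forbidden one are both denied, and the
    internal url is only revealed to the gateway when access is allowed."""
    resource = table.resolve(method)
    if resource is None:
        return None, "unknown method"
    if resource.resource_id not in perms.effective_resources(app_id):
        return None, "forbidden"
    return resource, "ok"


def build_sample():
    """Constructed routing table and grants for a quick run."""
    table = RoutingTable([
        Resource(1, "order.query", "/internal/order/query", "GET"),
        Resource(2, "order.create", "/internal/order", "POST"),
        Resource(3, "user.get", "/internal/user", "GET"),
    ])
    perms = PermissionStore()
    perms.assign_group("app-1", "partners")
    perms.grant("group", "partners", 1)  # the whole group may query orders
    perms.grant("app", "app-1", 2)       # this app alone may create orders
    return table, perms


if __name__ == "__main__":
    table, perms = build_sample()
    for app, method in [("app-1", "order.query"), ("app-1", "user.get"), ("app-2", "order.query")]:
        print(app, method, authorize(app, method, table, perms)[1])
```

In the real gateway these two lookups would be served from the LoadingCache and Redis layers mentioned under technology selection rather than hit the database on every request; the lookup logic stays the same.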
Technology selection
Besides meeting the functional requirements of the gateway, performance is also an important consideration: as the single entry point in front of the various business systems, the gateway can become the bottleneck of the whole business system. The business logic is not complex and the performance requirements are high, so reactive programming is a good choice.
- Spring WebFlux + Netty: reactive web framework.
- Spring Data Reactive Redis + Lettuce: reactive Redis client.
- Guava: Google's toolkit; LoadingCache is used as the in-process cache.
Epilogue
As the barrier between the external entry point and the internal systems, the gateway has to consider monitoring, statistics, logging and similar issues in addition to the basic functional and performance requirements. There are many open-source gateway products, each with its own strengths, but the choice must be made with one's own business in mind, taking their mature practices as a reference for one's own solution.