kong服务网关API

kong简介

Kong 是在客户端和(微)服务间转发API通信的API网关,通过插件扩展功能。Kong 有两个主要组件:
Kong Server :基于 openresty 的服务器,用来接收 API 请求。

Apache Cassandra或者PG :用来存储操作数据。

你可以通过增加更多 Kong Server 机器对 Kong 服务进行水平扩展,通过前置的负载均衡器向这些机器分发请求。根据文档描述,两个Cassandra节点就足以支撑绝大多数情况,但如果网络非常拥挤,可以考虑适当增加更多节点。
对于开源社区来说,Kong 中最诱人的一个特性是可以通过插件扩展已有功能,这些插件在 API 请求响应循环的生命周期中被执行。插件使用 Lua 编写,而且 Kong 还有如下几个基础功能:HTTP 基本认证、密钥认证、CORS( Cross-origin Resource Sharing,跨域资源共享)、TCP、UDP、文件日志、API 请求限流、请求转发以及 nginx 监控。
Kong包可运行在某些 Linux 发行版、Mac OS X 和 Docker 中,无论是本地机还是云端服务器皆可运行。
除了免费的开源版本,Mashape 还提供了付费的企业版,其中包括技术支持、使用培训服务以及 API 分析插件。

Paste_Image.png

kong安装

官网提供了多种安装方式https://getkong.org/install/,采用yum或者docker安装较为方便。docker安装需要先安装数据库,本文使用PG数据库。

安装过程

因为现场网络不通在家里测试环境安装好save下,在现场load使用即可。使用了export和import装载是报错,因为安装时也没有进行其他配置,索性使用save进行拷贝。

docker save -o kong-database-postgres-docker-9.4.tar.gz docker.io/postgres
docker save -o kong.tar.gz docker.io/kong

docker load -i kong-database-postgres-docker-9.4.tar.gz
docker load -i kong.tar.gz

1. 安装kong

[slview@DEMO:~]$ docker search  kong
INDEX       NAME                                DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
docker.io   docker.io/kong                      Open-source Microservice & API Management ...   73        [OK]       
docker.io   docker.io/pgbi/kong-dashboard       Web UI for managing your Kong setup.            14                   [OK]
docker.io   docker.io/pantsel/konga             More than just another GUI to KONG Admin API.   3                    [OK]
docker.io   docker.io/articulate/kong-wait      Waits for Cassandra to be connectable befo...   1                    [OK]
docker.io   docker.io/galacticfog/kong          A fork mashape/kong, with a bias towards p...   1                    [OK]
docker.io   docker.io/littlebaydigital/kong     Extension of official docker kong image wi...   1                    [OK]
docker.io   docker.io/mesoshq/kong              Run Kong clusters on Mesos/Marathon!            1                    [OK]
docker.io   docker.io/wmzhong/docker-kong       For adding solutions for clustering...          1                    [OK]
docker.io   docker.io/anduin/kong               kong                                            0                    [OK]
docker.io   docker.io/articulate/kong-monit     Adds monit to the base kong image.              0                    [OK]
docker.io   docker.io/bakstad/kong              Extension of the official Docker image for...   0                    [OK]
docker.io   docker.io/cknowles/kong             Fork of official repo to ensure logs work ...   0                    [OK]
docker.io   docker.io/dasudian/kong             Build kong docker image.                        0                    [OK]
docker.io   docker.io/derdiedasjojo/kong        kong with piwik-log plugin                      0                    [OK]
docker.io   docker.io/derdiedasjojo/kong-conf   create an api in kong by making an api-call     0                    [OK]
docker.io   docker.io/koudaiii/kong             docker-kong                                     0                    [OK]
docker.io   docker.io/misfit/kong               Kong in Docker                                  0                    [OK]
docker.io   docker.io/mrsaints/kong-aws         An extension of Kong with a plugin that ca...   0                    [OK]
docker.io   docker.io/mrsaints/kong-dev         A test / development sandbox for Kong, a s...   0                    [OK]
docker.io   docker.io/sikmi/nendo-docker-kong   nendo kong                                      0                    [OK]
docker.io   docker.io/sneck/kong                Kong(Open-Source API Management and Micros...   0                    [OK]
docker.io   docker.io/supermp/kong              Kong                                            0                    [OK]
docker.io   docker.io/vikingco/kong             Microservice & API Management Layer (https...   0                    [OK]
docker.io   docker.io/vikingco/kong-admin       Standalone Kong Admin Service                   0                    [OK]
docker.io   docker.io/zymbit/kong               Mashape Kong                                    0                    [OK]
[slview@DEMO:~]$ 
[slview@DEMO:~]$ 
[slview@DEMO:~]$ 
[slview@DEMO:~]$ 
[slview@DEMO:~]$ docker pull  kong:0.10
Trying to pull repository 192.168.5.249:5000/kong ... 
Pulling repository 192.168.5.249:5000/kong
Trying to pull repository docker.io/library/kong ... 
sha256:ff6dd0495f1a5b312bff9fd42f6aee6437200a337e190eb0ddc8e5ca83482995: Pulling from docker.io/library/kong
343b09361036: Pull complete 
eb953d76e90b: Pull complete 
ebdf6ecbe509: Pull complete 
24f20231ced9: Pull complete 
Digest: sha256:ff6dd0495f1a5b312bff9fd42f6aee6437200a337e190eb0ddc8e5ca83482995
Status: Downloaded newer image for docker.io/kong:0.10

2. 安装PG

[slview@DEMO:~]$ docker search postgres
INDEX       NAME                                DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
docker.io   docker.io/postgres                  The PostgreSQL object-relational database ...   3552      [OK]       
docker.io   docker.io/kiasaki/alpine-postgres   PostgreSQL docker image based on Alpine Linux   30                   [OK]
docker.io   docker.io/abevoelker/postgres       Postgres 9.3 + WAL-E + PL/V8 and PL/Python...   10                   [OK]
docker.io   docker.io/macadmins/postgres        Postgres that accepts remote connections b...   8                    [OK]
docker.io   docker.io/jamesbrink/postgres       Highly configurable PostgreSQL container.       5                    [OK]
docker.io   docker.io/eeacms/postgres           Docker image for PostgreSQL (RelStorage re...   4                    [OK]
docker.io   docker.io/blacklabelops/postgres    Postgres Image for Atlassian Applications       3                    [OK]
docker.io   docker.io/azukiapp/postgres         Docker image to run PostgreSQL by Azuki - ...   2                    [OK]
docker.io   docker.io/clkao/postgres-plv8       Docker image for running PLV8 1.4 on Postg...   2                    [OK]
docker.io   docker.io/publysher/postgres-s3     A Docker-based solution for Postgres backu...   2                    [OK]
docker.io   docker.io/2020ip/postgres           Docker image for PostgreSQL with PLV8           1                    [OK]
docker.io   docker.io/eccube/postgres           Docker image for PostgreSQL extended local...   1                    [OK]
docker.io   docker.io/steenzout/postgres        Steenzout's docker image packaging for Pos...   1                    [OK]
docker.io   docker.io/1maa/postgres             PostgreSQL base image                           0                    [OK]
docker.io   docker.io/beorc/postgres            Ubuntu-based PostgreSQL server                  0                    [OK]
docker.io   docker.io/camptocamp/postgres       Docker image for PostgreSQL including some...   0                    [OK]
docker.io   docker.io/coreroller/postgres       official postgres:9.4 image but it adds 2 ...   0                    [OK]
docker.io   docker.io/debezium/postgres         PostgreSQL for use with Debezium change da...   0                    [OK]
docker.io   docker.io/examus/postgres           Postgres with change password                   0                    [OK]
docker.io   docker.io/kobotoolbox/postgres      Postgres image for KoBo Toolbox.                0                    [OK]
docker.io   docker.io/opencog/postgres          This is a configured postgres database for...   0                    [OK]
docker.io   docker.io/studionone/postgres       Postgres Docker image with postgres uuid-o...   0                    [OK]
docker.io   docker.io/timbira/postgres          Postgres  containers                            0                    [OK]
docker.io   docker.io/travix/postgres           A container to run the PostgreSQL database.     0                    [OK]
docker.io   docker.io/vrtsystems/postgres       PostgreSQL image with added init hooks, bu...   0                    [OK]
[slview@DEMO:~]$ 
[slview@DEMO:~]$ 
[slview@DEMO:~]$ 
[slview@DEMO:~]$ docker pull  postgres:9.4
Trying to pull repository 192.168.5.249:5000/postgres ... 
Pulling repository 192.168.5.249:5000/postgres
Trying to pull repository docker.io/library/postgres ... 
sha256:8988064772fc8a39f0be47f7f2557788559221b27a51cbba595f23868edbc426: Pulling from docker.io/library/postgres
10a267c67f42: Pull complete 
e9a920522e33: Pull complete 
6888e696bd71: Pull complete 
798096eed143: Pull complete 
fb58419959b5: Pull complete 
97f9ec09cb68: Pull complete 
94972b6e82a0: Pull complete 
a281bad165d7: Pull complete 
080dd452e4af: Pull complete 
e04973558177: Pull complete 
79155f9ed5e1: Pull complete 
010432309d6c: Pull complete 
d1d8761b1fae: Pull complete 
Digest: sha256:8988064772fc8a39f0be47f7f2557788559221b27a51cbba595f23868edbc426
Status: Downloaded newer image for docker.io/postgres:9.4

安装后启动

  • 启动pg
docker run -d --name kong-database \
                -p 5432:5432 \
                -e "POSTGRES_USER=kong" \
                -e "POSTGRES_DB=kong" \
                postgres:9.4
  • 启动kong
docker run -d --name kong \
    --link kong-database:kong-database \
    -e "KONG_DATABASE=postgres" \
    -e "KONG_CASSANDRA_CONTACT_POINTS=kong-database" \
    -e "KONG_PG_HOST=kong-database" \
    -p 8000:8000 \
    -p 8443:8443 \
    -p 8001:8001 \
    -p 7946:7946 \
    -p 7946:7946/udp \
    kong:0.10

API

  1. 增加API
    strip_uri :When matching an API via one of the uris prefixes, strip that matching prefix from the upstream URI to be requested. Default: true. 默认会删除uris前缀
curl -i -X POST --url http://127.0.0.1:8001/apis/ --data 'name=iot_user_app' --data 'upstream_url=http://127.0.0.1:16666/' --data 'uris=/getuserinfo,/getnatipmapinfo,/getimeibindinfo' --data 'strip_uri=false'
curl -i -X POST --url http://127.0.0.1:8001/apis/ --data 'name=iot_vpdn_app' --data 'upstream_url=http://127.0.0.1:16666/' --data 'uris=/getvpdnuserinfo,/getvpdnservinfo' --data 'strip_uri=false'
  1. 删除API
curl -i -X DELETE http://127.0.0.1:8001/apis/iot_user_app
  1. 查询API http://127.0.0.1:8001/apis/
{
    data: [
        {
            uris: [
                "/getuserinfo",
                "/getnatipmapinfo",
                "/getimeibindinfo"
            ],
            id: "65dd8d1a-aea5-449d-a1d4-e705a4c88d1c",
            upstream_read_timeout: 60000,
            preserve_host: false,
            created_at: 1495682904000,
            upstream_connect_timeout: 60000,
            upstream_url: "http://127.0.0.1:20000/",
            strip_uri: false,
            https_only: false,
            name: "iot_user_app",
            http_if_terminated: true,
            upstream_send_timeout: 60000,
            retries: 5
        },
        {
            uris: [
                "/getvpdnuserinfo",
                "/getvpdnservinfo"
            ],
            id: "146df495-455d-48dd-a051-eaefacbd7b1e",
            upstream_read_timeout: 60000,
            preserve_host: false,
            created_at: 1495682920000,
            upstream_connect_timeout: 60000,
            upstream_url: "http://127.0.0.1:16666/",
            strip_uri: false,
            https_only: false,
            name: "iot_vpdn_app",
            http_if_terminated: true,
            upstream_send_timeout: 60000,
            retries: 5
        }
    ],
    total: 2
}
  1. 访问
-bash-4.4$ curl http://127.0.0.1:8000/getuserinfo?Type=hss\&IMSI=46003xxxxx\&REVLP=1
{
    "86xxxxxxx": {
        "CDMA_IMSI": "46003xxxxxxxxxx",
        "ISDN": "86xxxxxxxxx",
        "LTE_IMSI": "46011xxxxxxx",
        "TYPE": "2/3/4G"
    }
}

插件

kong提供了很多插件,一般使用的是授权和流量控制。

{
    enabled_plugins: [
        "syslog",
        "ldap-auth",
        "rate-limiting",
        "correlation-id",
        "jwt",
        "request-termination",
        "runscope",
        "request-transformer",
        "http-log",
        "loggly",
        "response-transformer",
        "basic-auth",
        "tcp-log",
        "hmac-auth",
        "oauth2",
        "acl",
        "bot-detection",
        "udp-log",
        "cors",
        "file-log",
        "ip-restriction",
        "datadog",
        "request-size-limiting",
        "galileo",
        "aws-lambda",
        "statsd",
        "response-ratelimiting",
        "key-auth"
    ]
}
{
    data: [
        {
            api_id: "ff315a1a-d98d-4a62-aad9-7bc6bb063e22",
            id: "65146028-c231-4618-82d4-02f8cc2b6e57",
            created_at: 1495684427000,
            enabled: true,
            name: "ip-restriction",
            config: {
                whitelist: [
                    "59.43.53.0/24",
                    "100.66.124.0/24",
                    "100.66.44.0/24",
                    "172.16.0.0/18"
                ]
            }
        },
        {
            api_id: "ff315a1a-d98d-4a62-aad9-7bc6bb063e22",
            id: "2aa6b021-cf73-4651-9c07-a3d5c60b900f",
            created_at: 1495684482000,
            enabled: true,
            name: "rate-limiting",
            config: {
                fault_tolerant: true,
                limit_by: "consumer",
                policy: "cluster",
                redis_database: 0,
                second: 100,
                hour: 6000,
                redis_timeout: 2000,
                redis_port: 6379
            }
        },
        {
            api_id: "ff315a1a-d98d-4a62-aad9-7bc6bb063e22",
            id: "c53fa430-1b2a-47e8-a093-3c19a23bd87b",
            created_at: 1495684523000,
            enabled: true,
            name: "request-size-limiting",
            config: {
                allowed_payload_size: 128
            }
        }
    ],
    total: 3
}
  • 安全插件
    通过设置安全插件可以控制IP白名单、黑名单以及ACL来控制访问范围,多个IP段使用逗号分隔:
curl -X POST http://127.0.0.1:8001/apis/iot_user_app/plugins  \
--data "name=ip-restriction"  \
--data "config.whitelist=59.43.53.0/24,100.66.124.0/24,100.66.44.0/24,172.16.0.0/18"
  • 访问速率插件
    通过设置访问速率插件可以访问速率,防止访问速率过大造成服务器压力,目前支持每秒、每小时进行限制:
curl -X POST http://127.0.0.1:8001/apis/iot_user_app/plugins \
--data "name=rate-limiting" \
--data "config.second=1000" \
--data "config.hour=60000"
  • 访问速率插件
    通过设置访问速率插件可以访问速率,防止访问速率过大造成服务器压力,目前支持每秒、每小时进行限制:
curl -X POST http://127.0.0.1:8001/apis/iot_user_app/plugins \
--data "name=rate-limiting" \
--data "config.second=1000" \
--data "config.hour=60000"
  • 访问包大小控制
curl -X POST http://127.0.0.1:8001/apis/iot_user_app/plugins \
--data "name=request-size-limiting" \
--data "config.allowed_payload_size=128"

遗留问题

  1. kong可以做oauth2.0和jwt做鉴权。
  2. 未进行压力测试,后面再探索吧。

推荐阅读更多精彩内容