
IT Tutorial FG388: API Gateway

Contents

1. API Gateway Overview

An API gateway is an intermediary layer between clients and back-end services that manages, routes and protects API calls. It provides a single entry point and handles cross-cutting concerns such as authentication, authorization, rate limiting and monitoring, so that back-end services can concentrate on business logic.

The core functions of an API gateway include:

  • Request routing: forwarding client requests to the appropriate back-end service
  • Authentication and authorization: verifying the caller's identity and controlling access
  • Rate limiting and circuit breaking: protecting back-end services from overload
  • Monitoring and logging: collecting API call metrics and logs
  • Protocol translation: converting between different protocols
  • Caching: improving API response times
  • API versioning: allowing several API versions to coexist
  • Error handling: returning errors in a uniform format


2. API Gateway Architectures

2.1 Centralized API Gateway

A centralized API gateway is the most common pattern: every API request passes through one central gateway. Its advantage is simple management; its drawback is that the gateway can become a performance bottleneck and a single point of failure.

2.2 Distributed API Gateway

A distributed API gateway spreads the gateway functions across several nodes, which improves scalability and reliability. This pattern suits large systems but requires more management and coordination.

2.3 Service Mesh Integration

An API gateway can be combined with a service mesh to form a complete service-communication management layer: the API gateway handles external (north-south) traffic, while the service mesh handles internal service-to-service (east-west) traffic.

3. Kong API Gateway

3.1 Installing and Configuring Kong

# Install Kong with Docker
$ docker network create kong-net

$ docker run -d --name kong-database \
--network=kong-net \
-p 5432:5432 \
-e POSTGRES_DB=kong \
-e POSTGRES_USER=kong \
-e POSTGRES_PASSWORD=kong \
postgres:13

# Run the database migrations once before starting Kong
$ docker run --rm \
--network=kong-net \
-e KONG_DATABASE=postgres \
-e KONG_PG_HOST=kong-database \
-e KONG_PG_PASSWORD=kong \
-e KONG_CASSANDRA_CONTACT_POINTS=kong-database \
kong:latest kong migrations bootstrap

# Start Kong. The KONG_ADMIN_LISTEN value contains a space, so it must be quoted.
# Binding the Admin API to 0.0.0.0 and publishing 8001/8444 exposes it to anything that can
# reach the host; restrict those ports to trusted networks.
$ docker run -d --name kong \
--network=kong-net \
-e KONG_DATABASE=postgres \
-e KONG_PG_HOST=kong-database \
-e KONG_PG_PASSWORD=kong \
-e KONG_CASSANDRA_CONTACT_POINTS=kong-database \
-e KONG_PROXY_ACCESS_LOG=/dev/stdout \
-e KONG_ADMIN_ACCESS_LOG=/dev/stdout \
-e KONG_PROXY_ERROR_LOG=/dev/stderr \
-e KONG_ADMIN_ERROR_LOG=/dev/stderr \
-e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
-p 8000:8000 \
-p 8443:8443 \
-p 8001:8001 \
-p 8444:8444 \
kong:latest

# Verify the installation
$ curl -i http://fgedudb:8001/

# Check Kong's status
$ curl -i http://fgedudb:8001/status

3.2 Managing Kong Services

# Add a service
$ curl -X POST http://fgedudb:8001/services \
--data "name=example-service" \
--data "url=http://httpbin.org"

# List services
$ curl -X GET http://fgedudb:8001/services

# Add a route
$ curl -X POST http://fgedudb:8001/services/example-service/routes \
--data "paths[]=/example" \
--data "methods[]=GET" \
--data "methods[]=POST"

# List the service's routes
$ curl -X GET http://fgedudb:8001/services/example-service/routes

# Test the API (the /example prefix is stripped, so this reaches httpbin.org/get)
$ curl -i http://fgedudb:8000/example/get

# Update the service
$ curl -X PATCH http://fgedudb:8001/services/example-service \
--data "url=http://httpbin.org/anything"

# Delete the service
$ curl -X DELETE http://fgedudb:8001/services/example-service
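To make the service/route relationship above concrete, here is an added example (not Kong's code, and a deliberately simplified model of its matching, which also supports hosts, headers, regex paths and priorities): a service is an upstream URL, a route is a set of path prefixes and methods attached to it, and the gateway picks the longest matching prefix and, with strip_path (Kong's default), removes the prefix before forwarding. The service and route data are constructed to mirror the commands in this section.

```python
from dataclasses import dataclass, field


@dataclass
class Route:
    """Subset of a Kong route: path prefixes, allowed methods, strip_path (default true)."""
    paths: list
    methods: list
    strip_path: bool = True


@dataclass
class Service:
    """A Kong service: a name, an upstream URL, and the routes attached to it."""
    name: str
    url: str
    routes: list = field(default_factory=list)


# Constructed to match the Admin API calls in this section.
SERVICES = [
    Service("example-service", "http://httpbin.org", [Route(["/example"], ["GET", "POST"])]),
    # A second, more specific route on another service, to show longest-prefix selection.
    Service("admin-service", "http://admin.internal", [Route(["/example/admin"], ["GET"])]),
]


def match_route(services, method, path):
    """Return (service, route, upstream_url) for the longest matching prefix whose
    method list contains `method`, or None (the gateway would answer 404).
    In this model a prefix must end at a path boundary ('/example' does not match
    '/examples'); that is a simplification of Kong's own prefix matching."""
    best = None
    for svc in services:
        for route in svc.routes:
            if method.upper() not in route.methods:
                continue
            for prefix in route.paths:
                p = prefix.rstrip("/")
                if path == p or path.startswith(p + "/"):
                    if best is None or len(p) > len(best[2]):
                        best = (svc, route, p)
    if best is None:
        return None
    svc, route, p = best
    # strip_path removes the matched prefix; the remainder is appended to the service URL.
    rest = path[len(p):] if route.strip_path else path
    upstream = svc.url.rstrip("/") + "/" + rest.lstrip("/")
    return svc, route, upstream


if __name__ == "__main__":
    for method, path in [("GET", "/example/get"), ("DELETE", "/example/get"),
                         ("GET", "/example/admin/users"), ("GET", "/other")]:
        hit = match_route(SERVICES, method, path)
        print(method, path, "->", "404" if hit is None else f"{hit[0].name} {hit[2]}")
```

The DELETE case shows why method lists matter: a route that only lists GET and POST leaves every other verb unrouted, which is the least-privilege default you want at the edge rather than a catch-all route.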

3.3 Managing Kong Plugins

# List the enabled plugins
$ curl -X GET http://fgedudb:8001/plugins/enabled

# Configure the rate-limiting plugin
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=rate-limiting" \
--data "config.minute=5" \
--data "config.policy=local"

# Configure the key-auth plugin
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=key-auth" \
--data "config.key_names[]=apikey"

# Create a consumer
$ curl -X POST http://fgedudb:8001/consumers \
--data "username=user1"

# Add an API key to the consumer
$ curl -X POST http://fgedudb:8001/consumers/user1/key-auth \
--data "key=secret123"

# Test authentication: the first request carries no key (expect 401), the second supplies it
$ curl -i http://fgedudb:8000/example/get
$ curl -i http://fgedudb:8000/example/get?apikey=secret123

# Configure the CORS plugin
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=cors" \
--data "config.origins=*" \
--data "config.methods=GET,POST,PUT,DELETE" \
--data "config.headers=Origin,Content-Type,Accept"

# Add a Cache-Control response header with response-transformer
# (this rewrites a header; Kong's actual caching is done by the proxy-cache plugin)
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=response-transformer" \
--data "config.add.headers[0]=Cache-Control: max-age=3600"

Tip: Kong is a powerful open-source API gateway built on Nginx and OpenResty, with a rich plugin ecosystem that covers most API-management needs.

4. AWS API Gateway

4.1 Creating an AWS API Gateway

# Create the API with the AWS CLI
$ aws apigateway create-rest-api \
--name "Example API" \
--description "Example API Gateway"

# Get the API ID
API_ID=$(aws apigateway get-rest-apis --query "items[?name=='Example API'].id" --output text)

# Create a resource
$ aws apigateway create-resource \
--rest-api-id $API_ID \
--parent-id $(aws apigateway get-resources --rest-api-id $API_ID --query "items[?path=='/'].id" --output text) \
--path-part "example"

# Get the resource ID
RESOURCE_ID=$(aws apigateway get-resources --rest-api-id $API_ID --query "items[?path=='/example'].id" --output text)

# Create a method
$ aws apigateway put-method \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method GET \
--authorization-type "NONE"

# Configure the integration
$ aws apigateway put-integration \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method GET \
--type HTTP \
--integration-http-method GET \
--uri "http://httpbin.org/get" \
--passthrough-behavior WHEN_NO_MATCH

# Deploy the API
$ aws apigateway create-deployment \
--rest-api-id $API_ID \
--stage-name prod

# Build the invoke URL (get-stage does not return it): https://{api-id}.execute-api.{region}.amazonaws.com/{stage}
AWS_REGION=$(aws configure get region)
API_URL="https://$API_ID.execute-api.$AWS_REGION.amazonaws.com/prod"

# Test the API
$ curl -i $API_URL/example

4.2 AWS API Gateway Security

# Create an API key
$ aws apigateway create-api-key \
--name "Example API Key" \
--enabled

# Get the API key ID
API_KEY_ID=$(aws apigateway get-api-keys --query "items[?name=='Example API Key'].id" --output text)

# Create a usage plan
$ aws apigateway create-usage-plan \
--name "Example Usage Plan" \
--description "Example usage plan" \
--api-stages "apiId=$API_ID,stage=prod" \
--throttle "burstLimit=5,rateLimit=10" \
--quota "limit=100,period=DAY"

# Get the usage plan ID
USAGE_PLAN_ID=$(aws apigateway get-usage-plans --query "items[?name=='Example Usage Plan'].id" --output text)

# Associate the API key with the usage plan
$ aws apigateway create-usage-plan-key \
--usage-plan-id $USAGE_PLAN_ID \
--key-id $API_KEY_ID \
--key-type API_KEY

# Require an API key on the method. This is the apiKeyRequired flag;
# authorizationType only accepts NONE, AWS_IAM, CUSTOM or COGNITO_USER_POOLS.
$ aws apigateway update-method \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method GET \
--patch-operations "op=replace,path=/apiKeyRequired,value=true"

# Redeploy the API so the change takes effect
$ aws apigateway create-deployment \
--rest-api-id $API_ID \
--stage-name prod

# Test the API (get-api-key with --include-values returns the key material)
$ curl -i -H "x-api-key: $(aws apigateway get-api-key --api-key $API_KEY_ID --include-values --query 'value' --output text)" $API_URL/example

5. Azure API Management

5.1 Creating an Azure API Management Instance

# Create the API Management service with the Azure CLI
$ az group create --name api-management-rg --location eastus

$ az apim create \
--name example-apim \
--resource-group api-management-rg \
--location eastus \
--sku-name Consumption \
--publisher-name "Example Publisher" \
--publisher-email "example@fgedu.net.cn"

# Import an API (the specification format is required; the Petstore document is Swagger 2.0)
$ az apim api import \
--api-id example-api \
--resource-group api-management-rg \
--service-name example-apim \
--specification-format Swagger \
--specification-url "https://petstore.swagger.io/v2/swagger.json" \
--path example

# Release the API
$ az apim api release create \
--api-id example-api \
--api-revision 1 \
--resource-group api-management-rg \
--service-name example-apim \
--release-id v1 \
--notes "Initial release"

# Test the API
$ curl -i https://example-apim.azure-api.net/example/pet/1

5.2 Azure API Management Policies

# Configure a rate-limit policy
$ az apim policy create \
--resource-group api-management-rg \
--service-name example-apim \
--api-id example-api \
--policy "

# Configure an authentication policy
$ az apim policy create \
--resource-group api-management-rg \
--service-name example-apim \
--api-id example-api \
--policy "api://example

# Configure a CORS policy
$ az apim policy create \
--resource-group api-management-rg \
--service-name example-apim \
--api-id example-api \
--policy "*GETPOSTPUTDELETE

Origin
Content-Type
Accept
Authorization


6. Google API Gateway

6.1 Creating a Google API Gateway

# Create the API config with the gcloud CLI
$ cat api-config.yaml
swagger: '2.0'
info:
  title: Example API
  description: Example API Gateway
  version: '1.0.0'
host: example-api-abcdef.app.gateway.dev
schemes:
  - https
paths:
  /example:
    get:
      summary: Example endpoint
      operationId: getExample
      responses:
        '200':
          description: A successful response
          schema:
            type: object
            properties:
              message:
                type: string
      x-google-backend:
        address: https://httpbin.org/get

# Deploy the API config
$ gcloud api-gateway api-configs create example-api-config \
--api=example-api \
--openapi-spec=api-config.yaml \
--project=my-project-id

# Create the gateway
$ gcloud api-gateway gateways create example-gateway \
--api=example-api \
--api-config=example-api-config \
--location=us-central1 \
--project=my-project-id

# Test the API
$ curl -i https://example-gateway-abcdef-uc.a.run.app/example

6.2 Google API Gateway Security

# Enable the API Gateway service
$ gcloud services enable apigateway.googleapis.com

# Create an API key
$ gcloud api-gateway api-keys create \
--display-name="Example API Key" \
--project=my-project-id

# Fetch the API key
API_KEY=$(gcloud api-gateway api-keys list --project=my-project-id --format="value(keyString)")

# Update the API config to require the API key
$ cat api-config-with-key.yaml
swagger: '2.0'
info:
  title: Example API
  description: Example API Gateway
  version: '1.0.0'
host: example-api-abcdef.app.gateway.dev
schemes:
  - https
securityDefinitions:
  api_key:
    type: apiKey
    name: key
    # A key in the query string is written to access logs and browser history;
    # `in: header` with name `x-api-key` keeps it out of URLs.
    in: query
security:
  - api_key: []
paths:
  /example:
    get:
      summary: Example endpoint
      operationId: getExample
      responses:
        '200':
          description: A successful response
          schema:
            type: object
            properties:
              message:
                type: string
      x-google-backend:
        address: https://httpbin.org/get

# Deploy the updated API config
$ gcloud api-gateway api-configs create example-api-config-v2 \
--api=example-api \
--openapi-spec=api-config-with-key.yaml \
--project=my-project-id

# Point the gateway at the new config
$ gcloud api-gateway gateways update example-gateway \
--api=example-api \
--api-config=example-api-config-v2 \
--location=us-central1 \
--project=my-project-id

# Test the API
$ curl -i https://example-gateway-abcdef-uc.a.run.app/example?key=$API_KEY


7. Spring Cloud Gateway

7.1 Configuring Spring Cloud Gateway

# Create the project. RequestRateLimiter needs a reactive Redis client, so add data-redis-reactive.
$ curl https://start.spring.io/starter.zip \
-d dependencies=gateway,webflux,data-redis-reactive \
-d type=maven-project \
-d groupId=com.example \
-d artifactId=api-gateway \
-d version=1.0.0-SNAPSHOT \
-o api-gateway.zip

$ unzip api-gateway.zip
$ cd api-gateway

# Configure application.yml
$ cat src/main/resources/application.yml
spring:
  cloud:
    gateway:
      routes:
        - id: example_route
          uri: http://httpbin.org
          predicates:
            - Path=/example/**
          filters:
            # The named group "path" is referenced as ${path}; in YAML write $\{path} so
            # Spring does not treat it as a property placeholder.
            - RewritePath=/example/(?<path>.*), /$\{path}
            - name: RequestRateLimiter
              args:
                redis-rate-limiter.replenishRate: 10
                redis-rate-limiter.burstCapacity: 20
                key-resolver: "#{@userKeyResolver}"

# Create the KeyResolver
$ cat src/main/java/com/example/apigateway/config/KeyResolverConfig.java
package com.example.apigateway.config;

import java.net.InetSocketAddress;

import org.springframework.cloud.gateway.filter.ratelimit.KeyResolver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import reactor.core.publisher.Mono;

@Configuration
public class KeyResolverConfig {
    // The rate-limit key is the client IP. Behind a load balancer every client shares the
    // balancer's address, so resolve the real client from a trusted forwarded header instead.
    // An empty key makes RequestRateLimiter reject the request (deny-empty-key defaults to true).
    @Bean
    public KeyResolver userKeyResolver() {
        return exchange -> {
            InetSocketAddress remote = exchange.getRequest().getRemoteAddress();
            return remote == null ? Mono.empty() : Mono.just(remote.getAddress().getHostAddress());
        };
    }
}

# Run the application
$ mvn spring-boot:run

# Test the API
$ curl -i http://fgedudb:8080/example/get

7.2 Spring Cloud Gateway Filters

# Write a custom filter factory
$ cat src/main/java/com/example/apigateway/filter/CustomFilter.java
package com.example.apigateway.filter;

import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;

@Component
public class CustomFilter extends AbstractGatewayFilterFactory<CustomFilter.Config> {
    public CustomFilter() {
        super(Config.class);
    }

    // The filter name is derived from the class name with the suffix "GatewayFilterFactory"
    // removed, which would give "CustomFilter"; override name() so the YAML can reference "Custom".
    @Override
    public String name() {
        return "Custom";
    }

    @Override
    public GatewayFilter apply(Config config) {
        return (exchange, chain) -> {
            // Pre-filter logic runs before the request is forwarded
            System.out.println("Pre-filter: " + config.getMessage());
            // Post-filter logic runs after the upstream response has been received
            return chain.filter(exchange).then(Mono.fromRunnable(() -> {
                System.out.println("Post-filter: " + config.getMessage());
            }));
        };
    }

    public static class Config {
        private String message;

        public String getMessage() {
            return message;
        }

        public void setMessage(String message) {
            this.message = message;
        }
    }
}

# Configure the filter
$ cat src/main/resources/application.yml
spring:
  cloud:
    gateway:
      routes:
        - id: example_route
          uri: http://httpbin.org
          predicates:
            - Path=/example/**
          filters:
            - RewritePath=/example/(?<path>.*), /$\{path}
            - name: Custom
              args:
                message: "Hello from custom filter"

# Run the application
$ mvn spring-boot:run

# Test the API
$ curl -i http://fgedudb:8080/example/get

8. Deploying an API Gateway

8.1 Kubernetes Deployment

# Deploy Kong with Helm
$ helm repo add kong https://charts.konghq.com
$ helm repo update

$ helm install kong kong/kong \
--set ingressController.installCRDs=false \
--set service.externalPort=80 \
--set service.internalPort=8000 \
--set admin.service.port=8001

# Inspect the Kong deployment
$ kubectl get pods
$ kubectl get services

# Configure a Kong Ingress
$ cat kong-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: kong
spec:
  rules:
    - host: fgedu.net.cn
      http:
        paths:
          - path: /example
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80

# Apply the Ingress
$ kubectl apply -f kong-ingress.yaml

# Test the API
$ curl -i -H "Host: fgedu.net.cn" http://$(kubectl get service kong-kong-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')/example

8.2 Docker Compose Deployment

# Docker Compose configuration
$ cat docker-compose.yml
version: '3'
services:
  kong:
    image: kong:latest
    ports:
      - "8000:8000"
      - "8443:8443"
      - "8001:8001"
      - "8444:8444"
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_PASSWORD: kong
      KONG_CASSANDRA_CONTACT_POINTS: kong-database
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: "0.0.0.0:8001, 0.0.0.0:8444 ssl"
    depends_on:
      - kong-database

  kong-database:
    image: postgres:13
    environment:
      POSTGRES_DB: kong
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: kong
    volumes:
      - kong-db:/var/lib/postgresql/data

volumes:
  kong-db:

# Initialise the database first. Kong exits if the schema is missing, so run the
# migrations with `run` (which starts kong-database via depends_on) before `up`.
$ docker-compose run --rm kong kong migrations bootstrap

# Start the services
$ docker-compose up -d

# Test Kong
$ curl -i http://fgedudb:8001/

# Add a service and a route
$ curl -X POST http://fgedudb:8001/services \
--data "name=example-service" \
--data "url=http://httpbin.org"

$ curl -X POST http://fgedudb:8001/services/example-service/routes \
--data "paths[]=/example" \
--data "methods[]=GET"

# Test the API
$ curl -i http://fgedudb:8000/example/get


9. API Gateway Security

9.1 Authentication and Authorization

# Configure the JWT plugin (key_claim_name is the claim used to look up the consumer credential)
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=jwt" \
--data "config.uri_param_names[]=token" \
--data "config.secret_is_base64=false" \
--data "config.key_claim_name=iss"

# Create a consumer
$ curl -X POST http://fgedudb:8001/consumers \
--data "username=user1"

# Add a JWT credential: `key` is the value the token's iss claim must carry,
# `secret` is what the token must be signed with
$ curl -X POST http://fgedudb:8001/consumers/user1/jwt \
--data "algorithm=HS256" \
--data "key=user1" \
--data "secret=my-secret-key"

# Generate a JWT (iss equals the credential key, signed with the credential secret)
$ JWT_TOKEN=$(node -e "const jwt = require('jsonwebtoken'); console.log(jwt.sign({ iss: 'user1' }, 'my-secret-key'));")

# Test JWT authentication
$ curl -i http://fgedudb:8000/example/get?token=$JWT_TOKEN

# Configure the OAuth2 plugin (redirect URIs are set on the application credential below,
# not in the plugin config)
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=oauth2" \
--data "config.scopes=read,write" \
--data "config.token_expiration=3600" \
--data "config.enable_authorization_code=true" \
--data "config.enable_client_credentials=true" \
--data "config.enable_password_grant=true" \
--data "config.enable_implicit_grant=true"

# Create an OAuth2 application
$ curl -X POST http://fgedudb:8001/consumers/user1/oauth2 \
--data "name=my-app" \
--data "redirect_uris[]=http://fgedudb:3000/callback"

# Test the OAuth2 flow
# 1. Obtain an authorization code
# 2. Exchange it for a token
# 3. Call the API with the token
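The JWT plugin's check, written out as an added example (this is not Kong's code; it reproduces the lookup the configuration above describes: read the claim named by key_claim_name, find the consumer credential whose `key` matches, verify the HS256 signature with that credential's `secret`, then check expiry). The credential table, the secret `my-secret-key` and the claims are constructed to match this section; `sign_hs256` is included only so the example can mint its own test tokens, with the standard library instead of the jsonwebtoken package.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint a compact HS256 JWT (equivalent to jwt.sign(claims, secret) on the page)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


# Constructed credential store, keyed by the credential `key` (what the iss claim must carry),
# mirroring POST /consumers/user1/jwt with key=user1, secret=my-secret-key, algorithm=HS256.
CREDENTIALS = {
    "user1": {"consumer": "user1", "algorithm": "HS256", "secret": "my-secret-key"},
}


def verify(token: str, credentials: dict, key_claim_name: str = "iss", now=None):
    """Return (True, consumer) for a valid token, else (False, reason)."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    # 1. Resolve the credential from the key claim; an unknown key is rejected
    #    before any cryptography happens.
    cred = credentials.get(claims.get(key_claim_name))
    if cred is None:
        return False, "no credential for key claim"
    # 2. The token's alg must be the credential's configured algorithm. Taking alg from the
    #    token alone is how "alg: none" and algorithm-confusion bugs creep in.
    if cred["algorithm"] != "HS256" or header.get("alg") != cred["algorithm"]:
        return False, "algorithm mismatch"
    # 3. Recompute the MAC with the credential secret and compare in constant time.
    expected = hmac.new(cred["secret"].encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    # 4. Honour exp when present (Kong also does this; nbf handling is omitted here).
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and current >= exp:
        return False, "expired"
    return True, cred["consumer"]


if __name__ == "__main__":
    token = sign_hs256({"iss": "user1"}, "my-secret-key")
    print(verify(token, CREDENTIALS))
    print(verify(sign_hs256({"iss": "user1"}, "wrong-secret"), CREDENTIALS))
    print(verify(sign_hs256({"iss": "nobody"}, "my-secret-key"), CREDENTIALS))
```

Step 2 is the one worth copying into any gateway you build yourself: the accepted algorithm comes from the stored credential, never from the token header.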

9.2 Rate Limiting and Circuit Breaking

# Configure the rate-limiting plugin
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=rate-limiting" \
--data "config.minute=10" \
--data "config.hour=100" \
--data "config.day=1000" \
--data "config.policy=local"

# Test the limit: the first 10 requests in the minute succeed, the remaining 5 get 429
$ for i in $(seq 1 15); do curl -i http://fgedudb:8000/example/get; done

# Configure a circuit-breaker plugin. Note that no plugin of this name is bundled with
# open-source Kong; this configuration assumes a third-party plugin exposing these fields.
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=circuit-breaker" \
--data "config.break_duration=60" \
--data "config.healthy_threshold=3" \
--data "config.unhealthy_threshold=3" \
--data "config.consumer_whitelist=user1"

# Test the circuit breaker
# 1. Make the back-end service fail
# 2. Send consecutive requests to trip the breaker
# 3. Observe that the gateway fails fast while the breaker is open
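The rate-limiting plugin configured in 3.3 and here, and the circuit-breaker parameters listed above, as one added example (not Kong's code, nor that of any plugin): fixed-window counters per consumer for the minute/hour/day periods, the way policy=local keeps them in process, and a three-state breaker driven by the `unhealthy_threshold`, `healthy_threshold` and `break_duration` values from the configuration. `gateway_call` chains the two the way a gateway does: reject over-limit callers with 429 before touching the breaker, fail fast with 503 while the breaker is open, and otherwise forward. The limits, consumer names, timestamps and the failing `upstream` callable are constructed for the example.

```python
import time
from collections import defaultdict

# Window lengths for the periods named in the plugin config (config.minute / hour / day)
PERIODS = {"minute": 60, "hour": 3600, "day": 86400}


class RateLimiter:
    """Fixed-window counters per identifier and period; counters live in this process only,
    so, like policy=local, each gateway node enforces the limit independently."""

    def __init__(self, limits):
        self.limits = {p: n for p, n in limits.items() if p in PERIODS}
        self.counters = defaultdict(int)  # (identifier, period, window_start) -> hits

    def _windows(self, now):
        return {p: int(now // PERIODS[p]) * PERIODS[p] for p in self.limits}

    def check(self, identifier, now=None):
        """Return (allowed, headers). A request is counted only when it is allowed."""
        now = time.time() if now is None else now
        windows = self._windows(now)
        remaining = {p: self.limits[p] - self.counters[(identifier, p, w)] for p, w in windows.items()}
        if any(r <= 0 for r in remaining.values()):
            return False, {f"X-RateLimit-Remaining-{p.capitalize()}": max(r, 0) for p, r in remaining.items()}
        for p, w in windows.items():
            self.counters[(identifier, p, w)] += 1
        return True, {f"X-RateLimit-Remaining-{p.capitalize()}": r - 1 for p, r in remaining.items()}


class CircuitBreaker:
    """closed -> open after `unhealthy_threshold` consecutive failures; open -> half-open once
    `break_duration` seconds have passed; half-open -> closed after `healthy_threshold`
    consecutive successes, or straight back to open on the first failure."""

    def __init__(self, break_duration, healthy_threshold, unhealthy_threshold):
        self.break_duration = break_duration
        self.healthy_threshold = healthy_threshold
        self.unhealthy_threshold = unhealthy_threshold
        self.state = "closed"
        self.failures = 0
        self.successes = 0
        self.opened_at = None

    def allow(self, now):
        if self.state == "open":
            if now - self.opened_at >= self.break_duration:
                self.state, self.successes = "half-open", 0  # let probe traffic through
                return True
            return False
        return True

    def record(self, success, now):
        if success:
            self.failures = 0
            if self.state == "half-open":
                self.successes += 1
                if self.successes >= self.healthy_threshold:
                    self.state = "closed"
        else:
            self.failures += 1
            if self.state == "half-open" or self.failures >= self.unhealthy_threshold:
                self.state, self.opened_at, self.failures = "open", now, 0


def gateway_call(limiter, breaker, consumer, upstream, now):
    """Return (status, headers). `upstream` is a callable returning True on a healthy response."""
    allowed, headers = limiter.check(consumer, now)
    if not allowed:
        return 429, headers          # over limit: the back end is never contacted
    if not breaker.allow(now):
        return 503, headers          # breaker open: fail fast instead of piling onto a sick back end
    ok = upstream()
    breaker.record(ok, now)
    return (200 if ok else 502), headers


if __name__ == "__main__":
    limiter = RateLimiter({"minute": 10, "hour": 100, "day": 1000})
    print([limiter.check("user1", now=0)[0] for _ in range(15)])
    breaker = CircuitBreaker(break_duration=60, healthy_threshold=3, unhealthy_threshold=3)
    print([gateway_call(limiter, breaker, "user2", lambda: False, now=t)[0] for t in range(4)])
```

Because the counter is keyed by consumer, an authenticated caller who exhausts the limit does not affect others; keying by the load balancer's IP, by contrast, throttles every client at once.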

9.3 HTTPS Configuration

# Generate a self-signed certificate (for testing only)
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=fgedu.net.cn"

# Upload the certificate to Kong and bind it to the server name
$ curl -X POST http://fgedudb:8001/certificates \
--form "cert=@cert.pem" \
--form "key=@key.pem" \
--form "snis[]=fgedu.net.cn"

# Test HTTPS (-k skips verification because the certificate is self-signed)
$ curl -k -i https://fgedudb:8443/example/get

# Redirect HTTP to HTTPS. No redirect-https plugin is bundled with open-source Kong; the
# built-in way is to set the route's protocols to https and its https_redirect_status_code.
$ curl -X POST http://fgedudb:8001/services/example-service/plugins \
--data "name=redirect-https"

# Test the redirect
$ curl -i http://fgedudb:8000/example/get


10. Best Practices

10.1 API Gateway Design

  • Plan routes deliberately: partition them by business domain
  • Layer the API: keep public and internal APIs separate
  • Use versioning: allow several API versions to coexist
  • Apply a caching strategy: improve response times
  • Optimise requests and responses: reduce the data transferred
  • Handle errors consistently: one error format and one handling path
  • Use asynchronous processing for long-running operations
  • Validate requests at the edge: ensure data quality before it reaches back ends
  • Choose the authentication method that fits the scenario
  • Apply fine-grained authorization: control access by role and permission

10.2 API Gateway Deployment

# Highly available deployment
$ cat kong-ha.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong
spec:
  replicas: 3
  selector:
    matchLabels:
      app: kong
  template:
    metadata:
      labels:
        app: kong
    spec:
      containers:
        - name: kong
          image: kong:latest
          env:
            - name: KONG_DATABASE
              value: postgres
            - name: KONG_PG_HOST
              value: kong-database
            - name: KONG_PG_PASSWORD
              value: kong
          ports:
            - containerPort: 8000
            - containerPort: 8443
            - containerPort: 8001

$ kubectl apply -f kong-ha.yaml

# Configure horizontal autoscaling
$ kubectl autoscale deployment kong --cpu-percent=50 --min=3 --max=10

# Monitoring configuration
$ cat kong-monitoring.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kong
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: kong
  endpoints:
    - port: admin
      interval: 15s

$ kubectl apply -f kong-monitoring.yaml

# Service exposure with Prometheus scrape annotations
$ cat kong-healthcheck.yaml
apiVersion: v1
kind: Service
metadata:
  name: kong
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8001"
spec:
  selector:
    app: kong
  ports:
    - name: proxy
      port: 80
      targetPort: 8000
    - name: admin
      port: 8001
      targetPort: 8001
  type: LoadBalancer

$ kubectl apply -f kong-healthcheck.yaml

10.3 API Gateway Monitoring

  • Monitor comprehensively: call volume, response time and error rate
  • Set sensible alerts: thresholds on the key metrics
  • Use distributed tracing: follow each API call across services
  • Collect detailed logs: record call details and error information
  • Analyse usage: understand usage patterns and hot spots
  • Run performance tests regularly
  • Monitor back-end services: track their health
  • Monitor for security events: abnormal access patterns and attacks
  • Use dashboards: visualise the monitoring data
  • Report regularly: produce usage and performance reports

Recommendations for Production

  • Choose the API gateway solution that fits your requirements
  • Deploy for high availability: multiple instances behind a load balancer
  • Set sensible resource limits and adjust them to traffic
  • Apply comprehensive security measures: authentication, authorization, HTTPS
  • Build complete monitoring and alerting
  • Perform security audits and vulnerability scans regularly
  • Train the team in API gateway administration
  • Document API designs and configurations
  • Test the gateway's performance and reliability
  • Prepare incident-response playbooks

Compiled and published by Fengge Tutorials for learning and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
