Analysis, use and extension of the open source API gateway apisix
2022-07-03 01:46:00 【Fried chicken and spicy chicken 123】
If you want a fully featured API gateway, writing one yourself is unreasonable; however, it is still necessary to understand the underlying principles.
Compile and install
I am going to use apisix as the base project, so the first thing to learn is how to compile and install apisix correctly and get it running.
Project address
Apache APISIX is a cloud-native API gateway.
Apache APISIX Dashboard is designed to let users operate Apache APISIX as easily as possible through a front-end interface.
Installation steps
Reference: API service gateway implementation, APISIX installation and deployment
The blog above runs into problems when installing the visual interface; look at the official documentation instead.
Official dashboard deployment documentation
Let me sort out the general process. The installation first needs apisix itself, and then a demo program, so we can think of it as two steps: install apisix first, then install its companion interface. The following is my own process.
Install apisix
Environment: CentOS 7 with OpenResty already installed
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install yum-utils
yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
yum install -y etcd openresty curl git gcc luarocks lua-devel
systemctl start etcd
yum install -y https://github.com/apache/incubator-apisix/releases/download/1.1/apisix-1.1-0.el7.noarch.rpm
Start apisix: apisix start
Check the process, or check that port 9080 is being listened on:
ps aux|grep apisix
netstat -lntp|grep 9080
Disable the firewall and SELinux
This avoids failures during the experiment, but it is not recommended for production:
systemctl stop firewalld.service
systemctl disable firewalld.service
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
Install the apisix dashboard
Before this, a Go environment, a Node.js environment and yarn need to be installed.
Note:
- The Go module proxy needs to be switched to a domestic mirror:
go env -w GOPROXY=https://goproxy.cn,direct
- The Node.js version must be greater than v10.14.2
According to the official apisix-dashboard installation tutorial, the steps are as follows:
git clone -b release/2.10.1 https://github.com/apache/apisix-dashboard.git && cd apisix-dashboard
If your server's connection to github times out at this step, you can download on your local machine and then transfer the files to the server.
Then execute
make build
Wait for it to complete. This process also connects to github; if the connection times out, just retry a few times.
After success, go to the output directory under the project; the generated results are inside.
First, conf contains the web configuration, with the following structure:
conf:
  listen:
    # host:                  # the address on which the `Manager API` should listen.
                             # Uncomment to bind a specific address; it accepts IPv4, IPv6, and hostname.
    port: 9000               # The port on which the `Manager API` should listen.
  # ssl:
  #   host:                  # the address on which the `Manager API` should listen for HTTPS.
  #   port: 9001             # The port on which the `Manager API` should listen for HTTPS.
  #   cert: "/tmp/cert/example.crt" # Path of your SSL cert.
  #   key: "/tmp/cert/example.key"  # Path of your SSL key.
  allow_list:                # If we don't set any IP list, then any IP access is allowed by default.
    - <IPv4 address>         # placeholder for the IPv4 address; the rules are checked in sequence until the first match is found.
    - ::1                    # In this example, access is allowed only for that IPv4 address, and for IPv6 only ::1.
                             # It also supports CIDR like 2001:0db8::/32
  etcd:
    endpoints:               # supports defining multiple etcd host addresses for an etcd cluster
      - <etcd host:port>     # placeholder for the etcd endpoint
    # yamllint disable rule:comments-indentation
    # etcd basic auth info
    # username: "root"       # ignore etcd username if etcd auth is not enabled
    # password: "123456"     # ignore etcd password if etcd auth is not enabled
    mtls:
      key_file: ""           # Path of your self-signed client side key
      cert_file: ""          # Path of your self-signed client side cert
      ca_file: ""            # Path of your self-signed ca cert, the CA is used to sign callers' certificates
    # prefix: /apisix        # apisix config's prefix in etcd, /apisix by default
  log:
    error_log:
      level: warn            # supports levels, lower to higher: debug, info, warn, error, panic, fatal
      file_path: logs/error.log   # supports relative path, absolute path, standard output
                             # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr
                             # such as absolute path on Windows: winfile:///C:\error.log
    access_log:
      file_path: logs/access.log  # supports relative path, absolute path, standard output
                             # such as: logs/access.log, /tmp/logs/access.log, /dev/stdout, /dev/stderr
                             # such as absolute path on Windows: winfile:///C:\access.log
                             # log example: 2020-12-09T16:38:09.039+0800 INFO filter/logging.go:46 /apisix/admin/routes/r1 {"status": 401, "host": "", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "", "method": "PUT", "errs": []}
  max_cpu: 0                 # number of OS threads used for parallelism. Default value: 0 [uses the max number of available cpu cores, considering hyperthreading (if any)]. If the value is negative, the existing parallelism profile is not touched.
authentication:
  secret: secret             # secret for jwt token generation.
                             # NOTE: Highly recommended to modify this value to protect `manager api`.
                             # if it is the default value, `manager api` generates a random string to replace it at start-up.
  expire_time: 3600          # jwt token expire time, in seconds
  users:                     # yamllint enable rule:comments-indentation
    - username: admin        # username and password for logging in to `manager api`
      password: admin
    - username: user
      password: user
A few points deserve attention. First, allow_list decides who can reach the presentation layer (as the comment says, if no IP list is set then any IP is allowed). The account and password are in the users part of the configuration.
Use the start command
to start the project.
Visit http://ip:9000/user/login?redirect=/ and that is it; the default credentials are admin/admin or user/user.
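As an added check (not part of the dashboard project), the script below audits the Manager API settings discussed above: the allow_list, TLS, the etcd connection, the JWT secret and the shipped default logins. It works on the dict that yaml.safe_load returns for conf.yaml; SAMPLE_CONF is a constructed dict mirroring the shipped defaults, and its etcd endpoint is a placeholder.

```python
import ipaddress

# Shipped default logins from the conf.yaml above.
DEFAULT_USERS = {("admin", "admin"), ("user", "user")}

def audit_dashboard_conf(cfg):
    """Return a list of findings for a parsed conf.yaml (empty means nothing flagged)."""
    findings = []
    conf = cfg.get("conf", {})
    auth = cfg.get("authentication", {})

    allow = conf.get("allow_list") or []
    if not allow:
        findings.append("allow_list empty: any source IP may reach the Manager API")
    for entry in allow:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"allow_list entry {entry!r} is not an IP or CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"allow_list entry {entry!r} matches every address")

    host = conf.get("listen", {}).get("host")
    if host in (None, "0.0.0.0", "::"):
        findings.append("listen.host unset or wildcard: Manager API bound on all interfaces")
    if "ssl" not in conf:
        findings.append("ssl not configured: Manager API logins travel in plaintext")

    etcd = conf.get("etcd", {})
    mtls = etcd.get("mtls", {})
    if not (mtls.get("cert_file") and mtls.get("key_file")) and not etcd.get("username"):
        findings.append("etcd: neither mTLS client cert nor basic auth configured")

    if auth.get("secret") in (None, "secret"):
        findings.append("authentication.secret left at the shipped default")
    if auth.get("expire_time", 3600) > 24 * 3600:
        findings.append("authentication.expire_time: JWT valid for longer than a day")
    for user in auth.get("users", []):
        name, pw = user.get("username"), user.get("password", "")
        if (name, pw) in DEFAULT_USERS:
            findings.append(f"user {name!r} still uses the shipped default password")
        elif len(pw) < 12:
            findings.append(f"user {name!r} has a password shorter than 12 characters")
    return findings

# Constructed sample mirroring the shipped defaults above (yaml.safe_load of the
# real file gives the same shape); the etcd endpoint is a placeholder.
SAMPLE_CONF = {
    "conf": {"listen": {"port": 9000},
             "allow_list": ["127.0.0.1", "::1"],
             "etcd": {"endpoints": ["<etcd-host>:2379"],
                      "mtls": {"key_file": "", "cert_file": "", "ca_file": ""}}},
    "authentication": {"secret": "secret", "expire_time": 3600,
                       "users": [{"username": "admin", "password": "admin"},
                                 {"username": "user", "password": "user"}]},
}
```

Run it against output/conf/conf.yaml before exposing port 9000 beyond localhost; an empty list is the goal.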
Feature introduction
The dashboard: importing Grafana
Grafana is a data visualization, dashboard and graph editor for Graphite and InfluxDB; it is also an open-source, full-featured metrics dashboard and graph editor that supports Graphite, InfluxDB and OpenTSDB.
Grafana is an open-source time-series statistics and monitoring platform that supports data sources such as Elasticsearch, Graphite and InfluxDB, and is known for its powerful interface editor.
Grafana official website
In effect, various customized dashboards have already been built, and you only need to import them.
The configuration on the official website seems to require a bunch of nodes, but here I only have a single field to fill in an http link.
I don't know how to use it yet; it seems that I need to install it independently myself.
vim /etc/yum.repos.d/grafana.repo
# put the repository definition ... in it
# after saving, execute
yum -y install grafana
systemctl enable grafana-server
systemctl start grafana-server
Let's look at the contents of the grafana-server unit:
Description=Grafana instance
After=postgresql.service mariadb.service mysqld.service
ExecStart=/usr/sbin/grafana-server \
--config=${CONF_FILE} \
--pidfile=${PID_FILE_DIR}/grafana-server.pid \
--packaging=rpm \
cfg:default.paths.logs=${LOG_DIR} \
cfg:default.paths.data=${DATA_DIR} \
cfg:default.paths.plugins=${PLUGINS_DIR} \
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
(Figure: importing data and dashboards into Grafana)
At present there is no need for data visualization; it is not the point, so don't think about it.
Route
A route (Route) is the entry point of a request; it defines the matching rules between client requests and services. A route can be associated with a service (Service) or an upstream (Upstream): a service can correspond to a group of routes, and a route can correspond to one upstream object (a set of back-end service nodes). Each request that matches a route is therefore proxied by the gateway to the upstream service bound to that route.
Upstream
The upstream list contains the upstream services (that is, back-end services) that have been created. Load balancing and health checks can be performed across the multiple target nodes of an upstream service.
Service
A service is a combination of the plugins commonly configured on routes and the upstream target information. Services are associated with routes and upstreams: a service can correspond to a group of upstream nodes and can be bound by multiple routes.
Consumer
A consumer is the consumer of a route; forms include developers, end users, API callers and so on. When creating a consumer, at least one authentication plugin needs to be bound.
Plugins
Plugins include authentication, security protection, traffic control, serverless, observability and several other types.
There are several types of plugins (see the official plugin documentation):
- Authentication
  - authz-casbin
    - Casbin is a powerful, efficient open-source access control framework whose permission management supports multiple access control models (see the Casbin official website).
    - An Apache APISIX plugin based on lua-casbin, supporting powerful authorization based on various access models.
  - authz-keycloak
    - An authorization plugin used with the Keycloak identity server. Keycloak is an OAuth/OIDC and UMA compliant identity server. Although it was developed alongside Keycloak, it should also work with any OAuth/OIDC and UMA compatible identity provider.
  - basic-auth
    - An authentication plugin that needs to be used with a consumer. Adds basic authentication to a service or route.
    - The consumer then adds its key to the request header to verify its requests.
  - hmac-auth
    - An authentication plugin that needs to be used with a consumer. Adds HMAC authentication to a service or route.
  - jwt-auth
    - An authentication plugin that needs to be used with a consumer. Adds JWT authentication to a service or route.
    - The consumer then adds its key to a query string parameter, request header or cookie to verify its requests.
  - key-auth
    - An authentication plugin that works together with a consumer.
    - Adds key authentication (sometimes also called an API key) to a service or route. The consumer then adds its key to a query string parameter or header to verify its requests.
  - ldap-auth
    - An authentication plugin that can be used with a consumer. Adds LDAP authentication to a service or route.
  - openid-connect
    - The OAuth 2 / OpenID Connect (OIDC) plugin provides authentication and introspection for APISIX.
  - wolf-rbac
    - An authentication and authorization (RBAC) plugin. It needs to work with a consumer, and wolf-rbac must also be added to a service or route. The RBAC functionality is provided by wolf (see the wolf documentation).
- Security protection
  - api-breaker
    - Implements API circuit breaking to help protect our upstream business services.
  - consumer-restriction
    - Applies the corresponding access restrictions according to the object selected in consumer-restriction.
  - cors
  - fault-injection
    - A fault injection plugin that can be used together with other plugins and is executed before them. The abort attribute directly returns the user-specified HTTP code to the client and terminates the subsequent plugins; the delay attribute delays the request and then executes the subsequent plugins.
  - ip-restriction
    - Restricts access to services or routes by whitelisting or blacklisting IP addresses; single IPs, multiple IPs or ranges in CIDR notation can be used.
  - referer-restriction
    - Restricts access to services or routes by whitelisting the Referer request header.
  - request-validation
    - Validates the request before forwarding it to the upstream service. The plugin uses json-schema for validation and can validate header and body data.
  - ua-restriction
    - Restricts access to services or routes with an allowlist and denylist of User-Agent headers.
  - uri-blocker
    - Helps us intercept user requests; we only need to specify block_rules.
- Traffic control
  - limit-conn
    - Limits request concurrency.
  - limit-count
    - Limits the request rate to a fixed number of requests within a given time window.
  - limit-req
    - Limits the request rate using the "leaky bucket" method.
  - traffic-split
    - The traffic splitting plugin lets users gradually steer a percentage of traffic between upstreams.
    - Note: due to shortcomings of the weighted round-robin algorithm (especially when the wrr state is reset), the ratio between upstreams may not be exact.
- Serverless
  - azure-functions
    - A built-in Apache APISIX serverless plugin for seamless integration with Azure Serverless Functions. As a dynamic upstream it proxies all requests for a specific URI to the Microsoft Azure cloud, one of the most commonly used public cloud platforms in production environments. If enabled, this plugin terminates the ongoing request for that URI and, on behalf of the client, makes a new request to the Azure FaaS (the new upstream) with the appropriate authorization details set by the user, plus the request headers, request body and parameters (all three passed through from the original request), and returns the response body, status code and headers to the original client that called the APISIX proxy.
  - serverless-post-function
    - Runs the specified code at the end of a phase.
  - serverless-pre-function
    - Runs the specified code at the start of a phase.
- Observability
  - datadog
    - A built-in Apache APISIX monitoring plugin for seamless integration with Datadog, one of the most commonly used monitoring and observability platforms for cloud applications. If enabled, this plugin supports capturing multiple powerful types of metrics for each request and response cycle, which essentially reflect the behaviour and health of the system.
  - error-log-logger
    - A plugin that pushes APISIX error.log data to a TCP server or to Apache SkyWalking.
    - It provides the ability to send log data of selected levels to monitoring tools and other TCP servers, and to SkyWalking over HTTP.
  - http-logger
    - A plugin that pushes request log data to an HTTP/HTTPS server.
  - kafka-logger
    - A plugin that works as a Kafka client driver for the ngx_lua nginx module.
    - It provides the ability to push request log data as JSON objects to an external Kafka cluster.
  - prometheus
    - The plugin adds /apisix/prometheus/metrics, which exposes the public metrics.
    - These metrics are exposed on a separate Prometheus server address; the default can be changed in conf/config.yaml.
  - request-id
    - Adds a unique ID (UUID) to each request proxied through APISIX, which can be used to trace API requests. If the request already carries the header named by header_name, the plugin does not add a new ID.
  - skywalking
    - SkyWalking uses its native Nginx Lua tracer to provide tracing, topology analysis and metrics from the service and URI perspective.
  - skywalking-logger
    - A plugin that pushes access log data to the SkyWalking server over HTTP.
  - sls-logger
    - A plugin that pushes request log data to the Alibaba Cloud Log Service using RFC 5424.
  - syslog
    - A plugin that pushes request log data to syslog.
  - tcp-logger
    - A plugin that pushes request log data to a TCP server.
  - udp-logger
    - A plugin that pushes request log data to a UDP server.
  - zipkin
    - An OpenTracing plugin.
- Other
  - batch-requests
    - Accepts multiple requests, sends them through apisix over an HTTP pipeline, and returns the aggregated response to the client; this can significantly improve performance when the client needs to call multiple APIs.
  - client-control
    - Dynamically controls how Nginx handles client requests.
  - ext-plugin-post-req
    - Runs a specific external plugin in the plugin runner after most built-in Lua plugins have executed.
  - ext-plugin-pre-req
    - Runs a specific external plugin in the plugin runner before the built-in Lua plugins execute.
  - grpc-transcode
    - Transcodes http(s) to grpc.
  - gzip
    - Dynamically sets Nginx's gzip behaviour.
  - proxy-cache
    - Provides the ability to cache upstream response data and can be used with other plugins. The plugin supports disk-based caching; memory-based caching will be supported in the future.
  - proxy-mirror
    - Provides the ability to mirror client requests.
    - Note: the response returned by the mirrored request is ignored.
  - proxy-rewrite
    - An upstream proxy information rewrite plugin.
  - real-ip
    - Dynamically changes the client IP and port as seen by APISIX.
  - response-rewrite
    - A response rewrite plugin that rewrites content returned by the upstream and by Apache APISIX itself.
Reasonable use of plugins can solve most problems. For example, proxy-mirror and proxy-cache let us mirror client requests, and we can then take those requests for additional analysis, such as anti-crawler and data-security related work.
Certificate
The certificate is used by the gateway to handle encrypted requests; it is associated with an SNI and bound to the hostname in the route.
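To tie the Route, Upstream, Service, Consumer and plugin sections together, here is an added example (my own code, not from the apisix project) that builds the four Admin API objects for one protected API and checks that the route actually ends up behind an authentication plugin, directly or through its service. It assumes the Admin API is reachable at APISIX_ADMIN (default http://127.0.0.1:9080), that the admin key from conf/config.yaml is in APISIX_ADMIN_KEY, and that the node address, CIDR and consumer key are placeholders.

```python
import json
import os
import urllib.request

# Plugins that authenticate the caller; a route reachable without one is flagged.
AUTH_PLUGINS = {"key-auth", "jwt-auth", "basic-auth", "hmac-auth",
                "ldap-auth", "wolf-rbac", "openid-connect", "authz-keycloak"}

def upstream_spec(nodes):
    """Upstream: {"host:port": weight} nodes, round-robin, active health check on /health."""
    return {"type": "roundrobin", "nodes": nodes,
            "checks": {"active": {"http_path": "/health",
                                  "healthy": {"interval": 2, "successes": 1},
                                  "unhealthy": {"interval": 1, "http_failures": 2}}}}

def service_spec(upstream_id, allowed_cidrs):
    """Service: the upstream plus the plugins shared by every route bound to it."""
    return {"upstream_id": upstream_id,
            "plugins": {"key-auth": {},                                  # caller must present a consumer key
                        "ip-restriction": {"whitelist": allowed_cidrs},  # CIDR allow list
                        "limit-count": {"count": 100, "time_window": 60,
                                        "key": "remote_addr", "rejected_code": 429}}}

def route_spec(uri, service_id, methods=("GET",), plugins=None):
    """Route: the matching rule; upstream and plugins are inherited from the service."""
    spec = {"uri": uri, "methods": list(methods), "service_id": service_id}
    if plugins:
        spec["plugins"] = plugins
    return spec

def consumer_spec(username, api_key):
    """Consumer: identified by its key-auth credential."""
    return {"username": username, "plugins": {"key-auth": {"key": api_key}}}

def effective_plugins(route, service):
    """Route plugins override same-named service plugins; the rest are inherited."""
    merged = dict(service.get("plugins", {}))
    merged.update(route.get("plugins", {}))
    return merged

def is_protected(route, service):
    """True when at least one authentication plugin applies to the route."""
    return any(name in AUTH_PLUGINS for name in effective_plugins(route, service))

def put_admin_object(base_url, api_key, path, spec):
    """PUT one object to the Admin API (X-API-KEY header) and return the reply."""
    req = urllib.request.Request(
        f"{base_url}/apisix/admin/{path}", data=json.dumps(spec).encode(),
        method="PUT", headers={"X-API-KEY": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

if __name__ == "__main__":
    base = os.environ.get("APISIX_ADMIN", "http://127.0.0.1:9080")  # assumed Admin API address
    key = os.environ["APISIX_ADMIN_KEY"]                              # admin key from conf/config.yaml
    # constructed sample objects: node address, CIDR and consumer key are placeholders
    put_admin_object(base, key, "upstreams/1", upstream_spec({"10.0.0.5:8080": 1}))
    put_admin_object(base, key, "services/1", service_spec("1", ["10.0.0.0/8"]))
    put_admin_object(base, key, "routes/1", route_spec("/api/*", "1"))
    put_admin_object(base, key, "consumers", consumer_spec("alice", "REPLACE-WITH-RANDOM-KEY"))
```

Running is_protected over every route/service pair returned by the Admin API is a cheap way to catch a route that was created without an authentication plugin.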
Modification and customization
Modifying the front-end interface
The code structure of the front-end project is as follows
The web directory contains the project's front-end pages.
The whole project is written in Vue and can be built with yarn, so in debug mode the project can be run with the yarn build command.
Official debugging documentation
It is worth noting that on my side, in the last step, using yarn start does not seem to log in successfully; only the yarn start:e2e command works.
The point of debugging is not to compile but to see the effect while changing things, because yarn detects file changes and recompiles in real time.
The debugging setup is:
# enter the web directory; the project runs on port 8000
yarn start:e2e
# go back to the dashboard project directory
# start the API service, which runs on port 9000
make api-run
Then visit the application on port 8000 and log in. Let's look at real-time compilation:
Then I modify defaultSettings.ts:
You can see that it triggers real-time compilation. At this point dynamic debugging can be carried out.
The page has also changed (the 123 is what I just added).
This is just a simple example; more modifications will be shared in the next article.
Modifying apisix at the capability level
There are many different versions of APISIX on github, so being able to switch branches on github is particularly important. As far as I can tell,
this version of the code should be the latest
and has more plugins than the stable version. My previous source code was downloaded from gitee; as a result the version was too old and the code differed from github, so I went back to github. Slow is fine, it is just slow.
The apisix code downloaded from github looks like this:
The core code is in the apisix directory,
which is full of Lua scripts. Its overall architecture is much the same as the previously analysed Orange: both are extensible through a plugin system, but the underlying implementation differs. The main extensions we make on open source projects are plugin extensions. To extend a plugin you have to understand its plugin call flow and implementation; that part will be described in the next article.
Finally, my friend and I set up a QQ group to learn test development together (chit-chat, casual group, no advertising): 826471103. Friends interested in the blog's content can join the group so as not to miss follow-up content.
