How to design and implement a lightweight open API gateway.
Original article: blog.piaoruiqing.com/2019/08/05/…
Preface
With the development of services, more and more third parties are connected to each service system. Each service system faces the same problem: how to ensure secure and fast access by third parties. In this case, it is particularly important to have an API gateway service that integrates signature verification, authentication, traffic limiting, and degradation functions.
Next, I will share how to design and implement a lightweight API open gateway, including interface design, database design, signature verification scheme, authentication, etc. This article focuses on the overall design, and implementation details will be shared in subsequent articles.
Introduction to API Gateway
The API gateway is particularly important in a microservice architecture because it abstracts the functions common to all business systems, such as authentication, traffic limiting and degradation, and acts as a barrier in front of the many internal business systems.
Basic requirements
- Signing and signature verification
- Authentication
- Routing
- Permission and resource management
The overall design
Functions such as signature verification and authentication are handled as a chain of responsibility. The gateway routes requests according to its configuration and attaches parameters that the service system uses for further processing (such as data filtering). The brief request processing flow is as follows:
Interface design
The basic function of a gateway is to forward requests to internal services based on the configured routing rules. For example:
For example, forwarding /order/* requests to the internal order system and /user/* requests to the internal user system is common in a base gateway that fronts the entire business system.
This article designs an open API gateway that serves third parties. Instead of using the method above, the requested resource is passed as a parameter in the request body, for the following reasons:
- Open APIs serve third parties; hiding internal paths provides a unified, standardized interface.
- The mapping from requested resource to internal interface is maintained by the gateway routing table, so an internal interface can be upgraded or even switched to a new service without changing the open interface.
- Fine-grained per-interface permission control, traffic limiting and statistics.
Address
The open API gateway provides a unique entry to the outside world, passing in the requested resource as a parameter.
Public parameters
To simplify signing and signature verification and to improve flexibility, fixed public parameters and return values are agreed for the single entry point, as follows:
Common request parameters
Parameter | Required | Type | Example | Description |
---|---|---|---|---|
app_id | yes | string | | Application ID |
method | yes | string | aaa.bbb.ccc | Request method |
charset | yes | string | UTF-8 | Character encoding |
format | yes | string | JSON | Business parameter format |
sign_type | yes | string | RSA2 | Signature type |
sign | yes | string | | The signature |
timestamp | yes | number | 1564929661796 | Timestamp, in milliseconds |
nonce | yes | string | 63DCB93D270E44D49499F9E5D55705FE | Random string (UUID recommended) |
version | yes | string | 1.0 | Interface version |
biz_content | yes | string | {"start_time":"1564929661796", … } | Request business parameters |
- app_id: Application ID. The application is the principal of authorization and identifies the caller.
- method: Request method, which corresponds to an internal URL and is maintained by the gateway routing table.
- timestamp and nonce: used to defend against replay attacks.
- biz_content: business parameters, which are forwarded to the internal business system.
Common return parameters
Parameter | Required | Type | Example | Description |
---|---|---|---|---|
code | yes | number | 0 | Error code |
message | no | string | | Error message |
charset | yes | string | UTF-8 | Character encoding |
format | yes | string | JSON | Return parameter format |
sign_type | yes | string | RSA2 | Signature type |
sign | yes | string | | The signature |
timestamp | yes | number | | Timestamp, in milliseconds |
biz_content | yes | string | {"id":"1564929661796", … } | Return business parameters |
- biz_content: the returned business parameters, which the gateway forwards from the business system.
This article was published on PiaoRuiQing's blog. Non-commercial reprinting is allowed, but a reprint must retain the original author, PiaoRuiQing, and the link blog.piaoruiqing.com. For negotiation or cooperation on authorization, please contact [email protected].
Signature scheme
Both the caller and the server generate a 2048-bit RSA key pair and exchange public keys. The private key is used for signing and the public key for signature verification. The external interface of the open API gateway uses HTTPS, so no additional encryption is required.
Signature algorithm
Signature algorithm name | Standard algorithm name | Note |
---|---|---|
RSA2 | SHA256WithRSA | The RSA key must be at least 2048 bits long |
Signature rule
Signature parameter content
All request parameters, with the sign parameter itself removed.
Sorting of signature parameters
Sort by parameter name in ascending ASCII order (alphabetically ascending).
Signature generation
Concatenate the sorted parameters into the string `name_a=value_a&name_b=value_b&…&name_z=value_z` and sign it with the private key to produce sign.
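The signing rule above carried through on both sides, as an added example that is not code from the article or its gateway project (which uses Spring WebFlux; Go is used here because its standard library covers SHA256withRSA). It assumes the parameters arrive as a string map and that sign is base64-encoded, which the article does not state.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"sort"
	"strings"
)

// SigningString builds the content to sign as the rule above specifies: drop the
// "sign" parameter, sort the rest by name in ascending ASCII order, join as k=v&k=v.
func SigningString(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "sign" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	parts := make([]string, len(keys))
	for i, k := range keys {
		parts[i] = k + "=" + params[k]
	}
	return strings.Join(parts, "&")
}

// SignRSA2 is the caller side: SHA256withRSA (PKCS#1 v1.5) over the signing string
// with the caller's private key; the base64 result is sent as the "sign" parameter.
func SignRSA2(priv *rsa.PrivateKey, params map[string]string) (string, error) {
	digest := sha256.Sum256([]byte(SigningString(params)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyRSA2 is the gateway side: rebuild the signing string from the received
// parameters and check "sign" against the public key registered for the app_id.
func VerifyRSA2(pub *rsa.PublicKey, params map[string]string) bool {
	sig, err := base64.StdEncoding.DecodeString(params["sign"])
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(SigningString(params)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

Because every parameter except sign is covered by the signature, changing method, timestamp, nonce or biz_content in transit invalidates the request.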
Database design
The database stores configuration such as keys and permissions, and there are multiple levels of caching between the application and the database to speed up access. The brief ER diagram is as follows:
- app: the caller entity, used to identify the requester.
- group: a group of apps; authorization can be granted uniformly through the group.
- subject: the authorization subject (an app or a group).
- resource: maintains the mapping between requested resources and internal interfaces; url + http_method corresponds to a unique resource_id.
Technology selection
Besides meeting the functional requirements, the gateway must also be designed for performance: as the single entry point for every service system, the gateway can become the bottleneck of the whole system. The business logic is simple but the performance requirements are high, so reactive programming is a good choice.
- Spring WebFlux + Netty: reactive web framework.
- Spring Data Reactive Redis + Lettuce: reactive Redis client.
- Guava: Google's toolkit; its LoadingCache is used as the in-process cache.
Conclusion
As the barrier and entrance in front of the internal systems, a gateway must take monitoring, statistics, logging and similar concerns into account in addition to the basic functional and performance requirements. There are many open source gateway products, but we must consider our own business when choosing one, and draw on the various mature solutions in practice only where they suit our own situation.
If this article is helpful to you, please give it a thumbs up (~ ▽ ~)
Series of articles:
- Open API Gateway Practice I: Designing an API gateway
- Open API Gateway Practice II: Replay attacks and defense
- Open API Gateway Practice III: Traffic limiting