How to design and implement a lightweight open API gateway.

Original article: blog.piaoruiqing.com/2019/08/05/…

Preface

As services grow, more and more third parties connect to each service system, and every system faces the same problem: how to give third parties secure and fast access. An API gateway service that integrates signature verification, authentication, traffic limiting, and degradation therefore becomes particularly important.

Next, I will share how to design and implement a lightweight open API gateway, covering interface design, database design, the signature scheme, authentication, and so on. This article focuses on the overall design; implementation details will be shared in subsequent articles.

Introduction to API Gateway

An API gateway is particularly important in a microservice architecture because it abstracts the functions common to all business systems, such as authentication, traffic limiting and degradation, and acts as a barrier in front of the many internal business systems.

Basic requirements

  1. Signing and signature verification
  2. Authentication
  3. Routing
  4. Permission and resource management

Overall design

Functions such as signature verification and authentication are handled as a chain of responsibility. The gateway routes requests according to its configuration and attaches parameters so that the service system can do its own processing (such as data filtering). The brief request processing flow is as follows:

Interface design

The basic function of a gateway is to forward requests to internal services based on configured routing rules. For example, forwarding /order/* requests to the internal order system and /user/* requests to the internal user system is common in a base gateway that fronts the entire business system.

The open API gateway designed in this article serves third parties. Instead of the path-based approach above, the requested resource is passed as a parameter in the request body, for the following reasons:

  1. Open APIs serve third parties; hiding internal paths gives them a unified, standardized interface.
  2. The mapping from request method to internal interface is maintained by the gateway's routing table, so an internal interface can be upgraded or even switched to a new service without changing the external contract.
  3. Fine-grained per-interface permission control, traffic limiting, and statistics.

Address

The open API gateway exposes a single entry point to the outside world; the requested resource is passed in as a parameter.

Public parameters

To simplify signing and signature verification and to improve flexibility, fixed public parameters and return values are agreed upon for the single entry point, as follows:

Common request parameters

Parameter     Required  Type    Example                              Note
app_id        yes       string                                       Application ID
method        yes       string  aaa.bbb.ccc                          Request method
charset       yes       string  UTF-8                                Character encoding
format        yes       string  JSON                                 Business parameter format
sign_type     yes       string  RSA2                                 Signature type
sign          yes       string                                       The signature
timestamp     yes       number  1564929661796                        Timestamp, in milliseconds
nonce         yes       string  63DCB93D270E44D49499F9E5D55705FE     Random string (UUID recommended)
version       yes       string  1.0                                  Interface version
biz_content   yes       string  {"start_time":"1564929661796", ...}  Request business parameters
  • app_id: Application ID. The application is the principal of authorization and identifies the caller.
  • method: Request method, which corresponds to an internal URL and is maintained by the gateway routing table.
  • timestamp and nonce: used to defend against replay attacks.
  • biz_content: business parameters, which are forwarded to the internal business system.

Public return parameters

Parameter     Required  Type    Example                       Note
code          yes       number  0                             Error code
message       no        string                                Error message
charset       yes       string  UTF-8                         Character encoding
format        yes       string  JSON                          Return parameter format
sign_type     yes       string  RSA2                          Signature type
sign          yes       string                                The signature
timestamp     yes       number                                Timestamp, in milliseconds
biz_content   yes       string  {"id":"1564929661796", ...}   Return business parameters
  • biz_content: business parameters of the response, relayed by the gateway from the service system.
[Copyright Notice] This article was published on PiaoRuiQing's blog (blog.piaoruiqing.com). Non-commercial reprinting is allowed, but a reprint must retain the original author, PiaoRuiQing, and the link. For authorization negotiation or cooperation, please contact: [email protected].

Signature scheme

Both the caller and the server generate a 2048-bit RSA key pair and exchange public keys. The private key is used to sign, and the public key is used to verify the signature. The external interface of the open API gateway uses HTTPS, so no additional encryption is required.

Signature algorithm

Signature algorithm  Standard algorithm name  Note
RSA2                 SHA256WithRSA            The RSA key must be at least 2048 bits long

Signature rule

Signature parameter content

All request parameters, with sign itself removed.

Sorting of signature parameters

Sort by parameter name in ascending ASCII order (alphabetically ascending).

Signature generation

Join the sorted parameters into a string of the form nameA=valueA&nameB=valueB&...&nameZ=valueZ, and sign that string with the private key to produce sign.
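The three signature rules above, worked through end to end as an added example (not the article's code): the caller builds the canonical string and signs it with its private key, and the gateway recomputes the string and verifies sign with the public key registered for that app_id. Assumptions not stated in the article: Go with the standard library, base64 as the transport encoding of sign, and constructed sample parameter values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

func canonicalString(params map[string]string) string {
	var keys []string
	for k := range params {
		if k != "sign" { // rule 1: the signature itself is never part of the signed content
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // rule 2: byte-wise compare, i.e. ascending ASCII order of parameter names
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+params[k]) // rule 3: nameA=valueA&nameB=valueB&...
	}
	return strings.Join(parts, "&")
}

// sign is the caller side: RSA2 = SHA256WithRSA (PKCS#1 v1.5) over the canonical string; base64 is an assumption.
func sign(priv *rsa.PrivateKey, params map[string]string) (string, error) {
	digest := sha256.Sum256([]byte(canonicalString(params)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// verify is the gateway side: recompute the digest and check sign with the caller's public key; any failure rejects.
func verify(pub *rsa.PublicKey, params map[string]string) bool {
	sig, err := base64.StdEncoding.DecodeString(params["sign"])
	digest := sha256.Sum256([]byte(canonicalString(params)))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit key, as the article requires
	req := map[string]string{"app_id": "demo-app", "method": "aaa.bbb.ccc", "timestamp": "1564929661796", "biz_content": `{"start_time":"1564929661796"}`} // constructed
	req["sign"], _ = sign(priv, req)
	fmt.Println(verify(&priv.PublicKey, req)) // true: untouched request
	req["biz_content"] = `{"start_time":"0"}`  // constructed tampering in transit
	fmt.Println(verify(&priv.PublicKey, req)) // false: signature no longer matches
}
```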

Database design

The database stores configuration such as keys and permissions, and there are multiple levels of caching between the application and the database to speed up access. The brief ER diagram is as follows:

  • app: the caller entity, used to identify the requester.
  • group: a group of apps; authorization can be granted to a group as a whole.
  • subject: the authorized principal (an app or a group).
  • resource: maintains the mapping between requested resources and internal interfaces; url + http_method corresponds to a unique resource_id.

Technology selection

Besides functional requirements, a gateway must also meet performance requirements: as the single entry point for every service system, the gateway's performance can become the bottleneck of the whole system. The business logic is not complex but the performance requirements are high, so reactive programming is a good choice.

  • Spring WebFlux + Netty: reactive web framework.
  • Spring Data Reactive Redis + Lettuce: reactive Redis client.
  • Guava: Google's toolkit; LoadingCache is used as the in-process cache.

Conclusion

As the barrier and entry point in front of internal systems, the gateway must take monitoring, statistics, logging and other concerns into account in addition to its basic functions and performance requirements. There are many open source gateway products, but we must consider our own business when choosing one, and draw on mature solutions only where they suit our own situation.

If this article is helpful to you, please give a thumbs up (~ ▽ ~)

Series of articles:

  • Open API Gateway Practice I: Design an API gateway
  • Open API Gateway Practice II: Replay attack and defense
  • Open API Gateway Practice III: Limiting traffic
