
How to design and implement a lightweight open API gateway

2025-01-16 update. From: SLTechnology News&Howtos (shulou)


Shulou (Shulou.com) 06/02 Report

This article is about how to design and implement a lightweight open API gateway. I think it is very practical, so I am sharing it with you and hope you get something out of reading it. Let's take a look.

Preface

As a business grows, more and more third parties connect to it, and every business system faces the same problem: how to let third parties access it securely and quickly. At this point an API gateway service that brings together signature verification, authentication, rate limiting and degradation (fallback) becomes especially important.

Next we share how to design and implement a lightweight open API gateway, covering interface design, database design, the signature scheme, authentication and so on. This article focuses on the overall design; implementation details will be shared in later articles.

Brief introduction to API gateways

An API gateway is especially important in microservices: it pulls the functions common to all business systems (authentication, rate limiting, degradation and so on) out into one place and acts as a barrier in front of the many internal business systems.

Basic requirements

Signing and signature verification

Authentication

Routing

Permission and resource management

Overall design

Functions such as signature verification and authentication are handled as a chain of responsibility; the gateway then routes according to its configuration and attaches parameters for the business system to use (for example, for data filtering). The request-processing flow is summarised in the flow diagram (not reproduced here).

Interface design

The most basic function of a gateway is to forward requests. A common approach is to forward requests to internal services according to routing rules in the configuration, for example:

requests to /order/* are forwarded to the internal order system and requests to /user/* to the internal user system. This is what a basic gateway that fronts the whole business system usually does.

The gateway designed in this article is an open API gateway serving third parties. Instead of the approach above, the requested resource is carried in the request body as a parameter, for the following reasons:

Opening the API to third parties while hiding internal paths makes it easier to offer a unified, standardised interface.

The mapping from request method to internal interface is maintained in the gateway's routing table, so an internal interface can be upgraded, or even switched to a new service, without changing the external interface.

Access control, rate limiting, statistics and so on can be applied at a finer granularity (per interface rather than per path prefix).

Address

The open API gateway exposes a single entry point; the specific resource being requested is passed in as a parameter.

Common parameter

To simplify signing and signature verification, and to keep things flexible, the single entry point specifies fixed common parameters and return values, as follows:

Common request parameters

app_id: application ID. The application ID is the subject of authorisation and identifies the caller.

method: the requested method, which corresponds to an internal URL and is maintained in the gateway's routing table.

timestamp and nonce: used to prevent replay attacks. A valid signature alone does not stop a captured request from being resent, so the gateway must reject timestamps outside an accepted window and remember the nonces it has seen within that window.

biz_content: business parameters, forwarded to the internal business system.

Common return parameters

biz_content: the business return value, i.e. the response of the internal business system forwarded back by the gateway.

[copyright notice]

This article is published on Park Ruiqing's blog and may be reproduced for non-commercial use, provided the reprint retains the original author, Park Ruiqing, and the link: http://blog.piaoruiqing.com. For licensing or cooperation enquiries, please contact piaoruiqing@gmail.com.

Signature scheme

Both the caller and the server generate a 2048-bit RSA key pair and exchange public keys. The private key is used to sign and the counterpart's public key to verify the signature. The gateway's external interface is served over HTTPS, so no additional encryption of the payload is needed for now. The hash function and padding (for example SHA-256 with PKCS#1 v1.5 or PSS) also have to be fixed in the interface specification, otherwise caller and gateway cannot interoperate.

Signature algorithm

Signature rule

Signature parameter content

All parameters except sign.

Sorting of signature parameters

Sort by the ASCII code of the parameter name, in ascending order.

Signature generation method

The sorted parameters are joined into a string of the form name_a=value_a&name_b=value_b&...&name_z=value_z, and the private key is used to sign that string, producing sign. If a value may itself contain '&' or '=', the encoding of values must be fixed as well (for example percent-encoding), otherwise two different parameter sets can canonicalise to the same string.
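The following is an added example of the signature scheme and the replay check described above, covering both the caller side and the gateway side. It is not code from the original article or from the author's gateway (whose stack is Java with Spring WebFlux); it is written in Go using only the standard library so that the protocol can be shown independently of the framework. The hash (SHA-256), padding (PKCS#1 v1.5), percent-encoding of values, the base64 encoding of sign, the 300-second timestamp window and all parameter values are this example's own assumptions; the article fixes only RSA-2048, the sort order and the name=value&... layout.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"sort"
	"strconv"
	"strings"
)

// CanonicalString builds the string to sign: drop "sign", sort the remaining
// names by byte value (ASCII order) and join them as name=value&name=value.
// Values are percent-encoded so a value containing '&' or '=' cannot be read
// as a parameter boundary; the article does not fix value encoding (assumption).
func CanonicalString(params map[string]string) string {
	names := make([]string, 0, len(params))
	for k := range params {
		if k != "sign" {
			names = append(names, k)
		}
	}
	sort.Strings(names)
	parts := make([]string, 0, len(names))
	for _, k := range names {
		parts = append(parts, k+"="+url.QueryEscape(params[k]))
	}
	return strings.Join(parts, "&")
}

// Sign is the caller side: SHA-256 over the canonical string, RSA PKCS#1 v1.5
// with the app's private key, base64 into "sign". Hash and padding are
// assumptions; the article only fixes RSA-2048.
func Sign(params map[string]string, priv *rsa.PrivateKey) (string, error) {
	digest := sha256.Sum256([]byte(CanonicalString(params)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Gateway is the verifying side: the public key exchanged with each app_id,
// plus the nonce cache that makes timestamp+nonce a real replay check.
type Gateway struct {
	PubKeys map[string]*rsa.PublicKey
	MaxSkew int64        // seconds the timestamp may differ from gateway time
	Now     func() int64 // injected clock, unix seconds
	seen    map[string]int64 // app_id|nonce -> ts; single-goroutine demo, a real gateway keeps this in Redis
}

// Verify checks the timestamp window, then the signature, then the nonce. The
// nonce is recorded only after the signature passes, so someone without the
// private key cannot fill the cache or burn a genuine caller's nonce.
func (g *Gateway) Verify(params map[string]string) error {
	pub, ok := g.PubKeys[params["app_id"]]
	if !ok {
		return errors.New("unknown app_id")
	}
	ts, err := strconv.ParseInt(params["timestamp"], 10, 64)
	if err != nil {
		return errors.New("bad timestamp")
	}
	now := g.Now()
	if ts < now-g.MaxSkew || ts > now+g.MaxSkew {
		return errors.New("timestamp outside accepted window")
	}
	if params["nonce"] == "" {
		return errors.New("missing nonce")
	}
	sig, err := base64.StdEncoding.DecodeString(params["sign"])
	if err != nil {
		return errors.New("bad sign encoding")
	}
	digest := sha256.Sum256([]byte(CanonicalString(params)))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature mismatch")
	}
	if g.seen == nil {
		g.seen = map[string]int64{}
	}
	key := params["app_id"] + "|" + params["nonce"]
	if _, dup := g.seen[key]; dup {
		return errors.New("replayed nonce")
	}
	g.seen[key] = ts
	// Entries older than the window can never pass the timestamp check again,
	// so drop them to keep the cache bounded.
	for k, t := range g.seen {
		if t < now-g.MaxSkew {
			delete(g.seen, k)
		}
	}
	return nil
}
```

The order of checks matters: the cheap timestamp test runs first, the signature is verified before the nonce is recorded, and the nonce cache is pruned by the same window the timestamp check uses, so the two mechanisms stay consistent. A gateway with several instances would have to share the nonce cache (the article's Redis is the natural place) rather than keep it in process memory as this example does.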

Database design

The database stores keys, permissions and other configuration, with a multi-level cache between the program and the database to speed up access. The brief ER diagram (not reproduced here) covers the following entities:

app: the caller, used to identify the requester.

group: a grouping of apps; permissions can be granted through a group.

subject: the party a permission is granted to, either an app or a group.

resource: maintains the mapping between requested resources and internal interfaces; url + http_method corresponds to a unique resource_id.
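The following is an added example that ties together the chain of responsibility from the overall design and the app/group/subject/resource model above: routing by method name through a resource table, authorisation of the resolved resource_id against grants made to the app or to one of its groups, and the gateway attaching the verified caller identity for the internal service to filter data by. It is not the article's own code (the author's gateway is Java/Spring WebFlux); it is written in Go with only the standard library. The handler shape, the "app:"/"group:" subject prefixes, the X-App-Id/X-Target names and all sample apps, groups, methods and URLs in DemoGateway are this example's own assumptions, and signature verification, which would be the first link of the chain, is left out here.

```go
package main

import (
	"errors"
	"fmt"
)

// Request is the gateway's view of one call once the common parameters are
// parsed; Resource is set by routing, Forwarded by the last handler.
type Request struct {
	AppID      string
	Method     string
	BizContent string
	Resource   *Resource
	Forwarded  map[string]string
}

// Resource mirrors the article's resource table: url + http_method map to
// a unique resource_id; the routing table keys resources by method name.
type Resource struct {
	ID         string
	URL        string
	HTTPMethod string
}

// Handler is one link of the chain of responsibility; a non-nil error stops
// the chain and the gateway rejects the request.
type Handler func(r *Request) error

// Chain runs handlers in order and stops at the first failure.
func Chain(handlers ...Handler) Handler {
	return func(r *Request) error {
		for _, h := range handlers {
			if err := h(r); err != nil {
				return err
			}
		}
		return nil
	}
}

// Router resolves the "method" common parameter through the routing table;
// the third party never learns the internal URL.
func Router(table map[string]*Resource) Handler {
	return func(r *Request) error {
		res, ok := table[r.Method]
		if !ok {
			return fmt.Errorf("unknown method %q", r.Method)
		}
		r.Resource = res
		return nil
	}
}

// Authz checks grants on the resolved resource_id. A grant goes to a subject,
// the app itself or one of its groups; prefixes keep the id spaces apart.
func Authz(groups map[string][]string, grants map[string]map[string]bool) Handler {
	return func(r *Request) error {
		if r.Resource == nil {
			return errors.New("authz must run after routing")
		}
		subjects := []string{"app:" + r.AppID}
		for _, g := range groups[r.AppID] {
			subjects = append(subjects, "group:"+g)
		}
		for _, s := range subjects {
			if grants[s][r.Resource.ID] {
				return nil
			}
		}
		return fmt.Errorf("app %s not authorised for resource %s", r.AppID, r.Resource.ID)
	}
}

// Forward is the last link: it attaches the verified caller identity for the
// internal service to filter by, rather than trusting an app_id inside biz_content.
func Forward() Handler {
	return func(r *Request) error {
		if r.Resource == nil {
			return errors.New("forward must run after routing")
		}
		r.Forwarded = map[string]string{
			"X-App-Id": r.AppID,
			"X-Target": r.Resource.HTTPMethod + " " + r.Resource.URL,
		}
		return nil
	}
}

// DemoGateway wires the chain with constructed sample tables (not from the
// article): app-1 gets order.query directly, app-2 via the partners group.
func DemoGateway() Handler {
	table := map[string]*Resource{
		"order.query": {ID: "r1", URL: "/internal/order/query", HTTPMethod: "GET"},
		"user.delete": {ID: "r2", URL: "/internal/user", HTTPMethod: "DELETE"},
	}
	grants := map[string]map[string]bool{"app:app-1": {"r1": true}, "group:partners": {"r1": true}}
	return Chain(Router(table), Authz(map[string][]string{"app-2": {"partners"}}, grants), Forward())
}
```

Because authorisation keys on resource_id rather than on a path prefix, a grant covers exactly one url + http_method pair, which is the finer granularity the interface design section argues for. In the author's design the tables behind Router and Authz live in the database behind the Redis and LoadingCache layers; here they are plain maps so the chain can be exercised offline.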

Technology selection

Besides the functional requirements, the gateway's performance has to be considered: as the single entry point for every business system, the gateway can become the bottleneck of the whole system. The business logic is simple and the performance requirement is high, so reactive programming is a good fit.

Spring WebFlux + Netty: reactive web framework.

Spring Data Reactive Redis + Lettuce: reactive Redis client.

Guava: Google's toolkit; its LoadingCache serves as the in-process cache.

The above is how to design and implement a lightweight open API gateway. The editor believes it contains points you may see or use in daily work and hopes you have learned something from it. For more details, please follow the industry information channel.
