Kong gateway API installation and deployment and application examples-cloud driving

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/03 Report--

Background introduction

Previously, the project's API interfaces went through a reverse proxy that we built ourselves with nginx. I felt that the functionality was poor, so I looked for another approach and found Kong as the API gateway service.

Working principle

Kong stores all the data describing the back-end interfaces in a Cassandra database and exposes only its own interfaces. This makes the back end much more transparent and convenient for front-end developers, and much easier for back-end operations and maintenance staff to manage.

System environment

system version: CentOS release 6.7 (Final)
kong version: 0.9.9
gcc version: 4.8.2 (GCC)
npm version: 3.8.6
node version: 5.11.1
python version: Python 2.7.8
cassandra version: dsc22.noarch
jdk version: > 1.7.25

Kong deployment

Installation

$ wget https://bintray.com/mashape/kong-rpm-el6-0.9.x/rpm -O bintray-mashape-kong-rpm-el6-0.9.x.repo
$ mv bintray-mashape-kong-rpm-el6-0.9.x.repo /etc/yum.repos.d/
$ yum install kong

Launch kong

$ kong start -c

Check whether Kong started normally. With the default configuration file unmodified, Kong cannot connect to PostgreSQL. Ignore that for now and continue with the Cassandra installation.

If Kong starts normally, it prints: [OK] Started

Listening port of kong:

8000: the proxy layer for API requests.
8001: the RESTful configuration management API.
8443: HTTPS proxy.
7946: used to communicate with other Kong nodes; supports TCP/UDP traffic.
7373: for local cluster agent communication.

Stop kong

$ kong stop

Reload kong

$ kong reload

Restart kong

$ kong restart

Cassandra deployment

I won't demonstrate the installation in detail here. Installing with yum works, and so does the portable (unpack-and-run) package. Java 1.7 or 1.8 is fine. Note that Cassandra 3.0 requires JDK 1.8. Here we install 2.x because that is the version Kong supports.

Add the yum source

vim /etc/yum.repos.d/datastax.repo

[datastax]
name = DataStax Repo for Apache Cassandra
baseurl = http://rpm.datastax.com/community
enabled = 1
gpgcheck = 0

Look up the package

yum search dsc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
=== N/S Matched: dsc ===
dsc1.1.noarch : Meta RPM for installation of the DataStax DSC platform
dsc12.noarch : Meta RPM for installation of the DataStax DSC platform
dsc20.noarch : Meta RPM for installation of the DataStax DSC platform
dsc21.noarch : Meta RPM for installation of the DataStax DSC platform
dsc22.noarch : Meta RPM for installation of the DataStax DSC platform
dsc30.noarch : Meta RPM for installation of the DataStax DSC platform

Although 3.0 is available, Kong currently supports only 2.2.x, so here I install version 2.2.

Install

yum install dsc22

Verify Cassandra

Running cqlsh at this point is expected to report the following error.

$ cqlsh
Traceback (most recent call last):
  File "/usr/bin/cqlsh.py", line 160, in <module>
    from cqlshlib import cql3handling, cqlhandling, pylexotron, sslhandling
ImportError: No module named cqlshlib

Python 2.7 deployment

cqlsh is a client-side query tool for Cassandra.

The cqlsh client tool requires Python 2.7. CentOS 6.x ships Python 2.6 by default, so here I install Python 2.7 separately.

First install the additional packages (SSL, bz2, zlib) that the Python build requires:

$ yum install -y zlib-devel bzip2-devel openssl-devel xz-libs wget

Download the Python 2.7 source package and install it

$ wget http://www.python.org/ftp/python/2.7.8/Python-2.7.8.tar.xz
$ xz -d Python-2.7.8.tar.xz
$ tar -xvf Python-2.7.8.tar
$ cd Python-2.7.8
$ ./configure --prefix=/usr/local
$ make
$ make altinstall

Check the Python version and repair yum

$ python2.7 -V
Python 2.7.8
$ mv /usr/bin/python /usr/bin/python2.6.6
$ ln -s /usr/local/bin/python2.7 /usr/bin/python

Change the yum environment

Because yum uses Python 2.6, the yum script has to be pointed back at it, otherwise yum will no longer work.

$ which yum
/usr/bin/yum
# In the yum script, change the first line from #!/usr/bin/python to #!/usr/bin/python2.6

Install pip

$ curl https://bootstrap.pypa.io/get-pip.py | python2.7

To fix the cqlsh error, run the following steps. They may take a long time; I suggest you wait patiently.

$ pip install cqlshlib
$ pip install cql
$ pip install cassandra-driver
$ pip install cqlsh

Test the database again

$ cqlsh
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 2.2.8 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
cqlsh> create schema testschema
   ... with replication = {'class':'SimpleStrategy', 'replication_factor':1};
cqlsh> describe keyspaces;
system  testschema  system_traces
cqlsh> use testschema;
cqlsh:testschema> create table user (
              ... user_id varchar primary key,
              ... first varchar,
              ... last varchar,
              ... age int
              ... );
cqlsh:testschema> insert into user (user_id, first, last, age) values ('rfroncois', 'ronn', 'francois', 20);
cqlsh:testschema> select * from user;

 user_id   | age | first | last
-----------+-----+-------+----------
 rfroncois |  20 | ronn  | francois

Kong configuration

The editor found a total of three configuration files for Kong:

/etc/kong/kong.conf.default
/usr/local/kong/kong.conf
/usr/local/share/lua/5.1/kong/templates/kong_defaults.lua

At the beginning, after installing the database and Kong, the editor changed the database type in /etc/kong/kong.conf.default to cassandra before starting Kong, but startup still failed trying to connect to the PostgreSQL database, and the modified configuration file was reset every time the Kong service was restarted. It's really weird. I guess this configuration file is not the main configuration file.

/usr/local/share/lua/5.1/kong/templates/kong_defaults.lua -> main configuration file, so let's take a look at the details of this file.

return [[
-- installation path
prefix = /usr/local/kong/
-- log level
log_level = notice
-- default plug-ins
custom_plugins = NONE
-- sends anonymous usage data, such as error stack traces, to help improve Kong. Default: on
anonymous_reports = on
-- listening address, the address clients access. Default: 0.0.0.0:8000
proxy_listen = 0.0.0.0:8000
-- if ssl is enabled, the address and port on which https requests are accepted. Default: 0.0.0.0:8443
proxy_listen_ssl = 0.0.0.0:8443
-- the address of the management interface. It is necessary to keep it secret. Default: 0.0.0.0:8001
admin_listen = 0.0.0.0:8001
-- the number of nginx worker processes. If not set, it is detected automatically; the default auto equals the number of cpu cores. Default: auto
nginx_worker_processes = auto
nginx_optimizations = on
-- determines whether nginx runs as a daemon or as a foreground process. Default: on
nginx_daemon = on
-- the memory cache size for database entities. Accepted units are k and m; the minimum recommended value is a few MB. Default: 128m
mem_cache_size = 128m
-- determines whether nginx should listen for https traffic on the proxy_listen_ssl address. If disabled, nginx binds only on proxy_listen and all ssl settings are ignored. Default: on
ssl = off
-- if ssl is enabled, the absolute path to the ssl certificate for the proxy_listen_ssl address. If not specified and ssl is enabled, Kong generates a default certificate and key. Default: NONE
ssl_cert = NONE
-- if ssl is enabled, the absolute path to the ssl key for the proxy_listen_ssl address. Default: NONE
ssl_cert_key = NONE
-- determines whether the node uses postgresql or cassandra as its datastore. The accepted database types are postgres and cassandra. All Kong nodes belonging to the same cluster must connect to the same database. Default: postgres
database = cassandra
-- host of the postgres server
pg_host = 127.0.0.1
-- port of the postgres server
pg_port = 5432
-- database to connect to. It must exist.
pg_database = kong
-- postgres user
pg_user = kong
-- postgres user password
pg_password = NONE
-- enable SSL to connect to the server
pg_ssl = off
-- if pg_ssl is enabled, toggles server certificate verification
pg_ssl_verify = off
-- comma-separated list of contact points for your cassandra cluster
cassandra_contact_points = 127.0.0.1
-- the port your nodes are listening on
cassandra_port = 9042
-- the keyspace to use in your cluster. If it does not exist, it will be created.
cassandra_keyspace = kong
-- if the keyspace is being created for the first time, specifies the replication strategy
cassandra_repl_strategy = SimpleStrategy
-- specifies the replication factor for the simple strategy
cassandra_repl_factor = 1
-- specifies the data centers for the network topology strategy
cassandra_data_centers = dc1:2,dc2:3
-- the consistency setting used when reading from / writing to the cassandra cluster
cassandra_consistency = ONE
-- read / write timeout in milliseconds
cassandra_timeout = 5000
-- enable ssl to connect to the nodes
cassandra_ssl = off
-- if cassandra_ssl is enabled, toggles server certificate verification
cassandra_ssl_verify = off
-- username
cassandra_username = kong
-- password
cassandra_password = NONE
cluster_listen = 0.0.0.0:7946
cluster_listen_rpc = NONE
cluster_encrypt_key = NONE
cluster_profile = wan
cluster_ttl_on_failure = 3600
dnsmasq = on
dnsmasq_port = 8053
dns_resolver = NONE
-- when disabled, each request runs in a separate lua virtual machine instance: all lua modules are loaded from scratch. This is useful when developing plug-ins with an edit-and-refresh approach. According to the official documentation, turning this directive off has a serious impact on performance, and it is removed after 0.11.0.
lua_code_cache = on
-- absolute path to the certificate authority file, in pem format, for lua cosockets. When pg_ssl_verify or cassandra_ssl_verify is enabled, this certificate is used to verify Kong's database connection.
lua_ssl_trusted_certificate = NONE
-- sets the verification depth in the server certificate chain used by lua cosockets, as set by lua_ssl_trusted_certificate
lua_ssl_verify_depth = 1
-- sets the lua module search path (lua_path). Useful when developing or using custom plug-ins that are not stored in the default search path.
lua_package_path = ?/init.lua;./kong/?.lua
-- sets the lua c module search path (lua_cpath)
lua_package_cpath = NONE
serf_path = serf
]]

Start Kong again to see if it still reports an error

[root@localhost templates]# kong start
Kong started

Kong operation demonstration on the command line

1) port 8000: the port on which clients call the API; the gateway opens this port to the public. For example, if you create a new api with access path /test, you can access http://10.110.2.3:8000/test

2) port 8001: the Kong admin API management port, through which you can manage api, consumer and plugin objects. For example, to view the configuration of the api called test, access http://10.110.2.3:8001/apis/test. To view all api information, access http://10.110.2.3:8001/apis

3) Kong management platform: access http://10.110.2.3:8888/#/. Opening this port requires installing kong dashboard. Through this port, you can manage api, consumer, plugin, and so on in a graphical interface.
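The listing above keeps the management interface on 0.0.0.0:8001 while noting that it must be kept secret, and it leaves ssl, the Cassandra connection and the cluster key at their weakest values. The following check is an added example, not part of Kong or of the original article: it parses such a configuration and reports those settings, then shows the same configuration with them corrected. The function names and the placeholder secrets are assumptions made for the example.

```python
import re

# Constructed sample: the security-relevant keys from the listing above, with the page's values.
PAGE_CONF = """
-- the address of the management interface
admin_listen = 0.0.0.0:8001
proxy_listen = 0.0.0.0:8000
ssl = off
database = cassandra
pg_password = NONE
cassandra_ssl = off
cassandra_ssl_verify = off
cassandra_username = kong
cassandra_password = NONE
cluster_listen = 0.0.0.0:7946
cluster_encrypt_key = NONE
"""

def parse_kong_conf(text):
    """Collect 'key = value' lines; blank lines and '--' or '#' comment lines do not match."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def datastore_prefix(conf):
    """'pg' or 'cassandra', following the database key (default: postgres)."""
    return "pg" if conf.get("database", "postgres") == "postgres" else "cassandra"

def audit(conf):
    """Return (key, finding) pairs; missing keys fall back to the defaults in the listing."""
    out = []
    host = conf.get("admin_listen", "0.0.0.0:8001").rsplit(":", 1)[0]
    if host in ("0.0.0.0", "[::]"):
        out.append(("admin_listen", "management API is reachable on every interface"))
    if conf.get("ssl", "on") == "off":
        out.append(("ssl", "proxy is HTTP only, so apikey values travel in clear text"))
    db = datastore_prefix(conf)
    if conf.get(db + "_password", "NONE") == "NONE":
        out.append((db + "_password", "no datastore password configured"))
    if conf.get(db + "_ssl", "off") == "off":
        out.append((db + "_ssl", "datastore connection is not encrypted"))
    elif conf.get(db + "_ssl_verify", "off") == "off":
        out.append((db + "_ssl_verify", "datastore certificate is not verified"))
    if conf.get("cluster_encrypt_key", "NONE") == "NONE":
        out.append(("cluster_encrypt_key", "traffic between Kong nodes is not encrypted"))
    return out

def harden(conf):
    """Return a copy with the flagged values corrected (secrets are placeholders)."""
    db = datastore_prefix(conf)
    fixed = dict(conf, admin_listen="127.0.0.1:8001", ssl="on",
                 cluster_encrypt_key="BASE64_KEY_PLACEHOLDER")
    fixed.update({db + "_password": "SECRET_PLACEHOLDER",
                  db + "_ssl": "on", db + "_ssl_verify": "on"})
    return fixed

if __name__ == "__main__":
    conf = parse_kong_conf(PAGE_CONF)
    for key, finding in audit(conf):
        print("%-22s %s" % (key, finding))
    print("after hardening:", audit(harden(conf)))
```

As the listing notes, enabling cassandra_ssl_verify also requires lua_ssl_trusted_certificate to point at the CA file, and the Cassandra side must be configured for SSL and authentication to match.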

Adding an API to Kong

The access path of the original API call:

http://192.168.1.100:5105/notice/getNotice

Statement to add a call rule:

# --url specifies the local Kong admin address

# -d name specifies the rule name of the added api

# -d upstream_url specifies the host and port of the original api

# -d request_path specifies the request path

curl -i -X POST --url http://localhost:8001/apis/ -d 'name=getAannouncementList' -d 'upstream_url=http://192.168.1.100:5105/' -d 'request_path=/notice/getNotice'

curl -i -X POST --url http://localhost:8001/apis/ -d 'name=testapi' -d 'upstream_url=http://192.168.1.100:5105/' -d 'request_path=/notice/getNotice'

Access URL after adding the api rule:

http://192.168.5.250:8000/notice/getNotice

User authentication settings for an access rule

Statement syntax:

# --url identifies the access rule to configure: apis/ is followed by the name set when the api rule was added above; the rest is a fixed format.

# --data name sets the access control plugin (key-auth)

curl -i -X POST --url http://192.168.5.250:8001/apis/getAannouncementList/plugins/ --data 'name=key-auth'

curl -i -X POST --url http://192.168.5.250:8001/apis/testapi/plugins/ --data 'name=key-auth'

Add a user:

Statement syntax:

# --url uses a fixed format

# --data username sets the user name to add

curl -i -X POST --url http://192.168.5.250:8001/consumers/ --data "username=inhomeApp"

curl -i -X POST --url http://192.168.5.250:8001/consumers/ --data "username=test"

Add a credential (key) for the consumer:

Statement syntax:

# --url: the second-to-last path segment is the user name being granted the key

# --data key sets the key (password)

curl -i -X POST --url http://192.168.5.250:8001/consumers/inhomeApp/key-auth/ --data 'key=inhomeApp_randomNum123456'

curl -i -X POST --url http://192.168.5.250:8001/consumers/test/key-auth/ --data 'key=test_randomNum123456'

Access the api with the key:

curl -i -X GET --url http://192.168.5.250:8000/notice/getNotice --header "Host: 192.168.5.250:8000" --header "apikey: test_randomNum123456"

Or

http://192.168.5.250:8000/notice/getNotice?apikey=test_randomNum123456

Delete an api rule

curl -i -X DELETE --url http://192.168.5.250:8001/apis/getAannouncementList

View all api rule information for kong

http://192.168.5.250:8001/apis

Set up kong UI Admin and configure node

Download the portable (unpack-and-run) build of node, version 5.11.1

https://nodejs.org/en/blog/release/v5.11.1/

After decompression, append the bin directory in node to the PATH environment variable.

Upgrade GCC to version 4.8

Download the 4.8 source package and extract it

wget http://ftp.gnu.org/gnu/gcc/gcc-4.8.2/gcc-4.8.2.tar.bz2
tar -jxvf gcc-4.8.2.tar.bz2

Of course, all gcc versions are available for download at http://ftp.gnu.org/gnu/gcc, and the latest version is already 4.9.2.

Download dependencies for compiling requirements

Reference [1] says: this magical script file will help us download, configure and install dependent libraries, which can save us a lot of time and energy.

cd gcc-4.8.2
./contrib/download_prerequisites

Create a directory to hold the compiled files

mkdir gcc-build-4.8.2
cd gcc-build-4.8.2

Generate the Makefile

../configure --enable-checking=release --enable-languages=c,c++ --disable-multilib

Compile (Note: this step is very time-consuming)

make -j4

The -j4 option lets make run jobs in parallel on a multicore processor. If it does not succeed, use plain make.

Error

/home/imdb/gcc-4.8.2/gcc-build-4.8.2/x86_64-unknown-linux-gnu/32/libgcc'
make[4]: *** [multi-do] error 1
make[4]: Leaving directory `/home/imdb/gcc-4.8.2/gcc-build-4.8.2/x86_64-unknown-linux-gnu/libgcc'
make[3]: *** [all-multi] error 2
make[3]: *** waiting for unfinished tasks....
make[3]: Leaving directory `/home/imdb/gcc-4.8.2/gcc-build-4.8.2/x86_64-unknown-linux-gnu/libgcc'
make[2]: *** [all-stage1-target-libgcc] error 2
make[2]: Leaving directory `/home/imdb/gcc-4.8.2/gcc-build-4.8.2'
make[1]: *** [stage1-bubble] error 2
make[1]: Leaving directory `/home/imdb/gcc-4.8.2/gcc-build-4.8.2'
make: *** [all] error 2

Solution: sudo yum -y install glibc-devel.i686 glibc-devel

Installation

sudo make install

Install Kong Dashboard

Official document https://github.com/PGBI/kong-dashboard

It contains one thing that is very important. The editor fell into this pit three times before getting past it.

Compatibility matrix

Kong-Dashboard versions | Kong versions              | Node versions
1.x.x                   | 0.6.x, 0.7.x, 0.8.x, 0.9.x |
2.x.x                   | 0.10.x                     |
3.x.x                   | 0.9.x, 0.10.x, 0.11.x      | >= 6.0.0

Command line install

Install Kong Dashboard

npm install -g kong-dashboard@v1

Start Kong Dashboard

kong-dashboard start

To start Kong Dashboard on a custom port

kong-dashboard start -p [port]

To start Kong Dashboard with basic auth

kong-dashboard start -a user=password

Started the following way, it runs in the background, and the process keeps running after the terminal is disconnected:

nohup kong-dashboard start -p 8080 -a xin=sir > kong-dashboard.log &

Source code installation

Download the code

git clone https://github.com/PGBI/kong-dashboard.git
cd kong-dashboard
git checkout 1.0

Build

npm install
npm run build

Start

npm start

Start on a custom port or with basic auth

npm start -- [-p port] [-a user=password]

Configure kong UI admin

Visit UI Admin

http://192.168.5.250:8080/#/

Configure UI Admin

If Kong has a user name and password, select Basic auth, and configure the address (the management address of Kong; the default is http://kong server machine or bound domain name:8001). Do not append a trailing "/" to the address (as shown below), otherwise a prompt such as "not found api" appears when you click API. Of course, also make sure that the Kong server is running properly.

Create API

When adding an API and then using it, note the following: if the API is matched by its request path, you need to check strip-request path. If it is matched by the request host in the header, the request must include X-Host-Override post.demo (i.e. the request host) in the header.

Visit kong:8000/version/getVersion and you can see what you want to see.

Set up permission authentication for an api

Create a user

Access url through key

http://192.168.5.250:8000/notice/getNotice?testname=keyauth

Unsurprisingly, you see what you want to see.

Blacklist and whitelist settings

Set the rate-limiting policy

Configurable items:

Year: year

Month: month

Day: day

Minute: minutes. Here we configure 3, which means no more than 3 calls per minute.

Second: seconds

Dimensions over which the call frequency is counted: month / day / minute / second. If several dimensions are configured, they all take effect at the same time.

Verification: send requests repeatedly within one minute; the fourth request returns an error

{

"message": "API rate limit exceeded"

}

Rate-limit rules can be set per year, month, day, hour, minute and second, and multiple limits take effect at the same time.

For example: no more than 10 calls per day, no more than 3 calls per minute.

When you make more than three calls in one minute, the fourth call returns an error.

When you make more than 10 calls in one day, the eleventh call returns an error.
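A small model of the limits described above, added here as an illustration and not Kong's plugin code. It assumes fixed, calendar-aligned windows and that a refused call consumes no quota, and it replays the page's policy of 3 per minute and 10 per day, including a burst across a minute boundary that the per-minute limit does not stop. All names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Start of the current window per dimension (calendar-aligned fixed windows: an assumption of this model).
WINDOW_START = {
    "second": lambda t: t.replace(microsecond=0),
    "minute": lambda t: t.replace(second=0, microsecond=0),
    "hour":   lambda t: t.replace(minute=0, second=0, microsecond=0),
    "day":    lambda t: t.replace(hour=0, minute=0, second=0, microsecond=0),
    "month":  lambda t: t.replace(day=1, hour=0, minute=0, second=0, microsecond=0),
    "year":   lambda t: t.replace(month=1, day=1, hour=0, minute=0, second=0, microsecond=0),
}

class FixedWindowLimiter:
    def __init__(self, **limits):
        unknown = set(limits) - set(WINDOW_START)
        if unknown:
            raise ValueError("unknown dimension(s): %s" % sorted(unknown))
        self.limits = limits
        self.counts = {}            # (dimension, window start) -> calls accepted

    def allow(self, now):
        """Return (True, None), or (False, dimension) for the first limit that refuses."""
        keys = {dim: (dim, WINDOW_START[dim](now)) for dim in self.limits}
        for dim, key in keys.items():
            if self.counts.get(key, 0) >= self.limits[dim]:
                return False, dim   # every configured dimension must have room
        for key in keys.values():
            self.counts[key] = self.counts.get(key, 0) + 1
        return True, None

def replay(limits, times):
    """Run a fresh limiter over a list of call times and return each decision."""
    limiter = FixedWindowLimiter(**limits)
    return [limiter.allow(t) for t in times]

PAGE_LIMITS = {"minute": 3, "day": 10}      # the policy from the text
T0 = datetime(2025, 1, 16, 12, 0, 0)        # constructed start time

def four_in_one_minute():
    return replay(PAGE_LIMITS, [T0 + timedelta(seconds=10 * i) for i in range(4)])

def three_per_minute_for_four_minutes():
    return replay(PAGE_LIMITS, [T0 + timedelta(minutes=m, seconds=s)
                                for m in range(4) for s in range(3)])

def burst_across_minute_boundary():
    # 3 calls at 12:00:57-59 and 3 more at 12:01:00-02: six calls in six seconds.
    return replay(PAGE_LIMITS, [T0 + timedelta(seconds=s) for s in (57, 58, 59, 60, 61, 62)])

if __name__ == "__main__":
    print("4 calls in one minute:    ", four_in_one_minute())
    print("3 per minute, 4 minutes:  ", three_per_minute_for_four_minutes())
    print("burst over minute boundary:", burst_across_minute_boundary())
```

The last case is the one to keep in mind when sizing limits for a sensitive endpoint: with fixed windows, a client can make up to twice the per-minute limit around a window boundary, so a finer dimension such as second is what bounds short bursts.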

Set access permissions for kong-dashboard

Startup mode:

[root@Kong]# kong-dashboard start -a xinsir=521

Troubleshooting

Problem 1:

When installing from source code, accessing port 8080 after startup may return Not Found. This is mostly because the npm build step was not run.

Problem 2:

After the Cassandra database is started, it goes down again by itself, and the error in the log says that the JDK needs to be greater than 1.7.25. Upgrading the JDK fixes this.

Kong service monitoring

/status

{
  "server": {                        // metrics about the nginx http/s server
    "connections_handled": 2588,     // total number of connections handled; in general the same as the accepted value unless a resource limit is reached
    "connections_reading": 0,        // current number of connections where Kong is reading the request header
    "connections_active": 4,         // current number of active client connections, including waiting connections
    "total_requests": 2585,          // total number of client requests
    "connections_accepted": 2588,    // total number of client connections accepted
    "connections_writing": 1,        // current number of connections where nginx is writing the response back to the client
    "connections_waiting": 3         // current number of idle client connections waiting for a request
  },
  "database": {                      // metrics about database collections
    "oauth2_credentials": 0,
    "jwt_secrets": 0,
    "response_ratelimiting_metrics": 0,
    "keyauth_credentials": 0,
    "oauth2_authorization_codes": 0,
    "acls": 0,
    "apis": 1,
    "basicauth_credentials": 0,
    "consumers": 0,
    "ratelimiting_metrics": 0,
    "oauth2_tokens": 0,
    "nodes": 1,
    "hmacauth_credentials": 0,
    "plugins": 0
  }
}

/cluster

Retrieves the cluster status; returns information for each node in the cluster.

{
  "data": [
    {
      "address": "192.168.1.205 Kong_0.0.0.0:7946_a102f6e6cede4540b1cc6a7a46276986",   // node address
      "name": "Kong_0.0.0.0:7946_a102f6e6cede4540b1cc6a7a46276986",   // node name
      "status": "alive"   // node status
    }
  ],
  "total": number of nodes
}

Use zabbix to obtain parameters for page monitoring.

Safely call the api interface using https mode

First go to Aliyun to buy a free SSL certificate.

Find security (Cloud Shield) in the product and select the SSL certificate

Select purchase Certificate

Choose Symantec's free SSL certificate, which is valid for 1 year.

Get a pem certificate and key file after purchase

The ssl directory under the Kong directory contains a default self-signed certificate and key, which is not safe. After backing them up, put the pem and key files downloaded from Aliyun into ssl, change the pem suffix to crt, and rename the files to the default name kong-default.

Modify the nginx-kong.conf file

Restart kong and nginx

The api path set previously was

http://192.168.5.250:8000/notice/getNotice

After configuring https, it is (with the domain name bound)

https://api.example.com:8443/notice/getNotice
