2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Starting from the current state and problems of the microservice gateway (API Gateway) in a trading system with traffic on the order of 10 billion, this article explains the relationship between microservice architecture and the API gateway, sorts out how traffic gateways and service gateways relate to each other, and shares knowledge and experience of API gateways.
Overview of API Gateway
"Any problem in computer science can be solved by adding an indirect middle tier."
-- David Wheeler
Request access: as the access point for all API interface service requests, manage all access requests.
Business aggregation: as the aggregation point for all back-end business services, all business services can be invoked here.
Mediation strategy: implement security, authentication, routing, filtering, flow control, caching and other strategies, and carry out some necessary mediation processing.
Unified management: provides configuration management tools to manage the invocation life cycle of all API services and the corresponding mediation policies.
3. Concerns of API Gateway
The API gateway is not a typical business system, but an intermediate layer that provides more additional capabilities to API services in order to make the business system focus on the business service itself.
There are two goals to consider when designing and implementing API gateways:
(1) Simple development and maintenance, saving manpower cost and maintenance cost. That is, we should choose a mature, simple and maintainable technology stack.
(2) High performance, save equipment cost and improve system throughput. It requires us to make some specific designs and tradeoffs according to the characteristics of the API gateway.
When the concurrency is small, none of this is a problem. Once the API traffic of the system is very large, these will become key issues.
The three most important concerns of massively concurrent API gateways:
(1) Maintain the ability to accept inbound requests at large scale (long and short connections), for example with an implementation based on Netty.
(2) Maximize the reuse of outbound HTTP connections, for example with an asynchronous HttpClient implementation based on HttpClient4.
(3) Implement policies such as security, verification, filtering, aggregation, rate limiting and monitoring conveniently and flexibly.
Classification and Technical Analysis of API Gateway
1. Classification of API gateways
If you think more deeply about the above goals and concerns, then all the issues and functions that need to be considered can be divided into two categories.
One is global, which has nothing to do with specific back-end business systems and services, such as security policy, global flow control policy, traffic distribution policy and so on.
One is for the specific back-end business system, or the part where the service and the business have a certain relevance, and are generally deployed directly in front of the business service.
With the development of complex business systems of the Internet, these two types of functions have gradually formed two common gateway systems: traffic gateways and service gateways, as shown in figure 7-5.
Figure 7-5
2. Traffic Gateway and WAF
We call a policy gateway that is global and unrelated to specific back-end business systems and services a traffic gateway. The traffic gateway is therefore concerned with the stability and security of global traffic, such as preventing all kinds of SQL injection, blacklist and whitelist control, and load balancing of access requests to the business system. It usually has the following general features:
Global flow control
Log statistics
Prevent SQL injection
Prevent Web attacks
Shielding tool scan
Blacklist and whitelist control.
From this feature list we can see that the functions of the traffic gateway are very similar to those of a Web Application Firewall (WAF). A WAF is generally a Web application firewall developed on the ngx_lua module of Nginx/OpenResty.
A typical WAF's code is simple, with the emphasis on ease of use, high performance and light weight. Put simply, it adds security-related functions on top of Nginx's own proxy capabilities. Its principle can be described in one sentence: parse the HTTP request (protocol parsing module), match it against rules (rule module), take the corresponding defensive action (action module), and record the defense process (log module).
A general WAF has the following functions:
Prevent SQL injection, partial overflow, fuzzing testing, XSS/SSRF and other Web attacks
Prevent attacks from stress testing tools such as Apache Bench
Block common hacking and scanning tools, such as scanners
Deny execute permission on image and attachment directories and prevent webshell upload.
Support IP whitelist and blacklist functions, and directly deny access from blacklisted IPs
Support URL whitelist and define URL that does not need filtering
Support User-Agent filtering, support CC attack protection, and limit the number of visits to a single URL at a specified time
Support for Cookie filtering, URL and URL parameter filtering
Logging is supported and all rejected operations are recorded in the log.
The WAF description above is mainly based on the following two projects:
https://github.com/unixhot/waf
https://github.com/loveshell/ngx_lua_waf
For an open source example of a traffic gateway, see also the well-known open source project Kong (based on OpenResty).
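The four WAF modules described above (protocol parsing, rules, action, log), sketched as an added Python example; it is not code from the two projects listed or from Kong. The class name Waf, the rule values and the IP addresses are constructed for illustration, and the CC protection is implemented here as a sliding window per client IP and URL path.

```python
import re
import time
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample rules; a real deployment loads these from rule files.
IP_WHITELIST = {"10.0.0.5"}
IP_BLACKLIST = {"203.0.113.9"}
URL_WHITELIST = [re.compile(r"^/health$")]
UA_RULES = [re.compile(r"ApacheBench|sqlmap|nikto", re.I)]
ARG_RULES = [re.compile(r"union\s+select", re.I), re.compile(r"<script\b", re.I)]
CC_LIMIT, CC_WINDOW = 3, 60  # max requests per (IP, path) within CC_WINDOW seconds


class Waf:
    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so the window can be tested
        self.hits = defaultdict(list)   # (ip, path) -> request timestamps
        self.log = []                   # log module: one record per rejection

    def _deny(self, ip, url, rule):
        # Action module (reject with 403) plus log module.
        self.log.append({"ts": self.clock(), "ip": ip, "url": url, "rule": rule})
        return 403, rule

    def check(self, ip, url, user_agent=""):
        # Protocol parsing module: split the path and percent-decode the query,
        # so encoded payloads are matched in their decoded form.
        parts = urlsplit(url)
        args = parse_qsl(parts.query, keep_blank_values=True)
        # Rule module: allow/deny lists first, then content rules.
        if ip in IP_WHITELIST:
            return 200, "ip-whitelist"
        if ip in IP_BLACKLIST:
            return self._deny(ip, url, "ip-blacklist")
        if any(r.search(parts.path) for r in URL_WHITELIST):
            return 200, "url-whitelist"
        if any(r.search(user_agent) for r in UA_RULES):
            return self._deny(ip, url, "user-agent")
        for name, value in args:
            if any(r.search(name) or r.search(value) for r in ARG_RULES):
                return self._deny(ip, url, "args")
        # CC protection: sliding window of hits per client IP and URL path.
        now, key = self.clock(), (ip, parts.path)
        recent = [t for t in self.hits[key] if now - t < CC_WINDOW]
        if len(recent) >= CC_LIMIT:
            self.hits[key] = recent
            return self._deny(ip, url, "cc")
        self.hits[key] = recent + [now]
        return 200, "pass"


if __name__ == "__main__":
    waf = Waf()
    print(waf.check("198.51.100.7", "/item?id=1%20UNION%20SELECT%20pw", "Mozilla/5.0"))
    print(waf.log)
```

Because the IP whitelist is evaluated first, a whitelisted address bypasses every later rule, so that list should contain only hosts that are fully trusted.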
3. Service gateway
We call a policy gateway that targets a specific back-end business system, or whose services are tied to the business in some way, a service gateway (business gateway). Examples are the flow control policy for a particular system, service or user category, the caching policy for a certain type of service, the authorization verification method for a specific system, request filtering based on certain user conditions, data aggregation and encapsulation for a specific API, and so on.
The service gateway is generally deployed behind the traffic gateway and in front of the business system, which is closer to the business system than the traffic gateway. In most cases, the API gateway, in a narrow sense, refers to the service gateway. If the scale of the system is small, we will combine the two into one and use a gateway to handle all the work.
Analysis and Investigation of Open Source Gateways
Introduction of common open source gateways
Common open source gateways are shown in figure 7-6.
Figure 7-6
At present, the common open source gateways are generally classified into the following categories according to language.
Nginx+Lua: OpenResty, Kong, Orange, ABTestingGateway, etc.
Java: Zuul/Zuul 2, Spring Cloud Gateway, Kaazing KWG, gravitee, Dromara soul, etc.
Go: Janus, fagongzi, gRPC-Gateway
.NET: Ocelot
Node.js: Express Gateway, MicroGateway.
Judged by scope of use, maturity and so on, there are four mainstream gateways: OpenResty, Kong, Zuul/Zuul 2 and Spring Cloud Gateway. In addition, the fagongzi API gateway has also received a lot of attention recently.
1. Nginx+Lua gateway
OpenResty
Project address: http://openresty.org/
OpenResty is based on Nginx and integrates Lua, various Lua libraries and available third-party modules, so that we get the dynamic extensibility of Lua on top of Nginx's existing efficient HTTP processing. We can therefore write whatever Lua scripts we need and build the gateway system on them.
Kong
Project address: https://konghq.com/ and https://github.com/kong/kong
Based on OpenResty, Kong is a cloud-native, fast, scalable, distributed microservice abstraction layer (Microservice Abstraction Layer), also known as an API gateway (API Gateway), or API middleware (API Middleware) in a Service Mesh.
Kong was open-sourced in 2015, and its core value lies in its high performance and scalability. According to statistics on the global top 5000 organizations, Kong is the most widely used gateway in production environments that is still being maintained.
The core advantages are as follows.
Scalable: horizontal scaling can be easily achieved by adding nodes, which means that large system loads can be supported with very low latency.
Modularity: the capabilities of Kong can be extended by adding new plug-ins that can be installed and configured through RESTful Admin API.
Run on any infrastructure: Kong can run anywhere, such as deploying Kong in a cloud or hybrid environment, or a single / global data center.
ABTestingGateway
Project address: https://github.com/CNSRE/ABTestingGateway
ABTestingGateway is a gateway that can set traffic-splitting policies dynamically and focuses on grayscale release. It is developed on Nginx and ngx-lua and uses Redis as the traffic-splitting policy database, which makes dynamic scheduling possible.
ABTestingGateway is part of Sina Weibo's internal dynamic routing system, dygateway, and is now open source. In earlier grayscale systems based on Nginx, the traffic-splitting logic was often implemented with if and rewrite directives in the rewrite phase. The advantage is high performance, but the disadvantages are limited functionality, error-proneness, and fixed forwarding rules that allow only static splitting. ABTestingGateway uses ngx-lua. By using lua-shared-dict and lua-resty-lock as the system cache and cache lock, the system achieves performance close to that of native Nginx forwarding.
The functional features are as follows.
Multiple traffic-splitting methods are supported, including iprange, uidrange, uid suffix and specified uid.
Multi-level splitting is supported, and the splitting policy is set dynamically and takes effect immediately without a restart.
Extensibility: a development framework is provided, so developers can flexibly add new splitting methods through secondary development.
High performance, stress test data close to native Nginx forwarding
The grayscale system configuration is written in the Nginx configuration file, which is convenient for administrators to configure.
Suitable for a variety of scenarios: grayscale release, AB testing and load balancing.
It is understood that Oceanus inside Meituan is also implemented based on Nginx and ngx-lua extensions, which mainly provides functions such as service registration and discovery, dynamic load balancing, visual management, customized routing, security anti-scraping, Session ID reuse, circuit breaker degradation, one-click closure and performance statistics.
2. Gateway based on Java language
Zuul/Zuul2
Project address: https://github.com/Netflix/zuul
Zuul is Netflix's open source API gateway system. Its main design goals are dynamic routing, monitoring, resiliency and security.
The internal principle of Zuul can be seen simply as a collection of many filters with different functions (by comparison, an ESB can also be seen as a collection of pipes and filters). These filters can be written in Groovy or another JVM-based scripting language (and of course in Java), placed in a specified location, and then polled by Zuul Server, which loads them dynamically when it detects changes so that they take effect in real time. Zuul currently has two versions, 1.x and 2.x, which are very different.
Zuul 1.x is based on synchronous I/O. It is also part of the Spring Cloud family and can be easily configured and used with Spring Boot/Spring Cloud.
In Zuul 1.x, the types and processing flow of Filters are shown in figure 7-7. The most important filters are pre, routing, and post, which act on request processing before calling the business service API, direct response, and response processing after calling the business service API, respectively.
The biggest improvement in Zuul 2.x is that it handles inbound requests with asynchronous I/O based on Netty Server and sends requests to back-end business service APIs with Netty Client. This allows for higher performance and lower latency. The Filter types were also adjusted: the original three core Filters are explicitly named Inbound Filter, Endpoint Filter, and Outbound Filter, as shown in figure 7-8.
Figure 7-7
Figure 7-8
Core functions of Zuul 2.x: service discovery, load balancing, connection pooling, state classification, retry, request credentials, HTTP/2, TLS, proxy protocol, GZip, WebSocket.
SpringCloud Gateway
Project address: https://github.com/spring-cloud/spring-cloud-gateway/
Spring Cloud Gateway is based on Java 8, Spring 5.0, Spring Boot 2.0, and Project Reactor. It was developed earlier than Zuul 2 and is now part of the Spring Cloud family.
Spring Cloud Gateway can be seen as an upgrade and replacement of Zuul 1.x. It adopted Netty for asynchronous I/O earlier than Zuul 2, resulting in a simple API gateway that is more efficient than Zuul 1.x and works closely with Spring Cloud.
There is a clear distinction between Router and Filter in Spring Cloud Gateway, with a lot of out-of-the-box features that can be used through Spring Boot configuration or hand-coded chained calls.
For example, there are 10 kinds of Router built in, which can be directly configured to route according to Header, Path, Host or Query.
Core features:
Match the route through the request parameter
Routing through assertions and filters
Integration with the Hystrix circuit breaker
Integrate with Spring Cloud DiscoveryClient
It is very convenient to implement assertions and filters
Request rate limiting
Path rewriting.
GraviteeGateway
Project address: https://gravitee.io/ and https://github.com/gravitee-io/gravitee-gateway
KaazingWebSocket Gateway
Project address: https://github.com/kaazing/gateway and https://kaazing.com/products/websocket-gateway/
Kaazing WebSocket Gateway is a gateway dedicated to WebSocket and claims to provide world-class enterprise-class WebSocket service capabilities. The specific features are as follows:
Standard WebSocket support for full-duplex two-way data delivery
Linear scaling, stateless architecture means that more machines can be deployed to expand service capabilities
Authentication, authorization, single sign-on support, cross-domain access control
SSL/TLS encryption support
WebSocket keepalive and TCP half-open and half-closed detection
High availability through load balancing and clustering
Docker support
Support such as JMS/AMQP
IP whitelist
Automatic reconnection and reliable message acceptance guarantee
Fanout processing strategy
Real-time cache and so on.
Dromara soul
Project address: https://github.com/Dromara/soul.
Soul is an asynchronous, high-performance, cross-language, reactive API gateway that provides unified HTTP access.
Supports various languages and seamlessly integrates Dubbo and Spring Cloud
Rich plug-ins support authentication, rate limiting, circuit breaking, firewall, etc.
A variety of rules are dynamically configured in the gateway to support various policy configurations.
Plug-ins are hot-swappable and easy to extend
Support for cluster deployment and support for A/B Test.
3. Gateway based on Go language
Fagongzi
Project address: https://github.com/fagongzi/gateway
Fagongzi Gateway is a full-featured API gateway implemented by Go, with a Web UI management interface implemented by Rails.
Features: flow control, circuit breaker, load balancer, service discovery, plug-in mechanism, routing (shunting, replication traffic), API aggregation, API parameter verification, API access control (blacklist and whitelist), API default return value, API custom return value, API result Cache, JWT authentication, API Metric import Prometheus, API failed retry, backend Server health check, open management API (gRPC, RESTful), support for WebSocket protocol.
Janus
Project address: https://github.com/hellofresh/janus
Janus is a lightweight API gateway and management platform that controls who can access REST APIs, when, and how. It also records all access interaction details and errors. One of the benefits of implementing an API gateway in Go is that it generally needs only a single binary to run, without complex dependencies. Functional features:
Hot load configuration, no need to restart the gateway process
Graceful closure of HTTP connections
Support for OpenTracing for distributed tracing
Support for HTTP/2
Circuit breakers can be implemented for each API
Retry mechanism
Flow control, which can be targeted at each user or key
CORS filtering, which can be targeted at specific API
Support for a variety of authentication protocols out of the box, such as JWT, OAuth 2.0, and Basic Auth
Docker Image support.
4. .NET
Ocelot
Project address: https://github.com/ThreeMammals/Ocelot
Features: routing, request aggregation, service discovery (based on Consul or Eureka), Service Fabric, WebSockets, authentication and authorization, flow control, caching, retry strategy and QoS, load balancing, logging and tracing, request header and query string transformation, custom middleware, configuration and management REST API.
5. Node.js
Express Gateway
Project address: https://github.com/ExpressGateway/express-gateway and https://www.express-gateway.io/
Express Gateway is a REST API gateway developed based on Node.js and implemented with Express and Express middleware.
Functional features:
Dynamic centralized configuration
API Consumer and credential Management
Plug-in mechanism
Distributed data storage
Command line tool CLI.
MicroGateway
Project address: https://github.com/strongloop/microgateway and https://developer.ibm.com/apiconnect
StrongLoop is a subsidiary of IBM. The MicroGateway gateway is built on Node.js/Express and Nginx, serves as part of IBM API Connect, and is also part of IBM's cloud ecosystem. MicroGateway is a developer-focused, extensible gateway framework that enhances our access to microservices and APIs.
Core features:
Security and control, based on Swagger (OpenAPI) specification
Built-in a variety of gateway policies, API Key authentication, traffic control, OAuth 2.0, JavaScript script support
Implement gateway policies (security, routing, integration, etc.) using Swagger extensions (API Assembly)
Easily customize gateway policies.
In addition, MicroGateway has several features:
By integrating Swagger, the verification capability based on Swagger API definition is realized.
Use datastore to maintain the API data model that needs to be processed
Using a streaming engine to handle multiple strategies gives API designers more control over the lifecycle of API.
The core architecture is shown in figure 7-9.
Figure 7-9
Comparative Analysis of four Open Source Gateways
1. Comparison of important features of OpenResty/Kong/Zuul 2/SpringCloud Gateway
The comparison of the indicators is shown in Table 7-1.
Take the rate limiting function as an example:
Spring Cloud Gateway currently provides a RateLimiter implementation based on Redis, which uses the token bucket algorithm and is configured through a YAML file.
Zuul 2 can configure cluster-wide and per-server rate limits through its configuration file, and rate limiting can also be extended through a Filter.
OpenResty can use resty.limit.count, resty.limit.conn and resty.limit.req to implement rate limiting, with leaky bucket or token bucket algorithms.
Kong has basic rate-limiting components, which can be extended with Lua development based on the source code of those components.
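The two algorithms named above behave differently under a burst. The following added Python example, which is not code from Spring Cloud Gateway or OpenResty, models both in simplified form: the token bucket admits a burst immediately, while the leaky bucket delays queued requests so the back end sees a steady rate. The class names, the rate of 2 requests per second and the burst size of 5 are assumptions chosen for the demonstration.

```python
class TokenBucket:
    """Tokens refill at `rate` per second up to `capacity`; a request spends one."""

    def __init__(self, rate, capacity, now=0.0):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), now

    def allow(self, now):
        # Refill for the elapsed time, capped at the bucket capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LeakyBucket:
    """Each request adds one unit; the bucket drains at `rate` units per second."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.level, self.last = 0.0, now

    def incoming(self, now):
        """Return the delay in seconds before forwarding, or None to reject."""
        level = max(0.0, self.level - (now - self.last) * self.rate) + 1
        excess = level - 1            # units queued ahead of this request
        if excess > self.burst:
            return None               # rejected requests do not fill the bucket
        self.level, self.last = level, now
        return excess / self.rate


def burst_outcomes(n=10, rate=2.0, burst=5):
    """Send n simultaneous requests at t=0 through both limiters."""
    tb, lb = TokenBucket(rate, burst), LeakyBucket(rate, burst)
    return [tb.allow(0.0) for _ in range(n)], [lb.incoming(0.0) for _ in range(n)]


if __name__ == "__main__":
    token, leaky = burst_outcomes()
    print("token bucket:", token)
    print("leaky bucket:", leaky)
```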
The analysis of some function points of Zuul/Zuul 2/Spring Cloud Gateway can refer to the article of Spring Cloud Gateway author Spencer Gibb: https://spencergibb.netlify.com/preso/detroit-cf-api-gateway-2017-03/.
2. Comparison of OpenResty/Kong/Zuul 2/SpringCloudGateway performance test
Three machines, each with 4 cores and 16 GB of memory, are used as the API service provider, the gateway and the load generator respectively, and wrk is used as the performance test tool to test the performance of OpenResty/Kong/Zuul 2/Spring Cloud Gateway with simple, small messages, as shown in figure 7-10.
Figure 7-10
In the figure, the vertical axis is QPS, the horizontal axis is the data for one gateway, and each line is the data of the different gateways in one scenario. The test results are as follows:
The measured condition is the performance SCG~Zuul 2.