背景:
1、近年来,微服务架构在大中型企业中的应用越来越广泛。在解决了单体架构所带来的负责性高、部署慢、创新性低的问题的同时,也带来了一些新的安全问题。在微服务的架构中,一个大的应用会被拆分成多个小的单一的服务提供出来,这些小的服务有自己的处理,有自己的数据库(也可以共用),业务系统开发的每个接口都需要独立实现和安全相关的认证、授权、限速,不但重复开发而且无法统一管理,容易产生遗漏。Kong是由Mashape开发的并且于2015年开源的一款API网关框架,使用kong以后,应用系统只需要专注自己的业务实现,通过的缓存、日志记录、认证、授权等均有kong来实现,同时kong也可以用于传统业务接口的保护,如短信轰炸、账户爆破、卡号证件号遍历等等。,笔者所在的单位也在积极拓展微服务架构,身为高级安全工程(背锅侠),如何解决api安全,是笔者的工作之一。
2、近日,某监管部门发文提示,某机构驻场人员通过伪造esb报文,向esb发送请求,esb未对报文的来源及有效性做校验,直接调用转账接口进行转账,造成资金损失。笔者思考,利用kong的api key认证模式能够解决该风险。
kong的工作模式
CLIENT
KONG SERVERS
当Kong运行时,每个对API的请求将先被Kong命中,然后这个请求将会被代理到最终的API。在requests和responses之间,Kong将会执行已经事先安装和配置好的任何插件,授权您的API。Kong是每个API请求的入口点(point)。
Kong的安装
环境:虚拟机centos7 硬盘20G以上
参考
1、安装依赖
安装pcre zlib openssl
sudo yum install -y pcre pcre-devel
sudo yum install -y zlib zlib-devel
sudo yum install -y openssl openssl-devel
安装postgresql(同样也可以使用cassandra)
sudo yum install -y https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-7-x86_64/pgdg-centos95-9.5-2.noarch.rpm
sudo yum install -y postgresql95-server postgresql95-contrib
sudo /usr/pgsql-9.5/bin/postgresql95-setup initdb
sudo systemctl enable postgresql-9.5.service
sudo systemctl start postgresql-9.5.service
suso systemctl status postgresql-9.5.service
配置postgresql sudo passwd postgres(修改密码为postgresql)
新建用户kon gsudo adduser kong
切换centos用户su postgres
进入控制台psql
修改管理员postgres密码\password postgres(这里也修改为postgresql)
创建数据库用户
create user kong with password ‘123456’;
// 为新用户建立数据库
create database kong owner kong;
// 把新建的数据库权限赋予 kong
grant all privileges on database kong to kong;
退出\q
登录 psql -U kong -d kong -h 127.0.0.1 -p 5432
这个时候会登录失败,修改
/var/lib/pgsql/9.5/data/pg_hba.conf
If you want to allow non-local connections, you need to add more
“host” records.
In that case you will also need to make PostgreSQL
listen on a non-local interface via the listen addresses
configuration parameter, or via the -i or -h command line switches.
TYPE DATABASE
USER
ADDRESS
“local” is
local
IPv4 local
host
IPv6 local
host
for Unix domain
connections:
connections:
socket
Allow replication connections from
replication privilege.
-
connections only 127.0.0.1/32 localhost, by a 127.0.0.1/32
-
: 1/128
user
with
local
host
iost
replication
replication
replication
postgres
postgres
postgres
METHOD
trust
trust
trust
the
trust
trust
trust
2、安装kong
下载
安装
rpm -ivh kong-community-edition-0.13.1.el7.noarch.rpm
修改配置文件
sudo vi /etc/kong/kong.conf,添加自己开始设置的postgres的配置信息
database = postgres
pg_host =
127.0.0.1
pg_port —
- 5432
pg_user = kong
pg_password =
123456
pg_database = kong
pg_ssl = off
Determines which of PostgreSQL or Cassandra
this node will use as its datastore.
Accepted values are ‘postgres’ and
cassandra
The PostgreSQL host to connect to.
The port to connect to.
The username to authenticate if required.
The password to authenticate if required.
The database name to connect to.
Toggles client-server TLS connections
between Kong and PostgreSQL.
添加环境变量export KONG_SERF_PATH=”/usr/local/bin/serf”
启动kong kong start –c kong.conf
这个时候会报错,按照提示 kong migrations up
再次启动
kong的默认端口为8000 管理端口为8001
3、安装kong 图形化界面
yum install npm
npm install -g kong-dashboard
kong-dashboard start –kong-url http://127.0.0.1:8001
默认开放8080号端口,访问
192.168.1.101
Home
APIs
Consumers
Plugins
SNIs
Certificates
Upstreams
Search
Welcome to Kong Dashboard
Kong dashboard is a central hub for you to manage your Kong setup.
Learn Kong
This Dashboard will let you interact with
your Kong API to create or edit APIs,
Consumers and Plugins.
Wondering what all that means? Have a
look at the Kong documentation.
DOCUMENTATION
Get started
Not sure where to start?
How about listing your current APIs or
Consumers, creating a new API or a new
Consumer?
CREATE AN API
Contribute
Kong Dashboard is an open source
project hosted on github.
Special thanks to 5 top contributors:
marceldiass
balexandre
nkCoding
GITHUB PAGE
4、安装lnmp
wget http://soft.vpser.net/lnmp/lnmp1.5.tar.gz
解压 tar -xzvf lnmpl.5.tar.gz
进入解压目录执行./install.sh lnmp 自动化安装
创建数据库farmsec 表 student 在/home/wwwroot/default/douwaf-api
目录下创建文件下farsec,创建文件users.php内容为
us