参考链接:
https://blog.csdn.net/qq_37865420/article/details/105787160
https://zhuanlan.zhihu.com/p/426251773
一、knox的安装部署
1.解压缩
unzip knox-{
VERSION}.zip
2.启动嵌入的LDAP
cd {
GATEWAY_HOME}
bin/ldap.sh start
3.创建Master 密钥
cd {
GATEWAY_HOME}
bin/knoxcli.sh create-master --master 123456
4.启动和关闭konx
cd {
GATEWAY_HOME}
bin/gateway.sh start
bin/gateway.sh stop
如果由于某种原因使网关停止运行(而不是使用上述命令),导致knox启动不起来,则可能需要清除跟踪PID:
cd {
GATEWAY_HOME}
bin/gateway.sh clean
注:此命令同时也会清除所有.out与.err从文件{
GATEWAY_HOME}/logs目录,以便使用该谨慎。
5.访问Knox webui
https://192.x.x.x:8443/gateway/manager/admin-ui/
自带ldap默认用户密码
admin/admin-passwrod
guest/guest-passwrod
二通过knox访问各个服务组件
1.添加白名单
修改knox/conf/gateway-site.xml:
需要将Knox用到的主机和Ip加入到白名单中
<property>
<name>gateway.dispatch.whitelist</name>
<value>^https?:\/\/(henghe-039|henghe-040|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
<description>The whitelist to be applied for dispatches associated with the service roles specified by gateway.dispatch.whitelist.services.
If the value is DEFAULT, a domain-based whitelist will be derived from the Knox host.</description>
</property>
白名单正则,代表全部主机
<name>gateway.dispatch.whitelist</name>
<value>^.*$</value>
修改完需要重启服务,才会生效
knox/conf/topologies/sandbox.xml: 支持的服务UI,热部署,更改不需要重启就会生效
2.所有服务的knox的配置
修改knox/conf/topologies/sandbox.xml
<?xml version="1.0" encoding="utf-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<topology>
<gateway>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<!--
session timeout in minutes, this is really idle timeout,
defaults to 30mins, if the property value is not defined,,
current client authentication would expire if client idles contiuosly for more than this value
-->
<name>sessionTimeout</name>
<value>30</value>
</param>
<param