13 Restricting access with a gateway-service IP whitelist (Whitelist IP Restriction)
Configuring a book service with Kong
After installing and starting Kong, use Kong's Admin API on port 8001 to add a service named book:
# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:27:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"host": "contoso.com",
"created_at": 1526099267,
"connect_timeout": 60000,
"id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510",
"protocol": "http",
"name": "book",
"read_timeout": 60000,
"port": 80,
"path": "/v1/books",
"updated_at": 1526099267,
"retries": 5,
"write_timeout": 60000
}
Add a route (the value of paths[] must match the /v1/books path of the book service) so that the book service is exposed for users to access; the book service does not need more than one route.
Attention! Attention! Attention! I repeat the important parameter only three times:
for a service route used with cross-origin resource sharing (CORS), the parameter --data 'hosts[]=contoso.com' must not be configured.
# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:30:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526099405,
"strip_path": true,
"hosts": null,
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1526099405,
"paths": [
"/v1/books"
],
"service": {
"id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "42251e97-2921-45ea-bb19-0416019ea67a" // {route_id} = id
}
We can check that the book service and its route are configured correctly like this:
# curl -i -X GET \
--url http://localhost:8000/v1/books
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sat, 12 May 2018 12:33:12 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 27
X-Kong-Proxy-Latency: 61
Via: kong/0.13.1
[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]
Enable the cross-origin resource sharing (CORS) plugin on the book service with the following parameter configuration.
URL format: http://localhost:8001/services/{name of service}/plugins
# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=cors" \
--data "config.origins=http://contoso.com" \
--data "config.methods=GET, POST" \
--data "config.headers=Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Auth-Token" \
--data "config.exposed_headers=X-Auth-Token" \
--data "config.credentials=true" \
--data "config.max_age=3600"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:39:35 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526128775000,
"config": {
"methods": [
"GET",
"POST"
],
"exposed_headers": [
"X-Auth-Token"
],
"max_age": 3600,
"headers": [
"Accept",
"Accept-Version",
"Content-Length",
"Content-MD5",
"Content-Type",
"Date",
"X-Auth-Token"
],
"credentials": true,
"origins": [
"http://contoso.com"
],
"preflight_continue": false
},
"id": "e352e234-e5ab-4ba8-ad00-3796e176a720",
"enabled": true,
"service_id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510",
"name": "cors"
}
Enable the cross-origin resource sharing (CORS) plugin, with the same parameter configuration, on the book service's route {route_id}. The value of {route_id} is the id of the route that was created above without the --data 'hosts[]=contoso.com' parameter.
URL format: http://localhost:8001/routes/{route_id}/plugins
# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=cors" \
--data "config.origins=http://contoso.com" \
--data "config.methods=GET, POST" \
--data "config.headers=Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Auth-Token" \
--data "config.exposed_headers=X-Auth-Token" \
--data "config.credentials=true" \
--data "config.max_age=3600"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:37:33 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526128653000,
"config": {
"methods": [
"GET",
"POST"
],
"exposed_headers": [
"X-Auth-Token"
],
"max_age": 3600,
"headers": [
"Accept",
"Accept-Version",
"Content-Length",
"Content-MD5",
"Content-Type",
"Date",
"X-Auth-Token"
],
"credentials": true,
"origins": [
"http://contoso.com"
],
"preflight_continue": false
},
"id": "1f6dc33a-8a30-473f-929b-f4d38aadbdc7",
"enabled": true,
"route_id": "42251e97-2921-45ea-bb19-0416019ea67a",
"name": "cors"
}
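As an added example (not code from this post or from Kong), here is a Python model of the headers the CORS plugin adds for the configuration above; it reproduces the Vary, Access-Control-Allow-Origin, Access-Control-Allow-Credentials and Access-Control-Expose-Headers lines that appear in the book service's responses later in this post, and shows why a credentialed API must echo one allow-listed origin instead of "*". The preflight branch and the http://evil.example origin are constructed for the illustration.

```python
# Added example, not Kong's code: a model of the response headers the CORS plugin
# emits for the configuration created on this page. Browsers reject
# "Access-Control-Allow-Origin: *" on credentialed requests, so once
# credentials=true the gateway must echo one specific allow-listed origin and
# send "Vary: Origin" so a shared cache never serves that answer to another origin.

CORS_CONFIG = {                      # values from this page's plugin request
    "origins": ["http://contoso.com"],
    "methods": ["GET", "POST"],
    "headers": ["Accept", "Accept-Version", "Content-Length", "Content-MD5",
                "Content-Type", "Date", "X-Auth-Token"],
    "exposed_headers": ["X-Auth-Token"],
    "credentials": True,
    "max_age": 3600,
}

def cors_headers(config, method, request_headers):
    """Response headers to add for one request; {} when the Origin is not allowed."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in config["origins"]:
        return {}                     # unknown origin: add nothing, the browser blocks it
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if config["credentials"]:
        out["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        # Preflight: tell the browser what the actual request may use and how long
        # it may cache this answer.
        out["Access-Control-Allow-Methods"] = ", ".join(config["methods"])
        out["Access-Control-Allow-Headers"] = ", ".join(config["headers"])
        out["Access-Control-Max-Age"] = str(config["max_age"])
    elif config["exposed_headers"]:
        # Actual response: only these non-safelisted headers become readable to scripts.
        out["Access-Control-Expose-Headers"] = ", ".join(config["exposed_headers"])
    return out

if __name__ == "__main__":
    # Constructed requests: a browser call from contoso.com and one from elsewhere.
    print(cors_headers(CORS_CONFIG, "GET", {"Origin": "http://contoso.com"}))
    print(cors_headers(CORS_CONFIG, "OPTIONS", {"Origin": "http://contoso.com",
                                               "Access-Control-Request-Method": "POST"}))
    print(cors_headers(CORS_CONFIG, "GET", {"Origin": "http://evil.example"}))
```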
We want to access port 8000 or port 8443 with a domain-name address in the format used in this example
(suppose you have obtained the public domain contoso.org with the fixed public IPv4 address 123.125.115.110. Once the public domain is granted, replace the fake public IP that the hosts file maps to contoso.org with the fixed public IPv4 address 123.125.115.110, that is, replace only the first 192.168.10.10; do not touch the second 192.168.10.10 below it. That second, identical IP must never be changed: it always serves as the intranet IP address. contoso.com is a custom domain that always serves as the company's intranet domain, and the contoso.org domain in the screenshots below simulates a public web address. This is all very basic and I did not want to go on about it, but I am explaining it in passing):
http://contoso.org:8000/v1/books
https://contoso.org:8443/v1/books
The above only simulates local access in the public-address format; below, a remote client browser's access to the book service exposed by the Kong gateway is simulated.
The above simulates both the public-address format and a remote client browser accessing the book service exposed by the Kong gateway.
# pg_dump -h 127.0.0.1 -p 5432 -U postgres kong > /opt/kong-20180427.bak # back up the kong database
Password: 123456
The preparation is finally complete; this post now gets to its real subject.
Enable the Basic authentication plugin on the book service's route {route_id}. Any of 9 authentication methods could be used in place of basic-auth;
I will not give examples of the other 8, since doing so properly would fill a book and run far too long, so I will not go into them.
URL format: http://localhost:8001/routes/{route_id}/plugins
# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:47:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526129231000,
"config": {
"hide_credentials": true,
"anonymous": ""
},
"id": "7992d4c5-4a8d-445e-8271-06c46c9f5f5d",
"enabled": true,
"route_id": "42251e97-2921-45ea-bb19-0416019ea67a",
"name": "basic-auth"
}
Add the first consumer, with username jack. The {custom_id} parameter can be omitted; it is a custom unique identifier whose purpose is to map the consumer jack to another database.
# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:48:23 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526129303000,
"username": "jack",
"id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
Enable the Basic authentication plugin for the first user, jack. URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
# curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack@hotmail.com" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:50:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526129405000,
"id": "ae14ab2f-756e-40be-8c2c-dc45de901760",
"username": "jack@hotmail.com",
"password": "70ee8509541cc3c9062ce62e868f19347d289d72",
"consumer_id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
Online base64 encoding tool: http://tool.oschina.net/encrypt?type=3. The key-value pair string {username:password}
jack@hotmail.com:123456 encoded in BASE64 gives:
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
Access the books API using user jack's Basic authentication:
# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY="
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Sat, 12 May 2018 12:51:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
Vary: Origin
Access-Control-Allow-Origin: http://contoso.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Auth-Token
X-Kong-Upstream-Latency: 26
X-Kong-Proxy-Latency: 48
Via: kong/0.13.1
[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]
Enable IP whitelist restriction on the service named book. Here 192.168.10.50 means the single macOS machine is restricted from accessing the book service,
and 192.168.43.0/24 means every IP in the whole 192.168.43 network segment is restricted from accessing the book service (Windows 10 is in this segment).
URL format: http://contoso.org:8001/services/{service}/plugins
# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=ip-restriction" \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:58:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526129906000,
"config": {
"whitelist": [
"192.168.10.50",
"192.168.43.0/24"
]
},
"id": "d3ef0103-9eca-4e20-a845-10cfc2152ca1",
"enabled": true,
"service_id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510",
"name": "ip-restriction"
}
Enable IP whitelist restriction on route {route_id} of the service named book. Here 192.168.10.50 means the single macOS machine is restricted from accessing the book service's route,
and 192.168.43.0/24 means every IP in the whole 192.168.43 network segment is restricted from accessing the book service's route (Windows 10 is in this segment).
URL format: http://localhost:8001/routes/{route_id}/plugins
# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=ip-restriction" \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 13:01:21 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526130082000,
"config": {
"whitelist": [
"192.168.10.50",
"192.168.43.0/24"
]
},
"id": "bafcf0ad-31dd-4779-aca9-c2dea8384e29",
"enabled": true,
"route_id": "42251e97-2921-45ea-bb19-0416019ea67a",
"name": "ip-restriction"
}
By the time we reach the command below, even a successful login with jack's account from the various browsers on different client operating systems returns
{"message":"Your IP address is not allowed"}. This message is exactly the result we expect. Why?
Because I have not yet run the command that associates the logged-in user with the IP whitelist; the effect after association is demonstrated at the very end (the IPs in the whitelist can all access the books API). As long as the whitelist is not associated with a specific user, all users are effectively on a blacklist, and none of them can access the books API.
Jack is currently effectively on the blacklist; the uniquely named book service does not allow us to define both an IP whitelist and an IP blacklist for the service.
# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY="
HTTP/1.1 403 Forbidden
Date: Sat, 12 May 2018 13:02:26 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
Vary: Origin
Access-Control-Allow-Origin: http://contoso.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Auth-Token
{"message":"Your IP address is not allowed"}
The following command is the one mentioned above that demonstrates the effect after association (the IPs in the whitelist can all access the books API).
The whitelist can now be associated with the consumer jack with the following command:
{consumer_id} = 61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd
# curl -i -X POST \
--url http://localhost:8001/plugins \
--data "name=ip-restriction" \
--data "consumer_id=61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd" \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 16:07:56 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1526141276000,
"config": {
"whitelist": [
"192.168.10.50",
"192.168.43.0/24"
]
},
"id": "fb92b792-d2f2-44be-a8a2-f8d12eed4cb4",
"name": "ip-restriction",
"enabled": true,
"consumer_id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
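As an added example (not code from this post or from Kong), here is a Python model of how the ip-restriction plugin decides a request, using the service, route and consumer ids from this page. Kong applies only the most specific plugin configuration that matches a request, and a whitelist admits exactly the listed addresses and CIDR ranges while rejecting every other client, which is why a curl run on the Kong host itself, arriving from 127.0.0.1, receives the 403 shown above; the 192.168.43.17 client address is constructed for the illustration.

```python
import ipaddress
# Added example, not Kong's code: a model of the ip-restriction decision using the
# ids from this page. Kong applies only the most specific matching plugin config
# (documented order: consumer+route+service, consumer+route, consumer+service,
# route+service, consumer, route, service, global). A whitelist admits exactly the
# listed addresses/CIDRs and rejects all others; a blacklist does the opposite.
SERVICE = "f4c0d700-ce37-4a97-b7c2-21c4f8620510"  # book service id (from the page)
ROUTE = "42251e97-2921-45ea-bb19-0416019ea67a"    # /v1/books route id (from the page)
JACK = "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"     # consumer jack id (from the page)
WHITELIST = ["192.168.10.50", "192.168.43.0/24"]
# The three ip-restriction configs created on this page, one per scope.
PLUGINS = [
    {"service_id": SERVICE, "whitelist": WHITELIST},
    {"route_id": ROUTE, "whitelist": WHITELIST},
    {"consumer_id": JACK, "whitelist": WHITELIST},
]
SCOPE_KEYS = ("consumer_id", "route_id", "service_id")
PRECEDENCE = [  # most specific scope first
    SCOPE_KEYS, ("consumer_id", "route_id"), ("consumer_id", "service_id"),
    ("route_id", "service_id"), ("consumer_id",), ("route_id",), ("service_id",), (),
]

def ip_in_list(client_ip, entries):
    """True if client_ip falls inside any entry (plain address or CIDR)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def select_config(plugins, request):
    """Return the matching config with the highest precedence, or None."""
    matches = []
    for p in plugins:
        scope = tuple(k for k in SCOPE_KEYS if k in p)
        if all(p[k] == request.get(k) for k in scope):
            matches.append((PRECEDENCE.index(scope), p))
    return min(matches, key=lambda m: m[0])[1] if matches else None

def decide(client_ip, request):
    """'allowed', or the 403 body Kong returns for a rejected client address."""
    cfg = select_config(PLUGINS, request)
    if cfg is None:
        return "allowed"  # no ip-restriction applies to this request
    if cfg.get("whitelist"):
        ok = ip_in_list(client_ip, cfg["whitelist"])
    else:
        ok = not ip_in_list(client_ip, cfg.get("blacklist", []))
    return "allowed" if ok else "Your IP address is not allowed"
# A request for /v1/books authenticated as jack, as in the curl calls above.
REQ = {"service_id": SERVICE, "route_id": ROUTE, "consumer_id": JACK}
if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.10.50", "192.168.43.17", "192.168.10.10"):
        print(ip, "->", decide(ip, REQ))  # only the two whitelisted ones pass
```

Kong compares the address of the TCP peer it actually sees (a forwarded address is used only when that header comes from a proxy listed in trusted_ips and matches real_ip_header in kong.conf), so a client that reaches the gateway through NAT or another proxy may present a different address from the one configured on its own interface.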
I expected macOS to be able to access http://contoso.org:8000/v1/books; under the earlier restriction it could already access it every time, and now that macOS is allowed it can of course access it. What is strange is that Windows 10 is clearly allowed to access http://contoso.org:8000/v1/books, yet it still returns {"message":"Your IP address is not allowed"}. That should not happen. Did I get one of the steps wrong myself, or is there a problem with what the official site published? I now have to keep experimenting to see where the problem lies. Everyone is welcome to discuss it with me...