Security and rate limiting: filter out illegal information at the gateway layer
nginx serves as the external gateway; the gateway itself sits on the intranet
nginx can be enhanced using Lua or Kong
Concepts
id: any name
uri: the address of the service being proxied. id and uri are required; predicate and filter are optional
Predicate: matches the URI of requests to the gateway. If it matches, the current route takes effect.
Filter: an instance of GatewayFilter that adds logic before or after the proxy call; it offers the highest flexibility
Processing Flow
First, HandlerMapping processes the URL and hands the request to WebHandler, which calls the first half of the filter. When that processing is complete, it calls the real proxied service. After the proxied service responds, the second half of the filter runs and the result is returned to WebHandler, then to HandlerMapping, and finally to the client.
If the elements of a list have multiple fields, use "-" and colons to specify each field and its value; if there is only one field, the values can be separated by commas.
Object type: use "-" and colons to configure each field
Map type: key and value are separated by a colon
predicates:
  - Path=/sendOrder
  - Query=name,ma.
  - name: Query
    args:
      param: id
      regexp: \d+

predicates is a List; its elements are:

public class PredicateDefinition {
    @NotNull
    private String name;
    private Map<String, String> args = new LinkedHashMap<>();
}

The form that is split at the equals sign and converted into an object is not built-in YAML support.
Predicate
The predicate configuration is a List whose elements can be strings in a specific format or objects. String form: the text is split at the equals sign; the first part is the predicate name and the second part is the comma-separated args, whose values are stored as Map values under automatically generated Map keys. Object form: PredicateDefinition
If args contains commas and colons, the string form cannot be used.
The shortcutType method defines how the args parameter is parsed into ConfigClass. DEFAULT: each shortcutFieldOrder entry, minus the shortcutFieldPrefix prefix, corresponds to a ConfigClass field name, and the value of the args parameter becomes that field's value; GATHER_LIST: a comma-separated List; GATHER_LIST_TAIL_FLAG: a comma-separated List whose last value is a Boolean, which is converted into a Map with 2 keys. The value of the first key is the List before the Boolean value, and the value of the second is the Boolean value.
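The string form and the shortcut types described above, as an added example that models the parsing in plain Java (it is not Spring Cloud Gateway source code). The `_genkey_` key prefix is the generated-key form; the field names `patterns` and `matchTrailingSlash` are illustrative assumptions.

```java
import java.util.*;

// Added example: simplified model of the shorthand parsing, not Spring Cloud Gateway source.
public class ShortcutDemo {
    // "Name=a,b" -> predicate name plus args keyed _genkey_0, _genkey_1, ...
    static Map.Entry<String, Map<String, String>> parse(String text) {
        int eq = text.indexOf('=');
        if (eq <= 0) throw new IllegalArgumentException("expected Name=args: " + text);
        Map<String, String> args = new LinkedHashMap<>();
        String[] parts = text.substring(eq + 1).split(",");
        for (int i = 0; i < parts.length; i++) args.put("_genkey_" + i, parts[i].trim());
        return Map.entry(text.substring(0, eq), args);
    }

    // DEFAULT: the i-th generated key is renamed to the i-th shortcutFieldOrder entry.
    static Map<String, Object> bindDefault(Map<String, String> args, List<String> fieldOrder) {
        Map<String, Object> cfg = new LinkedHashMap<>();
        int i = 0;
        for (Map.Entry<String, String> e : args.entrySet()) {
            boolean generated = e.getKey().startsWith("_genkey_") && i < fieldOrder.size();
            cfg.put(generated ? fieldOrder.get(i) : e.getKey(), e.getValue());
            i++;
        }
        return cfg;
    }

    // GATHER_LIST_TAIL_FLAG: values form a list; a trailing true/false becomes the flag.
    // Without the flag handling this is GATHER_LIST.
    static Map<String, Object> bindTailFlag(Map<String, String> args, String listField, String flagField) {
        List<String> vals = new ArrayList<>(args.values());
        Map<String, Object> cfg = new LinkedHashMap<>();
        String last = vals.isEmpty() ? "" : vals.get(vals.size() - 1);
        boolean hasFlag = last.equalsIgnoreCase("true") || last.equalsIgnoreCase("false");
        if (hasFlag) vals.remove(vals.size() - 1);
        cfg.put(listField, vals);
        if (hasFlag) cfg.put(flagField, Boolean.parseBoolean(last));
        return cfg;
    }

    public static void main(String[] unused) {
        System.out.println(bindDefault(parse("Query=name,ma.").getValue(), List.of("param", "regexp")));
        // A comma inside the regexp is treated as an arg separator, so the pattern is split.
        System.out.println(bindDefault(parse("Query=id,\\d{1,3}").getValue(), List.of("param", "regexp")));
        System.out.println(bindTailFlag(parse("Path=/a/**,/b/**,true").getValue(), "patterns", "matchTrailingSlash"));
    }
}
```

The second call shows why a value containing a comma needs the object form: the predicate that ends up configured is not the one that was written.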
Predicates are used to match requests that reach the gateway (by URI, query parameters, request headers and so on). If a request matches, the current route takes effect.
Each predicate corresponds to an implementation of GatewayPredicate, which is created by a factory. The factory is an implementation of RoutePredicateFactory, named by the convention predicate name + RoutePredicateFactory; for example, Path corresponds to PathRoutePredicateFactory
The predicate name is the class-name prefix of the factory implementation, and the predicate args correspond to the factory's ConfigClass
Multiple predicates are combined with an AND relationship
When the predicate does not pass, the gateway returns 404
Path
Matches paths; supports Ant-style matching and extracts uriVariables through {}
Query
Checks whether the HTTP request has the given query parameter name; the value can be a regular expression.
name is fixed as Query; args has 2 values, param and regexp, corresponding to the query parameter name and value
When only the name is specified, the predicate passes as long as the request carries that parameter.
Header
HeaderRoutePredicateFactory
Matches the name and value of a request header; matching on the name alone is also possible. The actual request header may have multiple values, and one matching value is enough. The configured value supports regular expressions.
Method
Matches HTTP request methods. Configuration must be uppercase and separated by commas.
RemoteAddr
Matches the client IP address of the request. To be more precise, it is the IP address of the last network proxy. Multiple IP addresses can be configured, separated by commas.
Host
Matches the value of the host part of the Host request header (excluding the port). Multiple values are allowed, separated by commas. Ant-style matching is supported
AntPathMatcher is used for matching, and the path separator is "."
Cookie
Matches the name and value of a cookie. The value can be a regular expression.
Weight
Used for load balancing across different routes. Routes in the same group receive load according to their weights.
Two values are configured, separated by a comma: the group and the weight.
WeightCalculatorWebFilter: at startup, a two-layer Map is generated from the Weight configuration. The first layer is keyed by group name and the second by route ID. When a request arrives, a random number between 0 and 1 is generated and one route ID is selected for each group.
WeightRoutePredicateFactory: When filtering by predicate, filter by group and route ID
Filter
The configuration is written in the same way as for predicates. In the string form, the first part is the GatewayFilterFactory class-name prefix and the second part is the parameters.
Filters are used to modify requests and responses
AddRequestHeader
Adds a request header that the backend can read
The request header value can be dynamically obtained from uriVariables
StripPrefix
Takes a single integer value n. The request path is split by "/" and the first n segments are removed.
Rate limiting
Cross-domain
spring.cloud.gateway.globalcors:
  cors-configurations:
    '[/**]': # uriPattern the cross-domain configuration applies to
      allowedHeaders: "*"
      allowedOrigins: "*"
      allowedMethods:
        - POST
        - OPTIONS
        - GET
The server determines whether a request is cross-domain by checking whether the Origin request header has the same scheme, host, and port as the request URL. If any one of them differs, it is a cross-domain request.
A cross-domain configuration must exist, and the requested URI must match its uriPattern. The gateway then determines whether the request is cross-domain. If it is, the gateway checks whether the request headers, origin, and request method allowed by the cross-domain configuration match those of the actual request. If they all match, cross-domain access proceeds; otherwise 403 Forbidden is returned
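The decision described above, modelled in plain Java as an added example (it is not Spring's CORS implementation). It compares a wildcard configuration like the one shown earlier with a restricted one; the host names and the X-Token header are constructed sample values.

```java
import java.net.URI;
import java.util.List;
import java.util.Objects;

// Added example: simplified model of the check described above, not Spring's CORS processor.
public class CorsCheckDemo {
    record CorsConfig(List<String> origins, List<String> methods, List<String> headers) {}

    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Cross-domain when scheme, host or port of Origin differs from the request URL.
    static boolean isCrossOrigin(String origin, URI url) {
        if (origin == null) return false;
        URI o = URI.create(origin);
        return !(Objects.equals(o.getScheme(), url.getScheme())
                && Objects.equals(o.getHost(), url.getHost())
                && port(o) == port(url));
    }

    static boolean allows(List<String> allowed, String value) {
        return allowed.contains("*") || allowed.stream().anyMatch(value::equalsIgnoreCase);
    }

    // Status the model answers with: 200 = forwarded to the backend, 403 = rejected.
    static int decide(CorsConfig cfg, String origin, URI url, String method, List<String> reqHeaders) {
        if (!isCrossOrigin(origin, url)) return 200;
        boolean ok = allows(cfg.origins(), origin)
                && allows(cfg.methods(), method)
                && reqHeaders.stream().allMatch(h -> allows(cfg.headers(), h));
        return ok ? 200 : 403;
    }

    public static void main(String[] unused) {
        URI url = URI.create("https://gw.example.test/sendOrder");
        List<String> methods = List.of("POST", "OPTIONS", "GET");
        CorsConfig open = new CorsConfig(List.of("*"), methods, List.of("*"));
        CorsConfig strict = new CorsConfig(List.of("https://shop.example.test"), methods, List.of("Content-Type"));
        String other = "https://other.example.test";
        String shop = "https://shop.example.test";
        System.out.println("open,   other origin: " + decide(open, other, url, "POST", List.of("X-Token")));
        System.out.println("strict, other origin: " + decide(strict, other, url, "POST", List.of("Content-Type")));
        System.out.println("strict, shop origin:  " + decide(strict, shop, url, "POST", List.of("Content-Type")));
        System.out.println("strict, DELETE:       " + decide(strict, shop, url, "DELETE", List.of()));
    }
}
```

With allowedOrigins and allowedHeaders set to "*", only the method list restricts a cross-domain caller; listing the expected origins and headers makes the 403 branch reachable for everything else.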
Service IDs can be obtained through service discovery, and route configurations are generated automatically from them. The default generated route has the uri lb://serviceId, the predicate /serviceId/**, and a RewritePath filter that removes serviceId
Global Filters
ReactiveLoadBalancerClientFilter
Processes route URIs with the lb scheme: it first obtains the service instances for the service name through ServiceInstanceListSupplier, then load-balances among them through a ReactorLoadBalancer instance
RouteToRequestUrlFilter
Does two things: 1. Supports a two-layer scheme: the outer scheme is saved to GATEWAY_SCHEME_PREFIX_ATTR and then removed. 2. Uses the inner scheme, host, and port to replace those of the actual requested uri, which achieves the forwarding