Why use subdomains to designate tenants in a multi-tenant web application?


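Problem description

  1. Why do some multi-tenant web applications use subdomains to designate a tenant while others do not?
  2. Are there technical, privacy or security reasons?
  3. Does it depend on the language or framework used to develop the web application?
  4. Is it merely a matter of style or developer's choice?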

Example Web Applications Using Subdomains to Designate Tenants

  • Basecamp
  • RepositoryHosting
  • Smugmug
  • Unfuddle
      • Github
      • ThinMind
      • Bitbucket

Recommended answer

There are several ways to determine the tenant at the HTTP level:

  • domain - tenant is determined by the whole Host header
  • sub-domain - sub-domain part of the Host header
  • path based - path segment, usually by prefix host.com/tenantId/...
  • cookie based - cookie value contains the tenant id (a good framework encrypts this!)
  • user based - user session or some data records on the server

Here are the answers to your questions:

1. (Sub-)domain multi-tenancy is good if you want to give a user a perception of fully isolated tenancy. The customer may want a custom welcome and login page, a separate user base, etc. On the other hand, path based multi-tenancy is good for users who are not fixed to a single tenant namespace. It is mostly used by social networks like Facebook, GitHub, etc.

2. (Sub-)domains can give you better isolation and security control for cookies and cross-origin resource sharing (CORS). It makes cross-tenant CSRF or XSS a bit harder. Moreover, if you have control over DNS or the load balancer, you can assign tenants to different IPs (think geo-routing) or to various versions of the application (e.g. beta tenants). You can assign a separate app instance or server to your most important tenants. This way you get a cheap tool to control the risk of a single point of failure and of having all eggs in one basket.

3. Any web framework which gives you access to HTTP headers (Host) is sub-domain capable. Any serious MVC web framework should give you the sub-domain as an action parameter directly or by plugin.

4. It is definitely a design choice. If you want to know the best way, think about what level of isolation you want for your tenants. If you decide but then find that the way is not right, you can migrate to another level with the help of HTTP 301 redirection.
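
An added example, not part of the original answer: one way to resolve the tenant from the Host header for the sub-domain approach, cross-check it against the tenant bound to the session, and keep the session cookie host-only so sibling tenants never receive it. The base domain `app.example`, the reserved labels and all function names are assumptions.

```python
import re

BASE_DOMAIN = "app.example"            # assumption: the service's base domain
RESERVED = {"www", "api", "admin"}     # assumption: labels that are never tenants
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")  # one DNS label


def tenant_from_host(host_header):
    """Return the tenant label of '<tenant>.BASE_DOMAIN[:port]', else None."""
    if not host_header:
        return None
    host, _, port = host_header.strip().lower().partition(":")
    if port and not port.isdigit():
        return None
    if host.endswith("."):             # fully qualified form with trailing dot
        host = host[:-1]
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):      # rejects acme.app.example.evil.net
        return None
    label = host[: -len(suffix)]
    # fullmatch rejects nested labels (a.b), empty labels and stray characters
    if not LABEL.fullmatch(label) or label in RESERVED:
        return None
    return label


def authorize(host_header, session_tenant):
    """Compare the Host tenant with the tenant bound to the session at login."""
    tenant = tenant_from_host(host_header)
    if tenant is None:
        return 400, None               # unknown or malformed host
    if tenant != session_tenant:
        return 403, None               # session belongs to another tenant
    return 200, tenant


def session_cookie(value):
    """Host-only cookie: no Domain attribute, so sibling tenants never receive it."""
    return f"__Host-session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample Host headers
    for h in ["Acme.app.example:8443", "acme.app.example.evil.net", "a.b.app.example"]:
        print(h, "->", tenant_from_host(h))
```

The `__Host-` cookie prefix makes browsers refuse the cookie unless it is `Secure`, has `Path=/` and carries no `Domain` attribute, which is what keeps it scoped to a single tenant sub-domain.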
