Don't allow direct calls to Microservices. Only allow through API Gateway


Question

Maybe this is a strange question (I'm new to Microservices). But I'm looking for some info on how to proceed with this. It does not need to be Spring specific, but that's the framework I'm using at the moment.

Example: Let's say we have two Microservices

a) http://myurlfortesting.com:8085/api/rest/serviceone

b) http://myurlfortesting.com:8090/api/rest/servicetwo

and we have set up Spring Zuul (acting as the API Gateway) with the following rules that forward the incoming calls:

/rest/one -> http://myurlfortesting.com:8085/api/rest/serviceone

/rest/two -> http://myurlfortesting.com:8090/api/rest/servicetwo

The question... Is there a way to stop users from directly accessing the services mentioned in A and B (only allow the ones that come through the API Gateway)?

Can this be done with Spring's Zuul (acting as an API Gateway) by setting up some extra filters or do we set it up in Microservices endpoints?

Would even like to know if there is a way to not even process the direct calls on the Microservices endpoints that don't come via the API Gateway.

Maybe this is solved with server specific rules and has nothing to do with Spring?

Thanks a lot,

/D

Recommended answer

Assuming that you have a firewall in place, you could restrict inbound traffic to the server to the ports that your Zuul endpoints are exposed on and disallow anyone from accessing the microservices' ports directly.

If you want to avoid going the firewall route, you could force the endpoints to check for a specific HTTP header or something that is set by Zuul prior to forwarding a request, but that would be hacky and easy to circumvent. Based on my past experiences, the "right" way would be to do this via a firewall. Your app should be responsible for dealing with requests. Your firewall should be responsible for deciding who can hit specific endpoints.
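
The firewall approach from the answer, as an added example that is not part of the original post: a shell function that prints (without applying) iptables commands restricting the service ports to the gateway. Ports 8085 and 8090 come from the question; the gateway address 10.0.0.5, the chain name MS_GUARD and the function name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Prints iptables commands that let only the API gateway reach the
# microservice ports. Nothing is applied; review the output first.

# gen_guard_rules GATEWAY_IP PORT [PORT...]
gen_guard_rules() {
    [ "$#" -ge 2 ] || { echo "usage: gen_guard_rules GATEWAY_IP PORT..." >&2; return 2; }
    gw=$1
    shift

    ports=""
    for p in "$@"; do
        # Refuse anything that is not a valid TCP port, so a typo cannot
        # silently produce a rule that guards nothing.
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 2; }
        ports="${ports:+$ports,}$p"
    done

    # Dedicated chain: loopback (gateway on the same host) and the gateway
    # address are accepted, every other source is rejected.
    # The jump is inserted at position 1 of INPUT so that an earlier,
    # broader ACCEPT rule cannot let direct calls through.
    cat <<EOF
iptables -N MS_GUARD
iptables -A MS_GUARD -i lo -j ACCEPT
iptables -A MS_GUARD -s $gw -j ACCEPT
iptables -A MS_GUARD -p tcp -j REJECT --reject-with tcp-reset
iptables -I INPUT 1 -p tcp -m multiport --dports $ports -j MS_GUARD
EOF
}

# Service ports from the question; 10.0.0.5 is a constructed gateway address.
gen_guard_rules 10.0.0.5 8085 8090
```

The rules are not persistent across reboots; after applying them as root, a connection attempt to port 8085 or 8090 from any host other than the gateway should be refused.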
