

Enterprise security construction: setting up the Kong API gateway

Published: 2023/12/20

Background:

1. In recent years microservice architectures have been adopted more and more widely in medium and large enterprises. While they solve the high complexity, slow deployment and low rate of innovation of monolithic architectures, they also bring new security problems. In a microservice architecture a large application is split into many small single-purpose services; each has its own processing logic and its own database (which may also be shared), and every interface a business system develops must independently implement its own authentication, authorization and rate limiting. That is not only duplicated work but also impossible to manage centrally, so gaps are easy to create. Kong is an API gateway framework developed by Mashape and open-sourced in 2015. With Kong, application systems only need to focus on their own business logic, while caching, logging, authentication, authorization and so on are handled by Kong. Kong can also protect traditional business interfaces against SMS bombing, account brute-forcing, enumeration of card and ID numbers, and so on. The author's organization is also actively adopting microservices, and as a senior security engineer (the person who takes the blame), solving API security is part of the author's job.

2. Recently a regulator issued a notice: on-site contractor staff at an institution forged ESB messages and sent them to the ESB; the ESB did not verify the origin or validity of the messages and directly called the transfer interface, causing financial loss. The author believes Kong's API key authentication mode can address this risk.

How Kong works

[Figure: CLIENT, KONG SERVERS]

When Kong is running, every request to an API is first hit by Kong and then proxied to the final API. Between the request and the response, Kong executes whatever plugins have been installed and configured in advance, which protect your API. Kong is the entry point for every API request.

Installing Kong

Environment: CentOS 7 virtual machine, disk 20 GB or more

Reference

1. Install dependencies

Install pcre, zlib and openssl:

sudo yum install -y pcre pcre-devel

sudo yum install -y zlib zlib-devel

sudo yum install -y openssl openssl-devel

Install PostgreSQL (Cassandra can be used instead):

sudo yum install -y https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-7-x86_64/pgdg-centos95-9.5-2.noarch.rpm

sudo yum install -y postgresql95-server postgresql95-contrib

sudo /usr/pgsql-9.5/bin/postgresql95-setup initdb

sudo systemctl enable postgresql-9.5.service

sudo systemctl start postgresql-9.5.service

sudo systemctl status postgresql-9.5.service

Configure PostgreSQL: sudo passwd postgres (set the password to postgresql)

Create a system user kong: sudo adduser kong

Switch to the postgres CentOS user: su postgres

Open the console: psql

Change the password of the postgres superuser: \password postgres (also set to postgresql here)

Create the database user:

create user kong with password '123456';

-- create the database for the new user
create database kong owner kong;

-- grant all privileges on the new database to kong
grant all privileges on database kong to kong;

Exit: \q

Log in: psql -U kong -d kong -h 127.0.0.1 -p 5432

The login fails at this point; edit /var/lib/pgsql/9.5/data/pg_hba.conf. The file's own comment explains the rules:

# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     postgres                                trust
#host    replication     postgres        127.0.0.1/32            trust
#host    replication     postgres        ::1/128                 trust

The screenshot sets every METHOD to trust, which admits any connection matching the rule without checking a password, so the kong password set above is never verified; once the login works, md5 is the method to keep for the host rules.
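An added check, not part of the original post: a small Python parser for the pg_hba.conf format shown above that reports every rule whose METHOD is trust, i.e. a rule that admits a matching connection without checking any credential. Both inline samples are constructed: the first mirrors the screenshot above, the second holds the same rules with peer and md5.

```python
"""Audit a pg_hba.conf for rules that authenticate without a credential.

Added example (not from the original post). It parses the pg_hba.conf
format and flags `trust` rules; the samples below are constructed.
"""
import re

# Constructed sample: the post's pg_hba.conf with every METHOD set to trust.
SAMPLE_TRUST = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
local   replication     postgres                                trust
host    replication     postgres        127.0.0.1/32            trust
host    replication     postgres        ::1/128                 trust
"""

# Constructed sample: the same rules with password-based authentication,
# which is what makes `psql -U kong -h 127.0.0.1` ask for the kong password.
SAMPLE_MD5 = """\
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
"""

# Methods that grant access without checking any credential.
NO_CREDENTIAL_METHODS = {"trust"}


def parse_pg_hba(text):
    """Return one dict per active (non-comment, non-blank) rule.

    `local` rules have no ADDRESS column; `host`, `hostssl` and `hostnossl`
    rules do. Any trailing auth-options are collected into `options`.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and commented-out rules
        if not line:
            continue
        fields = re.split(r"\s+", line)
        rtype = fields[0]
        if rtype == "local":
            database, user, method = fields[1], fields[2], fields[3]
            address, options = None, fields[4:]
        else:
            database, user, address, method = fields[1], fields[2], fields[3], fields[4]
            options = fields[5:]
        rules.append({"line": lineno, "type": rtype, "database": database,
                      "user": user, "address": address, "method": method,
                      "options": options})
    return rules


def find_weak_rules(text):
    """Return the rules whose method grants access without a credential."""
    return [r for r in parse_pg_hba(text) if r["method"] in NO_CREDENTIAL_METHODS]


if __name__ == "__main__":
    for name, sample in (("trust sample", SAMPLE_TRUST), ("md5 sample", SAMPLE_MD5)):
        weak = find_weak_rules(sample)
        print(f"{name}: {len(weak)} rule(s) without a credential check")
        for r in weak:
            print(f"  line {r['line']}: {r['type']} {r['database']} {r['user']} "
                  f"{r['address'] or '-'} {r['method']}")
```

Run it against the real file with `find_weak_rules(open('/var/lib/pgsql/9.5/data/pg_hba.conf').read())`; an empty list means every active rule requires some form of authentication.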

2. Install Kong

Download:

https://bintray.com/kong/kong-community-edition-rpm/download_file?file_path=centos/7/kong-community-edition-0.13.1.el7.noarch.rpm

Install:

rpm -ivh kong-community-edition-0.13.1.el7.noarch.rpm

Edit the configuration file: sudo vi /etc/kong/kong.conf, and add the PostgreSQL settings configured above:

database = postgres        # Determines which of PostgreSQL or Cassandra
                           # this node will use as its datastore.
                           # Accepted values are `postgres` and `cassandra`.
pg_host = 127.0.0.1        # The PostgreSQL host to connect to.
pg_port = 5432             # The port to connect to.
pg_user = kong             # The username to authenticate if required.
pg_password = 123456       # The password to authenticate if required.
pg_database = kong         # The database name to connect to.
pg_ssl = off               # Toggles client-server TLS connections
                           # between Kong and PostgreSQL.

Add the environment variable: export KONG_SERF_PATH="/usr/local/bin/serf"

Start Kong: kong start -c kong.conf

This reports an error the first time; run kong migrations up as the message suggests, then start again.

Kong's default proxy port is 8000 and its admin port is 8001.

3. Install the Kong graphical interface

yum install npm

npm install -g kong-dashboard

kong-dashboard start --kong-url http://127.0.0.1:8001

It listens on port 8080 by default; open it in a browser:

[Screenshot: Kong Dashboard welcome page at http://192.168.1.101:8080, with the menu Home / APIs / Consumers / Plugins / SNIs / Certificates / Upstreams]

4. Install LNMP

wget http://soft.vpser.net/lnmp/lnmp1.5.tar.gz

Extract: tar -xzvf lnmp1.5.tar.gz

Enter the extracted directory and run ./install.sh lnmp for the automated installation.

Create a database farmsec with a table student. Under /home/wwwroot/default/douwaf-api create a directory farmsec, and in it a file users.php with the following content:

<?php
// users.php: the deliberately unprotected demo endpoint -- any caller can read any uid
$uid = (int) $_GET['uid']; $username = $email = $phone = "";   // cast so the demo carries only the uid-traversal flaw, not SQL injection
$con = mysqli_connect("127.0.0.1", "root", "root") or die("Could not connect");
mysqli_select_db($con, "farmsec");
$sql = "select * from users where uid=$uid";
$result = mysqli_query($con, $sql);
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $email = $row['email'];
    $phone = $row['phone'];
}
echo "uid=$uid, username=$username, email=$email, phone=$phone";
?>

Create three users, 柯南 (kenan), 小六 (xiaoliu) and 19 (shijiu):

uid   username   email           phone
1     kenan      kaoquanyang     1366666
2     xiaoliu    wangba          13888888
3     shijiu     363636@qq.com   1382772

Normally this scenario is exactly what we call horizontal privilege escalation: iterating over uid to view other users' information.

Visit http://192.168.1.101/farmsec/users.php?uid=1

uid=1, username=kenan, email=kaoquanyang, phone=1366666

5. Configure Kong

Configure the basic forwarding service:

curl -i -X POST --url http://localhost:8001/apis/ --data 'name=farmsec' --data 'hosts=127.0.0.1' --data 'upstream_url=http://127.0.0.1:80'

The first --data names the API farmsec, the second sets its host to the local machine, and the third --data is the URL to forward to.

Created successfully:

[root@localhost farmsec]# curl -i -X POST --url http://localhost:8001/apis/ --data 'name=farmsec' --data 'hosts=127.0.0.1' --data 'upstream_url=http://127.0.0.1:80'
HTTP/1.1 201 Created
Date: Sun, 01 Jul 2018 ... GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"created_at":1530447738574,"strip_uri":true,"id":"...","hosts":["127.0.0.1"],"name":"farmsec","http_if_terminated":false,"preserve_host":false,"upstream_url":"http:\/\/127.0.0.1:80","upstream_connect_timeout":60000,"upstream_send_timeout":60000,"upstream_read_timeout":60000,"retries":...,"https_only":false}

Now Kong's API service can be accessed with curl; different API services are distinguished by the HOST field of the HTTP header:

curl "http://127.0.0.1:8000/farmsec/users.php?uid=2" --header 'HOST:127.0.0.1'

Not Found[root@localhost farmsec]# curl -i -X POST --url http://localhost:8001/apis/ --data 'name=farmsec' --data 'hosts=127.0.0.1' --data 'upstream_url=http://127.0.0.1:80'
HTTP/1.1 201 Created
Date: Sun, 01 Jul 2018 ... GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"created_at":1530448218066,"strip_uri":true,"id":"...","hosts":["127.0.0.1"],"name":"farmsec","http_if_terminated":false,"preserve_host":false,"upstream_url":"http:\/\/127.0.0.1:80","upstream_connect_timeout":60000,"upstream_send_timeout":60000,"upstream_read_timeout":60000,"retries":...,"https_only":false}
[root@localhost farmsec]# ls
p.php users.php
[root@localhost farmsec]# curl "http://127.0.0.1:8000/farmsec/users.php?uid=2" --header 'HOST:127.0.0.1'

The APIs section of the graphical admin console now lists one more API:

Name      Host(s)     Uri(s)   Method(s)   Upstream url          Created
farmsec   127.0.0.1                        http://127.0.0.1:80   Jul 1, 2018

Key authentication with Kong

1. Create a consumer

curl -i -X POST --url http://127.0.0.1:8001/consumers/ --data "username=xiaodong" --data "custom_id=5"

[root@localhost farmsec]# curl -i -X POST --url http://127.0.0.1:8001/consumers/ --data "username=xiaodong" --data "custom_id=5"
HTTP/1.1 201 Created
Date: Sun, 01 Jul 2018 ... GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"custom_id":"5","created_at":1530419836000,"username":"xiaodong","id":"a64f7411-a9f0-4..."}
[root@localhost farmsec]#

Note down the id.

2. Create an API key

curl -i -X POST --url http://127.0.0.1:8001/consumers/xiaodong/key-auth --data "key=a64f7411-a9f0-4e77-b042-a3a280079783" (兜哥's book gives -d "" at this point; in practice that may not work, possibly because of version differences)

[root@localhost farmsec]# curl -i -X POST --url http://127.0.0.1:8001/consumers/xiaodong/key-auth --data "key=a64f7411-a9f0-4e77-b042-a3a280079783"
HTTP/1.1 201 Created
Date: Sun, 01 Jul 2018 ... GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"id":"9ee0c95c-f945-...-9da5-19860a928ed4","created_at":1530420003000,"key":"a64f7411-a9f0-4e77-b042-a3a280079783","consumer_id":"..."}

The assigned apikey is a64f7411-a9f0-4e77-b042-a3a280079783.

Enable API key authentication:

curl -i -X POST --url http://127.0.0.1:8001/apis/farmsec/plugins --data "name=key-auth" --data "config.hide_credentials=true"

[root@localhost farmsec]# curl -i -X POST --url http://127.0.0.1:8001/apis/farmsec/plugins --data "name=key-auth" --data "config.hide_credentials=true"
HTTP/1.1 201 Created
Date: Sun, 01 Jul 2018 ... GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{"created_at":1530420169000,"config":{"key_in_body":false,"hide_credentials":true,"anonymous":"","run_on_preflight":true,"key_names":["apikey"]},"id":"...","name":"key-auth","api_id":"...","enabled":true}

API key verification

After authentication is enabled, the original interface can no longer be accessed directly:

[root@localhost farmsec]# curl "http://127.0.0.1:8000/farmsec/users.php?uid=2" --header 'HOST:127.0.0.1'
{"message":"No API key found in request"}
[root@localhost farmsec]#

Nor can the URL be opened directly in a browser, because the browser sends Host: 192.168.1.101, which matches no configured API:

http://192.168.1.101:8000/farmsec/users.php?uid=2
{"message":"no route and no API found with those values"}

Access with API authentication:

[root@localhost farmsec]# curl "http://127.0.0.1:8000/farmsec/users.php?uid=2" --header 'HOST:127.0.0.1' -H "apikey:a64f7411-a9f0-4e77-b042-a3a280079783"
[root@localhost farmsec]#
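The two things the post demonstrates, the uid traversal in users.php and the key-auth plugin placed in front of it, as one added Python model (example code, not Kong's implementation and not the post's PHP). It replays the responses seen above and goes one step beyond the post: it shows that the API key identifies the caller but does not by itself stop uid traversal, and how the upstream can use the X-Consumer-Custom-ID header that Kong's key-auth plugin adds to the proxied request to release a record only to its owner. The users rows, the xiaodong consumer and its key are taken from the post; the kenan consumer, its key and the convention that a consumer's custom_id equals the application uid are assumptions of the example.

```python
"""Model of the request path the post builds: Kong in front of users.php.

Added example (not Kong's code and not the post's PHP). It replays what the
post observes (Host-based routing, the key-auth responses, hide_credentials)
and shows that the uid traversal is closed only when the upstream checks the
consumer identity Kong forwards. Kong's key-auth plugin adds X-Consumer-ID,
X-Consumer-Username and X-Consumer-Custom-ID to the proxied request (per the
plugin documentation). Rows, consumers and keys are constructed from the post;
the "kenan" consumer and key are hypothetical additions.
"""
from urllib.parse import urlparse, parse_qs

# Constructed: the farmsec.users table from the post's phpMyAdmin screenshot.
USERS = {
    1: {"username": "kenan", "email": "kaoquanyang", "phone": "1366666"},
    2: {"username": "xiaoliu", "email": "wangba", "phone": "13888888"},
    3: {"username": "shijiu", "email": "363636@qq.com", "phone": "1382772"},
}

# Constructed gateway state: the API and key-auth plugin configured in the post.
APIS = {"farmsec": {"hosts": ["127.0.0.1"],
                    "key-auth": {"hide_credentials": True, "key_names": ["apikey"]}}}
CONSUMERS = {
    "a64f7411-a9f0-4e77-b042-a3a280079783": {"username": "xiaodong", "custom_id": "5"},
    "hypothetical-consumer-id-kenan": {"username": "kenan", "custom_id": "1"},  # hypothetical
}
# key -> consumer id; the post reused the consumer's own id as xiaodong's key.
KEYS = {"a64f7411-a9f0-4e77-b042-a3a280079783": "a64f7411-a9f0-4e77-b042-a3a280079783",
        "hypothetical-key-for-kenan": "hypothetical-consumer-id-kenan"}


def users_php_legacy(query, headers):
    """The post's users.php as written: any authenticated caller can read any uid."""
    uid = int(query["uid"][0])
    row = USERS.get(uid)
    if row is None:
        return 200, ""
    return 200, "uid=%d, username=%s, email=%s, phone=%s" % (
        uid, row["username"], row["email"], row["phone"])


def users_php_hardened(query, headers):
    """Same endpoint, releasing a record only to the consumer that owns it.

    Assumption: the application's uid is registered as the Kong consumer's
    custom_id, so the identity Kong attaches can be compared directly.
    """
    uid = int(query["uid"][0])
    if headers.get("x-consumer-custom-id") != str(uid):
        return 403, "forbidden"
    return users_php_legacy(query, headers)


def kong_proxy(url, headers, upstream):
    """Route on Host, run key-auth, then call the upstream as Kong would.

    Returns (status, body); error bodies use the messages Kong 0.13 returned.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    parsed = urlparse(url)
    host = h.get("host") or parsed.hostname
    api = next((a for a in APIS.values() if host in a["hosts"]), None)
    if api is None:
        return 404, {"message": "no route and no API found with those values"}
    query = parse_qs(parsed.query)
    conf = api.get("key-auth")
    if conf:
        # The key may arrive in a header or a query parameter named in key_names.
        key = next((h.get(n) or (query.get(n) or [None])[0]
                    for n in conf["key_names"] if h.get(n) or query.get(n)), None)
        if key is None:
            return 401, {"message": "No API key found in request"}
        if key not in KEYS:
            return 403, {"message": "Invalid authentication credentials"}
        consumer = CONSUMERS[KEYS[key]]
        if conf["hide_credentials"]:  # the upstream never sees the credential
            for n in conf["key_names"]:
                h.pop(n, None)
                query.pop(n, None)
        h["x-consumer-id"] = KEYS[key]
        h["x-consumer-username"] = consumer["username"]
        h["x-consumer-custom-id"] = consumer["custom_id"]
    return upstream(query, h)


if __name__ == "__main__":
    target = "http://127.0.0.1:8000/farmsec/users.php?uid=2"
    xiaodong = {"HOST": "127.0.0.1", "apikey": "a64f7411-a9f0-4e77-b042-a3a280079783"}
    print(kong_proxy(target, {"HOST": "127.0.0.1"}, users_php_legacy))  # 401, no key
    print(kong_proxy(target, xiaodong, users_php_legacy))                # 200, uid 2 still leaks
    print(kong_proxy(target, xiaodong, users_php_hardened))              # 403, not xiaodong's record
```

The middle call is the point: with the key in place, xiaodong is authenticated but can still read xiaoliu's record, exactly as in the post's last curl. The key closes the forged-caller risk from the background section (an unknown caller gets 401 or 403); the per-record authorization still belongs to the upstream, which is why the hardened variant compares the uid with the consumer identity Kong supplies rather than with anything the client sent.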

Look at the consumers again:

[Screenshot: the Consumers page of Kong Dashboard at http://192.168.1.101:8080/#!/consumers, listing the consumers Mac, farmsec, kongtest and xiaodong (custom id 5), created Jun 30 and Jul 1, 2018]

In addition, Kong can be used for API rate limiting, bot detection and so on. Of course this is only a simple trial; applying it to real business scenarios needs more exploration and plugins written to fit the business.

References:

https://github.com/xuxiangwork/Sharing/wiki/centos7-%E5%AE%89%E8%A3%85-kong-%E8%AF%A6%E8%A7%A3

《企業安全建設—基于開源軟件打造企業網絡安全》, 劉焱 (Liu Yan)
