最全面的改造Zuul网关为Spring Cloud Gateway(包含Zuul核心实现和Spring Cloud Gateway核心实现)

Posted kujo

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了最全面的改造Zuul网关为Spring Cloud Gateway(包含Zuul核心实现和Spring Cloud Gateway核心实现)相关的知识,希望对你有一定的参考价值。

前言:

最近开发了Zuul网关的实现和Spring Cloud Gateway实现,对比Spring Cloud Gateway发现后者性能好支持场景也丰富。在高并发或者复杂的分布式下,后者限流和自定义拦截也很棒。

 

提示:

本文主要列出本人开发的Zuul网关核心代码以及Spring Cloud Gateway核心代码实现。因为本人技术有限,主要是参照了 Spring Cloud Gateway 如有不足之处还请见谅并留言指出。

 

1:为什么要做网关

(1)网关层对外部和内部进行了隔离,保障了后台服务的安全性。
(2)对外访问控制由网络层面转换成了运维层面,减少变更的流程和错误成本。
(3)减少客户端与服务的耦合,服务可以独立运行,并通过网关层来做映射。
(4)通过网关层聚合,减少外部访问的频次,提升访问效率。
(5)节约后端服务开发成本,减少上线风险。
(6)为服务熔断,灰度发布,线上测试提供简单方案。
(7)便于进行应用层面的扩展。 
 
相信在寻找相关资料的伙伴应该都知道,在微服务环境下,要做到一个比较健壮的流量入口还是很重要的,需要考虑的问题也比较复杂和众多。
 
2:网关和鉴权基本实现架构(图中包含了auth组件,或SSO,文章结尾会提供此组件的实现)
 
技术图片
 
3:Zuul的实现
 
(1)第一代的zuul使用的是netflix开发的,在pom引用上都是用的原来的。
 1        <!-- zuul网关最基本要用到的 -->
 2        <!-- 封装原来的jedis,用处是在网关里来放token到redis或者调redis来验证当前是否有效,或者说直接用redis负载-->
 3        <dependency>
 4             <groupId>org.springframework.boot</groupId>
 5             <artifactId>spring-boot-starter-data-redis</artifactId>
 6         </dependency>
 7         <!-- 客户端注册eureka使用的,微服务必备 -->
 8         <dependency>
 9             <groupId>org.springframework.cloud</groupId>
10             <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
11         </dependency>
12         <!-- zuul -->
13         <dependency>
14             <groupId>org.springframework.cloud</groupId>
15             <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
16         </dependency>
17        <!-- 熔断支持 -->
18       <dependency>
19             <groupId>org.springframework.cloud</groupId>
20             <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
21         </dependency>
22         <!--负载均衡 -->
23         <dependency>
24             <groupId>org.springframework.cloud</groupId>
25             <artifactId>spring-cloud-starter-netflix-ribbon</artifactId>
26         </dependency>
27         <!-- 调用feign -->
28         <dependency>
29             <groupId>org.springframework.cloud</groupId>
30             <artifactId>spring-cloud-starter-openfeign</artifactId>
31         </dependency>
32         <!-- 健康 -->
33         <dependency>
34             <groupId>org.springframework.boot</groupId>
35             <artifactId>spring-boot-starter-actuator</artifactId>
36         </dependency>

(2)修改application-dev.yml 的内容

给个提示,在原来的starter-web中 yml的 context-path是不需要用的,微服务中只需要用application-name去注册中心找实例名即可,况且webflux后context-path已经不存在了。

 1 spring:
 2   application:
 3     name: gateway
 4 
 5 #eureka-gateway-monitor-config 每个端口+1
 6 server:
 7   port: 8702
 8 
 9 #eureka注册配置
10 eureka:
11   instance:
12     #使用IP注册
13     prefer-ip-address: true
14     ##续约更新时间间隔设置5秒,m默认30s
15     lease-renewal-interval-in-seconds: 30
16     ##续约到期时间10秒,默认是90秒
17     lease-expiration-duration-in-seconds: 90
18   client:
19     serviceUrl:
20       defaultZone: http://localhost:8700/eureka/
21 
22 # route connection
23 zuul:
24   host:
25     #单个服务最大请求
26     max-per-route-connections: 20
27     #网关最大连接数
28     max-total-connections: 200
29 
30 
31 #白名单
32 auth-props:
33   #accessIp: 127.0.0.1
34   #accessToken: admin
35   #authLevel: dev
36   #服务
37   api-urlMap: 
38     product: 1&2,
39     customer: 1&1
40   
41   #移除url同时移除服务
42   exclude-urls:
43     - /pro
44     - /cust
45 
46 
47 #断路时间
48 hystrix:
49   command:
50     default:
51       execution:
52         isolation:
53           thread:
54             timeoutInMilliseconds: 300000
55 
56 #ribbon
57 ribbon:
58   ReadTimeout: 15000
59   ConnectTimeout: 15000
60   SocketTimeout: 15000
61   eager-load:
62     enabled: true
63     clients: product, customer

 

如果仅仅是转发,那很简单,如果要做好场景,则需要添加白名单和黑名单,在zuul里只需要加白名单即可,存在链接或者实例名才能通过filter转发。

重点在:

api-urlMap: 是实例名,如果链接不存在才会去校验,因为端口+链接可以访问,如果加实例名一起也能访问,防止恶意带实例名攻击或者抓包请求后去猜链接后缀来攻击。
exclude-urls: 白名单连接,每个微服务的请求入口地址,包含即通过。

 
(3)上面提到白名单,那需要初始化白名单
 1 package org.yugh.gateway.config;
 2 
 3 import lombok.Data;
 4 import lombok.extern.slf4j.Slf4j;
 5 import org.springframework.beans.factory.InitializingBean;
 6 import org.springframework.boot.context.properties.ConfigurationProperties;
 7 import org.springframework.context.annotation.Configuration;
 8 import org.springframework.stereotype.Component;
 9 
10 import java.util.ArrayList;
11 import java.util.List;
12 import java.util.Map;
13 import java.util.regex.Pattern;
14 
15 /**
16  * //路由拦截配置
17  *
18  * @author: 余根海
19  * @creation: 2019-07-02 19:43
20  * @Copyright © 2019 yugenhai. All rights reserved.
21  */
22 @Data
23 @Slf4j
24 @Component
25 @Configuration
26 @ConfigurationProperties(prefix = "auth-props")
27 public class ZuulPropConfig implements InitializingBean 
28 
29     private static final String normal = "(\\\\w|\\\\d|-)+";
30     private List<Pattern> patterns = new ArrayList<>();
31     private Map<String, String> apiUrlMap;
32     private List<String> excludeUrls;
33     private String accessToken;
34     private String accessIp;
35     private String authLevel;
36 
37     @Override
38     public void afterPropertiesSet() throws Exception 
39         excludeUrls.stream().map(s -> s.replace("*", normal)).map(Pattern::compile).forEach(patterns::add);
40         log.info("============> 配置的白名单Url:", patterns);
41     
42 
43 
44 

 

(4)核心代码zuulFilter

  1 package org.yugh.gateway.filter;
  2 
  3 import com.netflix.zuul.ZuulFilter;
  4 import com.netflix.zuul.context.RequestContext;
  5 import lombok.extern.slf4j.Slf4j;
  6 import org.springframework.beans.factory.annotation.Autowired;
  7 import org.springframework.beans.factory.annotation.Value;
  8 import org.springframework.util.CollectionUtils;
  9 import org.springframework.util.StringUtils;
 10 import org.yugh.gateway.common.constants.Constant;
 11 import org.yugh.gateway.common.enums.DeployEnum;
 12 import org.yugh.gateway.common.enums.HttpStatusEnum;
 13 import org.yugh.gateway.common.enums.ResultEnum;
 14 import org.yugh.gateway.config.RedisClient;
 15 import org.yugh.gateway.config.ZuulPropConfig;
 16 import org.yugh.gateway.util.ResultJson;
 17 
 18 import javax.servlet.http.Cookie;
 19 import javax.servlet.http.HttpServletRequest;
 20 import javax.servlet.http.HttpServletResponse;
 21 import java.util.Arrays;
 22 import java.util.HashMap;
 23 import java.util.Map;
 24 import java.util.function.Function;
 25 import java.util.regex.Matcher;
 26 
 27 /**
 28  * //路由拦截转发请求
 29  *
 30  * @author: 余根海
 31  * @creation: 2019-06-26 17:50
 32  * @Copyright © 2019 yugenhai. All rights reserved.
 33  */
 34 @Slf4j
 35 public class PreAuthFilter extends ZuulFilter 
 36 
 37 
 38     @Value("$spring.profiles.active")
 39     private String activeType;
 40     @Autowired
 41     private ZuulPropConfig zuulPropConfig;
 42     @Autowired
 43     private RedisClient redisClient;
 44 
 45     @Override
 46     public String filterType() 
 47         return "pre";
 48     
 49 
 50     @Override
 51     public int filterOrder() 
 52         return 0;
 53     
 54 
 55 
 56     /**
 57      * 部署级别可调控
 58      *
 59      * @return
 60      * @author yugenhai
 61      * @creation: 2019-06-26 17:50
 62      */
 63     @Override
 64     public boolean shouldFilter() 
 65         RequestContext context = RequestContext.getCurrentContext();
 66         HttpServletRequest request = context.getRequest();
 67         if (activeType.equals(DeployEnum.DEV.getType())) 
 68             log.info("请求地址 :       当前环境  :  ", request.getServletPath(), DeployEnum.DEV.getType());
 69             return true;
 70          else if (activeType.equals(DeployEnum.TEST.getType())) 
 71             log.info("请求地址 :       当前环境  :  ", request.getServletPath(), DeployEnum.TEST.getType());
 72             return true;
 73          else if (activeType.equals(DeployEnum.PROD.getType())) 
 74             log.info("请求地址 :       当前环境  :  ", request.getServletPath(), DeployEnum.PROD.getType());
 75             return true;
 76         
 77         return true;
 78     
 79 
 80 
 81     /**
 82      * 路由拦截转发
 83      *
 84      * @return
 85      * @author yugenhai
 86      * @creation: 2019-06-26 17:50
 87      */
 88     @Override
 89     public Object run() 
 90         RequestContext context = RequestContext.getCurrentContext();
 91         HttpServletRequest request = context.getRequest();
 92         String requestMethod = context.getRequest().getMethod();
 93         //判断请求方式
 94         if (Constant.OPTIONS.equals(requestMethod)) 
 95             log.info("请求的跨域的地址 :    跨域的方法", request.getServletPath(), requestMethod);
 96             assemblyCross(context);
 97             context.setResponseStatusCode(HttpStatusEnum.OK.code());
 98             context.setSendZuulResponse(false);
 99             return null;
100         
101         //转发信息共享 其他服务不要依赖MVC拦截器,或重写拦截器
102         if (isIgnore(request, this::exclude, this::checkLength)) 
103             String token = getCookieBySso(request);
104             if(!StringUtils.isEmpty(token))
105                 //context.addZuulRequestHeader(JwtUtil.HEADER_AUTH, token);
106             
107             log.info("请求白名单地址 :  ", request.getServletPath());
108             return null;
109         
110         String serverName = request.getServletPath().substring(1, request.getServletPath().indexOf(‘/‘, 1));
111         String authUserType = zuulPropConfig.getApiUrlMap().get(serverName);
112         log.info("实例服务名:   对应用户类型: ", serverName, authUserType);
113         if (!StringUtils.isEmpty(authUserType)) 
114             //用户是否合法和登录
115             authToken(context);
116          else 
117             //下线前删除配置的实例名
118             log.info("实例服务:   不允许访问", serverName);
119             unauthorized(context, HttpStatusEnum.FORBIDDEN.code(), "请求的服务已经作废,不可访问");
120         
121         return null;
122 
123         /******************************以下代码可能会复用,勿删,若使用Gateway整个路由项目将不使用 add by - yugenhai 2019-0704********************************************/
124 
125         /*String readUrl = request.getServletPath().substring(1, request.getServletPath().indexOf(‘/‘, 1));
126         try 
127             if (request.getServletPath().length() <= Constant.PATH_LENGTH || zuulPropConfig.getRoutes().size() == 0) 
128                 throw new Exception();
129             
130             Iterator<Map.Entry<String,String>> zuulMap = zuulPropConfig.getRoutes().entrySet().iterator();
131             while(zuulMap.hasNext())
132                 Map.Entry<String, String> entry = zuulMap.next();
133                 String routeValue = entry.getValue();
134                 if(routeValue.startsWith(Constant.ZUUL_PREFIX))
135                     routeValue = routeValue.substring(1, routeValue.indexOf(‘/‘, 1));
136                 
137                 if(routeValue.contains(readUrl))
138                     log.info("请求白名单地址 :      请求跳过的真实地址  : ", routeValue, request.getServletPath());
139                     return null;
140                 
141             
142             log.info("即将请求登录 :        实例名 :  ", request.getServletPath(), readUrl);
143             authToken(context);
144             return null;
145          catch (Exception e) 
146             log.info("gateway路由器请求异常 :  请求被拒绝 ", e.getMessage());
147             assemblyCross(context);
148             context.set("isSuccess", false);
149             context.setSendZuulResponse(false);
150             context.setResponseStatusCode(HttpStatusEnum.OK.code());
151             context.getResponse().setContentType("application/json;charset=UTF-8");
152             context.setResponseBody(JsonUtils.toJson(JsonResult.buildErrorResult(HttpStatusEnum.UNAUTHORIZED.code(),"Url Error, Please Check It")));
153             return null;
154         
155         */
156     
157 
158 
159     /**
160      * 检查用户
161      *
162      * @param context
163      * @return
164      * @author yugenhai
165      * @creation: 2019-06-26 17:50
166      */
167     private Object authToken(RequestContext context) 
168         HttpServletRequest request = context.getRequest();
169         HttpServletResponse response = context.getResponse();
170         /*boolean isLogin = sessionManager.isLogined(request, response);
171         //用户存在
172         if (isLogin) 
173             try 
174                 User user = sessionManager.getUser(request);
175                 log.info("用户存在 :  ", JsonUtils.toJson(user));
176                // String token = userAuthUtil.generateToken(user.getNo(), user.getUserName(), user.getRealName());
177                 log.info("根据用户生成的Token :", token);
178                 //转发信息共享
179                // context.addZuulRequestHeader(JwtUtil.HEADER_AUTH, token);
180                 //缓存 后期所有服务都判断
181                 redisClient.set(user.getNo(), token, 20 * 60L);
182                 //冗余一份
183                 userService.syncUser(user);
184              catch (Exception e) 
185                 log.error("调用SSO获取用户信息异常 :", e.getMessage());
186             
187          else 
188             //根据该token查询该用户不存在
189             unLogin(request, context);
190         */
191         return null;
192 
193     
194 
195 
196     /**
197      * 未登录不路由
198      *
199      * @param request
200      */
201     private void unLogin(HttpServletRequest request, RequestContext context) 
202         String requestURL = request.getRequestURL().toString();
203         String loginUrl = getSsoUrl(request) + "?returnUrl=" + requestURL;
204         //Map map = new HashMap(2);
205         //map.put("redirctUrl", loginUrl);
206         log.info("检查到该token对应的用户登录状态未登录  跳转到Login页面 :  ", loginUrl);
207         assemblyCross(context);
208         context.getResponse().setContentType("application/json;charset=UTF-8");
209         context.set("isSuccess", false);
210         context.setSendZuulResponse(false);
211         //context.setResponseBody(ResultJson.failure(map, "This User Not Found, Please Check Token").toString());
212         context.setResponseStatusCode(HttpStatusEnum.OK.code());
213     
214 
215 
216     /**
217      * 判断是否忽略对请求的校验
218      * @param request
219      * @param functions
220      * @return
221      */
222     private boolean isIgnore(HttpServletRequest request, Function<HttpServletRequest, Boolean>... functions) 
223         return Arrays.stream(functions).anyMatch(f -> f.apply(request));
224     
225 
226 
227     /**
228      * 判断是否存在地址
229      * @param request
230      * @return
231      */
232     private boolean exclude(HttpServletRequest request) 
233         String servletPath = request.getServletPath();
234         if (!CollectionUtils.isEmpty(zuulPropConfig.getExcludeUrls())) 
235             return zuulPropConfig.getPatterns().stream()
236                     .map(pattern -> pattern.matcher(servletPath))
237                     .anyMatch(Matcher::find);
238         
239         return false;
240     
241 
242 
243     /**
244      * 校验请求连接是否合法
245      * @param request
246      * @return
247      */
248     private boolean checkLength(HttpServletRequest request) 
249         return request.getServletPath().length() <= Constant.PATH_LENGTH || CollectionUtils.isEmpty(zuulPropConfig.getApiUrlMap());
250     
251 
252 
253     /**
254      * 会话存在则跨域发送
255      * @param request
256      * @return
257      */
258     private String getCookieBySso(HttpServletRequest request)
259         Cookie cookie = this.getCookieByName(request, "");
260         return cookie != null ? cookie.getValue() : null;
261     
262 
263 
264     /**
265      * 不路由直接返回
266      * @param ctx
267      * @param code
268      * @param msg
269      */
270     private void unauthorized(RequestContext ctx, int code, String msg) 
271         assemblyCross(ctx);
272         ctx.getResponse().setContentType("application/json;charset=UTF-8");
273         ctx.setSendZuulResponse(false);
274         ctx.setResponseBody(ResultJson.failure(ResultEnum.UNAUTHORIZED, msg).toString());
275         ctx.set("isSuccess", false);
276         ctx.setResponseStatusCode(HttpStatusEnum.OK.code());
277     
278 
279 
280     /**
281      * 获取会话里的token
282      * @param request
283      * @param name
284      * @return
285      */
286     private Cookie getCookieByName(HttpServletRequest request, String name) 
287         Map<String, Cookie> cookieMap = new HashMap(16);
288         Cookie[] cookies = request.getCookies();
289         if (!StringUtils.isEmpty(cookies)) 
290             Cookie[] c1 = cookies;
291             int length = cookies.length;
292             for(int i = 0; i < length; ++i) 
293                 Cookie cookie = c1[i];
294                 cookieMap.put(cookie.getName(), cookie);
295             
296         else 
297             return null;
298         
299         if (cookieMap.containsKey(name)) 
300             Cookie cookie = cookieMap.get(name);
301             return cookie;
302         
303         return null;
304     
305 
306 
307     /**
308      * 重定向前缀拼接
309      *
310      * @param request
311      * @return
312      */
313     private String getSsoUrl(HttpServletRequest request) 
314         String serverName = request.getServerName();
315         if (StringUtils.isEmpty(serverName)) 
316             return "https://github.com/yugenhai108";
317         
318         return "https://github.com/yugenhai108";
319 
320     
321 
322     /**
323      * 拼装跨域处理
324      */
325     private void assemblyCross(RequestContext ctx) 
326         HttpServletResponse response = ctx.getResponse();
327         response.setHeader("Access-Control-Allow-Origin", "*");
328         response.setHeader("Access-Control-Allow-Headers", ctx.getRequest().getHeader("Access-Control-Request-Headers"));
329         response.setHeader("Access-Control-Allow-Methods", "*");
330     
331 
332 
333 

 

在 if (isIgnore(request, this::exclude, this::checkLength))   里面可以去调鉴权组件,或者用redis去存放token,获取直接用redis负载抗流量,具体可以自己实现。

 

4:Spring Cloud Gateway的实现

(1)第二代的Gateway则是由Spring Cloud开发,而且用了最新的Spring5.0和响应式Reactor以及最新的Webflux等等,比如原来的阻塞式请求现在变成了异步非阻塞式。
   那么在pom上就变了,变得和原来的starer-web也不兼容了。
 1         <dependency>
 2             <groupId>org.yugh</groupId>
 3             <artifactId>global-auth</artifactId>
 4             <version>0.0.1-SNAPSHOT</version>
 5             <exclusions>
 6                 <exclusion>
 7                     <groupId>org.springframework.boot</groupId>
 8                     <artifactId>spring-boot-starter-web</artifactId>
 9                 </exclusion>
10             </exclusions>
11         </dependency>
12         <!-- gateway -->
13         <dependency>
14             <groupId>org.springframework.cloud</groupId>
15             <artifactId>spring-cloud-starter-gateway</artifactId>
16         </dependency>
17         <dependency>
18             <groupId>org.springframework.cloud</groupId>
19             <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
20         </dependency>
21         <!-- feign -->
22         <dependency>
23             <groupId>org.springframework.cloud</groupId>
24             <artifactId>spring-cloud-starter-openfeign</artifactId>
25         </dependency>
26         <dependency>
27             <groupId>org.springframework.boot</groupId>
28             <artifactId>spring-boot-starter-actuator</artifactId>
29         </dependency>
30         <dependency>
31             <groupId>org.springframework.boot</groupId>
32             <artifactId>spring-boot-configuration-processor</artifactId>
33         </dependency>
34         <!-- redis -->
35         <dependency>
36             <groupId>org.springframework.boot</groupId>
37             <artifactId>spring-boot-starter-data-redis-reactive</artifactId>
38         </dependency>
39         <dependency>
40             <groupId>com.google.guava</groupId>
41             <artifactId>guava</artifactId>
42             <version>23.0</version>
43         </dependency>
44         <dependency>
45             <groupId>org.springframework.boot</groupId>
46             <artifactId>spring-boot-starter-test</artifactId>
47             <scope>test</scope>
48         </dependency>

 

(2)修改application-dev.yml 的内容

  1 server:
  2   port: 8706
  3 #setting
  4 spring:
  5   application:
  6     name: gateway-new
  7   #redis
  8   redis:
  9     host: localhost
 10     port: 6379
 11     database: 0
 12     timeout: 5000
 13   #遇到相同名字,允许覆盖
 14   main:
 15     allow-bean-definition-overriding: true
 16   #gateway
 17   cloud:
 18     gateway:
 19       #注册中心服务发现
 20       discovery:
 21         locator:
 22           #开启通过服务中心的自动根据 serviceId 创建路由的功能
 23           enabled: true
 24       routes:
 25         #服务1
 26         - id: CompositeDiscoveryClient_CUSTOMER
 27           uri: lb://CUSTOMER
 28           order: 1
 29           predicates:
 30             # 跳过自定义是直接带实例名 必须是大写 同样限流拦截失效
 31             - Path= /api/customer/**
 32           filters:
 33             - StripPrefix=2
 34             - AddResponseHeader=X-Response-Default-Foo, Default-Bar
 35             - name: RequestRateLimiter
 36               args:
 37                 key-resolver: "#@gatewayKeyResolver"
 38                 #限额配置
 39                 redis-rate-limiter.replenishRate: 1
 40                 redis-rate-limiter.burstCapacity: 1
 41         #用户微服务
 42         - id: CompositeDiscoveryClient_PRODUCT
 43           uri: lb://PRODUCT
 44           order: 0
 45           predicates:
 46             - Path= /api/product/**
 47           filters:
 48             - StripPrefix=2
 49             - AddResponseHeader=X-Response-Default-Foo, Default-Bar
 50             - name: RequestRateLimiter
 51               args:
 52                 key-resolver: "#@gatewayKeyResolver"
 53                 #限额配置
 54                 redis-rate-limiter.replenishRate: 1
 55                 redis-rate-limiter.burstCapacity: 1
 56           #请求路径选择自定义会进入限流器
 57           default-filters:
 58             - AddResponseHeader=X-Response-Default-Foo, Default-Bar
 59             - name: gatewayKeyResolver
 60               args:
 61                 key-resolver: "#@gatewayKeyResolver"
 62               #断路异常跳转
 63             - name: Hystrix
 64               args:
 65                 #网关异常或超时跳转到处理类
 66                 name: fallbackcmd
 67                 fallbackUri: forward:/fallbackController
 68 
 69 #safe path
 70 auth-skip:
 71   instance-servers:
 72     - CUSTOMER
 73     - PRODUCT
 74   api-urls:
 75     #PRODUCT
 76     - /pro
 77     #CUSTOMER
 78     - /cust
 79 
 80     #gray-env
 81     #...
 82 
 83 #log
 84 logging:
 85   level:
 86     org.yugh: INFO
 87     org.springframework.cloud.gateway: INFO
 88     org.springframework.http.server.reactive: INFO
 89     org.springframework.web.reactive: INFO
 90     reactor.ipc.netty: INFO
 91 
 92 #reg
 93 eureka:
 94   instance:
 95     prefer-ip-address: true
 96   client:
 97     serviceUrl:
 98       defaultZone: http://localhost:8700/eureka/
 99 
100 
101 ribbon:
102   eureka:
103     enabled: true
104   ReadTimeout: 120000
105   ConnectTimeout: 30000
106 
107 
108 #feign
109 feign:
110   hystrix:
111     enabled: false
112 
113 #hystrix
114 hystrix:
115   command:
116     default:
117       execution:
118         isolation:
119           thread:
120             timeoutInMilliseconds: 20000
121 
122 management:
123   endpoints:
124     web:
125       exposure:
126         include: ‘*‘
127       base-path: /actuator
128   endpoint:
129     health:
130       show-details: ALWAYS

 

网关限流用的 spring-boot-starter-data-redis-reactive 做令牌桶IP限流。

具体实现在这个类gatewayKeyResolver

 

(3)令牌桶IP限流,限制当前IP的请求配额

 1 package org.yugh.gatewaynew.config;
 2 
 3 import org.springframework.cloud.gateway.filter.ratelimit.KeyResolver;
 4 import org.springframework.stereotype.Component;
 5 import org.springframework.web.server.ServerWebExchange;
 6 import reactor.core.publisher.Mono;
 7 
 8 /**
 9  * //令牌桶IP限流
10  *
11  * @author 余根海
12  * @creation 2019-07-05 15:52
13  * @Copyright © 2019 yugenhai. All rights reserved.
14  */
15 @Component
16 public class GatewayKeyResolver implements KeyResolver 
17 
18     @Override
19     public Mono<String> resolve(ServerWebExchange exchange) 
20         return Mono.just(exchange.getRequest().getRemoteAddress().getAddress().getHostAddress());
21     
22 
23 

 

(4)网关的白名单和黑名单配置

 1 package org.yugh.gatewaynew.properties;
 2 
 3 
 4 import lombok.Data;
 5 import lombok.extern.slf4j.Slf4j;
 6 import org.springframework.beans.factory.InitializingBean;
 7 import org.springframework.boot.context.properties.ConfigurationProperties;
 8 import org.springframework.context.annotation.Configuration;
 9 import org.springframework.stereotype.Component;
10 
11 import java.util.ArrayList;
12 import java.util.List;
13 import java.util.regex.Pattern;
14 
15 /**
16  * //白名单和黑名单属性配置
17  *
18  * @author  余根海
19  * @creation  2019-07-05 15:52
20  * @Copyright © 2019 yugenhai. All rights reserved.
21  */
22 @Data
23 @Slf4j
24 @Component
25 @Configuration
26 @ConfigurationProperties(prefix = "auth-skip")
27 public class AuthSkipUrlsProperties implements InitializingBean 
28 
29     private static final String NORMAL = "(\\\\w|\\\\d|-)+";
30     private List<Pattern> urlPatterns = new ArrayList(10);
31     private List<Pattern> serverPatterns = new ArrayList(10);
32     private List<String> instanceServers;
33     private List<String> apiUrls;
34 
35     @Override
36     public void afterPropertiesSet() 
37         instanceServers.stream().map(d -> d.replace("*", NORMAL)).map(Pattern::compile).forEach(serverPatterns::add);
38         apiUrls.stream().map(s -> s.replace("*", NORMAL)).map(Pattern::compile).forEach(urlPatterns::add);
39         log.info("============> 配置服务器ID :  , 白名单Url : ", serverPatterns, urlPatterns);
40     
41 
42 

 

(5)核心网关代码GatewayFilter

  1 package org.yugh.gatewaynew.filter;
  2 
  3 import lombok.extern.slf4j.Slf4j;
  4 import org.springframework.beans.factory.annotation.Autowired;
  5 import org.springframework.beans.factory.annotation.Qualifier;
  6 import org.springframework.cloud.gateway.filter.GatewayFilterChain;
  7 import org.springframework.cloud.gateway.filter.GlobalFilter;
  8 import org.springframework.core.Ordered;
  9 import org.springframework.core.io.buffer.DataBuffer;
 10 import org.springframework.http.HttpStatus;
 11 import org.springframework.http.MediaType;
 12 import org.springframework.http.server.reactive.ServerHttpRequest;
 13 import org.springframework.http.server.reactive.ServerHttpResponse;
 14 import org.springframework.util.CollectionUtils;
 15 import org.springframework.web.server.ServerWebExchange;
 16 import org.yugh.gatewaynew.config.GatewayContext;
 17 import org.yugh.gatewaynew.properties.AuthSkipUrlsProperties;
 18 import org.yugh.globalauth.common.constants.Constant;
 19 import org.yugh.globalauth.common.enums.ResultEnum;
 20 import org.yugh.globalauth.pojo.dto.User;
 21 import org.yugh.globalauth.service.AuthService;
 22 import org.yugh.globalauth.util.ResultJson;
 23 import reactor.core.publisher.Flux;
 24 import reactor.core.publisher.Mono;
 25 
 26 import java.nio.charset.StandardCharsets;
 27 import java.util.concurrent.ExecutorService;
 28 import java.util.regex.Matcher;
 29 
 30 /**
 31  * // 网关服务
 32  *
 33  * @author 余根海
 34  * @creation 2019-07-09 10:52
 35  * @Copyright © 2019 yugenhai. All rights reserved.
 36  */
 37 @Slf4j
 38 public class GatewayFilter implements GlobalFilter, Ordered 
 39 
 40     @Autowired
 41     private AuthSkipUrlsProperties authSkipUrlsProperties;
 42     @Autowired
 43     @Qualifier(value = "gatewayQueueThreadPool")
 44     private ExecutorService buildGatewayQueueThreadPool;
 45     @Autowired
 46     private AuthService authService;
 47 
 48 
 49     @Override
 50     public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) 
 51         GatewayContext context = new GatewayContext();
 52         ServerHttpRequest request = exchange.getRequest();
 53         ServerHttpResponse response = exchange.getResponse();
 54         response.getHeaders().setContentType(MediaType.APPLICATION_JSON_UTF8);
 55         log.info("当前会话ID : ", request.getId());
 56         //防止网关监控不到限流请求
 57         if (blackServersCheck(context, exchange)) 
 58             response.setStatusCode(HttpStatus.FORBIDDEN);
 59             byte[] failureInfo = ResultJson.failure(ResultEnum.BLACK_SERVER_FOUND).toString().getBytes(StandardCharsets.UTF_8);
 60             DataBuffer buffer = response.bufferFactory().wrap(failureInfo);
 61             return response.writeWith(Flux.just(buffer));
 62         
 63         //白名单
 64         if (whiteListCheck(context, exchange)) 
 65             authToken(context, request);
 66             if (!context.isDoNext()) 
 67                 byte[] failureInfo = ResultJson.failure(ResultEnum.LOGIN_ERROR_GATEWAY, context.getRedirectUrl()).toString().getBytes(StandardCharsets.UTF_8);
 68                 DataBuffer buffer = response.bufferFactory().wrap(failureInfo);
 69                 response.setStatusCode(HttpStatus.UNAUTHORIZED);
 70                 return response.writeWith(Flux.just(buffer));
 71             
 72             ServerHttpRequest mutateReq = exchange.getRequest().mutate().header(Constant.TOKEN, context.getSsoToken()).build();
 73             ServerWebExchange mutableExchange = exchange.mutate().request(mutateReq).build();
 74             log.info("当前会话转发成功 : ", request.getId());
 75             return chain.filter(mutableExchange);
 76          else 
 77             //黑名单
 78             response.setStatusCode(HttpStatus.FORBIDDEN);
 79             byte[] failureInfo = ResultJson.failure(ResultEnum.WHITE_NOT_FOUND).toString().getBytes(StandardCharsets.UTF_8);
 80             DataBuffer buffer = response.bufferFactory().wrap(failureInfo);
 81             return response.writeWith(Flux.just(buffer));
 82         
 83     
 84 
 85 
 86     @Override
 87     public int getOrder() 
 88         return Integer.MIN_VALUE;
 89     
 90 
 91     /**
 92      * 检查用户
 93      *
 94      * @param context
 95      * @param request
 96      * @return
 97      * @author yugenhai
 98      */
 99     private void authToken(GatewayContext context, ServerHttpRequest request) 
100         try 
101             // boolean isLogin = authService.isLoginByReactive(request);
102             boolean isLogin = true;
103             if (isLogin) 
104                 //User userDo = authService.getUserByReactive(request);
105                 try 
106                     // String ssoToken = authCookieUtils.getCookieByNameByReactive(request, Constant.TOKEN);
107                     String ssoToken = "123";
108                     context.setSsoToken(ssoToken);
109                  catch (Exception e) 
110                     log.error("用户调用失败 : ", e.getMessage());
111                     context.setDoNext(false);
112                     return;
113                 
114              else 
115                 unLogin(context, request);
116             
117          catch (Exception e) 
118             log.error("获取用户信息异常 :", e.getMessage());
119             context.setDoNext(false);
120         
121     
122 
123 
124     /**
125      * 网关同步用户
126      *
127      * @param userDto
128      */
129     public void synUser(User userDto) 
130         buildGatewayQueueThreadPool.execute(new Runnable() 
131             @Override
132             public void run() 
133                 log.info("用户同步成功 : ", "");
134             
135         );
136 
137     
138 
139 
140     /**
141      * 视为不能登录
142      *
143      * @param context
144      * @param request
145      */
146     private void unLogin(GatewayContext context, ServerHttpRequest request) 
147         String loginUrl = getSsoUrl(request) + "?returnUrl=" + request.getURI();
148         context.setRedirectUrl(loginUrl);
149         context.setDoNext(false);
150         log.info("检查到该token对应的用户登录状态未登录  跳转到Login页面 :  ", loginUrl);
151     
152 
153 
154     /**
155      * 白名单
156      *
157      * @param context
158      * @param exchange
159      * @return
160      */
161     private boolean whiteListCheck(GatewayContext context, ServerWebExchange exchange) 
162         String url = exchange.getRequest().getURI().getPath();
163         boolean white = authSkipUrlsProperties.getUrlPatterns().stream()
164                 .map(pattern -> pattern.matcher(url))
165                 .anyMatch(Matcher::find);
166         if (white) 
167             context.setPath(url);
168             return true;
169         
170         return false;
171     
172 
173 
174     /**
175      * 黑名单
176      *
177      * @param context
178      * @param exchange
179      * @return
180      */
181     private boolean blackServersCheck(GatewayContext context, ServerWebExchange exchange) 
182         String instanceId = exchange.getRequest().getURI().getPath().substring(1, exchange.getRequest().getURI().getPath().indexOf(‘/‘, 1));
183         if (!CollectionUtils.isEmpty(authSkipUrlsProperties.getInstanceServers())) 
184             boolean black = authSkipUrlsProperties.getServerPatterns().stream()
185                     .map(pattern -> pattern.matcher(instanceId))
186                     .anyMatch(Matcher::find);
187             if (black) 
188                 context.setBlack(true);
189                 return true;
190             
191         
192         return false;
193     
194 
195 
196     /**
197      * @param request
198      * @return
199      */
200     private String getSsoUrl(ServerHttpRequest request) 
201         return request.getPath().value();
202     
203 
204 

 

在 private void authToken(GatewayContext context, ServerHttpRequest request) 这个方法里可以自定义做验证。

 

结束语:

我实现了一遍两种网关,发现还是官网的文档最靠谱,也是能落地到项目中的。如果你需要源码的请到 余根海的博客 去clone,如果帮助到了你,还请点个 star,项目我会一直更新。

 

如果转载请写上出处!感谢阅读!

以上是关于最全面的改造Zuul网关为Spring Cloud Gateway(包含Zuul核心实现和Spring Cloud Gateway核心实现)的主要内容,如果未能解决你的问题,请参考以下文章

Spring cloud微服务安全实战-4-8Zuul网关安全开发

Spring Cloud Zuul API 网关不会为无状态会话转发 JWT 令牌

Spring Cloud 微服务二:API网关spring cloud zuul

Spring Cloud 如何利用zuul实现网关

spring cloud 学习 - zuul 微服务网关

Spring-Cloud-Zuul-网关配置