Ocelot搭建api网关思维导图模板_ProcessOn思维导图、流程图

1.Ocelot简介

简单的来说Ocelot是一堆的asp.net core middleware组成的一个管道。当它拿到请求之后会用一个request builder来构造一个HttpRequestMessage发到下游的真实服务器，等下游的服务返回response之后再由一个middleware将它返回的HttpResponseMessage映射到HttpResponse上

2.Ocelot功能

路由、请求聚合、服务发现、认证、鉴权、限流熔断、并内置了负载均衡器与Service Fabric、Butterfly Tracing集成

3.演进

基本使用

集成Identity Server

网关集群

Consul 服务发现

分支主题

4.配置说明

Downstream是下游服务配置&#13; UpStream是上游服务配置&#13; Aggregates 服务聚合配置&#13; ServiceName, LoadBalancer, UseServiceDiscovery 配置服务发现&#13; AuthenticationOptions 配置服务认证&#13; RouteClaimsRequirement 配置Claims鉴权&#13; RateLimitOptions为限流配置&#13; FileCacheOptions 缓存配置&#13; QosOptions 服务质量与熔断&#13; DownstreamHeaderTransform头信息转发

{&#13; "DownstreamPathTemplate": "/",&#13; "UpstreamPathTemplate": "/",&#13; "UpstreamHttpMethod": [&#13; "Get"&#13; ],&#13; "AddHeadersToRequest": {},&#13; "AddClaimsToRequest": {},&#13; "RouteClaimsRequirement": {},&#13; "AddQueriesToRequest": {},&#13; "RequestIdKey": "",&#13; "FileCacheOptions": {&#13; "TtlSeconds": 0,&#13; "Region": ""&#13; },&#13; "ReRouteIsCaseSensitive": false,&#13; "ServiceName": "",&#13; "DownstreamScheme": "http",&#13; "DownstreamHostAndPorts": [&#13; {&#13; "Host": "localhost",&#13; "Port": 51876,&#13; }&#13; ],&#13; "QoSOptions": {&#13; "ExceptionsAllowedBeforeBreaking": 0,&#13; "DurationOfBreak": 0,&#13; "TimeoutValue": 0&#13; },&#13; "LoadBalancer": "",&#13; "RateLimitOptions": {&#13; "ClientWhitelist": [],&#13; "EnableRateLimiting": false,&#13; "Period": "",&#13; "PeriodTimespan": 0,&#13; "Limit": 0&#13; },&#13; "AuthenticationOptions": {&#13; "AuthenticationProviderKey": "",&#13; "AllowedScopes": []&#13; },&#13; "HttpHandlerOptions": {&#13; "AllowAutoRedirect": true,&#13; "UseCookieContainer": true,&#13; "UseTracing": true&#13; },&#13; "UseServiceDiscovery": false&#13; }

5.路由

基本使用

DownstreamPathTemplate：下游戏&#13; DownstreamScheme：下游服务http schema&#13; DownstreamHostAndPorts：下游服务的地址，如果使用LoadBalancer的话这里可以填多项&#13; UpstreamPathTemplate: 上游也就是用户输入的请求Url模板&#13; UpstreamHttpMethod: 上游请求http方法，可使用数组

{&#13; "DownstreamPathTemplate": "/api/post/{postId}",&#13; "DownstreamScheme": "https",&#13; "DownstreamHostAndPorts": [&#13; {&#13; "Host": "localhost",&#13; "Port": 80,&#13; }&#13; ],&#13; "UpstreamPathTemplate": "/post/{postId}",&#13; "UpstreamHttpMethod": [ "Get"]&#13; }

路由负载均衡

LoadBalancer将决定负载均衡的算法&#13; &#13; 1.LeastConnection – 将请求发往最空闲的那个服务器&#13; 2.RoundRobin – 轮流发送&#13; 3.NoLoadBalance – 总是发往第一个请求或者是服务发现

{&#13; "DownstreamPathTemplate": "/api/posts/{postId}",&#13; "DownstreamScheme": "https",&#13; "DownstreamHostAndPorts": [&#13; {&#13; "Host": "10.0.1.10",&#13; "Port": 5000,&#13; },&#13; {&#13; "Host": "10.0.1.11",&#13; "Port": 5000,&#13; }&#13; ],&#13; "UpstreamPathTemplate": "/posts/{postId}",&#13; "LoadBalancer": "LeastConnection",&#13; "UpstreamHttpMethod": [ "Put", "Delete" ]&#13; }

6.请求聚合

需要注意的是：&#13; &#13; 1.聚合服务目前只支持返回json&#13; 2.目前只支持Get方式请求下游服务&#13; 3.任何下游的response header并会被丢弃&#13; 4.如果下游服务返回404，聚合服务只是这个key的value为空，它不会返回404&#13; 有一些其它的功能会在将来实现&#13; &#13; 1.下游服务很慢的处理&#13; 2.做一些像 GraphQL的处理对下游服务返回结果进行处理&#13; 3.404的处理

{&#13; "ReRoutes": [&#13; {&#13; "DownstreamPathTemplate": "/",&#13; "UpstreamPathTemplate": "/laura",&#13; "UpstreamHttpMethod": [&#13; "Get"&#13; ],&#13; "DownstreamScheme": "http",&#13; "DownstreamHostAndPorts": [&#13; {&#13; "Host": "localhost",&#13; "Port": 51881&#13; }&#13; ],&#13; "Key": "Laura"&#13; },&#13; {&#13; "DownstreamPathTemplate": "/",&#13; "UpstreamPathTemplate": "/tom",&#13; "UpstreamHttpMethod": [&#13; "Get"&#13; ],&#13; "DownstreamScheme": "http",&#13; "DownstreamHostAndPorts": [&#13; {&#13; "Host": "localhost",&#13; "Port": 51882&#13; }&#13; ],&#13; "Key": "Tom"&#13; }&#13; ],&#13; "Aggregates": [&#13; {&#13; "ReRouteKeys": [&#13; "Tom",&#13; "Laura"&#13; ],&#13; "UpstreamPathTemplate": "/"&#13; }&#13; ]&#13; }

{"Tom":{"Age": 19},"Laura":{"Age": 25}}

7.限流

这个功能就是我们的张善友添加进去的。优雅的实现了对请求进行限流可以防止下游服务器因为访问过载而崩溃

1.ClientWihteList 白名单&#13; 2.EnableRateLimiting 是否启用限流&#13; 3.Period 统计时间段：1s, 5m, 1h, 1d&#13; 4.PeroidTimeSpan 多少秒之后客户端可以重试&#13; 5.Limit 在统计时间段内允许的最大请求数量

"RateLimitOptions": {&#13; "ClientWhitelist": [],&#13; "EnableRateLimiting": true,&#13; "Period": "1s",&#13; "PeriodTimespan": 1,&#13; "Limit": 1&#13; }

在 GlobalConfiguration下我们还可以进行以下配置&#13; 1.Http头 X-Rate-Limit 和 Retry-After 是否禁用&#13; 2.QuotaExceedMessage 当请求过载被截断时返回的消息&#13; 3.HttpStatusCode 当请求过载被截断时返回的http status&#13; 4.ClientIdHeader 用来识别客户端的请求头，默认是 ClientId

"RateLimitOptions": {&#13; "DisableRateLimitHeaders": false,&#13; "QuotaExceededMessage": "Customize Tips!",&#13; "HttpStatusCode": 999,&#13; "ClientIdHeader" : "Test"&#13; }

8.服务质量与熔断

当下游服务已经出现故障的时候再请求也是功而返，并且增加下游服务器和API网关的负担&#13; &#13; 1.ExceptionsAllowedBeforeBreaking 允许多少个异常请求&#13; 2.DurationOfBreak 熔断的时间，单位为秒&#13; 3.TimeoutValue 如果下游请求的处理时间超过多少则自如将请求设置为超时

"QoSOptions": {&#13; "ExceptionsAllowedBeforeBreaking":3,&#13; "DurationOfBreak":5,&#13; "TimeoutValue":5000&#13; }

9.缓存

依赖于CacheManager 来实现

"FileCacheOptions": { "TtlSeconds": 15, "Region": "somename" }

10.认证

在ReRoutes的路由模板中的AuthenticationOptions进行配置，只需要我们的AuthenticationProviderKey一致即可

"ReRoutes": [{&#13; "DownstreamHostAndPorts": [&#13; {&#13; "Host": "localhost",&#13; "Port": 51876,&#13; }&#13; ],&#13; "DownstreamPathTemplate": "/",&#13; "UpstreamPathTemplate": "/",&#13; "UpstreamHttpMethod": ["Post"],&#13; "ReRouteIsCaseSensitive": false,&#13; "DownstreamScheme": "http",&#13; "AuthenticationOptions": {&#13; "AuthenticationProviderKey": "TestKey",&#13; "AllowedScopes": []&#13; }&#13; }]

public void ConfigureServices(IServiceCollection services)&#13; {&#13; var authenticationProviderKey = "TestKey";&#13; var options = o =&gt;&#13; {&#13; o.Authority = "https://whereyouridentityserverlives.com";&#13; o.ApiName = "api";&#13; o.SupportedTokens = SupportedTokens.Both;&#13; o.ApiSecret = "secret";&#13; };&#13; &#13; services.AddAuthentication()&#13; .AddIdentityServerAuthentication(authenticationProviderKey, options);&#13; &#13; services.AddOcelot();&#13; }

11.鉴权

通过认证中的AllowedScopes 拿到claims之后，如果要进行权限的鉴别需要添加以下配置

"RouteClaimsRequirement": {&#13; "UserType": "registered"&#13; }&#13; 当前请求上下文的token中所带的claims如果没有 name=”UserType” 并且 value=”registered” 的话将无法访问下游服务

12.请求头转化

13.Claims转化

14.Consul服务发现

后续探索

子主题 1 Service fabric + Ocelot + Identity Server4 + 52ABP

子主题 2 不够痛就别微服务

子主题 3 asp.net core webApi 参数保护 nuget 包 WeihanLi.DataProtection

微服务

好处