https://github.com/apache/incubator-apisix-docker
https://hub.docker.com/r/bitnami/etcd
https://hub.docker.com/r/iresty/apisix
https://github.com/apache/incubator-apisix/tree/master/doc
APISIX 是一个云原生、高性能、可扩展的微服务 API 网关。
它是基于 OpenResty 和 etcd 来实现,和传统 API 网关相比,APISIX 具备动态路由和插件热加载,特别适合微服务体系下的 API 管理。
apisixetcd
bitnami/etcd:3.3.15-r13
变量:
ALLOW_NONE_AUTHENTICATION = yes
卷:
/etc/localtime:/etc/localtime:ro
/data/file:/data/file
/data/docker/nginx/apisix/etcd.conf.yml:/opt/bitnami/etcd/conf/etcd.conf.yml:ro
端口:(http)2379:2379
apisix
iresty/apisix:latest
卷:
/etc/localtime:/etc/localtime:ro
/data/file:/data/file
/data/docker/nginx/apisix/config.yaml:/usr/local/apisix/conf/config.yaml:ro
端口:(http)9080:9080
访问:
http://ip:9080/apisix/dashboard/
---Dashboard 默认允许任何 IP 访问。你可以自行修改 conf/config.yaml 中的 allow_admin 字段,指定允许访问 dashboard 的 IP 列表。
vi /data/docker/nginx/apisix/etcd.conf.yml # 无修改
# This is the configuration file for the etcd server.
# Human-readable name for this member.
name: 'default'
# Path to the data directory.
data-dir:
# Path to the dedicated wal directory.
wal-dir:
# Number of committed transactions to trigger a snapshot to disk.
snapshot-count: 10000
# Time (in milliseconds) of a heartbeat interval.
heartbeat-interval: 100
# Time (in milliseconds) for an election to timeout.
election-timeout: 1000
# Raise alarms when backend size exceeds the given quota. 0 means use the
# default quota.
quota-backend-bytes: 0
# List of comma separated URLs to listen on for peer traffic.
listen-peer-urls: http://localhost:2380
# List of comma separated URLs to listen on for client traffic.
listen-client-urls: http://localhost:2379
# Maximum number of snapshot files to retain (0 is unlimited).
max-snapshots: 5
# Maximum number of wal files to retain (0 is unlimited).
max-wals: 5
# Comma-separated white list of origins for CORS (cross-origin resource sharing).
cors:
# List of this member's peer URLs to advertise to the rest of the cluster.
# The URLs needed to be a comma-separated list.
initial-advertise-peer-urls: http://localhost:2380
# List of this member's client URLs to advertise to the public.
# The URLs needed to be a comma-separated list.
advertise-client-urls: http://localhost:2379
# Discovery URL used to bootstrap the cluster.
discovery:
# Valid values include 'exit', 'proxy'
discovery-fallback: 'proxy'
# HTTP proxy to use for traffic to discovery service.
discovery-proxy:
# DNS domain used to bootstrap initial cluster.
discovery-srv:
# Initial cluster configuration for bootstrapping.
initial-cluster:
# Initial cluster token for the etcd cluster during bootstrap.
initial-cluster-token: 'etcd-cluster'
# Initial cluster state ('new' or 'existing').
initial-cluster-state: 'new'
# Reject reconfiguration requests that would cause quorum loss.
strict-reconfig-check: false
# Accept etcd V2 client requests
enable-v2: true
# Enable runtime profiling data via HTTP server
enable-pprof: true
# Valid values include 'on', 'readonly', 'off'
proxy: 'off'
# Time (in milliseconds) an endpoint will be held in a failed state.
proxy-failure-wait: 5000
# Time (in milliseconds) of the endpoints refresh interval.
proxy-refresh-interval: 30000
# Time (in milliseconds) for a dial to timeout.
proxy-dial-timeout: 1000
# Time (in milliseconds) for a write to timeout.
proxy-write-timeout: 5000
# Time (in milliseconds) for a read to timeout.
proxy-read-timeout: 0
client-transport-security:
# Path to the client server TLS cert file.
cert-file:
# Path to the client server TLS key file.
key-file:
# Enable client cert authentication.
client-cert-auth: false
# Path to the client server TLS trusted CA cert file.
trusted-ca-file:
# Client TLS using generated certificates
auto-tls: false
peer-transport-security:
# Path to the peer server TLS cert file.
cert-file:
# Path to the peer server TLS key file.
key-file:
# Enable peer client cert authentication.
client-cert-auth: false
# Path to the peer server TLS trusted CA cert file.
trusted-ca-file:
# Peer TLS using generated certificates.
auto-tls: false
# Enable debug-level logging for etcd.
debug: false
logger: zap
# Specify 'stdout' or 'stderr' to skip journald logging even when running under systemd.
log-outputs: [stderr]
# Force to create a new one member cluster.
force-new-cluster: false
auto-compaction-mode: periodic
auto-compaction-retention: "1"
vi /data/docker/nginx/apisix/config.yaml # 修改 host: "http://95.216.76.105:2379"
apisix:
node_listen: 9080 # APISIX listening port
node_ssl_listen: 9443
enable_heartbeat: true
enable_admin: true
enable_debug: false
enable_ipv6: true
config_center: etcd # etcd: use etcd to store the config value
# yaml: fetch the config value from local yaml file `/your_path/conf/apisix.yaml`
# allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
# - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default.
# - "::/64"
# port_admin: 9180 # use a separate port
real_ip_header: "X-Real-IP" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
- 127.0.0.1
- 'unix:'
router:
http: 'radixtree_uri' # radixtree_uri: match route by uri(base on radixtree)
# radixtree_host_uri: match route by host + uri(base on radixtree)
# r3_uri: match route by uri(base on r3)
# r3_host_uri: match route by host + uri(base on r3)
ssl: 'radixtree_sni' # r3_sni: match route by SNI(base on r3)
# radixtree_sni: match route by SNI(base on radixtree)
# stream_proxy: # TCP/UDP proxy
# tcp: # TCP proxy port list
# - 9100
# - 9101
# udp: # UDP proxy port list
# - 9200
# - 9211
dns_resolver: # default DNS resolver, with disable IPv6 and enable local DNS
- 114.114.114.114
- 223.5.5.5
- 1.1.1.1
- 8.8.8.8
ssl:
enable: true
enable_http2: true
listen_port: 9443
ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
nginx_config: # config for render the template to genarate nginx.conf
error_log: "logs/error.log"
error_log_level: "warn" # warn,error
event:
worker_connections: 10620
http:
access_log: "logs/access.log"
keepalive_timeout: 60s # timeout during which a keep-alive client connection will stay open on the server side.
client_header_timeout: 60s # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client
send_timeout: 10s # timeout for transmitting a response to the client.then the connection is closed
etcd:
host: "http://95.216.76.105:2379" # etcd address
prefix: "/apisix" # apisix configurations prefix
timeout: 1 # 1 seconds
plugins: # plugin list
- example-plugin
- limit-req
- limit-count
- limit-conn
- key-auth
- prometheus
- node-status
- jwt-auth
- zipkin
- ip-restriction
- grpc-transcode
- serverless-pre-function
- serverless-post-function
- openid-connect
- proxy-rewrite
stream_plugins:
- mqtt-proxy
目前已支持这些插件:
HTTPS:根据 TLS 扩展字段 SNI(Server Name Indication) 动态加载证书。
动态负载均衡:跨多个上游服务的动态负载均衡,目前已支持 round-robin 和一致性哈希算法。
key-auth:基于 Key Authentication 的用户认证。
JWT-auth:基于 JWT (JSON Web Tokens) Authentication 的用户认证。
limit-count:基于“固定窗口”的限速实现。
limit-req:基于漏桶原理的请求限速实现。
limit-conn:限制并发请求(或并发连接)。
prometheus:以 Prometheus 格式导出 APISIX 自身的状态信息,方便被外部 Prometheus 服务抓取。
OpenTracing:支持 Zikpin 和 Apache SkyWalking。
grpc-transcode:REST <--> gRPC 转码。
serverless:允许在 APISIX 中的不同阶段动态运行 Lua 代码。
ip-restriction: IP 黑白名单。
openid-connect
为什么选择 APISIX?
如果你正在构建网站、移动设备或 IoT(物联网)的应用,那么你可能需要使用 API 网关来处理接口流量。
APISIX 是基于云原生的微服务 API 网关,可以处理传统的南北向流量,也可以处理服务间的东西向流量。
APISIX 通过插件机制,提供动态负载平衡、身份验证、限流限速等功能,并且支持你自己开发的插件。
功能
- 云原生: 平台无关,没有供应商锁定,无论裸机还是 Kubernetes,APISIX 都可以运行。
- 热更新和热插件: 无需重启服务,就可以持续更新配置和插件。
- 动态负载均衡:动态支持有权重的 round-robin 负载平衡。
- 支持一致性 hash 的负载均衡:动态支持一致性 hash 的负载均衡。
- SSL:动态加载 SSL 证书。
- HTTP(S) 反向代理
- 健康检查:启用上游节点的健康检查,将在负载均衡期间自动过滤不健康的节点,以确保系统稳定性。
- 熔断器: 智能跟踪不健康上游服务。
- 身份认证: key-auth, JWT。
- 限制速率
- 限制请求数
- 限制并发
- 代理请求重写: 支持重写请求上游的
host、uri、schema、enable_websocket、headers信息。 - OpenTracing: 支持 Apache Skywalking 和 Zipkin
- 监控和指标: Prometheus
- gRPC 协议转换:支持协议的转换,这样客户端可以通过 HTTP/JSON 来访问你的 gRPC API。
- Serverless: 在 APISIX 的每一个阶段,你都可以添加并调用自己编写的函数。
- 自定义插件: 允许挂载常见阶段,例如
rewrite,access,header filer,body filter和log,还允许挂载 balancer 阶段。 - 控制台: 内置控制台来操作 APISIX 集群。
- 版本控制:支持操作的多次回滚。
- CLI: 使用命令行来启动、关闭和重启 APISIX。
- REST API
- Websocket 代理
- IPv6:支持使用 IPv6 格式匹配路由。
- 集群:APISIX 节点是无状态的,创建配置中心集群请参考 etcd Clustering Guide。
- 可扩展:简单易用的插件机制方便扩展。
- 高性能:在单核上 QPS 可以达到 24k,同时延迟只有 0.6 毫秒。
- 防御 ReDoS(正则表达式拒绝服务)
- IP 黑名单
- IdP 支持: 支持外部的身份认证服务,比如 Auth0,Okta,Authing 等,用户可以借此来对接 Oauth2.0 等认证方式。
- 单机模式: 支持从本地配置文件中加载路由规则,在 kubernetes(k8s) 等环境下更友好。
- 全局规则:允许对所有请求执行插件,比如黑白名单、限流限速等。
- TCP/UDP 代理: 动态 TCP/UDP 代理。
- 动态 MQTT 代理: 支持用
client_id 对 MQTT 进行负载均衡,同时支持 MQTT 3.1.* 和 5.0 两个协议标准。 - ACL: TODO。
- Bot detection: TODO。
https://blog.csdn.net/qq_16063307/article/details/102774822
