Kong Gateway - 13 IP Whitelist Access Restriction Based on Gateway Services (Whitelist IP Restriction)


Configure a book service with Kong
After installing and starting Kong, use Kong's Admin API on port 8001 to add a service named book:
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:27:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "host": "contoso.com", 
    "created_at": 1526099267, 
    "connect_timeout": 60000, 
    "id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510", 
    "protocol": "http", 
    "name": "book", 
    "read_timeout": 60000, 
    "port": 80, 
    "path": "/v1/books", 
    "updated_at": 1526099267, 
    "retries": 5, 
    "write_timeout": 60000
}
Add a route (the value of paths[] must match the /v1/books path of the book service)
so that the book service is exposed for users to access; the book service does not need more than one route.
Attention, attention, attention: I'll repeat the important parameter only three times:
a service route used with Cross-Origin Resource Sharing (CORS) must not be configured with the --data 'hosts[]=contoso.com' parameter value.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:30:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526099405, 
    "strip_path": true, 
    "hosts": null, 
    "preserve_host": false, 
    "regex_priority": 0, 
    "updated_at": 1526099405, 
    "paths": [
        "/v1/books"
    ], 
    "service": {
        "id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510"
    }, 
    "methods": null, 
    "protocols": [
        "http", 
        "https"
    ], 
    "id": "42251e97-2921-45ea-bb19-0416019ea67a"   // {route_id} = id 
}

We can check whether the book service and its route are configured correctly like this:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sat, 12 May 2018 12:33:12 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 27
X-Kong-Proxy-Latency: 61
Via: kong/0.13.1

[
    {
        "id": 1, 
        "title": "Fashion That Changed the World", 
        "author": "Jennifer Croll"
    }, 
    {
        "id": 2, 
        "title": "Brigitte Bardot - My Life in Fashion", 
        "author": "Henry-Jean Servat and Brigitte Bardot"
    }, 
    {
        "id": 3, 
        "title": "The Fashion Image", 
        "author": "Thomas Werner"
    }
]

Enable the Cross-Origin Resource Sharing (CORS) plugin on the book service with the following parameters
URL format: http://localhost:8001/services/{name of service}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=cors"  \
--data "config.origins=http://contoso.com" \
--data "config.methods=GET, POST" \
--data "config.headers=Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Auth-Token" \
--data "config.exposed_headers=X-Auth-Token" \
--data "config.credentials=true" \
--data "config.max_age=3600"

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:39:35 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526128775000, 
    "config": {
        "methods": [
            "GET", 
            "POST"
        ], 
        "exposed_headers": [
            "X-Auth-Token"
        ], 
        "max_age": 3600, 
        "headers": [
            "Accept", 
            "Accept-Version", 
            "Content-Length", 
            "Content-MD5", 
            "Content-Type", 
            "Date", 
            "X-Auth-Token"
        ], 
        "credentials": true, 
        "origins": [
            "http://contoso.com"
        ], 
        "preflight_continue": false
    }, 
    "id": "e352e234-e5ab-4ba8-ad00-3796e176a720", 
    "enabled": true, 
    "service_id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510", 
    "name": "cors"
}
Enable the Cross-Origin Resource Sharing (CORS) plugin with the same parameters on the book service's route {route_id}
The value of {route_id} is the id of the route created above without the --data 'hosts[]=contoso.com' parameter
URL format: http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=cors"  \
--data "config.origins=http://contoso.com" \
--data "config.methods=GET, POST" \
--data "config.headers=Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Auth-Token" \
--data "config.exposed_headers=X-Auth-Token" \
--data "config.credentials=true" \
--data "config.max_age=3600"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:37:33 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526128653000, 
    "config": {
        "methods": [
            "GET", 
            "POST"
        ], 
        "exposed_headers": [
            "X-Auth-Token"
        ], 
        "max_age": 3600, 
        "headers": [
            "Accept", 
            "Accept-Version", 
            "Content-Length", 
            "Content-MD5", 
            "Content-Type", 
            "Date", 
            "X-Auth-Token"
        ], 
        "credentials": true, 
        "origins": [
            "http://contoso.com"
        ], 
        "preflight_continue": false
    }, 
    "id": "1f6dc33a-8a30-473f-929b-f4d38aadbdc7", 
    "enabled": true, 
    "route_id": "42251e97-2921-45ea-bb19-0416019ea67a", 
    "name": "cors"
}

We want to access port 8000 or port 8443 through a domain name,

in the address format used in this example (suppose you have registered the public domain contoso.org with the fixed public IPv4 address 123.125.115.110; once the public domain is granted, replace the fake public IP that contoso.org maps to in the hosts file with the fixed public IPv4 address 123.125.115.110, i.e. replace the first 192.168.10.10; do not touch the second 192.168.10.10 below it, which stays unchanged permanently as the intranet IP address; contoso.com is a custom domain used permanently as the company's intranet domain, and the contoso.org domain in the screenshot below simulates a public web address; this is all very basic and I did not intend to be long-winded, but I'll explain it in passing):

http://contoso.org:8000/v1/books

https://contoso.org:8443/v1/books

[Screenshot 1]

The above only simulates local access in the public-address format; below, a remote client browser accessing the book service exposed by the Kong gateway is simulated.

[Screenshot 2]

The above simulates both the public-address format and a remote client browser accessing the book service exposed by the Kong gateway.

[Screenshot 3]

[Screenshot 4]

[root@contoso ~]# pg_dump -h 127.0.0.1 -p 5432 -U postgres kong > /opt/kong-20180427.bak   # back up the kong database
Password: 123456

With the preparation finally done, this post gets to its real topic.

Enable the Basic authentication plugin on the book service's route {route_id}. There are nine authentication methods that could be used in place of basic-auth;
I won't give examples of the other eight, since doing so would fill a book and make this post far too long.
URL format: http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:47:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526129231000, 
    "config": {
        "hide_credentials": true, 
        "anonymous": ""
    }, 
    "id": "7992d4c5-4a8d-445e-8271-06c46c9f5f5d", 
    "enabled": true, 
    "route_id": "42251e97-2921-45ea-bb19-0416019ea67a", 
    "name": "basic-auth"
}
Add the first consumer, with username jack. The {custom_id} parameter can be omitted; it is a custom unique identifier
whose purpose is to map the consumer jack to another database.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:48:23 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526129303000, 
    "username": "jack", 
    "id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
Enable the Basic authentication plugin for the first user, jack
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack@hotmail.com" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:50:05 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526129405000, 
    "id": "ae14ab2f-756e-40be-8c2c-dc45de901760", 
    "username": "jack@hotmail.com", 
    "password": "70ee8509541cc3c9062ce62e868f19347d289d72", 
    "consumer_id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
Online base64 encoding tool: http://tool.oschina.net/encrypt?type=3
Key-value pair {username:password} string
The BASE64 encoding of the key-value string jack@hotmail.com:123456 is:
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
Access the books data interface using jack's Basic authentication
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY="
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Sat, 12 May 2018 12:51:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
Vary: Origin
Access-Control-Allow-Origin: http://contoso.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Auth-Token
X-Kong-Upstream-Latency: 26
X-Kong-Proxy-Latency: 48
Via: kong/0.13.1

[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]
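The Authorization header used above can be produced locally instead of pasting the credentials into an online encoder. The following is an added Python example, not code from the original post or from Kong: it builds the header for consumer jack and parses it back the way a gateway must, splitting on the first colon so that a password containing ':' survives the round trip.

```python
import base64
from typing import Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic auth (RFC 7617).

    Base64 is reversible encoding, not encryption: anyone who sees the header
    can read the password, which is why Basic auth belongs on HTTPS only.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value: str) -> Tuple[str, str]:
    """Decode a 'Basic <token>' header into (username, password).

    The split is on the FIRST colon: usernames may not contain ':' but
    passwords may, so 'u:p:a:ss' must yield ('u', 'p:a:ss').
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: missing ':'")
    return username, password


if __name__ == "__main__":
    # Credentials of consumer jack from the post.
    header = basic_auth_header("jack@hotmail.com", "123456")
    print(header)  # Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY=
    print(parse_basic_auth(header))
```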
Enable IP whitelist access restriction for the service named book
Here 192.168.10.50 means the macOS computer is restricted and cannot access the book service
Here 192.168.43.0/24 means the whole 192.168.43 subnet is restricted and cannot access the book service (the Windows 10 machine is in this subnet)
URL format: http://contoso.org:8001/services/{service}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=ip-restriction"  \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 12:58:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526129906000, 
    "config": {
        "whitelist": [
            "192.168.10.50", 
            "192.168.43.0/24"
        ]
    }, 
    "id": "d3ef0103-9eca-4e20-a845-10cfc2152ca1", 
    "enabled": true, 
    "service_id": "f4c0d700-ce37-4a97-b7c2-21c4f8620510", 
    "name": "ip-restriction"
}
Enable IP whitelist access restriction for the route {route_id} of the service named book
Here 192.168.10.50 means the macOS computer is restricted and cannot access the book service's route
Here 192.168.43.0/24 means the whole 192.168.43 subnet is restricted and cannot access the book service's route (the Windows 10 machine is in this subnet)
URL format: http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/42251e97-2921-45ea-bb19-0416019ea67a/plugins \
--data "name=ip-restriction"  \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"
HTTP/1.1 201 Created
Date: Sat, 12 May 2018 13:01:21 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526130082000, 
    "config": {
        "whitelist": [
            "192.168.10.50", 
            "192.168.43.0/24"
        ]
    }, 
    "id": "bafcf0ad-31dd-4779-aca9-c2dea8384e29", 
    "enabled": true, 
    "route_id": "42251e97-2921-45ea-bb19-0416019ea67a", 
    "name": "ip-restriction"
}

At the command below, even after logging in successfully with jack's account from various browsers on clients running different operating systems, the response is

{"message":"Your IP address is not allowed"}. This message is in fact the result we expect. Why?

Because I have not yet run the command that associates the logged-in user with the IP whitelist; the effect after association is demonstrated at the end (IPs in the whitelist can access the book data interface). As long as the whitelist is not associated with a specific user, every user is effectively on a blacklist and none of them can access the books interface.

Right now jack is effectively blacklisted. The uniquely named book service does not allow us to define both an IP whitelist and an IP blacklist for it.

[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY="
HTTP/1.1 403 Forbidden
Date: Sat, 12 May 2018 13:02:26 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
Vary: Origin
Access-Control-Allow-Origin: http://contoso.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Auth-Token

{"message":"Your IP address is not allowed"}
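To see how an allow-list decision like the 403 above is made, here is an added Python example; it is not Kong's own code (which is Lua) but a re-implementation of the matching with the standard ipaddress module. It evaluates the post's whitelist against the address of the TCP peer the gateway sees, which for a curl run on the gateway host itself is 127.0.0.1, and it rejects a configuration that sets both whitelist and blacklist, the rule the post mentions.

```python
import ipaddress
from typing import Dict, List, Optional

# Allow-list from the post: one host and one /24 network.
WHITELIST = ["192.168.10.50", "192.168.43.0/24"]
# Body returned by the gateway when the client address is rejected.
DENY_BODY = {"message": "Your IP address is not allowed"}


def parse_cidrs(entries: List[str]):
    """Turn plain IPs and CIDR strings into network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def validate_config(config: Dict[str, List[str]]) -> None:
    """A whitelist and a blacklist cannot both be set, and one of them is required."""
    if config.get("whitelist") and config.get("blacklist"):
        raise ValueError("you cannot set both a whitelist and a blacklist")
    if not config.get("whitelist") and not config.get("blacklist"):
        raise ValueError("you must set at least a whitelist or a blacklist")


def ip_restriction(config: Dict[str, List[str]], remote_addr: str) -> Optional[Dict[str, str]]:
    """Return None when the request may pass, or the 403 body when it is rejected.

    remote_addr is the source address of the connection as the gateway sees it:
    a curl run on the gateway host arrives from 127.0.0.1 whatever URL it targets,
    and a Basic-auth login does not change that address.
    """
    validate_config(config)
    client = ipaddress.ip_address(remote_addr)
    if config.get("blacklist"):
        # Deny-list mode: block only listed addresses, let everything else through.
        if any(client in net for net in parse_cidrs(config["blacklist"])):
            return DENY_BODY
        return None
    # Allow-list mode: only listed addresses pass.
    if any(client in net for net in parse_cidrs(config["whitelist"])):
        return None
    return DENY_BODY


if __name__ == "__main__":
    cfg = {"whitelist": WHITELIST}
    # Constructed sample clients: the macOS host, a Windows host in the /24, the gateway itself, the intranet IP.
    for addr in ["192.168.10.50", "192.168.43.17", "127.0.0.1", "192.168.10.10"]:
        verdict = ip_restriction(cfg, addr)
        print(addr, "allowed" if verdict is None else "403 " + str(verdict))
```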

[Screenshot 5]



The following command demonstrates the effect after association mentioned above (IPs in the whitelist can access the book data interface).
The whitelist can now be associated with the consumer jack using the following command:
{consumer_id} = 61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/plugins \
--data "name=ip-restriction" \
--data "consumer_id=61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"  \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"

HTTP/1.1 201 Created
Date: Sat, 12 May 2018 16:07:56 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526141276000, 
    "config": {
        "whitelist": [
            "192.168.10.50", 
            "192.168.43.0/24"
        ]
    }, 
    "id": "fb92b792-d2f2-44be-a8a2-f8d12eed4cb4", 
    "name": "ip-restriction", 
    "enabled": true, 
    "consumer_id": "61e2ce89-3ebf-4e1f-8fda-3e3cd145a9bd"
}
I expected the macOS system to be able to access http://contoso.org:8000/v1/books; it could access it even under the earlier restriction, and now that macOS is allowed, of course it can. What is strange is that although Windows 10 is clearly allowed to access http://contoso.org:8000/v1/books,

it still returns {"message":"Your IP address is not allowed"}. That shouldn't happen. Did I get one of the steps wrong, or is there a problem with what the official site published? I'll have to keep experimenting to see where the problem is. Everyone is welcome to discuss it with me...

