Tian Jiale's Blog

Building a gateway with Kong.

Why should we build our own gateway?

First of all, to clarify the purpose of the gateway: I use the gateway purely to manage my various backend interfaces in one place. Before building my own gateway, my backend interfaces were very scattered: some were deployed on the HTTP event trigger of a cloud function, some on the cloud function's Web function, some on Tencent Cloud's API Gateway, and some behind the nginx proxy. This time I am building my own gateway mainly to organize the interfaces I provide and, at the same time, to clean up unnecessary configuration (mainly nginx).

If the above reasons alone are not enough to justify tinkering with it all again, Tencent has recently cancelled the free quota for cloud functions, and from next month any usage at all will incur a basic service fee of 12.8 yuan. Are you kidding me? Since the services can run as cloud functions, they can also run in Docker, so I am migrating all the services in cloud functions to Docker on the server. PS: Since cloud functions did not support container deployment at the beginning, some old services are bound directly to the cloud vendor's services, so these old services will be stopped for the time being.

Start Kong Gateway (Docker)

Kong remains a stable open-source gateway service. Here is how to deploy it; be sure to change the passwords (kongpass below) to your own values before running anything.

  1. Start the database that serves Kong. The kong-net Docker network referenced by --network must be created beforehand. Kong reaches PostgreSQL over that network, so the database port is deliberately not published to the host; publishing 5432 would expose a password-protected but otherwise unguarded database to the network for no benefit. Note that postgres:9.6 has reached end of life; pick a currently supported version that your Kong release lists as compatible.

    docker run -d --name kong-database \
      --network=kong-net \
      -e "POSTGRES_USER=kong" \
      -e "POSTGRES_DB=kong" \
      -e "POSTGRES_PASSWORD=kongpass" \
      postgres:9.6
    
  2. Initialize the database: this one-off container runs Kong's migrations (bootstrap) against the database configured here and then exits.

    docker run --rm --network=kong-net \
      -e "KONG_DATABASE=postgres" \
      -e "KONG_PG_HOST=kong-database" \
      -e "KONG_PG_PASSWORD=kongpass" \
      kong/kong-gateway:2.8.1.0-alpine kong migrations bootstrap
    
  3. Start the Kong gateway. TLS terminates in the nginx proxy in front of it, so SSL is configured in nginx, and we use none of the Enterprise features (Manager, Dev Portal), so only the proxy port 8000 and the Admin API port 8001 are needed. The Admin API has no authentication of its own: anyone who can reach 8001 can reconfigure the whole gateway. It is therefore published on 127.0.0.1 only (Konga reaches it over kong-net using the container name), and the proxy port is likewise bound to loopback so that clients cannot bypass nginx and its TLS.

    docker run -d --name kong-gateway \
      --network=kong-net \
      -e "KONG_DATABASE=postgres" \
      -e "KONG_PG_HOST=kong-database" \
      -e "KONG_PG_USER=kong" \
      -e "KONG_PG_PASSWORD=kongpass" \
      -e "KONG_ADMIN_LISTEN=0.0.0.0:8001" \
      -p 127.0.0.1:8000:8000 \
      -p 127.0.0.1:8001:8001 \
      kong/kong-gateway:2.8.1.0-alpine
    
    • :8000: the proxy port, which serves the gateway's traffic (only nginx talks to it).
    • :8001: the Admin API, used to configure Kong (only Konga and local tools talk to it).
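The three docker run commands above are easy to get wrong in exactly one way: a bare -p PORT:PORT publishes the port on every host interface, and the Admin API, the database and later the Konga UI all become reachable from the network. The following script is an added example (not code from the original post) that audits the published ports of the running containers against the policy described above: it reads the PortBindings map that docker inspect prints for each container and flags 5432 if it is published at all, and 8000, 8001 and 1337 if they are published on anything other than loopback. The sample inspect output embedded in it is constructed by hand and mirrors the unhardened commands; the policy table is an assumption about this particular stack, where nginx on the host is the only component meant to face the network.

```python
"""Audit host port bindings of the Kong / Konga / PostgreSQL containers.

Added example, not code from the original post. Input is the JSON that
    docker inspect -f '{{json .HostConfig.PortBindings}}' <container>
prints for each container.
"""
import json
import subprocess
import sys

# Assumption: in the stack described in the post only nginx faces the network.
#   "never"    -> the port must not be published on the host at all
#   "loopback" -> it may be published, but only on 127.0.0.1 / ::1
PORT_POLICY = {
    "5432/tcp": ("never", "PostgreSQL: Kong reaches it over kong-net, the host does not need it"),
    "8001/tcp": ("loopback", "Kong Admin API: unauthenticated, whoever reaches it owns the gateway"),
    "8000/tcp": ("loopback", "Kong proxy: TLS terminates in nginx, clients must not bypass it"),
    "1337/tcp": ("loopback", "Konga UI: only its login form stands between it and the network"),
}

LOOPBACK = {"127.0.0.1", "::1"}


def audit_port_bindings(container, port_bindings):
    """Return (container, port, reason) for each binding that violates PORT_POLICY.

    Docker records HostIp as "" or "0.0.0.0" when -p was given without an
    address; both mean "all interfaces" and are caught by the loopback check.
    """
    findings = []
    for port, bindings in (port_bindings or {}).items():
        policy = PORT_POLICY.get(port)
        if policy is None:
            continue  # a port this policy says nothing about
        mode, reason = policy
        for binding in bindings or []:
            if mode == "never":
                findings.append((container, port, reason))
            elif mode == "loopback" and binding.get("HostIp", "") not in LOOPBACK:
                findings.append((container, port, reason))
    return findings


def audit_stack(inspect_outputs):
    """inspect_outputs maps container name -> parsed PortBindings dict."""
    findings = []
    for container, bindings in inspect_outputs.items():
        findings.extend(audit_port_bindings(container, bindings))
    return findings


# Constructed sample: what docker inspect reports for the commands as originally
# written (5432, 8001 and 1337 on all interfaces) plus a correctly bound 8000.
SAMPLE_INSPECT = {
    "kong-database": {"5432/tcp": [{"HostIp": "", "HostPort": "5432"}]},
    "kong-gateway": {
        "8000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8000"}],
        "8001/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8001"}],
    },
    "konga": {"1337/tcp": [{"HostIp": "", "HostPort": "1337"}]},
}


def inspect_live(containers):
    """Ask the local Docker daemon for the real bindings (needs the docker CLI)."""
    result = {}
    for name in containers:
        out = subprocess.check_output(
            ["docker", "inspect", "-f", "{{json .HostConfig.PortBindings}}", name])
        result[name] = json.loads(out) or {}
    return result


if __name__ == "__main__":
    # With container names as arguments the live daemon is queried;
    # without arguments the constructed sample is audited.
    data = inspect_live(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_INSPECT
    for container, port, reason in audit_stack(data):
        print(f"{container} {port}: {reason}")
```

Run it as `python audit_ports.py kong-database kong-gateway konga` on the Docker host after the containers are up; an empty result means every port is bound the way the steps above intend. The loopback check deliberately treats any non-loopback address, not just 0.0.0.0, as a finding, because publishing the Admin API on a LAN address is only marginally better than publishing it everywhere.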

Now that Kong is running, we launch a UI to help us manage it.

Start konga

Konga is a third-party GUI for administering Kong.

We run it with Docker as well. Replace the TOKEN_SECRET value with a long random secret of your own: Konga uses it to sign its login tokens, so anyone who knows it can forge a session.

docker run -p 1337:1337 \
  --network kong-net \
  --name konga \
  -e "NODE_ENV=production" \
  -e "TOKEN_SECRET=fdasfeag34agft" \
  pantsel/konga

Once started, open port 1337 in a browser to configure our Kong gateway through the UI. Only Konga's own login form protects that port, so do not leave it open to the Internet; restrict it with a firewall rule, reach it over an SSH tunnel, or put it behind the nginx proxy with TLS.

The first time we log in, we need to fill in the Kong connection settings. Because all the services above are on the kong-net network, we only need to enter http://kong-gateway:8001.

Configure nginx

Since nginx terminates TLS for us, we modify the nginx configuration as follows. Kong itself only sees plain HTTP on port 8000, so nginx passes the client's address and the original scheme along in X-Forwarded-* headers; note that Kong only honours those headers from addresses listed in its trusted_ips setting.

# "hostname" is a placeholder for the gateway's domain name
server {
    listen 80;
    server_name hostname;

    # keep the requested path and query string when redirecting to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name hostname;

    location / {
        # Kong's proxy port, published on 127.0.0.1 only
        proxy_pass http://localhost:8000;
        proxy_set_header    Host              $http_host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        proxy_redirect      off;
    }

    ssl_certificate /config/nginx/cert/fullchain.cer;
    ssl_certificate_key /config/nginx/cert/cert.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
}

Add Services

In Kong, a distinction needs to be made between services and routes. A service describes how the gateway reaches a backend: its host, port, protocol and base path. A route describes what the gateway exposes to the outside world (hosts, paths, methods) and which service matching requests are forwarded to. A service can have multiple routes, while a route belongs to exactly one service.

Since all my services are on one server, I joined them to the same network as Kong for security reasons. So when we configure a service, we only need to fill in the container name in the HOST field, and we don't need to add any port mappings, which improves security.

Todo: I should have filled in some more detailed instructions on how to add a service here, but I am too bored to write them, so I'll leave it; if you have any questions you can contact me.
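As an added example (not code from the original post), this is the same service-plus-route registration done through the Admin API rather than the Konga UI, which also makes the service/route relationship explicit. It assumes the Admin API is published on 127.0.0.1:8001 as configured above, that the backend runs as a container on kong-net (so the container name is the service host and no host port mapping is needed), and that TLS terminates in nginx, so the route must match plain http. The service name blog-api, the route name blog-api-route, the backend port 3000 and the /api/blog path are hypothetical.

```python
"""Register a backend in Kong as one service and one route via the Admin API.

Added example, not code from the original post. Assumes the Admin API is bound
to 127.0.0.1:8001 and the backend is a container on kong-net.
"""
import json
import urllib.request

ADMIN_URL = "http://127.0.0.1:8001"  # assumption: Admin API published on loopback only


def service_definition(name, container, port, path="/"):
    """A service: how Kong reaches one backend. The host is the backend's
    container name on kong-net, so the backend publishes no host port at all."""
    return {"name": name, "protocol": "http", "host": container, "port": port, "path": path}


def route_definition(name, paths, hosts=None, strip_path=True):
    """A route: what Kong exposes. protocols is http only because nginx has
    already terminated TLS; an https-only route would never match behind it."""
    route = {"name": name, "protocols": ["http"], "paths": paths, "strip_path": strip_path}
    if hosts:
        route["hosts"] = hosts
    return route


def plan_calls(service, route):
    """Ordered Admin API calls. PUT is an upsert keyed by name, so re-running is
    idempotent; creating the route under /services/{name}/routes/ ties it to that
    one service, which is the one-service-per-route rule from the text."""
    return [
        ("PUT", f"/services/{service['name']}", service),
        ("PUT", f"/services/{service['name']}/routes/{route['name']}", route),
    ]


def apply_calls(calls, admin_url=ADMIN_URL, opener=urllib.request.urlopen):
    """Send the calls and return [(status, response entity)].
    opener is injectable so the logic can be exercised without a live Kong."""
    results = []
    for method, path, body in calls:
        req = urllib.request.Request(
            admin_url + path,
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
            method=method,
        )
        with opener(req) as resp:
            results.append((resp.status, json.loads(resp.read().decode() or "{}")))
    return results


if __name__ == "__main__":
    # Hypothetical backend: container "blog-api" on kong-net listening on 3000,
    # exposed by the gateway as https://hostname/api/blog via nginx -> Kong.
    svc = service_definition("blog-api", "blog-api", 3000)
    rt = route_definition("blog-api-route", ["/api/blog"], hosts=["hostname"])
    for status, entity in apply_calls(plan_calls(svc, rt)):
        print(status, entity.get("id"))
```

Because the Admin API is reachable only from the host, this script is run on the Docker host itself; the two PUTs create the service and its route on the first run and update them on later runs. Setting hosts on the route matters once nginx passes the original Host header through, since otherwise any Host value that hits port 8000 would match the path.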