
[SecretFlow] How to configure Kuscia to perform Path Rewrite on requests

Open the link to star the project and light the way forward for the technology.

GitHub address: https://github.com/secretflow/kuscia

Background

The networks between privacy-computing partner institutions are fairly complex and often contain several layers of gateways, which route each request to the real business node according to its Path. To support this kind of networking, Kuscia can perform Path Rewrite on business requests, adding the corresponding routing prefix to the request Path.

:::{tip}
Gateway requirement: the institution's gateway must strip the Path prefix before forwarding.
:::

Configuring Path Rewrite in a multi-machine deployment

  • For a Kuscia centralized deployment, see here
  • For a Kuscia peer-to-peer deployment, see here

The following uses the communication configuration for institution Alice accessing institutions Bob and Carol as an example, where the Nginx server address is 1.1.1.1, Bob's address is 2.2.2.2, and Carol's address is 3.3.3.3.

# alice accesses bob's address
http://1.1.1.1/foo

# alice accesses carol's address
http://1.1.1.1/bar

An example Nginx configuration is as follows:

http {
    # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $http_host;
    proxy_pass_request_headers on;

    access_log /var/log/access.log;
    # To allow special characters in headers
    ignore_invalid_headers off;

    # Maximum number of requests through one keep-alive connection
    keepalive_requests 1000;
    keepalive_timeout 20m;

    client_max_body_size 2m;

    # To disable buffering
    proxy_buffering off;
    proxy_request_buffering off;

    upstream bob {
        server 2.2.2.2:11080 weight=1 max_fails=5 fail_timeout=60s;
        keepalive 32;
        keepalive_timeout 600s;
        keepalive_requests 1000;
    }

    upstream carol {
        server 3.3.3.3:21080 weight=1 max_fails=5 fail_timeout=60s;
        keepalive 32;
        keepalive_timeout 600s;
        keepalive_requests 1000;
    }

    # The reverse proxy needs to remove the prefix path before forwarding
    server {
        location /foo/ {
            proxy_read_timeout 10m;
            proxy_pass https://bob/;
        }
        location /bar/ {
            proxy_read_timeout 10m;
            proxy_pass https://carol/;
        }
    }
}

Configuring Path Rewrite with KusciaAPI

To configure a Path Rewrite route rule with KusciaAPI, set the endpoint's prefix field (path_prefix in the request body below).

The following takes institution Alice accessing institution Bob as an example and shows how to call KusciaAPI to set the endpoint prefix field when Bob's gateway address carries a Path.

# Execute the example inside the container
# --cert is the certificate used for mutual authentication with the server
# isTLS: if the gateway is a domain and supports https, set to true, otherwise set to false
export CTR_CERTS_ROOT=/home/kuscia/var/certs
curl -k -X POST 'https://localhost:8082/api/v1/route/create' \
--header "Token: $(cat ${CTR_CERTS_ROOT}/token)" \
--header 'Content-Type: application/json' \
--cert ${CTR_CERTS_ROOT}/kusciaapi-server.crt \
--key ${CTR_CERTS_ROOT}/kusciaapi-server.key \
--cacert ${CTR_CERTS_ROOT}/ca.crt -d '{
  "authentication_type": "Token",
  "destination": "bob",
  "endpoint": {
    "host": "1.1.1.1",
    "ports": [
      {
        "port": 80,
        "protocol": "HTTP",
        "isTLS": true,
        "path_prefix": "/foo"
      }
    ]
  },
  "source": "alice",
  "token_config": {
    "token_gen_method": "RSA-GEN"
  }
}'
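As an added example (not Kuscia's or Nginx's own code), the following Python models the pairing the two sections above rely on: Kuscia prepends path_prefix on Alice's side, and the gateway's location / proxy_pass must strip it again before the request reaches Bob or Carol. It assumes Kuscia joins the prefix and the original path with a single slash, and the request path /api/x is a constructed sample, not a real Kuscia endpoint.

```python
# Added example, not Kuscia's or nginx's own code: models the Kuscia-side
# path_prefix rewrite and the gateway-side prefix stripping from the article.
from dataclasses import dataclass
from typing import Optional, Tuple


def kuscia_rewrite(path_prefix: str, request_path: str) -> str:
    """Kuscia-side rewrite (assumed): prepend path_prefix, joined by one slash."""
    return path_prefix.rstrip("/") + "/" + request_path.lstrip("/")


@dataclass
class Location:
    prefix: str      # the `location /foo/ { ... }` prefix
    proxy_pass: str  # the proxy_pass value, e.g. "https://bob/"


def nginx_forward(locations, request_path: str) -> Optional[Tuple[str, str]]:
    """Model of nginx prefix-location matching plus proxy_pass URI replacement.

    nginx picks the longest matching prefix location. When proxy_pass has a URI
    part (the trailing "/" in "https://bob/"), the matched prefix is replaced by
    that URI; when it has none ("https://bob"), the path is forwarded unchanged.
    Returns (upstream, forwarded_path), or None if no location matches.
    """
    matches = [loc for loc in locations if request_path.startswith(loc.prefix)]
    if not matches:
        return None
    loc = max(matches, key=lambda m: len(m.prefix))
    host_start = loc.proxy_pass.find("://") + 3
    slash = loc.proxy_pass.find("/", host_start)
    if slash == -1:  # no URI part: the prefix is NOT stripped
        return loc.proxy_pass[host_start:], request_path
    upstream, uri = loc.proxy_pass[host_start:slash], loc.proxy_pass[slash:]
    return upstream, uri + request_path[len(loc.prefix):]


def round_trip(path_prefix: str, locations, original_path: str):
    """What Alice's Kuscia sends to the gateway, and what the upstream receives."""
    sent = kuscia_rewrite(path_prefix, original_path)
    return sent, nginx_forward(locations, sent)


# Gateway from the article: /foo/ -> bob, /bar/ -> carol, prefix stripped.
GATEWAY_OK = [Location("/foo/", "https://bob/"), Location("/bar/", "https://carol/")]
# Misconfiguration for contrast: proxy_pass without a URI part keeps the prefix.
GATEWAY_BAD = [Location("/foo/", "https://bob"), Location("/bar/", "https://carol")]

if __name__ == "__main__":
    print(round_trip("/foo", GATEWAY_OK, "/api/x"))   # ('/foo/api/x', ('bob', '/api/x'))
    print(round_trip("/foo", GATEWAY_BAD, "/api/x"))  # ('/foo/api/x', ('bob', '/foo/api/x'))
```

The second call shows the failure mode the "reverse proxy needs to remove the prefix path" comment in the Nginx config warns about: with no URI part on proxy_pass, Bob's node receives /foo/api/x instead of /api/x.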