• Kong(v1.0.2)代理参考





    admin_listen,它还定义了一个地址和端口列表,但是这些地址和端口应该限制为仅供管理员访问,因为它们公开了Kong的配置功能:Admin API(默认情况下是8001)。





    upstream service:指位于Kong后面的您自己的API/服务,客户端请求被转发的最终目的地。nginx中的上游服务器。








    HTTP/1.1 404 Not Found
    Content-Type: application/json
    Server: kong/<x.x.x>
        "message": "no route and no Service found with those values"



    向Kong添加服务是通过向Admin API发送HTTP请求来完成的:

    curl -i -X POST http://localhost:8001/services/ 
        -d 'name=foo-service' 
        -d 'url=http://foo-service.com'
    HTTP/1.1 201 Created
        "connect_timeout": 60000,
        "created_at": 1515537771,
        "host": "foo-service.com",
        "id": "d54da06c-d69f-4910-8896-915c63c270cd",
        "name": "foo-service",
        "path": "/",
        "port": 80,
        "protocol": "http",
        "read_timeout": 60000,
        "retries": 5,
        "updated_at": 1515537771,
        "write_timeout": 60000




    curl -i -X POST http://localhost:8001/routes/ 
        -d 'hosts[]=example.com' 
        -d 'paths[]=/foo' 
        -d 'service.id=d54da06c-d69f-4910-8896-915c63c270cd'
    HTTP/1.1 201 Created
        "created_at": 1515539858,
        "hosts": [
        "id": "ee794195-6783-4056-a5cc-a7e0fde88c81",
        "methods": null,
        "paths": [
        "preserve_host": false,
        "priority": 0,
        "protocols": [
        "service": {
            "id": "d54da06c-d69f-4910-8896-915c63c270cd"
        "strip_path": true,
        "updated_at": 1515539858


    Kong是一个透明的代理,默认情况下,它会将请求转发到您的上游服务,不受影响,但HTTP规范所需的各种头文件(如Connection, Date等)除外。




    • 请求必须包括所有配置的字段
    • 请求中字段的值必须至少匹配一个配置值(虽然字段配置接受一个或多个值,但是一个请求只需要其中一个值被认为是匹配的)


        "hosts": ["example.com", "foo-service.com"],
        "paths": ["/foo", "/bar"],
        "methods": ["GET"]


    GET /foo HTTP/1.1
    Host: example.com
    GET /bar HTTP/1.1
    Host: foo-service.com
    GET /foo/hello/world HTTP/1.1
    Host: example.com



    GET / HTTP/1.1
    Host: example.com
    POST /foo HTTP/1.1
    Host: example.com
    GET /foo HTTP/1.1
    Host: foo.com



    Request Host header

    基于host header路由请求是通过Kong代理流量的最直接方法,特别是因为这是HTTP host header的预期用途。Kong使得通过Route实体的hosts字段很容易做到这一点。



    curl -i -X POST http://localhost:8001/routes/ 
        -H 'Content-Type: application/json' 
        -d '{"hosts":["example.com", "foo-service.com"]}'
    HTTP/1.1 201 Created

    但是由于Admin API也支持表单- urlencoding内容类型,您可以通过[]符号指定一个数组:

    curl -i -X POST http://localhost:8001/routes/ 
        -d 'hosts[]=example.com' 
        -d 'hosts[]=foo-service.com'
    HTTP/1.1 201 Created

    要满足此路由的host条件,来自客户机的任何传入请求现在必须将其Host header集设置为:

    Host: example.com
    Host: foo-service.com

    使用通配符的主机名(Using wildcard hostnames)



    • *.example.com将允许a.example.com和x.y.example.com等主机值匹配。
    • example.*将允许example.com和example.org等主机值匹配。


        "hosts": ["*.example.com", "service.com"]


    GET / HTTP/1.1
    Host: an.example.com
    GET / HTTP/1.1
    Host: service.com

    preserve_host 属性

    When proxying, Kong’s default behavior is to set the upstream request’s Host header to the hostname specified in the Service’s host. The preserve_host field accepts a boolean flag instructing Kong not to do so.

    For example, when the preserve_host property is not changed and a Route is configured like so:

    在代理时,Kong的默认行为是将上游请求的Host header设置为Services中指定的host。preserve_host字段接受一个布尔值,指示Kong要不要这样做。


        "hosts": ["service.com"],
        "service": {
            "id": "..."


    GET / HTTP/1.1
    Host: service.com

    Kong将从Service的Host属性中提取Host header值,并发送以下上游请求:

    GET / HTTP/1.1
    Host: <my-service-host.com>


        "hosts": ["service.com"],
        "preserve_host": true,
        "service": {
            "id": "..."


    GET / HTTP/1.1
    Host: service.com


    GET / HTTP/1.1
    Host: service.com

    Request path



        "paths": ["/service", "/hello/world"]

    The following requests would be matched:

    GET /service HTTP/1.1
    Host: example.com
    GET /service/resource?param=value HTTP/1.1
    Host: example.com
    GET /hello/world/resource HTTP/1.1
    Host: anything.com

    对于每个请求,Kong都检测到它们的URL path是不是和route path的前缀。默认情况下,Kong将在不更改URL path的情况下代理上游的请求。

    When proxying with path prefixes, the longest paths get evaluated first. This allow you to define two Routes with two paths: /service and /service/resource, and ensure that the former does not “shadow” the latter.


    Using regexes in paths

    Kong通过PCRE (Perl兼容的正则表达式)支持route paths字段的正则表达式模式匹配。您可以同时使用前缀和正则表达式规则在paths参数上。


        "paths": ["/users/d+/profile", "/following"]

    The following requests would be matched by this Route:

    GET /following HTTP/1.1
    Host: ...
    GET /users/123/profile HTTP/1.1
    Host: ...

    提供的正则表达式使用a PCRE标志(pcre_anchor)计算,这意味着它们将被约束在路径中的第一个匹配点(根/字符)进行匹配。

    Evaluation order(评估顺序:数字越大优先级越高)


            "paths": ["/status/d+"],
            "regex_priority": 0
            "paths": ["/version/d+/status/d+"],
            "regex_priority": 6
            "paths": ["/version"],
            "paths": ["/version/any/"],

    In this scenario, Kong will evaluate incoming requests against the following defined URIs, in this order:

    1. /version/any/
    2. /version
    3. /version/d+/status/d+
    4. /status/d+


    通常,请求还必须匹配路由Route’s hosts and methods属性,Kong将遍历您的路由,直到找到与大多数规则匹配的一个(参见[路由优先级][proxy- Routing - priority])。

    Capturing groups



    And the following request path:



    local router_matches = ngx.ctx.router_matches
    -- router_matches.uri_captures is:
    -- { "1", "john", version = "1", user = "john" }
    Escaping special characters(转义特殊字符)
    接下来,值得注意的是,根据RFC 3986,在正则表达式中发现的字符通常是保留字符,因此应该采用转义。在通过管理API使用regex路径配置路由时,如果需要,请确保URL对负载进行编码。例如,使用curl并使用应用程序/x-www-form- urlencoding MIME类型:
    curl -i -X POST http://localhost:8001/routes 
        --data-urlencode 'uris[]=/status/d+'
    HTTP/1.1 201 Created

    请注意,curl不会自动对有效负载进行URL编码,并注意——data-urlencode的使用,它阻止+字符被Kong的管理API解码并解释为空格' '。

    The strip_path property


        "paths": ["/service"],
        "strip_path": true,
        "service": {
            "id": "..."


    GET /service/path/to/resource HTTP/1.1
    Host: ...

    Will cause Kong to send the following upstream request:

    GET /path/to/resource HTTP/1.1
    Host: ...


        "paths": ["/version/d+/service"],
        "strip_path": true,
        "service": {
            "id": "..."

    The following HTTP request matching the provided regex path:

    GET /version/1/service/path/to/resource HTTP/1.1
    Host: ...

    Will be proxied upstream by Kong as:

    GET /path/to/resource HTTP/1.1
    Host: ...

    Request HTTP method


    The following Route allows routing via GET and HEAD:

        "methods": ["GET", "HEAD"],
        "service": {
            "id": "..."

    Such a Route would be matched with the following requests:

    GET / HTTP/1.1
    Host: ...
    HEAD /resource HTTP/1.1
    Host: ...


    Matching priorities


    The rule is: when evaluating a request, Kong will first try to match the Routes with the most rules.

    For example, if two Routes are configured like so:

        "hosts": ["example.com"],
        "service": {
            "id": "..."
        "hosts": ["example.com"],
        "methods": ["POST"],
        "service": {
            "id": "..."

    The second Route has a hosts field and a methods field, 因此第二条规则优先被Kong进行评估。通过这样做,我们避免了第一个路由对第二个路由的“阴影”调用。

    Thus, this request will match the first Route

    GET / HTTP/1.1
    Host: example.com

    And this request will match the second one:

    POST / HTTP/1.1
    Host: example.com


    Proxying behavior


    1. Load balancing


    You can find more information about configuring load balancing by consulting the Load Balancing Reference.

    2. Plugins execution


    插件可以配置为全局运行(针对所有代理的流量)或在特定的路由和服务上运行。在这两种情况下,您必须通过管理API创建plugin configuration

    一旦匹配了路由(及其关联的服务实体),Kong将运行与这两个实体关联的插件。在路由上配置的插件在服务上配置的插件之前运行,但是在其他情况下,应用插件关联plugins association的通常规则。

    这些配置好的插件将运行它们的访问阶段,您可以在插件开发指南Plugin development guide中找到更多关于这个阶段的信息。

    3. Proxying & upstream timeouts





    Kong will send the request over HTTP/1.1, and set the following headers:

    • Host: <your_upstream_host>, as previously described in this document.
    • Connection: keep-alive, to allow for reusing the upstream connections.
    • X-Real-IP: <remote_addr>, where $remote_addr is the variable bearing the same name provided by ngx_http_core_module. Please note that the $remote_addr is likely overridden by ngx_http_realip_module.
    • X-Forwarded-For: <address>, where <address> is the content of $realip_remote_addr provided by ngx_http_realip_module appended to the request header with the same name.
    • X-Forwarded-Proto: <protocol>, where <protocol> is the protocol used by the client. In the case where $realip_remote_addr is one of the trusted addresses, the request header with the same name gets forwarded if provided. Otherwise, the value of the $scheme variable provided by ngx_http_core_module will be used.
    • X-Forwarded-Host: <host>, where <host> is the host name sent by the client. In the case where $realip_remote_addr is one of the trusted addresses, the request header with the same name gets forwarded if provided. Otherwise, the value of the $host variable provided by ngx_http_core_module will be used.
    • X-Forwarded-Port: <port>, where <port> is the port of the server which accepted a request. In the case where $realip_remote_addr is one of the trusted addresses, the request header with the same name gets forwarded if provided. Otherwise, the value of the $server_port variable provided by ngx_http_core_module will be used.

    All the other request headers are forwarded as-is by Kong.

    One exception to this is made when using the WebSocket protocol. If so, Kong will set the following headers to allow for upgrading the protocol between the client and your upstream services:

    • Connection: Upgrade
    • Upgrade: websocket

    More information on this topic is covered in the [Proxy WebSocket traffic][proxy-websocket] section.

    4. Errors & retries





    第二个选项基于Nginx的[proxy_next_upstream][proxy_next_upstream]指令。此选项不能通过Kong直接配置,但可以使用自定义Nginx配置添加。 See the configuration reference for more details.

    5. Response



    • Via: kong/x.x.x, where x.x.x is the Kong version in use
    • X-Kong-Proxy-Latency: <latency>, where latency is the time in milliseconds between Kong receiving the request from the client and sending the request to your upstream service.
    • X-Kong-Upstream-Latency: <latency>, where latency is the time in milliseconds that Kong was waiting for the first byte of the upstream service response.

    Once the headers are sent to the client, Kong will start executing registered plugins for the Route and/or Service that implement the body_filter hook. This hook may be called multiple times, due to the streaming nature of Nginx. Each chunk of the upstream response that is successfully processed by such body_filter hooks is sent back to the client. You can find more information about the body_filter hook in the Plugin development guide.

    Configuring a fallback Route

    用一个实际用例说明Kong在提供灵活的代理服务中提供“fallback Route”,所以为了避免Kong返回HTTP 404响应、“no route found”,我们能赶上这样的请求和代理他们上游一个特殊的服务,或者应用插件(例如,这样一个插件可以终止请求用不同的状态代码没有代理请求或响应)。

    Here is an example of such a fallback Route:

        "paths": ["/"],
        "service": {
            "id": "..."

    可以猜到,对Kong发出的任何HTTP请求实际上都与此路由匹配,因为所有uri都以根字符/作为前缀。正如我们在[请求路径][proxy-request-path]一节中所知道的,最长的URL路径首先由Kong计算,因此/ path最终将由Kong计算,并有效地提供了一个“fallback”路由,仅在最后才匹配。然后你可以发送流量到一个特殊的服务或应用任何插件,你希望在这条路线。

    Configuring SSL for a Route

    Kong提供了一种根据每个连接动态提供SSL证书的方法。SSL证书由核心直接处理,并通过管理API进行配置。连接到TLS上的Kong的客户机必须支持 Server Name Indication扩展才能使用此功能。


    • /certificates, 它存储您的密钥和证书。
    • /snis, 将注册证书与服务器名称指示关联。

    You can find the documentation for those two resources in the Admin API Reference.

    Here is how to configure an SSL certificate on a given Route: first, upload your SSL certificate and key via the Admin API:

    curl -i -X POST http://localhost:8001/certificates 
        -F "cert=@/path/to/cert.pem" 
        -F "key=@/path/to/cert.key" 
        -F "snis=ssl-example.com,other-ssl-example.com"
    HTTP/1.1 201 Created


    你现在必须在Kong注册下列路线。为了方便,我们将仅使用host header将请求匹配到此路由: 

    curl -i -X POST http://localhost:8001/routes 
        -d 'hosts=ssl-example.com,other-ssl-example.com' 
        -d 'service.id=d54da06c-d69f-4910-8896-915c63c270cd'
    HTTP/1.1 201 Created

    You can now expect the Route to be served over HTTPS by Kong:

    curl -i https://localhost:8443/ 
      -H "Host: ssl-example.com"
    HTTP/1.1 200 OK

    在建立连接并协商SSL握手时,如果客户端发送SSL -example.com作为SNI扩展的一部分,Kong将提供之前配置的cert.pem证书。

    Restricting the client protocol (HTTP/HTTPS/TCP/TLS)

    路由有一个protocols属性来限制它们应该侦听的客户机协议。该属性接受一组值, which can be "http", "https", "tcp" or "tls".

    A Route with http and https will accept traffic in both protocols.

        "hosts": ["..."],
        "paths": ["..."],
        "methods": ["..."],
        "protocols": ["http", "https"],
        "service": {
            "id": "..."

    Not specifying any protocol has the same effect, since routes default to ["http", "https"].

    然而,如果某个路由只配置了https那么就只接受https上的流量。如果SSL终止以前发生在受信任的IP上,它还将接受未加密的通信流。如果请求来自trusted_ips中配置的ip之一,并且设置了x -Forwarded-Proto: https header,则认为SSL终止有效:

        "hosts": ["..."],
        "paths": ["..."],
        "methods": ["..."],
        "protocols": ["https"],
        "service": {
            "id": "..."

    If a Route such as the above matches a request, but that request is in plain-text without valid prior SSL termination, Kong responds with:

    HTTP/1.1 426 Upgrade Required
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: Upgrade
    Upgrade: TLS/1.2, HTTP/1.1
    Server: kong/x.y.z
    {"message":"Please use HTTPS protocol"}

    Since Kong 1.0 it’s possible to create routes for raw TCP (not necessarily HTTP) connections by using "tcp" in the protocols attribute:

        "hosts": ["..."],
        "paths": ["..."],
        "methods": ["..."],
        "protocols": ["tcp"],
        "service": {
            "id": "..."

    Similarly, we can create routes which accept raw TLS traffic (not necessarily HTTPS) with the "tls" value:

        "hosts": ["..."],
        "paths": ["..."],
        "methods": ["..."],
        "protocols": ["tls"],
        "service": {
            "id": "..."

    A Route with only TLS would only accept traffic over TLS.

    It is also possible to accept both TCP and TLS simultaneously:

        "hosts": ["..."],
        "paths": ["..."],
        "methods": ["..."],
        "protocols": ["tcp", "tls"],
        "service": {
            "id": "..."

    Proxy WebSocket traffic

    Kong supports WebSocket traffic thanks to the underlying Nginx implementation. When you wish to establish a WebSocket connection between a client and your upstream services through Kong, you must establish a WebSocket handshake. This is done via the HTTP Upgrade mechanism. This is what your client request made to Kong would look like:

    GET / HTTP/1.1
    Connection: Upgrade
    Host: my-websocket-api.com
    Upgrade: WebSocket

    This will make Kong forward the Connection and Upgrade headers to your upstream service, instead of dismissing them due to the hop-by-hop nature of a standard HTTP proxy.

    WebSocket and TLS

    Kong will accept ws and wss connections on its respective http and https ports. To enforce TLS connections from clients, set the protocols property of the Route to https only.

    When setting up the Service to point to your upstream WebSocket service, you should carefully pick the protocol you want to use between Kong and the upstream. If you want to use TLS (wss), then the upstream WebSocket service must be defined using the https protocol in the Service protocol property, and the proper port (usually 443). To connect without TLS (ws), then the http protocol and port (usually 80) should be used in protocol instead.

    If you want Kong to terminate SSL/TLS, you can accept wss only from the client, but proxy to the upstream service over plain text, or ws.

    Back to TOC


    Through this guide, we hope you gained knowledge of the underlying proxying mechanism of Kong, from how does a request match a Route to be routed to its associated Service, on to how to allow for using the WebSocket protocol or setup dynamic SSL certificates.

    This website is Open-Source and can be found at github.com/Kong/docs.konghq.com. Feel free to provide feedback to this document there, or propose improvements!

    If you haven’t already, we suggest that you also read the Load balancing Reference, as it closely relates to the topic we just covered.

  • 相关阅读:
    git 无法提交到远程服务器【转载】
    vscode 常用快捷键
    mongodb nodejs一个有自增id的功能
    C++ lambda表达式与函数对象
    TypeScript的async, await, promise,多参数的调用比较(第2篇)
    TyepScript判断一个变量是null, or undefined
    MongoClient 对 Mongodb的 增删改查 操作
  • 原文地址:https://www.cnblogs.com/duanxz/p/10371116.html
Copyright © 2020-2023  润新知