Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Centralizing security policies with the Kong AP...

Avatar for Jean-Baptiste Barth Jean-Baptiste Barth
September 27, 2018
Programming
0
300

Centralizing security policies with the Kong API Gateway

When a company grows, the number of systems grows with it, and generally it becomes harder and harder to get homogeneous security features across the various services or applications. In this talk we'll discuss how an API Gateway (Kong) can help bringing that back to a maintainable state.
Avatar for Jean-Baptiste Barth

Jean-Baptiste Barth

September 27, 2018
Tweet

More Decks by Jean-Baptiste Barth

See All by Jean-Baptiste Barth
Intro to Amazon SWF and simpleflow
Avatar for Jean-Baptiste Barth jbbarth
0
150
Docker / containers
Avatar for Jean-Baptiste Barth jbbarth
0
130
Rappels sur le Cloud
Avatar for Jean-Baptiste Barth jbbarth
0
68

Other Decks in Programming

See All in Programming
エラーって何種類あるの?
Avatar for Takuma Kajikawa kajitack
5
140
イベントストーミングから始めるドメイン駆動設計
Avatar for おだかとしゆき jgeem
4
830
PT AI без купюр
Avatar for Vladimir Kochetkov v0lka
0
230
Benchmark
Avatar for 송상윤 sysong
0
170
Datadog RUM 本番導入までの道
Avatar for Shintaro Matsumoto shinter61
1
270
Practical Tips and Tricks
for Working with 
Compose Multiplatform Previews (mDevCamp 2025)
Avatar for István Juhos stewemetal
0
120
Perplexity Slack Botを作ってAI活用を進めた話 / AI Engineering Summit プレイベント
Avatar for yukyan n3xem
0
650
The Evolution of Enterprise Java with Jakarta EE 11 and Beyond
Avatar for ivargrimstad ivargrimstad
1
670
Cloudflare Realtime と Workers でつくるサーバーレス WebRTC
Avatar for Taiyu Yoshizawa nekoya3
0
400
Cline指示通りに動かない? AI小説エージェントで学ぶ指示書の書き方と自動アップデートの仕組み
Avatar for 葦沢かもめ kamomeashizawa
1
480
統一感のある Go コードを生成 AI の力で手にいれる
Avatar for Kotaro Otaka otakakot
0
3k
カクヨムAndroidアプリのリブート
Avatar for Nabe numeroanddev
0
420

Featured

See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
8
650
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
137
34k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
276
23k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
480
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
107
19k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
780
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
367
19k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
52
7.6k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
92
6.1k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.3k

Transcript

  1. Centralizing security policies with an API gateway

  2. /whois • • • • • • •

  3. The origins: a Majestic Monolith © Current Web Architecture: sandbox

    Majestic Monolith rate- limit logs authz auth Heavy Business Logic Shiny Features https mainte nance IP limit

  4. Load Balancer / Reverse Proxy More tools, more services Current

    Web Architecture: sandbox Historical Monolith rate- limit logs authz auth Heavy Business Logic Shiny Features mainte nance IP limit Shiny New Service authz auth More Features https Admin tool authz auth Useful Tooling! Internal tool auth CI Jobs IP limit waf dos

  5. A few years later Current Web Architecture: sandbox

  6. How to improve that? • ◦ ◦ ◦ • ◦

    ◦ ◦ ▪ ▪ Kong ▪

  7. Kong: open-source / enterprise API Gateway source: https://konghq.com/

  8. Components: what is Kong anyway? • • • • ◦

    ◦ ◦ ◦ ◦

  9. Kong API Gateway Target architecture Load Balancer Historical Monolith rate-

    limit logs authz mainte nance IP limit Shiny New Service https Admin tool Internal tool waf dos kongdb 5" authz auth

  10. Plugins • • ◦ ◦ • ◦ ◦

  11. Bundling third party plugins # Dockerfile FROM kong:0.14.1 ENV USER=root

    PATH=$PATH:/usr/local/openresty/bin ENV KONG_CUSTOM_PLUGINS=external-oauth <... deps ...> ADD ./plugins /plugins RUN cd /plugins/external-oauth && luarocks make

  12. Sample architecture Kong API Gateway rate- limit kongdb auth Sample

    app Kong Demo app.internal:8080 kong-admin:8001 kong-demo.yeah:80 kong-proxy:80

  13. Add service % curl -X POST http://kong-admin:8001/services/ \ --data "name=kong-demo"

    \ --data "url=http://app.internal:8080" {"host":"app.internal","created_at":1537871796,"connect_timeout":60000,"id": "5ca1605b-304b-4c50-9ae0-8639d7c7185e","protocol":"http","name":"kong-demo", "read_timeout":60000,"port":8080,"path":null,"updated_at":1537871796,"retrie s":5,"write_timeout":60000}

  14. Add route % curl -X POST http://kong-admin:8001/services/kong-demo/routes \ --data "hosts[]=kong-demo.yeah"

    \ --data "preserve_host=true" {"created_at":1537872153,"strip_path":true,"hosts":["kong-demo.yeah"],"prese rve_host":true,"regex_priority":0,"updated_at":1537872153,"paths":null,"serv ice":{"id":"5ca1605b-304b-4c50-9ae0-8639d7c7185e"},"methods":null,"protocols ":["http","https"],"id":"b5aff8ee-028e-4e5d-a5d3-26d05210b1a3"}

  15. Add plugin: rate-limiting % curl -X POST http://kong-admin:8001/services/kong-demo/plugins \ --data

    "name=rate-limiting" \ --data "config.second=1"

  16. Demo

  17. Our opinion so far • ◦ ◦ ◦ ◦ ◦

    • ◦ ◦ ◦ ◦

  18. Tooling • ◦ ◦ • ◦ ◦ ◦ ◦

  19. Alternatives • ◦ ◦ ◦ ◦ ◦

  20. The end