APISIX - 2 - Gateway Optimization
Setting up the APISIX gateway
Prerequisites
- Docker and Docker Compose are installed; they are used to deploy etcd and APISIX
- curl is installed; it is used to verify that APISIX was installed successfully
- Versions used: APISIX 3.2.2 (the LTS, long-term support, release), APISIX Dashboard 3.0.0 and etcd 3.5.11
- APISIX is configured in bridge mode with fixed IPs
- APISIX is bound to ports 443 & 80
Installation
1. Download the files
Initialize the configuration: add the apisix-dashboard configuration folder dashboard_conf and its file.
```shell
cd ~
git clone https://github.com/apache/apisix-docker.git
cd apisix-docker/example
mkdir dashboard_conf
cd ~
cp apisix-docker/all-in-one/apisix-dashboard/conf.yaml apisix-docker/example/dashboard_conf
mkdir apisix
cp -r apisix-docker/example/* apisix
rm -rf apisix-docker
```
2. apisix-dashboard
Note: change conf.etcd.endpoints to an etcd address that apisix can reach; the dashboard listens on port 9000.
dashboard_conf/conf.yaml, contents:
```yaml
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
conf:
  listen:
    host: 0.0.0.0       # `manager api` listening ip or host name
    port: 9000          # `manager api` listening port
  etcd:
    endpoints:          # supports defining multiple etcd host addresses for an etcd cluster
      - http://etcd:2379
    # etcd basic auth info
    # username: "root"    # ignore etcd username if not enable etcd auth
    # password: "123456"  # ignore etcd password if not enable etcd auth
  log:
    error_log:
      level: warn       # supports levels, lower to higher: debug, info, warn, error, panic, fatal
      file_path:
        logs/error.log  # supports relative path, absolute path, standard output
                        # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr
authentication:
  secret:
    secret              # secret for jwt token generation.
                        # NOTE: Highly recommended to modify this value to protect `manager api`.
                        # if it's default value, when `manager api` start, it will generate a random string to replace it.
  expire_time: 3600     # jwt token expire time, in second
  users:
    - username: admin   # username and password for login `manager api`
      password: xxxx-todo
plugin_attr:
  prometheus:
    export_addr:
      ip: "0.0.0.0"
      port: 9091
```
3. apisix
By default apisix uses 9080 and 9443 as its service entry ports. To change them:
- In apisix_conf/config.yaml, change the default HTTP port to 80 and the default HTTPS port to 443
- In docker-compose.yml, add port mappings for 80 and 443
- Enable the 9092 Admin API port and change the key values under admin_key
apisix_conf/config.yaml, contents:
```yaml
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apisix:
  # APISIX listening port
  node_listen:
    - 9080
    - 80
  # SSL
  ssl:
    enable: true
    listen:
      - port: 443
        enable_ipv6: false
  # If true, show APISIX version in the `Server` response header.
  enable_server_tokens: false
  enable_control: true
  control:
    ip: "0.0.0.0"
    port: 9092
deployment:
  admin:
    allow_admin:          # https://nginx.org/en/docs/http/ngx_http_access_module.html#allow
      - 0.0.0.0/0         # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
    admin_key:
      - name: "admin"
        key: todo-admin-key
        role: admin       # admin: manage all configuration data
      - name: "viewer"
        key: todo-viewer-key
        role: viewer
  etcd:
    host:                 # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
      - "http://etcd:2379"  # multiple etcd address
    prefix: "/apisix"     # apisix configurations prefix
    timeout: 30           # 30 seconds
plugin_attr:
  prometheus:
    export_addr:
      ip: "0.0.0.0"
      port: 9091
```
4. docker-compose
- If the server is short on memory, remove prometheus and grafana from docker-compose.yml
- Add an apisix-dashboard node, used for visual management of the gateway
- etcd's data is mapped to a local Docker volume on disk; it can be inspected with `sudo ls /var/lib/docker/volumes/apisix_etcd_data/_data`
- Because apisix is bound to ports 443 and 80, on operating systems such as CentOS 7.x the following snippet must be added to docker-compose.yml to grant the special network bind permission
- If apisix is started with a `docker run xxx` command and hits a port permission problem, add the parameter --privileged=true
```yaml
user: root
cap_add:
  - NET_BIND_SERVICE
```
docker-compose.yml, contents:
```yaml
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
version: "3"
services:
  apisix-dashboard:
    image: apache/apisix-dashboard:3.0.0-alpine
    restart: always
    volumes:
      - ./dashboard_conf/conf.yaml:/usr/local/apisix-dashboard/conf/conf.yaml:ro
    depends_on:
      - etcd
    ##network_mode: host
    ports:
      - "9000:9000/tcp"
    networks:
      apisix:
        ipv4_address: 172.25.0.4
  apisix:
    image: apache/apisix:${APISIX_IMAGE_TAG:-3.2.2-debian}
    restart: always
    volumes:
      - ./apisix_conf/config.yaml:/usr/local/apisix/conf/config.yaml:ro
    depends_on:
      - etcd
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
    user: root
    cap_add:
      - NET_BIND_SERVICE
    networks:
      apisix:
        ipv4_address: 172.25.0.3
  etcd:
    image: bitnami/etcd:3.5.11
    restart: always
    volumes:
      - etcd_data:/bitnami/etcd
    environment:
      ETCD_ENABLE_V2: "true"
      ALLOW_NONE_AUTHENTICATION: "yes"
      ETCD_ADVERTISE_CLIENT_URLS: "http://etcd:2379"
      ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
    ports:
      - "2379:2379/tcp"
    networks:
      apisix:
        ipv4_address: 172.25.0.2
  web1:
    image: nginx:1.19.0-alpine
    restart: always
    volumes:
      - ./upstream/web1.conf:/etc/nginx/nginx.conf
    ports:
      - "9081:80/tcp"
    environment:
      - NGINX_PORT=80
    networks:
      apisix:
  web2:
    image: nginx:1.19.0-alpine
    restart: always
    volumes:
      - ./upstream/web2.conf:/etc/nginx/nginx.conf
    ports:
      - "9082:80/tcp"
    environment:
      - NGINX_PORT=80
    networks:
      apisix:
networks:
  apisix:
    driver: bridge
    ipam:
      config:
        - subnet: 172.25.0.0/16
volumes:
  etcd_data:
    driver: local
```
5. Start
```shell
docker-compose -p APISIX up -d
```
With docker compose (v2):
```shell
docker compose up -d
```
6. Verify
Gateway check:
```shell
curl "http://127.0.0.1:80" --head
```
Dashboard check: open http://127.0.0.1:9000/dashboard
7. Stop
```shell
docker-compose -p APISIX down
```
8. Cleanup
```shell
docker rm apisix-dashboard
docker rm apisix
docker rm etcd
docker rm web1
docker rm web2
docker network rm apisix
```
9. Network
```shell
# list Docker networks
docker network ls
# inspect the network details
docker network inspect apisix_apisix
```
10. Network firewall
```shell
sudo ufw status numbered
#sudo ufw delete 3
# deny etcd
sudo ufw deny 2379
# allow apisix access all port
sudo ufw allow from 172.25.0.0/16
```
Last modified on 2024-08-26