# Rate Limiting HZero Services with the Kong Gateway: A Complete Guide

## 1. Architecture

Current architecture:

```
User → Nginx → HZero Gateway (8080) → internal services
```

Architecture with Kong in front:

```
User → Nginx → Kong (8000/8443) → HZero Gateway (8080) → internal services
```

Kong becomes the outermost gateway; the HZero Gateway stays in place as the internal gateway.

## 2. Rate-limiting options in Kong

Kong is deployed with docker compose. Check that Docker's iptables integration is enabled: if it is not, the Kong container cannot reach the external `hzero-gateway:8080` port.

### Option 1: configure through the Kong Admin API

Run the following on the Linux server 192.168.0.95:

```bash
# 1. Enable the rate-limiting plugin (global: 1 request per second, 60 per minute)
curl -X POST http://localhost:8001/plugins/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "rate-limiting",
    "config": {
      "minute": 60,
      "second": 1,
      "policy": "local",
      "hide_client_headers": false
    }
  }'

# 2. Create a service that points at the HZero Gateway
curl -X POST http://localhost:8001/services/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "hzero-gateway",
    "url": "http://192.168.0.128:8080"
  }'

# 3. Create the route
curl -X POST http://localhost:8001/services/hzero-gateway/routes/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "hzero-all",
    "paths": ["/"],
    "strip_path": false,
    "preserve_host": true
  }'
```

### Option 2: rate limiting keyed by client IP / user ID (recommended)

```bash
# 1. Enable the rate-limiting plugin with Redis-backed counters, keyed by client IP.
#    "limit_by": "consumer" would key on the authenticated Kong consumer instead,
#    which requires a Kong authentication plugin in front of it.
curl -X POST http://localhost:8001/plugins/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "rate-limiting",
    "config": {
      "minute": 60,
      "second": 1,
      "limit_by": "ip",
      "policy": "redis",
      "redis_host": "192.168.0.95",
      "redis_port": 6379,
      "redis_database": 2,
      "hide_client_headers": false
    }
  }'
```

## 3. Excluding the authentication services

Services that must be excluded from rate limiting:

- `hzero-gateway`: the internal gateway, no rate limiting needed
- `hzero-oauth`: the OAuth authentication service; the login endpoints must not be rate limited
- `hzero-register`: the service registry

Configuration steps:

```bash
# 1. Create a plugin instance that excludes certain paths (OAuth login endpoints etc.)
# Exclude the OAuth login endpoints
curl -X POST http://localhost:8001/plugins/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "rate-limiting",
    "config": { "minute": 60, "second": 1, "policy": "local" },
    "route": null,
    "service": null,
    "consumer": null,
    "whitelist": ["/oauth/token", "/oauth/login"]
  }'
```

Note that the rate-limiting plugin has no `whitelist` field, so Kong rejects this request with a schema violation; this is why the route-based approach below is the recommended one.

**The preferred approach: use plugin precedence.** Kong applies the most specific plugin configuration that matches a request: route > service > global.

```bash
# 1. Create a dedicated route for the paths that must not be limited
curl -X POST http://localhost:8001/services/hzero-gateway/routes/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "hzero-oauth-no-limit",
    "paths": ["/oauth"],
    "strip_path": false,
    "preserve_host": true
  }'

# 2. Disable rate limiting on the OAuth route
#    ("enabled" is a top-level field of the plugin entity, not part of "config")
curl -X POST http://localhost:8001/plugins/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "rate-limiting",
    "route": { "name": "hzero-oauth-no-limit" },
    "enabled": false
  }'

# 3. Enable rate limiting on every other route, scoped to the service
curl -X POST http://localhost:8001/plugins/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "rate-limiting",
    "service": { "name": "hzero-gateway" },
    "config": { "minute": 60, "second": 1, "policy": "local" }
  }'
```

Caveat on step 2: Kong skips disabled plugin instances when it resolves precedence, so a route-scoped instance with `"enabled": false` does not shadow the service-scoped instance, and the OAuth route still gets the service limit. The variant that actually takes effect is the one in step 3 of section 4: give the route its own enabled instance with a much higher limit.

## 4. Full deployment steps

### Step 1: point Kong at the HZero Gateway

```bash
# SSH to the Kong server
ssh 192.168.0.95

# Create the Kong service
curl -X POST http://localhost:8001/services/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "hzero-backend",
    "url": "http://192.168.0.128:8080",
    "read_timeout": 60000,
    "write_timeout": 60000,
    "connect_timeout": 60000
  }'

# Create the route
curl -X POST http://localhost:8001/services/hzero-backend/routes/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "hzero-api",
    "paths": ["/"],
    "strip_path": false,
    "preserve_host": true,
    "regex_priority": 0
  }'
```

### Step 2: configure the rate-limiting plugin

```bash
# Service-wide limit: 1 request per second, 60 per minute
curl -X POST http://localhost:8001/plugins/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "rate-limiting",
    "service": { "name": "hzero-backend" },
    "config": {
      "minute": 60,
      "second": 1,
      "policy": "redis",
      "redis_host": "192.168.0.95",
      "redis_port": 6379,
      "redis_database": 2,
      "hide_client_headers": false,
      "fault_tolerant": true
    }
  }'
```

### Step 3: configure exclusion rules (optional)

If specific endpoints must be excluded, create a dedicated route for them and give that route its own, relaxed plugin instance:

```bash
# Route for the login/public endpoints (higher priority than the catch-all route)
curl -X POST http://localhost:8001/services/hzero-backend/routes/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "hzero-oauth-public",
    "paths": ["/oauth/", "/iam/"],
    "strip_path": false,
    "preserve_host": true,
    "regex_priority": 10
  }'

# Relaxed limit for the excluded route; the route-scoped config takes precedence
# over the service-scoped one
curl -X POST http://localhost:8001/plugins/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "rate-limiting",
    "route": { "name": "hzero-oauth-public" },
    "config": { "minute": 1000, "second": 10 }
  }'
```

Kong already prefers the longest matching path prefix, so `/oauth/` and `/iam/` win over `/` on their own; `regex_priority` only orders routes whose paths are regular expressions.

### Step 4: configure CORS (if needed)

```bash
curl -X POST http://localhost:8001/plugins/ \
  -H "Content-Type: application/json" \
  -d '{
    "name": "cors",
    "config": {
      "origins": ["*"],
      "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
      "headers": ["Authorization", "Content-Type", "Accept"],
      "exposed_headers": ["X-Total-Count", "X-Page-Number"],
      "credentials": true,
      "max_age": 3600
    }
  }'
```

### Step 5: verify the configuration

```bash
# List all services
curl http://localhost:8001/services

# List all routes
curl http://localhost:8001/routes

# List the configured plugins
curl http://localhost:8001/plugins

# Test the rate limit: send several requests back to back
for i in {1..5}; do
  curl -I http://localhost:8000/hzero-gateway/hadm/v1/services
  echo "--- Request $i ---"
done
```

## 5. Parameter reference

| Parameter | Description | Recommended value |
|---|---|---|
| `second` | Requests allowed per second | 1 |
| `minute` | Requests allowed per minute | 60 |
| `hour` | Requests allowed per hour | optional |
| `policy` | Counter storage policy | `redis` (recommended) or `local` (per node) |
| `redis_host` | Redis address | 192.168.0.95 |
| `redis_port` | Redis port | 6379 |
| `hide_client_headers` | Whether to hide the rate-limit headers from clients | false |

## 6. Rate-limit response headers

Kong returns the following response headers:

- `X-RateLimit-Limit-Minute`: limit per minute
- `X-RateLimit-Remaining-Minute`: requests remaining in the current minute
- `X-RateLimit-Limit-Second`: limit per second
- `X-RateLimit-Remaining-Second`: requests remaining in the current second

Once a limit is exhausted, Kong answers with HTTP 429.

## 7. Common problems

1. Rate limiting blocks legitimate users. Fix: raise the thresholds, or limit per user instead of globally.
2. Redis connection failures. Fix: check the Redis configuration and confirm network connectivity.
3. The login endpoint is rate limited. Fix: create a separate route and exclude it from the limit.
4. Internal service calls are rate limited. Fix: configure an IP allowlist or exclude the internal network.

## 8. Docker Compose configuration (for reference)

If Kong has to be redeployed, the following `docker-compose.yml` can be used:

```yaml
version: "3.8"
services:
  kong:
    image: kong:3.4
    container_name: kong
    environment:
      KONG_DATABASE: "off"
      KONG_DECLARATIVE_CONFIG: /usr/local/kong/kong.yml
      # 8443 is published below, so it must also be listened on (with TLS)
      KONG_PROXY_LISTEN: "0.0.0.0:8000, 0.0.0.0:8443 ssl"
      KONG_ADMIN_LISTEN: 0.0.0.0:8001
      KONG_LOG_LEVEL: info
    ports:
      - "8000:8000"
      - "8443:8443"
      - "8001:8001"
    volumes:
      - ./kong.yml:/usr/local/kong/kong.yml:ro
    restart: unless-stopped
```

Two caveats about this file. `KONG_DATABASE: "off"` starts Kong in DB-less mode, where the Admin API is read-only and the `POST` calls from sections 2 to 4 are rejected; with this compose file the services, routes and plugins must be written into `kong.yml` (declarative format, `_format_version: "3.0"`) instead, while the curl-based steps assume a database-backed Kong. Second, publishing 8001 exposes the unauthenticated Admin API on every interface; bind it to the loopback address (`"127.0.0.1:8001:8001"`) or restrict it with a firewall.

## 9. Summary

The configuration above achieves the following:

- Global rate limiting: 1 request per second, 60 per minute
- Authentication services excluded: the OAuth login endpoints are not limited
- Redis-backed distributed limiting, supporting multi-node deployments
- Client-friendly limit responses that report the remaining quota
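The following is an added example, not code from this guide or from Kong itself: a small model of how the fixed-window counters of the rate-limiting plugin (`policy: local`) interact with the route > service > global precedence from section 3, using the limits, route names and path prefixes from section 4. The client IPs, request timestamps and the `effective_limits`/`LocalRateLimiter` names are constructed for the illustration; the real plugin keeps its counters in the node's shared memory or in Redis.

```python
"""Added example, not code from the guide or from Kong: a fixed-window model of
the rate-limiting plugin with the "local" policy, combined with the
route > service > global precedence from section 3. Routes, limits and sample
requests are constructed from the values in the guide."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PERIOD_SECONDS = {"second": 1, "minute": 60}


@dataclass
class PluginInstance:
    scope: str                      # "route", "service" or "global"
    limits: dict                    # period name -> requests allowed per window
    route: Optional[str] = None     # set when scope == "route"
    service: Optional[str] = None   # set when scope == "service"
    enabled: bool = True

    def key(self) -> str:
        # Counters are kept per scoped entity, so the relaxed route instance
        # does not share its counters with the service-wide one.
        return self.route or self.service or "global"


# Section 4: a service-wide 1/s, 60/min limit and a relaxed instance on the public route.
PLUGINS = [
    PluginInstance("service", {"second": 1, "minute": 60}, service="hzero-backend"),
    PluginInstance("route", {"second": 10, "minute": 1000}, route="hzero-oauth-public"),
]

# Section 4 routes as (route name, path prefix); Kong picks the longest matching prefix.
ROUTES = [
    ("hzero-oauth-public", "/oauth/"),
    ("hzero-oauth-public", "/iam/"),
    ("hzero-api", "/"),
]


def match_route(path: str) -> str:
    """Return the name of the route whose prefix is the longest match for path."""
    name, _ = max(((n, p) for n, p in ROUTES if path.startswith(p)),
                  key=lambda item: len(item[1]))
    return name


def effective_limits(route: str, service: str = "hzero-backend") -> Optional[PluginInstance]:
    """Pick the most specific *enabled* instance: route, then service, then global.
    Disabled instances are skipped, which is why "enabled": false on a route does
    not shadow a service-level limit."""
    for scope in ("route", "service", "global"):
        for inst in PLUGINS:
            if not inst.enabled or inst.scope != scope:
                continue
            if scope == "route" and inst.route != route:
                continue
            if scope == "service" and inst.service != service:
                continue
            return inst
    return None  # no instance applies: unlimited


class LocalRateLimiter:
    """Fixed-window counters keyed by (client, scope, period, window start)."""

    def __init__(self):
        self.counters = defaultdict(int)

    def check(self, client_ip: str, path: str, now: float) -> dict:
        route = match_route(path)
        inst = effective_limits(route)
        if inst is None:
            return {"allowed": True, "route": route, "limited_by": None, "remaining": {}}
        limits = inst.limits
        windows = {p: int(now) // PERIOD_SECONDS[p] * PERIOD_SECONDS[p] for p in limits}
        keys = {p: (client_ip, inst.key(), p, windows[p]) for p in limits}
        # Every configured period must have room; the first exhausted one is reported,
        # much like the X-RateLimit-Remaining-* header that has dropped to zero.
        for period, limit in limits.items():
            if self.counters[keys[period]] >= limit:
                return {"allowed": False, "route": route, "limited_by": period,
                        "remaining": {period: 0}}
        for period in limits:
            self.counters[keys[period]] += 1
        remaining = {p: limits[p] - self.counters[keys[p]] for p in limits}
        return {"allowed": True, "route": route, "limited_by": None, "remaining": remaining}


if __name__ == "__main__":
    rl = LocalRateLimiter()
    # Constructed traffic: three API calls from one client within 1.2 seconds,
    # then five login calls from the same client within half a second.
    for t in (0.0, 0.4, 1.2):
        print(rl.check("10.0.0.1", "/hzero-gateway/hadm/v1/services", t))
    for t in (0.0, 0.1, 0.2, 0.3, 0.4):
        print(rl.check("10.0.0.1", "/oauth/token", t))
```

Running it shows the two effects that matter operationally: the second API call from the same client, 0.4 s after the first, is rejected on the `second` window even though the minute budget is nearly untouched (a front end that fires several calls per page load will trip exactly this), while the login calls go to `hzero-oauth-public` and are counted against the relaxed route instance. Note also that with `second: 1` the `minute: 60` limit can only be reached by using every single second of the window, so it is effectively redundant next to the per-second limit.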
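Step 5 of section 4 only lists the entities; the added checker below (not part of the guide or of Kong) reads `/services`, `/routes` and `/plugins` from the Admin API and verifies the invariants sections 3 and 4 depend on: a catch-all route and the public route both exist on the service, an enabled rate-limiting instance is scoped to the service, the public route has its own enabled instance whose limits are not stricter than the service's, and any Redis-backed instance has `fault_tolerant` set so that a Redis outage degrades to "not limited" rather than to failed requests. The Admin API URL and entity names are the ones used in the guide; the `SAMPLE_*` documents are constructed to resemble Admin API responses and are not real output.

```python
"""Added example, not part of the guide: check the Kong rate-limiting layout
from sections 3 and 4 against what the Admin API reports. ADMIN_URL and the
entity names come from the guide; the SAMPLE_* documents are constructed."""
import json
import urllib.request

ADMIN_URL = "http://localhost:8001"  # Admin API, reachable from the Kong host only
PERIODS = ("second", "minute", "hour", "day", "month", "year")


def fetch(entity: str, admin_url: str = ADMIN_URL) -> list:
    """GET /services, /routes or /plugins and return the first page of "data"."""
    with urllib.request.urlopen(f"{admin_url}/{entity}", timeout=5) as resp:
        return json.load(resp)["data"]


def check_rate_limiting(services, routes, plugins,
                        service_name="hzero-backend", public_route="hzero-oauth-public"):
    """Return a list of problems; an empty list means the layout matches the guide."""
    problems = []
    svc = next((s for s in services if s.get("name") == service_name), None)
    if svc is None:
        return [f"service {service_name!r} does not exist"]

    svc_routes = {r.get("name"): r for r in routes
                  if (r.get("service") or {}).get("id") == svc["id"]}
    if not any("/" in r.get("paths", []) for r in svc_routes.values()):
        problems.append("no catch-all route with path '/' on the service")
    pub = svc_routes.get(public_route)
    if pub is None:
        problems.append(f"route {public_route!r} does not exist on the service")

    # Only enabled instances take part in precedence resolution (see section 3).
    rl = [p for p in plugins if p.get("name") == "rate-limiting" and p.get("enabled", True)]
    svc_inst = next((p for p in rl if (p.get("service") or {}).get("id") == svc["id"]
                     and not p.get("route")), None)
    if svc_inst is None:
        problems.append("no enabled rate-limiting instance scoped to the service")
    pub_inst = None
    if pub is not None:
        pub_inst = next((p for p in rl if (p.get("route") or {}).get("id") == pub["id"]), None)
        if pub_inst is None:
            problems.append(f"no enabled rate-limiting instance on route {public_route!r}; "
                            "the service limit applies to logins")
    if svc_inst and pub_inst:
        for period in PERIODS:
            strict = svc_inst["config"].get(period)
            relaxed = pub_inst["config"].get(period)
            if strict is not None and relaxed is not None and relaxed < strict:
                problems.append(f"{public_route!r} limit per {period} ({relaxed}) "
                                f"is lower than the service limit ({strict})")
    for p in rl:
        cfg = p.get("config", {})
        if cfg.get("policy") == "redis" and not cfg.get("fault_tolerant", True):
            problems.append(f"plugin {p.get('id')} uses redis with fault_tolerant=false: "
                            "a Redis outage fails every request")
    return problems


# Constructed sample documents shaped like Admin API responses (ids are made up).
SAMPLE_SERVICES = [{"id": "svc-1", "name": "hzero-backend",
                    "host": "192.168.0.128", "port": 8080}]
SAMPLE_ROUTES = [
    {"id": "rt-1", "name": "hzero-api", "paths": ["/"], "service": {"id": "svc-1"}},
    {"id": "rt-2", "name": "hzero-oauth-public", "paths": ["/oauth/", "/iam/"],
     "service": {"id": "svc-1"}},
]
SAMPLE_PLUGINS = [
    {"id": "pl-1", "name": "rate-limiting", "enabled": True,
     "service": {"id": "svc-1"}, "route": None,
     "config": {"second": 1, "minute": 60, "policy": "redis", "fault_tolerant": True}},
    {"id": "pl-2", "name": "rate-limiting", "enabled": True,
     "service": None, "route": {"id": "rt-2"},
     "config": {"second": 10, "minute": 1000, "policy": "local", "fault_tolerant": True}},
]


if __name__ == "__main__":
    # Live check against the Admin API; falls back to the constructed samples offline.
    try:
        data = [fetch(e) for e in ("services", "routes", "plugins")]
    except OSError:
        data = [SAMPLE_SERVICES, SAMPLE_ROUTES, SAMPLE_PLUGINS]
    for problem in check_rate_limiting(*data) or ["OK: layout matches the guide"]:
        print(problem)
```

The interesting case is the section 3 variant that "disables" the plugin on the OAuth route: because the checker, like Kong, ignores disabled instances, that layout is reported as "no enabled rate-limiting instance on route 'hzero-oauth-public'", which is exactly the failure behind problem 3 in section 7.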