CN118158159A - High-performance extensible load balancing stream forwarding processing system - Google Patents


Publication number
CN118158159A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410161294.XA
Inventor
焦大光
刘春霖
宿媛媛
鞠翠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Rural Credit Union
Original Assignee
Shandong Rural Credit Union

Abstract

A high-performance scalable load-balancing stream forwarding processing system, comprising: a core agent module, which implements the detailed API proxy logic; and a management control client module, which provides a visual web management interface for configuring and managing the core agent module. The core agent module takes the API as its minimum control unit and provides a series of configurable general processors that filter and forward the API request flow; the general processors include a blacklist processor, a whitelist processor, an access restriction processor, a parameter check processor, a rights authentication processor, a core agent processor, and an exception processor.

Description

High-performance extensible load balancing stream forwarding processing system
Technical field:
The invention relates to a high-performance scalable load balancing stream forwarding processing system.
Background:
A gateway, also called an intersystem connector or protocol converter, implements network interconnection above the network layer. It is a complex interconnection device used only between networks with two different higher-layer protocols, and it can be used for both wide area network and local area network interconnection.
A gateway is a computer system or device that acts as a translator between different communication protocols, data formats or languages, or even between two systems with completely different architectures. Rather than simply conveying the information, the gateway repacks the received information to accommodate the needs of the destination system.
In the field of financial technology, the gateway systems currently on the market are mainly the Zuul gateway and Spring Cloud Gateway. The Zuul gateway uses traditional blocking I/O (BIO), so its throughput and CPU utilization are insufficient. Both Zuul and Spring Cloud Gateway can be configured only through configuration files and provide neither a management control interface nor a monitoring and transaction query interface. For the data flow proxy function, neither provides a sufficiently rich set of data flow forwarding modules that can be used out of the box. As a result, customer experience is poor, system resources are not used effectively, visual configuration and visual monitoring of the running state are lacking, and actual application requirements cannot be met.
Summary of the invention:
The embodiment of the invention provides a high-performance extensible load balancing stream forwarding processing system with a reasonable structural design. It supports visual and extensible configuration, effectively improves system throughput and CPU utilization, provides multiple feature-rich data stream forwarding processing modules that can be used out of the box, displays the current running state of the system visually, improves the effective utilization of system resources and the customer experience, monitors the running state of the system accurately, and offers flexible and varied overall configuration, thereby solving the problems of the prior art.
The technical scheme adopted by the invention for solving the technical problems is as follows:
A high performance scalable load-balancing stream forwarding processing system, the processing system comprising:
The core proxy module is used for realizing detailed API proxy logic;
The management control client module is used for providing a visual WEB management interface and configuring and managing the core agent module;
The core agent module takes an API as a minimum control unit and provides a series of configurable general processors for filtering and forwarding the API request stream; the general processor includes a blacklist processor, a whitelist processor, an access restriction processor, a parameter check processor, a rights authentication processor, a core agent processor, and an exception processor.
The blacklist processor reads the request header of the HTTP request, obtains the requester's IP address, and determines from that address whether the requester is in the blacklist; if the requester is in the blacklist, it ends the request and responds with the status code and status information for unauthorized access;
The white list processor reads the request header of the HTTP request, obtains the requester's IP address, and determines from that address whether the requester is in the white list; if the requester is not in the white list, it ends the request and responds with the status code and status information for unauthorized access.
The access restriction processor takes effect when access restriction is enabled at API creation, and the restriction unit can be set to day, hour or minute; the access restriction processor can set an API restriction and an IP restriction, and the IP restriction must not be greater than the API restriction.
The parameter check processor uses the input parameter (entry) definitions added when the API request is defined to check the parameters in each request;
The rights authentication processor checks the legitimacy and validity of the token value in each HTTP request header; if token verification fails, it responds to the client with an illegal request; if token verification succeeds, processing continues at the next processor.
The core agent processor handles HTTP stream forwarding, supports load balancing across multiple back-end URLs, and supports fusing (circuit breaking) and a reconnection mechanism when the back end is unavailable;
When an API interface is created for the core agent processor, multiple back-end service address URLs are filled in; a request weight can be set among these back-end service URLs, and load balancing is performed according to the weight by polling available connections or by IP hash;
When the back-end service is unavailable, the fusing logic is executed: client requests are no longer forwarded to the back-end URL, and a timed back-end URL reconnection task is started; when the back-end service is restored, the fuse is released and normal forwarding resumes.
The management control client module comprises an application management component, an API management component and a monitoring statistics component; the application management component is used for dynamically adding or modifying the application; the API management component is used for configuring and managing detailed parameters of each processor of the core agent module; the monitoring statistics component is used for monitoring the current running state of the system, and can monitor running time, normal application number, normal API number, abnormal request number, global request number, HTTP processor processing number and JVM running condition.
For each application, the listening service port, HTTP service setting, HTTPS service setting, cross-domain setting, request body length limit, session keep-alive setting, connection pool setting, HttpClient setting and application service extension setting can be configured, and the external service state of the whole application can be controlled by suspending and starting it.
The rights authentication processor can perform session-token authentication or JWT-token authentication;
The session-token authentication flow is as follows: before initiating a service request, the client must call the API gateway's getSessionToken service; after the white list check passes, the system generates a Token and places it in the session sharing storage. When the client calls an interface, it must place the Token data in userToken in the request HEADER. After receiving the request, the API gateway reads the userToken data from the request HEADER and compares it with the Token in the session sharing storage; if they match, interface access is granted, and if they do not, an authentication failure error is returned.
The JWT-token authentication flow is as follows: before initiating a service request, the client must call the API gateway's getJWTToken service, placing the client user name and password in the request header. If the user name and password pass verification, the API gateway issues a unique token; if verification fails, an authentication failure error is returned. After obtaining the Token, the client must place the Token data in userToken in the request HEADER. After receiving the request, the API gateway reads the userToken data from the request HEADER and compares it with the Token stored by the server; if they match, interface access is granted, and if they do not, an authentication failure error is returned.
With this structure, in terms of performance the application uses NIO multiplexing at the underlying connection layer and serves a large number of concurrent client connection requests with a limited number of threads, which effectively addresses system throughput and CPU utilization. In terms of visual configuration, it provides a feature-rich, easy-to-use visual console for service configuration, which addresses the complexity of user configuration. In terms of service monitoring, it provides a service monitoring interface for checking the running state of the system. Compared with gateways such as Zuul that are configured through XML files, the application is more flexible to configure: adding, suspending and starting a whole application can all be done from the control end. The application is therefore safe, practical, flexible and efficient.
Description of the drawings:
Fig. 1 is a schematic structural view of the present invention.
FIG. 2 is a flowchart illustrating the execution of the core proxy module of the present invention.
Fig. 3 is a schematic structural diagram of a management control client module according to the present invention.
Fig. 4 is a flow chart of forwarding a data stream of a core proxy module.
Fig. 5 is a timing diagram of a session authentication process of the core proxy module.
Fig. 6 is a timing diagram of a core proxy module token authentication process.
Detailed description:
In order to clearly illustrate the technical features of the present solution, the present invention will be described in detail below with reference to the following detailed description and the accompanying drawings.
As shown in fig. 1-6, a high performance scalable load-balanced stream forwarding processing system, the processing system comprising:
The core proxy module is used for realizing detailed API proxy logic;
The management control client module is used for providing a visual WEB management interface and configuring and managing the core agent module;
The core agent module takes the API as the minimum control unit and provides a series of configurable general processors to filter and forward the API request flow; the general processor includes a blacklist processor, a whitelist processor, an access restriction processor, a parameter check processor, a rights authentication processor, a core agent processor, and an exception processor.
The blacklist processor reads the request header of the HTTP request, obtains the requester's IP address, and determines from that address whether the requester is in the blacklist; if the requester is in the blacklist, it ends the request and responds with the status code and status information for unauthorized access;
The white list processor reads the request header of the HTTP request, obtains the requester's IP address, and determines from that address whether the requester is in the white list; if the requester is not in the white list, it ends the request and responds with the status code and status information for unauthorized access.
The access restriction processor takes effect when access restriction is enabled at API creation, and the restriction unit can be set to day, hour or minute; the access restriction processor can set an API restriction and an IP restriction, and the IP restriction must not be greater than the API restriction.
The parameter check processor uses the input parameter (entry) definitions added when the API request is defined to check the parameters in each request;
The rights authentication processor checks the legitimacy and validity of the token value in each HTTP request header; if token verification fails, it responds to the client with an illegal request; if token verification succeeds, processing continues at the next processor.
The core agent processor handles HTTP stream forwarding, supports load balancing across multiple back-end URLs, and supports fusing (circuit breaking) and a reconnection mechanism when the back end is unavailable;
When an API interface is created for the core agent processor, multiple back-end service address URLs are filled in; a request weight can be set among these back-end service URLs, and load balancing is performed according to the weight by polling available connections or by IP hash;
When the back-end service is unavailable, the fusing logic is executed: client requests are no longer forwarded to the back-end URL, and a timed back-end URL reconnection task is started; when the back-end service is restored, the fuse is released and normal forwarding resumes.
The management control client module comprises an application management component, an API management component and a monitoring statistics component; the application management component is used for dynamically adding or modifying the application; the API management component is used for configuring and managing detailed parameters of each processor of the core agent module; the monitoring statistics component is used for monitoring the current running state of the system, and can monitor the running time, the number of normal applications, the number of normal APIs, the number of abnormal requests, the number of global requests, the number of requests handled by the HTTP processors and the running condition of the JVM.
For each application, the listening service port, HTTP service setting, HTTPS service setting, cross-domain setting, request body length limit, session keep-alive setting, connection pool setting, HttpClient setting and application service extension setting can be configured, and the external service state of the whole application can be controlled by suspending and starting it.
The rights authentication processor can perform session-token authentication or JWT-token authentication;
The session-token authentication flow is as follows: before initiating a service request, the client must call the API gateway's getSessionToken service; after the white list check passes, the system generates a Token and places it in the session sharing storage. When the client calls an interface, it must place the Token data in userToken in the request HEADER. After receiving the request, the API gateway reads the userToken data from the request HEADER and compares it with the Token in the session sharing storage; if they match, interface access is granted, and if they do not, an authentication failure error is returned.
The JWT-token authentication flow is as follows: before initiating a service request, the client must call the API gateway's getJWTToken service, placing the client user name and password in the request header. If the user name and password pass verification, the API gateway issues a unique token; if verification fails, an authentication failure error is returned. After obtaining the Token, the client must place the Token data in userToken in the request HEADER. After receiving the request, the API gateway reads the userToken data from the request HEADER and compares it with the Token stored by the server; if they match, interface access is granted, and if they do not, an authentication failure error is returned.
The working principle of the high-performance extensible load balancing stream forwarding processing system in the embodiment of the invention is as follows. The system supports visual and extensible configuration, effectively improves system throughput and CPU utilization, provides multiple feature-rich data stream forwarding processing modules that can be used out of the box, displays the current running state of the system visually, improves the effective utilization of system resources and the customer experience, monitors the running state of the system accurately, and offers flexible and varied overall configuration. In terms of performance, the gateway's underlying connection layer uses NIO multiplexing and serves a large number of concurrent client connection requests with a limited number of threads, which effectively addresses system throughput and CPU utilization. In terms of visual configuration, the system provides a feature-rich, easy-to-use visual console for service configuration, which addresses the complexity of user configuration. In terms of service monitoring, the system provides a service monitoring interface for checking the running state of the system.
Furthermore, the system has a data flow forwarding function module for realizing gateway unified entry, authentication verification, dynamic routing, black and white list verification, access frequency limitation, load balancing, parameter verification, preprocessor, postprocessor, exception handler, service monitoring and the like.
More specifically, the system can customize service parameters such as application ports, session timeout and connection count. It provides a black-and-white list function that controls access according to the requesting IP. It adds an access frequency limit, which can be applied to an interface as a whole or to a single IP only, effectively protecting the security and stability of the system. For interface forwarding it provides a simple load balancing strategy that distributes request traffic according to weight. It adds a parameter verification function that supports transparent pass-through, configured pass-through and verification of input parameters. Pre-processors, post-processors and exception handlers are added for interfaces, so that unified pre-processing, post-processing and exception-handling logic can be custom-developed for specific services, giving strong extensibility. The system can also provide dynamic service routing, rate limiting and fault tolerance, identity authentication and security control, service monitoring, grayscale release of services, dynamic monitoring and similar functions.
Compared with gateways such as Zuul that are configured through XML files, the system is more flexible to configure, and adding, suspending and starting a whole application can be done from the control end. In terms of performance, the system is developed on Vert.x; the underlying I/O uses multiplexing, so a very high number of connections is handled with a limited number of threads, and a filter chain is used during routing to control the load balancing stream forwarding processors precisely through an extensible algorithm.
In the overall scheme, the system mainly comprises a core proxy module, which implements the detailed API proxy logic;
The management control client module is used for providing a visual WEB management interface and configuring and managing the core agent module;
The core agent module takes an API as a minimum control unit and provides a series of configurable general processors for filtering and forwarding the API request stream; the general processor includes a blacklist processor, a whitelist processor, an access restriction processor, a parameter check processor, a rights authentication processor, a core agent processor, and an exception processor.
Preferably, the blacklist processor reads the request header of the HTTP request, obtains the requester's IP address, and determines from that address whether the requester is in the blacklist; if the requester is in the blacklist, it ends the request and responds with the status code and status information for unauthorized access; otherwise, the next processor is executed.
The white list processor reads the request header of the HTTP request, obtains the requester's IP address, and determines from that address whether the requester is in the white list; if the requester is not in the white list, it ends the request and responds with the status code and status information for unauthorized access; otherwise, the next processor is executed.
For the access restriction processor: if access restriction is enabled when an API is created, this component is executed. The units of access restriction are day, hour and minute; API and IP restrictions can be set, and the IP restriction cannot be greater than the API restriction. For example, if the API is limited to 10000 calls in 1 minute and the number of accesses within 1 minute exceeds 10000, the system directly returns an access-restricted error prompt.
When a client requests the API, the access restriction processor records the time of each request in a circular queue whose length is the number of requests configured for the access restriction. Once the circular queue is full, on receiving a new request the processor calculates the time difference between the tail data and the head data of the queue; if the limit is exceeded, the processor throws a frequency-overrun exception; if it is not exceeded, the head data of the circular queue is deleted and the request time is written into the circular queue.
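One reading of the circular-queue limiter described above, as an added Python example rather than code from the patent: a request is rejected when the queue is full and its head entry is still inside the time window. The class and method names are hypothetical, and checking the API queue and a per-IP queue together before recording is an assumption.

```python
import time
from collections import deque

UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}  # units named in the text


class AccessLimitExceeded(Exception):
    """Frequency overrun: the request would exceed the configured limit."""


class WindowQueue:
    """Circular queue of the timestamps of the last `limit` admitted requests."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.times = deque()

    def would_exceed(self, now):
        # Queue full and its head (oldest admitted request) still inside the
        # window: one more request would be number limit+1 in that window.
        return len(self.times) >= self.limit and now - self.times[0] < self.window

    def record(self, now):
        if len(self.times) >= self.limit:
            self.times.popleft()      # delete the head data
        self.times.append(now)        # write the request time at the tail


class AccessLimitProcessor:
    """Hypothetical processor holding one API-wide queue and one queue per IP."""

    def __init__(self, api_limit, ip_limit, unit="minute"):
        if not 1 <= ip_limit <= api_limit:
            raise ValueError("IP restriction must be >= 1 and not greater than the API restriction")
        self.window = UNIT_SECONDS[unit]
        self.ip_limit = ip_limit
        self.api_queue = WindowQueue(api_limit, self.window)
        self.ip_queues = {}           # per-IP queues; evict idle entries in real use

    def check(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        ip_queue = self.ip_queues.get(client_ip)
        if ip_queue is None:
            ip_queue = WindowQueue(self.ip_limit, self.window)
        # Test both limits before recording, so a rejected request consumes no
        # quota and a rejected new IP does not allocate a queue.
        if self.api_queue.would_exceed(now) or ip_queue.would_exceed(now):
            raise AccessLimitExceeded(client_ip)
        self.api_queue.record(now)
        ip_queue.record(now)
        self.ip_queues[client_ip] = ip_queue

    def allow(self, client_ip, now=None):
        """Boolean wrapper around check() for callers that do not want exceptions."""
        try:
            self.check(client_ip, now)
            return True
        except AccessLimitExceeded:
            return False
```

Memory is bounded by the configured limit per queue, which is why the queue length equals the number of allowed requests.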
For the parameter check processor, input parameter (entry) definitions are added when the API request is defined, and the parameters in each request are checked against them; if a parameter's type or non-empty check does not meet the API settings, the request is ended and a gateway input parameter check failure message is returned. The parameter check processor can obtain parameters from the HEADER of the HTTP request, from the request path under the RESTful specification, or from the URL parameters; it performs the non-empty check and the parameter type check according to the parameters set in API management, and sets default data for parameters that are allowed to be empty.
In the application, the rights authentication processor checks the legitimacy and validity of the token value in each HTTP request header; if token verification fails, it responds to the client with an illegal request; if token verification succeeds, processing continues at the next processor.
Specifically, the rights authentication processor may perform session-token authentication or JWT-token authentication. The session-token authentication flow is as follows: before initiating a service request, the client must call the API gateway's getSessionToken service; after the white list check passes, a Token is generated and placed in the session sharing storage. When the client calls an interface, it must place the Token data in userToken in the request HEADER. After receiving the request, the API gateway reads the userToken data from the request HEADER and compares it with the Token in the session sharing storage; if they match, interface access is granted, and if they do not, an authentication failure error is returned.
The JWT-token authentication flow is as follows: before initiating a service request, the client must call the API gateway's getJWTToken service, placing the client user name and password in the request header. If the user name and password pass verification, the API gateway issues a unique token; if verification fails, an authentication failure error is returned. After obtaining the Token, the client must place the Token data in userToken in the request HEADER. After receiving the request, the API gateway reads the userToken data from the request HEADER and compares it with the Token stored by the server; if they match, interface access is granted, and if they do not, an authentication failure error is returned.
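The session-token exchange described above, with both the issuing and the verifying side, as an added Python example that is not code from the patent. The class name, the in-memory dictionary standing in for the session sharing storage, the token lifetime and the choice to store only a hash of each token are assumptions; only getSessionToken and the userToken header come from the text.

```python
import hashlib
import ipaddress
import secrets
import time


class SessionTokenAuth:
    """Hypothetical gateway-side handler for getSessionToken and userToken checks."""

    def __init__(self, whitelist, ttl_seconds=1800, clock=time.time):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.ttl = ttl_seconds       # assumed lifetime; the text specifies none
        self.clock = clock
        self._store = {}             # stands in for the session sharing storage

    @staticmethod
    def _digest(token):
        # Keep only a hash, so a dump of the shared storage yields no usable token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def get_session_token(self, client_ip):
        """getSessionToken: issue a token only if the requester passes the white list."""
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in self.whitelist):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._store[self._digest(token)] = self.clock() + self.ttl
        return token

    def verify(self, headers):
        """Compare the userToken header with the stored token; return a reason string."""
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        token = lowered.get("usertoken")
        if not token:
            return "missing"
        key = self._digest(token)
        expiry = self._store.get(key)
        if expiry is None:
            return "unknown"         # legitimacy check failed
        if self.clock() >= expiry:
            del self._store[key]     # validity check failed: drop the stale entry
            return "expired"
        return "ok"
```

Anything other than "ok" corresponds to the authentication failure error in the flow; the distinct reasons are for the gateway's own logs.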
The core proxy processor handles HTTP stream forwarding; according to the back-end service setting, back-end parameter setting and return parameter setting in API management, it supports load balancing across multiple back-end URLs and supports fusing (circuit breaking) and a reconnection mechanism when the back end is unavailable.
When an API interface is created, multiple back-end service address URLs are filled in; a request weight can be set among them, and the system balances load according to the weight by polling available connections or by IP hash, and also provides a link connectivity test function. When the back-end service is unavailable, the fusing logic is executed: client requests are no longer forwarded to the back-end URL and a timed back-end URL reconnection task is started; when the back-end service is restored, the fuse is released and normal forwarding resumes.
After a request to a back-end service address times out, the system sends 3 requests in succession to prevent network fluctuation from causing the request to fail. If all 3 requests time out, the system marks the current API interface as fused, and front-end requests to that API interface directly return a back-end service timeout. The first fusing is released after 1 minute, after which front-end requests are again forwarded normally to the back-end service. If the back-end service times out 3 times again, the current API interface is marked as fused again, and this second fusing is released after 3 minutes. If fusing occurs three or more times consecutively, the fusing release time is 10 minutes.
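The fusing schedule described above (3 timed-out attempts trip the fuse; release after 1, 3, then 10 minutes), as an added Python example that is not code from the patent. The class and function names are hypothetical, and treating one successful forward as the end of a run of consecutive fusings is an assumption.

```python
import time

RELEASE_SECONDS = (60, 180, 600)   # 1st, 2nd, 3rd-and-later consecutive fusing
ATTEMPTS = 3                       # requests sent before the interface is fused


class BackendTimeout(Exception):
    """Returned to the front end as a back-end service timeout."""


class ApiFuse:
    """Hypothetical per-API fuse state with an injectable clock for testing."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.consecutive_fusings = 0
        self.fused_until = None

    def is_fused(self):
        if self.fused_until is not None and self.clock() >= self.fused_until:
            self.fused_until = None          # release: forwarding resumes
        return self.fused_until is not None

    def forward(self, send):
        """send() performs one back-end request and raises TimeoutError on timeout."""
        if self.is_fused():
            # Short-circuit: the back end is not contacted while fused.
            raise BackendTimeout("interface fused")
        # Re-sending is only safe for requests the back end treats as idempotent.
        for _ in range(ATTEMPTS):
            try:
                result = send()
            except TimeoutError:
                continue
            self.consecutive_fusings = 0     # assumption: success ends the streak
            return result
        # All attempts timed out: fuse, with a release time that grows per streak.
        step = min(self.consecutive_fusings, len(RELEASE_SECONDS) - 1)
        self.fused_until = self.clock() + RELEASE_SECONDS[step]
        self.consecutive_fusings += 1
        raise BackendTimeout("back-end service timed out")
```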
Further, the exception processor handles exceptions that occur during API proxying: it captures the exception when any other processor fails and returns an error according to the return parameter setting in API management. Default system return code 202: the exception comes from the access limit processor and indicates that the current request frequency is overrun. Default system return code 403: the exception comes from the access restriction processor and indicates that the request is in the blacklist, or that the white list is enabled but the request IP is not in the white list.
Default system return code 400: the exception comes from the parameter check processor and indicates that the request parameter check failed. Default system return code 504: the exception comes from the core proxy processor and indicates that the request to the back-end service timed out. The system also supports custom return codes and return descriptions, which can be set according to the specific circumstances of the interface; the system records error information according to these settings and returns the exception information to the client.
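How the list processors, the parameter check and the exception processor's default return codes fit together in a filter chain, as an added Python example that is not code from the patent. All function names are hypothetical; the X-Forwarded-For header and the trusted-proxy list are assumptions about how the requester's IP is read from the request header, and the 200 result stands in for the core proxy processor.

```python
import ipaddress

# Default return codes listed in the text; custom codes may override them per API.
DEFAULT_CODES = {"access_limit": 202, "ip_list": 403, "param_check": 400, "backend_timeout": 504}


class ProcessorError(Exception):
    def __init__(self, kind, detail):
        super().__init__(detail)
        self.kind, self.detail = kind, detail


def resolve_client_ip(peer_ip, headers, trusted_proxies):
    """Use the forwarded header only when the TCP peer is a known proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return peer                       # direct client: header is not trusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):            # rightmost entries were added by our proxies
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                         # malformed entry: stop trusting the header
        if not any(addr in net for net in trusted_proxies):
            return addr
    return peer


def blacklist_processor(blacklist):
    def run(req):
        if any(req["client_ip"] in net for net in blacklist):
            raise ProcessorError("ip_list", "requester is in the blacklist")
    return run


def whitelist_processor(whitelist):
    def run(req):
        if not any(req["client_ip"] in net for net in whitelist):
            raise ProcessorError("ip_list", "requester is not in the white list")
    return run


def param_check_processor(definitions):
    """definitions: name -> (type name, required, default)."""
    casts = {"int": int, "str": str}
    def run(req):
        for name, (ptype, required, default) in definitions.items():
            raw = req["params"].get(name)
            if raw in (None, ""):
                if required:
                    raise ProcessorError("param_check", name + " must not be empty")
                req["params"][name] = default     # default for data allowed to be empty
                continue
            try:
                req["params"][name] = casts[ptype](raw)
            except ValueError:
                raise ProcessorError("param_check", name + " must be " + ptype) from None
    return run


def handle(req, processors, custom_codes=None):
    """Run the chain; the exception processor maps any failure to a return code."""
    codes = {**DEFAULT_CODES, **(custom_codes or {})}
    try:
        for processor in processors:
            processor(req)
    except ProcessorError as err:
        return codes[err.kind], err.detail
    return 200, "forwarded"               # placeholder for the core proxy processor
```

Deriving the address from the connection's peer unless it is a configured proxy keeps a client-supplied header from deciding the outcome of the list checks.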
The management control client module comprises an application management component, an API management component and a monitoring statistics component; the application management component is used for dynamically adding or modifying the application; the API management component is used for configuring and managing detailed parameters of each processor of the core agent module; the monitoring statistics component is used for monitoring the current running state of the system, and can monitor running time, normal application number, normal API number, abnormal request number, global request number, HTTP processor processing number and JVM running condition.
In the application management component, whether an HTTP service setting and an HTTPS service setting are opened or not and a port can be set respectively, wherein HTTPS needs to specify a certificate type, a certificate key and a certificate path; the cross-domain setting can set whether cross-domain is supported or not; the illegal request setting mainly sets illegal path return Content and return data Content-Type, return code of IP authentication failure, return data Content-Type and return Content; the length of the request body is limited to the length of the request body of the TCP request, the default is-1, the limitation is not carried out, and after the maximum length is set, the request exceeding the length limitation is intercepted; after the session is kept and set up, the established links are multiplexed after the client requests, the links fail after exceeding the set time, and the requests reestablish the links; the connection pool is set to be configured by an API gateway and a background server interactive link pool; the HttpClient expansion is set as HttpClientOptions service configuration in Vert.x, and service logic expansion processing is performed between the gateway and the back-end service; the application service expansion is set as HttpServerOptions service configuration in the ver. X, and acts on the interactive expansion configuration of the user and the gateway.
In the API management component, the IP whitelist setting allows a whitelist group name and multiple whitelist IPs to be added. If an interface selects an IP whitelist, then after the API gateway receives a request, the whitelist check processor checks the requester's IP: if it is in the whitelist, the request proceeds to the next processor; if it is not, the API gateway returns data according to the illegal request setting in application management.
The security authentication setting can configure session-token authentication or JWT-token authentication by means of an authentication configuration file. The access limit setting can set the maximum access frequency of an API interface within a period of time, or the maximum access frequency of a single user IP based on the IP the request comes from. The system supports extension through front-end and rear-end processors, and user-defined front-end and rear-end processors can be configured according to actual requirements. The input parameter (entry) definition configures the rules for passing input parameters and provides non-empty checks or default value settings. The back-end service setting can set the back-end service type, the http request type, the back-end timeout, the load balancing strategy, the number of retries for a failed request, and the like. The back-end parameter setting mainly sets the mapping between front-end and back-end parameters and the system-level constant parameters. The return parameter setting can set the Content-Type of the returned data, the pass-through header values, the response returned when the connection to the back-end server fails, the response returned when the gateway's input parameter check fails, and the like.
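The access limit setting described above can be sketched as follows. This is an added example, not code from the patent or its implementation: the `AccessLimiter` class, the fixed-window counting scheme and the choice not to count rejected requests are assumptions, and the IP addresses are constructed from documentation ranges.

```python
import time
from collections import defaultdict

UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}  # units named in the text


class AccessLimiter:
    """Fixed-window limiter for one API: a total cap plus a per-client-IP cap."""

    def __init__(self, unit, api_limit, ip_limit, clock=time.time):
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unsupported unit: {unit}")
        if not 0 < ip_limit <= api_limit:
            # The page requires the IP limit to be no greater than the API limit.
            raise ValueError("ip_limit must be between 1 and api_limit")
        self.window = UNIT_SECONDS[unit]
        self.api_limit, self.ip_limit = api_limit, ip_limit
        self.clock = clock
        self.window_id = None
        self.api_count = 0
        self.ip_counts = defaultdict(int)

    def allow(self, client_ip):
        """Return True and count the request, or False if a cap is reached."""
        current = int(self.clock() // self.window)
        if current != self.window_id:  # new window: reset every counter
            self.window_id, self.api_count = current, 0
            self.ip_counts.clear()
        if self.api_count >= self.api_limit:
            return False  # API-wide cap reached; rejected requests are not counted
        if self.ip_counts[client_ip] >= self.ip_limit:
            return False  # this client alone has used up its share
        self.api_count += 1
        self.ip_counts[client_ip] += 1
        return True


def demo():
    """Constructed scenario: 5 requests per minute for the API, 2 per IP."""
    now = [0.0]
    limiter = AccessLimiter("minute", api_limit=5, ip_limit=2, clock=lambda: now[0])
    results = [limiter.allow("203.0.113.7") for _ in range(3)]  # third exceeds the IP cap
    results += [limiter.allow(f"198.51.100.{i}") for i in range(4)]  # fourth hits the API cap
    now[0] = 61.0  # move into the next one-minute window
    results.append(limiter.allow("203.0.113.7"))
    return results
```

Because the per-IP cap can never exceed the API cap, a misconfiguration that would let a single client consume more than the whole API's budget is rejected when the limiter is created rather than discovered under load.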
Specifically, an application can also add a global blacklist of client IPs; once the global blacklist is set, a request to any interface of the API gateway from an IP in the blacklist receives a no-access prompt, thereby effectively preventing malicious attacks from clients.
In summary, the high-performance scalable load balancing stream forwarding processing system of the embodiment of the invention supports visual and extensible configuration and can effectively improve system throughput and CPU utilization. It provides a number of feature-rich data stream forwarding processing logic modules that can be used as soon as they are enabled, displays the current running state of the system visually, improves the effective utilization of system resources and the customer experience, monitors the running state of the system accurately, and offers flexible and varied overall configuration. In terms of performance, the bottom connection layer of the system gateway adopts NIO multiplexing and uses a limited number of threads to handle a large number of concurrent client connection requests, which effectively addresses system throughput and CPU usage efficiency. In terms of visual configuration, the system provides a feature-rich, easy-to-use visual console interface that simplifies service configuration and effectively solves the problem of complex user configuration. In terms of service monitoring, the system provides a service monitoring interface for checking the running condition of the system. The system can therefore provide dynamic service routing, rate limiting and fault tolerance, identity authentication, security control, service monitoring, gray release of services, dynamic monitoring and similar functions; it has a wide range of application scenarios and is easy to popularize.
The above embodiments are not to be taken as limiting the scope of the invention, and any alternatives or modifications to the embodiments of the invention will be apparent to those skilled in the art and fall within the scope of the invention.
Matters not described in detail in the present application are well known to those skilled in the art.

Claims (8)

1. A high performance scalable load balancing stream forwarding processing system, said processing system comprising:
a core agent module, used for implementing the detailed API proxy logic;
a management control client module, used for providing a visual web management interface and for configuring and managing the core agent module;
wherein the core agent module takes the API as the minimum control unit and provides a series of configurable general processors for filtering and forwarding the API request flow; the general processors include a blacklist processor, a whitelist processor, an access restriction processor, a parameter check processor, a permission authentication processor, a core agent processor, and an exception processor.
2. The high performance scalable load balancing stream forwarding processing system of claim 1, wherein: the blacklist processor is used for reading a request header of the http request, obtaining the IP address of the requester, and judging from that IP address whether the requester is in the blacklist; if the requester is in the blacklist, the request is ended and an unauthorized-access status code and status information are returned;
the whitelist processor is used for reading a request header of the http request, obtaining the IP address of the requester, and judging from that IP address whether the requester is in the whitelist; if the requester is not in the whitelist, the request is ended and an unauthorized-access status code and status information are returned.
3. The high performance scalable load balancing stream forwarding processing system of claim 1, wherein: the access restriction processor is used for enabling access limiting when the API is created, and the access limit unit can be set to day, hour or minute; the access restriction processor can set an API limit and an IP limit, the IP limit being no greater than the API limit.
4. The high performance scalable load balancing stream forwarding processing system of claim 1, wherein: the parameter check processor is used for adding an input parameter (entry) definition when the API request is defined, and for checking the parameters in a request against that definition;
the permission authentication processor is used for checking the legality and validity of the token value obtained from the header of each http request; if the token fails verification, an illegal-request response is returned to the client; if the token is verified successfully, processing continues at the next processor.
5. The high performance scalable load balancing stream forwarding processing system of claim 1, wherein: the core agent processor is used for handling http stream forwarding, supports load balancing across multiple back-end URLs, and supports fusing (circuit-breaking) and reconnection mechanisms when a back end is unavailable;
when an API interface is created, multiple back-end service address URLs are filled in for the core agent processor; request weights can be set among the multiple back-end service URLs, and load balancing is performed according to the weights, either by polling the available connections or by IP hash;
when a back-end service is unavailable, the fusing logic is executed so that client requests are no longer forwarded to that back-end URL, and a timed reconnection task for the back-end URL is started at the same time; when the back-end service recovers, the fuse is released and normal forwarding is restored.
6. The high performance scalable load balancing stream forwarding processing system of claim 1, wherein: the management control client module comprises an application management component, an API management component and a monitoring statistics component; the application management component is used for dynamically adding or modifying the application; the API management component is used for configuring and managing detailed parameters of each processor of the core agent module; the monitoring statistics component is used for monitoring the current running state of the system, and can monitor running time, normal application number, normal API number, abnormal request number, global request number, HTTP processor processing number and JVM running condition.
7. The high-performance scalable load-balancing stream forwarding processing system of claim 6, wherein: the application can configure the listening service port, the HTTP service setting, the HTTPS service setting, the cross-domain setting, the request body length limit, the session keeping setting, the connection pool setting, the HttpClient extension setting and the application service extension setting, and the external service state of the whole application can be suspended and restored through pause and start operations.
8. The high-performance scalable load-balancing stream forwarding processing system of claim 4, wherein: the permission authentication processor can perform session-token authentication or JWT-token authentication;
the session-token authentication flow is as follows: before a service request is initiated, the getSessionToken service of the API gateway must be requested; after the whitelist check passes, the system generates a token and places it in the shared session storage; when the client requests an interface, the token data must be placed in userToken in the request header; after receiving the request, the API gateway obtains the userToken data from the request header and compares it with the token in the shared session storage; if the match succeeds, the interface access right is granted, and if the match fails, an authentication failure error is returned;
the JWT-token authentication flow is as follows: before a service request is initiated, the getJWTToken service of the API gateway must be requested, with the client user name and password placed in the request header; if the user name and password pass verification, the API gateway issues a unique token, and if verification fails, an authentication failure error is returned. After obtaining the token normally, the client must place the token data in userToken in the request header; after receiving the request, the API gateway obtains the userToken data from the request header and compares it with the token stored by the server; if the match succeeds, the interface access right is granted, and if the match fails, an authentication failure error is returned.
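The session-token flow of claim 8, as an added example that is not part of the patent or its implementation. The class and method names, the 401 status code, the token lifetime and the decision to keep only a SHA-256 digest of each token in the shared store are assumptions; the clock and addresses in `demo` are constructed.

```python
import hashlib
import secrets
import time

TOKEN_HEADER = "usertoken"  # the page's userToken header, lower-cased for lookup
DENIED = (401, "authentication failed")  # assumed code; the page names none


class SessionTokenGateway:
    def __init__(self, whitelist, ttl_seconds=1800, clock=time.time):
        self.whitelist = set(whitelist)
        self.ttl = ttl_seconds   # assumed lifetime; the page states none
        self.clock = clock
        self.session_store = {}  # stand-in for the shared session storage

    @staticmethod
    def _digest(token):
        # Assumption: keep only a hash, so a leaked store yields no usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def get_session_token(self, client_ip):
        """getSessionToken service: whitelist check, then issue a random token."""
        if client_ip not in self.whitelist:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.session_store[self._digest(token)] = self.clock() + self.ttl
        return token

    def authenticate(self, headers):
        """Permission authentication processor: returns (status, message)."""
        token = {k.lower(): v for k, v in headers.items()}.get(TOKEN_HEADER, "")
        key = self._digest(token)
        expiry = self.session_store.get(key)
        if expiry is None or expiry <= self.clock():
            self.session_store.pop(key, None)  # drop an expired entry, if any
            return DENIED
        return 200, "ok"


def demo():
    now = [1000.0]  # constructed clock and addresses
    gw = SessionTokenGateway({"192.0.2.10"}, ttl_seconds=60, clock=lambda: now[0])
    refused = gw.get_session_token("198.51.100.9")
    token = gw.get_session_token("192.0.2.10")
    probes = [{"userToken": token}, {"userToken": token + "x"}, {}]
    statuses = [gw.authenticate(h)[0] for h in probes]
    now[0] += 61  # past the 60-second lifetime
    statuses.append(gw.authenticate({"userToken": token})[0])
    return refused, statuses
```

Looking the token up by its digest means the gateway never compares secret strings byte by byte, and a missing, altered or expired token all produce the same failure response.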
CN202410161294.XA 2024-02-05 High-performance extensible load balancing stream forwarding processing system Pending CN118158159A (en)

Publications (1)

Publication Number Publication Date
CN118158159A true CN118158159A (en) 2024-06-07
