端口
kong 通过多个链接实现不同的目录:
- 代理
- 管理api
- 集群
代理
kong通过nginx做前端代理处理流入的数据流:
-
8000做HTTP代理端口,可以在配置文件配置proxy_listen修改端口 -
8443做HTTPS代理端口,通过proxy_listen_ssl修改端口
管理API
-
8001端口,通过改端口管理API,应该通过防火墙限制未授权访问,通过admin_api_listen配置项修改
集群
-
7373端口,kong通过该端口与本地的集群代理连接,通过cluster_listen_rpc配置项修改,该端口只是本地使用,并不需要暴露出去 -
7946端口,kong用于集群节点之间的链接,该端口上UDP、TCP协议的流量都应该允许通过,参考cluster_listen和cluster_advertise配置项,该端口应该只对节点开放。
配置实例
假如某节点本地集群端口侦听在 192.168.23.45:7946 端口,然后通过NAT映射到 192.168.10.5:17946 ip端口,那么对应的配置项应该如下:
- cluster_advertise=192.168.10.5:17946
- cluster_listen=192.168.23.45:7946
防火墙
Below are the recommended firewall settings:
The upstream APIs behind Kong will be available on proxy_listen and proxy_listen_ssl. Configure these ports accordingly to the access level you wish to grant to the upstream APIs.
Protect admin_api_listen, and only allow trusted sources that can access the Admin API.
Allow traffic on the cluster_listen and cluster_advertise portsonly between the Kong nodes. This port is used for intra-cluster communications.
Network
Kong assumes a flat network topology in multi-datacenter setups. If you have a multi-datacenter setup, Kong nodes between the datacenters should communicate over a VPN connection.
