Calling resource server with JWT returns HTTP 403 by way of Spring Cloud Gateway

I have two projects. Both are reactive Spring. Project one is a combination of a Javascript application and Spring Cloud Gateway for reverse proxying. The second project is a Spring resource server.
Project one proxies requests from /api/artists to project two at http://localhost:8081/v1/artists.
If I call the resource server (project two) directly with a valid JWT, the response comes back HTTP 200. If I go by way of the reverse proxy in project one, and hit http://localhost:8080/api/artists with the same JWT, I receive an HTTP 403 from project two, which propagates back through project one.
Here is my Spring Cloud Gateway configuration:
spring:
  cloud:
    gateway:
      routes:
        - id: experience-api
          uri: http://localhost:8081/v1/artists
          predicates:
            - Path=/api/artists/**
          filters:
            - TokenRelay=
The HTTP 403 indicates that while the token was valid, it must be lacking some other permission to perform the action. Though, I'm not sure why it works when I call it directly versus calling it by way of the reverse proxy/Spring Cloud Gateway.

After stepping away for a couple days, I realized that my gateway configuration was incorrect. I realized that the original configuration was proxying requests to /v1/artists/api/artists, which doesn't exist on project two, but my security configuration was set up so that /v1/** required authentication. I suspect that is why I saw an HTTP 403 Forbidden before I saw an HTTP 404 Not Found.
I ended up using the below configuration:
spring:
  cloud:
    gateway:
      routes:
        - id: experience-api
          uri: http://localhost:8081
          predicates:
            - Path=/v1/artists/**
          filters:
            - TokenRelay=
Note that I removed /v1/artists from the uri property. Now, requests to project one at http://localhost:8080/v1/artists are getting proxied to http://localhost:8081/v1/artists. I could have used the StripToken predicate filter but it wasn't as clean as this.

Related

Is there a way to route sub calls as well from spring cloud gateway routes?

I am building a Spring Cloud Gateway to act as a gateway with multiple backends. Some backends internally make a websocket call to ws://x.x.x.x:0000
user -> http://localhost:8085/ -> http://x.x.x.x:0000 -> ws://x.x.x.x:0000/websockify
If I don't explicitly set up a route for the websocket call as well, it takes localhost:8085 as the host and port from the origin server, not from http://x.x.x.x:0000.
Below is my application.yaml of Spring Cloud Gateway, and it is working. But I don't want to mention websocket_route, which is being made internally from the first route uri (http://x.x.x.x:0000), and I have other apps also internally making similar calls, so I can't set up individual routes for every app. Please help.
spring:
  cloud:
    gateway:
      routes:
        - id: inst-user1-target-77
          uri: http://x.x.x.x:0000
          predicates:
            - Path=/inst-user1-target-77/**
          filters:
            - RewritePath=/inst-user1-target-77/(?<segment>.*), /$\{segment}
        - id: websocket_route
          uri: ws://x.x.x.x:0000
          predicates:
            - Path=/websockify

Equivalent of mod_proxy_html for Spring Cloud Gateway

I'm using Spring Cloud Gateway as a reverse proxy. Behind that proxy I have an Angular Web App the code of which I can't modify.
The problem is that the webapp uses relative hyperlinks, so when accessing the proxied web app by URL http://localhost:8080/webapp/ the app omits the webapp part in its hyperlinks and the hyperlinks look like http://localhost:8080/destination/ instead of http://localhost:8080/webapp/destination. Apache Httpd has a module for it called mod_proxy_html that rewrites the paths in HTML content served by the proxy. Is there something similar in Spring Cloud Gateway, or maybe one should use reverse proxy functionality only for REST APIs?
try:
application.yml
spring:
  cloud:
    gateway:
      routes:
        - id: rewritepath_route
          uri: http://localhost:8080
          predicates:
            - Path=/destination
          filters:
            - RewritePath=/(?<segment>/?.*), /webapp/$\{segment}
https://cloud.spring.io/spring-cloud-gateway/reference/html/#the-rewritepath-gatewayfilter-factory

Spring Cloud Gateway - Remove Request Headers from All the routes but one

I am using spring cloud gateway for our application. We have a requirement to remove all the sensitive headers from all the configured routes. I have configured it as follows -
spring:
  cloud:
    gateway:
      default-filters:
        # Remove all the sensitive request headers (Cookie, Set-Cookie & Authorization) while passing request to downstream services
        - RemoveRequestHeader=Cookie
        - RemoveRequestHeader=Set-Cookie
        - RemoveRequestHeader=Authorization
This is working as expected. Now we have requirement to pass Authorization header to only one of the routes. Is there a way to configure this so that I don't have to add 3 RemoveRequestHeader in all the routes?
I have tried to add Authorization request header specifically for one route but it is not working because of ordering of routes. Once the request headers are removed, these can't be re-added.
P.S. - We were using Zuul before migrating to spring cloud gateway & it was possible to do this.
Default filters are all or nothing. To do what you want you need to add the RemoveRequestHeader to each route that needs it, omitting it from those that don't.
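
An alternative to repeating RemoveRequestHeader on every route, as an added example that is not part of the original question or answer: a custom GlobalFilter that strips the three sensitive headers and keeps Authorization only for allowlisted route ids. It would replace the default-filters entries above; the class name and the route id "token-consumer" are hypothetical.

```java
import java.util.List;
import java.util.Set;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.cloud.gateway.route.Route;
import org.springframework.cloud.gateway.support.ServerWebExchangeUtils;
import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
public class SensitiveHeaderStripFilter implements GlobalFilter, Ordered {

    // Headers never forwarded downstream, on any route.
    private static final List<String> ALWAYS_STRIPPED = List.of("Cookie", "Set-Cookie");

    // Assumption: ids of the routes allowed to receive Authorization (hypothetical id).
    private static final Set<String> AUTHORIZATION_ALLOWED_ROUTES = Set.of("token-consumer");

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        // Global filters run after route matching, so the matched route is available here.
        Route route = exchange.getAttribute(ServerWebExchangeUtils.GATEWAY_ROUTE_ATTR);
        // Fail closed: a missing or unknown route is treated as not allowlisted.
        boolean keepAuthorization = route != null
                && AUTHORIZATION_ALLOWED_ROUTES.contains(route.getId());

        ServerHttpRequest stripped = exchange.getRequest().mutate()
                .headers(headers -> {
                    ALWAYS_STRIPPED.forEach(headers::remove);
                    if (!keepAuthorization) {
                        headers.remove("Authorization");
                    }
                })
                .build();
        return chain.filter(exchange.mutate().request(stripped).build());
    }

    @Override
    public int getOrder() {
        // Run ahead of the other filters so they see the already-stripped request.
        return Ordered.HIGHEST_PRECEDENCE;
    }
}
```

Because the allowlist is keyed on route id, a newly added route has Authorization stripped by default until its id is listed explicitly.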

Spring Cloud Gateway on App engine is not routing the requests to downstream services

I am trying to deploy a simple microservice application (Spring boot) in GAE. The application has 3 services -
1. Discovery Service
2. Spring Cloud Gateway
3. Customer service
I am trying to call an API through API gateway. This works fine in local machine but getting 404 in GAE hosted application.
The URL I am using is - https://Gateway-url/customer-service/version
And corresponding YAML config is :
spring:
  cloud:
    gateway:
      routes:
        - id: customer-service
          uri: https://XXXXXX.customer-service.appspot.com/
          predicates:
            - Path=/customer-service/**
          filters:
            - StripPrefix=1
The URI configured in above code snippet is - target URL of GAE service.
So when I hit the https://Gateway-url/customer-service/version url in the browser, I am getting a 404 error, but it works if I hit the direct url https://customer-service-url/version
When I changed the API Gateway configuration in the local environment, (change uri to cloud based service uri), the issue is reproducible. So I am thinking that Gateway is not able to route the requests to App Engine Service target URL.
How can I fix this problem?
I think the problem is the url that you are using in the configuration file to route your requests.
According to the Google Cloud documentation, to call from one service to another you should use an endpoint like this
https://VERSION_ID-dot-SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com
As you can see here
https://cloud.google.com/appengine/docs/standard/java/communicating-between-services
And it seems that the url that you are using doesn't fit this.
Anyway, I think that in a serverless environment such as App Engine the best option to perform service discovery and to route requests via a gateway is using the services provided by Google. In the case of service discovery it is done automatically, and if you want a gateway you can use Google Cloud Endpoints, which have a great integration with App Engine, because this is the gateway intended to be used with these applications.

Spring cloud Gateway

I have anexo API with some endpoints, like:
localhost:8080/api/clients -> GET findall
localhost:8080/api/clients/id -> GET findByID
localhost:8080/api/clients -> POST insert a client
localhost:8080/api/clients/id -> DELETE deleteByID
How do I use Spring Cloud Gateway with those endpoints?
If you're having trouble seeing where to start you could try following the property-based example from the dzone article 'Spring Cloud Gateway - Configuring a Simple Route'. You could configure just one of your services to begin with. That example suggests creating a spring cloud gateway project from the spring initializr by selecting the 'gateway' dependency and adding a route to the application.yaml:
spring:
  cloud:
    gateway:
      routes:
        - predicates:
            - Path=/props/**
          filters:
            - StripPrefix=1
          uri: "http://httpbin.org"
So you could replace httpbin.org with localhost:8080 and replace /props/** with your path - /api/clients/**. You could test that by making an http get call and then try adding in a second service afterwards. In your case I suspect you want to remove the filter to strip the prefix as it sounds like your service is exposing an /api/clients endpoint so you'd presumably want to preserve that whole path. That's something you'd need to check.
