教程:转换和保护 APITutorial: Transform and protect your API

本教程介绍如何转换 API,使其不会透露私密的后端信息。The tutorial shows how to transform your API so it does not reveal info about the private backend. 例如,你可能想要隐藏有关后端上运行的技术堆栈的信息。For example, you might want to hide the info about the technology stack that is running on the backend. 此外,还可能想要隐藏 API HTTP 响应正文中显示的原始 URL,而不是将其重定向到 APIM 网关。You might also want to hide original URLs that appear in the body of the API's HTTP response and instead redirect them to the APIM gateway.

本教程介绍如何使用 Azure API 管理配置速率限制,轻松为后端 API 添加保护。This tutorial also shows you how easy it is to add protection for your backend API by configuring a rate limit with Azure API Management. 例如,你可能想要限制 API 调用的速率,以使开发人员不会过度使用该 API。For example, you may want to limit the rate of API calls so the API isn't overused by developers. 有关详细信息,请参阅 API 管理策略For more information, see API Management policies.

在本教程中,你将了解如何执行以下操作:In this tutorial, you learn how to:

  • 转换 API 以剥离响应标头Transform an API to strip response headers
  • 将 API 响应正文中的原始 URL 替换为 APIM 网关 URLReplace original URLs in the body of the API response with APIM gateway URLs
  • 通过添加速率限制策略(限制)来保护 APIProtect an API by adding a rate limit policy (throttling)
  • 测试转换Test the transformations

门户中的策略

先决条件Prerequisites

转到你的 API 管理实例Go to your API Management instance

  1. 登录到 Azure 门户Sign in to the Azure portal.

  2. 选择“所有服务”。Select All services.

  3. 在搜索框中输入 apiIn the search box, enter api.

  4. 在搜索结果中,选择“API 管理服务”。In the search results, select API Management services.

  5. 选择自己的 API 管理服务实例。Select your API Management service instance.

提示

若要将 API 管理添加到 Azure 门户中的收藏夹,请选择星形。To add API Management to your favorites in the Azure portal, select the star.

API 管理图标The API Management icon ((API 管理图标)现在显示在门户的左侧菜单中。) now appears in the left menu in the portal.

转换 API 以剥离响应标头Transform an API to strip response headers

本部分介绍如何隐藏不想向用户显示的 HTTP 标头。This section shows how to hide the HTTP headers that you don't want to show to your users. 此示例介绍如何在 HTTP 响应中删除以下标头:This example shows how to delete the following headers in the HTTP response:

  • X-Powered-ByX-Powered-By
  • X-AspNet-VersionX-AspNet-Version

测试原始响应Test the original response

若要查看原始响应,请执行以下操作:To see the original response:

  1. 在 API 管理服务实例中,选择“API”。In your API Management service instance, select APIs.
  2. 在 API 列表中选择“演示会议 API”。Select Demo Conference API from your API list.
  3. 选择屏幕顶部的“测试”选项卡。Select the Test tab, on the top of the screen.
  4. 选择“GetSpeakers”操作,并选择“发送” 。Select the GetSpeakers operation and select Send.

原始响应应类似于以下形式:The original response should look similar to the following:

原始 API 响应

可以看到,响应包括“X-AspNet-Version”和“X-Powered-By”标头 。As you can see, the response includes the X-AspNet-Version and X-Powered-By headers.

设置转换策略Set the transformation policy

  1. 选择“演示会议 API” > “设计” > “所有操作” 。Select Demo Conference API > Design > All operations.

  2. 在“出站处理”部分,选择代码编辑器 (</>) 图标 。In the Outbound processing section, select the code editor (</>) icon.

    导航到出站策略

  3. 将光标置于“<出站>”元素内,然后选择上角的“显示片段” 。Position the cursor inside the <outbound> element and select Show snippets at the top right corner.

  4. 在右侧窗口中的“转换策略”下,选择”设置 HTTP 标头”两次(以插入两个策略片段) 。In the right window, under Transformation policies, select Set HTTP header twice (to insert two policy snippets).

    设置 HTTP 标头策略

  5. 按如下所示修改 <outbound> 代码:Modify your <outbound> code to look like this:

    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="X-AspNet-Version" exists-action="delete" />
    

    设置 HTTP 标头

  6. 选择“保存”。Select Save.

将 API 响应正文中的原始 URL 替换为 APIM 网关 URLReplace original URLs in the body of the API response with APIM gateway URLs

本部分介绍如何隐藏 API HTTP 响应正文中显示的原始 URL,而不是将其重定向到 APIM 网关。This section shows how to hide original URLs that appear in the body of the API's HTTP response and instead redirect them to the APIM gateway.

测试原始响应Test the original response

若要查看原始响应,请执行以下操作:To see the original response:

  1. 选择“演示会议 API” > “测试” 。Select Demo Conference API > Test.

  2. 选择“GetSpeakers”操作,并选择“发送” 。Select the GetSpeakers operation and select Send.

    可以看到,响应包括原始后端 URL:As you can see, the response includes the original backend URLs:

    响应中的原始 URL

设置转换策略Set the transformation policy

  1. 选择“演示会议 API” > “所有操作” > “设计” 。Select Demo Conference API > All operations > Design.
  2. 在“出站处理”部分,选择代码编辑器 (</>) 图标 。In the Outbound processing section, select the code editor (</>) icon.
  3. 将光标置于“<出站>”元素内,然后选择上角的“显示片段” 。Position the cursor inside the <outbound> element and select Show snippets at the top right corner.
  4. 在右侧窗口中的“转换策略”下,选择“在内容中屏蔽 URL” 。In the right window, under Transformation policies, select Mask URLs in content.
  5. 选择“保存”。Select Save.

通过添加速率限制策略(限制)来保护 APIProtect an API by adding rate limit policy (throttling)

本部分介绍如何通过配置速率限制来为后端 API 添加保护。This section shows how to add protection for your backend API by configuring rate limits. 例如,你可能想要限制 API 调用的速率,以使开发人员不会过度使用该 API。For example, you may want to limit the rate of API calls so that the API isn't overused by developers. 在此示例中,对每个订阅 ID 的限制设置为每 15 秒调用 3 次。In this example, the limit is set to 3 calls per 15 seconds for each subscription ID. 15 秒后,开发人员可以重试调用该 API。After 15 seconds, a developer can retry calling the API.

  1. 选择“演示会议 API” > “所有操作” > “设计” 。Select Demo Conference API > All operations > Design.

  2. 在“入站处理”部分中,选择代码编辑器 (</>) 图标 。In the Inbound processing section, select the code editor (</>) icon.

  3. 将光标置于“<>”元素内,然后选择上角的“显示片段” 。Position the cursor inside the <inbound> element and select Show snippets at the top right corner.

    设置入站策略

  4. 在右侧窗口中的“访问限制策略”下,选择“+ 限制每个键的调用速率” 。In the right window, under Access restriction policies, select + Limit call rate per key.

  5. 将 rate-limit-by-key 代码(在 <inbound> 元素中)修改为以下代码 :Modify your rate-limit-by-key code (in the <inbound> element) to the following code:

    <rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
    

测试转换Test the transformations

此时如果查看代码编辑器中的代码,则会发现策略如下所示:At this point, if you look at the code in the code editor, your policies look like this:

<policies>
   <inbound>
     <rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
     <base />
   </inbound>
   <backend>
     <base />
   </backend>
   <outbound>
     <set-header name="X-Powered-By" exists-action="delete" />
     <set-header name="X-AspNet-Version" exists-action="delete" />
     <redirect-content-urls />
     <base />
   </outbound>
   <on-error>
     <base />
   </on-error>
</policies>

本部分的余下内容介绍如何测试本文中设置的策略转换。The rest of this section tests policy transformations that you set in this article.

测试剥离响应标头Test the stripped response headers

  1. 选择“演示会议 API” > “测试” 。Select Demo Conference API > Test.

  2. 选择“GetSpeakers”操作,并选择“发送” 。Select the GetSpeakers operation and select Send.

    可以看到,标头已剥离:As you can see, the headers have been stripped:

    剥离的响应标头

测试替换 URLTest the replaced URL

  1. 选择“演示会议 API” > “测试” 。Select Demo Conference API > Test.

  2. 选择“GetSpeakers”操作,并选择“发送” 。Select the GetSpeakers operation and select Send.

    可以看到,URL 已替换。As you can see, the URL has been replaced.

    替换的 URL

测试速率限制(限制)Test the rate limit (throttling)

  1. 选择“演示会议 API” > “测试” 。Select Demo Conference API > Test.

  2. 选择“GetSpeakers”操作。Select the GetSpeakers operation. 连续选择“发送”三次。Select Send three times in a row.

    发送请求 3 次之后,会收到“429 请求过多”响应。After sending the request 3 times, you get the 429 Too many requests response.

    请求过多

  3. 等待大约 15 秒,然后再次选择“发送”。Wait 15 seconds or so and select Send again. 此时应会收到“200 正常”响应。This time you should get a 200 OK response.

后续步骤Next steps

在本教程中,你了解了如何执行以下操作:In this tutorial, you learned how to:

  • 转换 API 以剥离响应标头Transform an API to strip response headers
  • 将 API 响应正文中的原始 URL 替换为 APIM 网关 URLReplace original URLs in the body of the API response with APIM gateway URLs
  • 通过添加速率限制策略(限制)来保护 APIProtect an API by adding rate limit policy (throttling)
  • 测试转换Test the transformations

转到下一教程:Advance to the next tutorial: