Transform and protect your API

This tutorial shows how to transform an API so that it does not reveal private backend information. For example, you may want to hide details of the technology stack that runs on the backend (the X-Powered-By and X-AspNet-Version headers a default ASP.NET host emits). You may also want to hide the original backend URLs that appear in the body of the API's HTTP response and rewrite them to point at the APIM gateway, so that callers keep going through the gateway, and its policies, instead of learning the backend's address and calling it directly.

The tutorial also shows how easy it is to protect the backend API by configuring a rate limit with Azure API Management. For example, you may want to cap the number of calls a subscription can make in a given period so the API is not overused by developers. For more information, see API Management policies.

In this tutorial, you learn how to:

  • Transform an API to strip response headers
  • Replace original URLs in the body of the API response with APIM gateway URLs
  • Protect an API by adding a rate limit policy (throttling)
  • Test the transformations

Prerequisites

Go to your API Management instance

  1. Sign in to the Azure portal.

  2. Select All services.

  3. In the search box, enter api management.

  4. In the search results, select API Management services.

  5. Select your API Management service instance.

Tip

To add API Management to your favorites in the Azure portal, select the star.

The API Management icon then appears in the left menu of the portal.

Transform an API to strip response headers

This section shows how to hide HTTP headers that you do not want to expose to your users. Headers like these fingerprint the backend's framework and version, which is exactly what an attacker looks for first. In this example, the following headers are deleted from the HTTP response:

  • X-Powered-By
  • X-AspNet-Version

Test the original response

To see the original response:

  1. In your APIM service instance, select APIs (under API MANAGEMENT).
  2. Click Demo Conference API in your API list.
  3. Click the Test tab at the top of the screen.
  4. Select the GetSpeakers operation.
  5. Press the Send button at the bottom of the screen.

The original response includes the X-Powered-By and X-AspNet-Version headers. While you are here, review the full header list for any other fingerprinting headers the backend emits (Server is a common one); the policy below removes only the headers you name.

Set the transformation policy

  1. Select Demo Conference API.

  2. At the top of the screen, select the Design tab.

  3. Select All operations.

  4. In the Outbound processing section, click the </> icon.

  5. Position the cursor inside the <outbound> element.

  6. In the right window, under Transformation policies, click + Set HTTP header twice (to insert two policy snippets).

  7. Modify your <outbound> code to look like this (exists-action="delete" removes the header whenever the backend sent it, and is a no-op otherwise):

    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="X-AspNet-Version" exists-action="delete" />
    

  8. Click the Save button.

Replace original URLs in the body of the API response with APIM gateway URLs

This section shows how to hide the original backend URLs that appear in the body of the API's HTTP response and rewrite them to point at the APIM gateway. If the backend hostname leaks in the body, clients (and attackers) can follow those links straight to the backend, bypassing every policy configured in APIM.

Test the original response

To see the original response:

  1. Select Demo Conference API.

  2. Click the Test tab at the top of the screen.

  3. Select the GetSpeakers operation.

  4. Press the Send button at the bottom of the screen.

    The original response body contains links with the backend hostname, conferenceapi.azurewebsites.net.

Set the transformation policy

  1. Select Demo Conference API.

  2. Select All operations.

  3. At the top of the screen, select the Design tab.

  4. In the Outbound processing section, click the </> icon.

  5. Position the cursor inside the <outbound> element.

  6. In the right window, under Transformation policies, click + Find and replace string in body.

  7. Modify your find-and-replace code (in the <outbound> element) so that the backend host is replaced with your APIM gateway host and API path. The replacement is a plain, case-sensitive substring match, so check the original body for every form in which the host appears; if it also shows up with an explicit port (conferenceapi.azurewebsites.net:443), add a second find-and-replace for that form and place it before the bare-host one, otherwise the shorter match runs first and leaves a stray ":443" in the rewritten URL. For example:

    <find-and-replace from="://conferenceapi.azurewebsites.net" to="://apiphany.azure-api.net/conference"/>
    

Protect an API by adding a rate limit policy (throttling)

This section shows how to add protection for your backend API by configuring a rate limit. For example, you may want to cap the number of calls a subscription can make in a given period so the API is not overused by developers. In this example, the limit is set to 3 calls per 15 seconds for each subscription ID. The counter is a fixed window: it opens with the first call from that subscription and resets 15 seconds later, at which point the developer can call the API again.

  1. Select Demo Conference API.

  2. Select All operations.

  3. At the top of the screen, select the Design tab.

  4. In the Inbound processing section, click the </> icon.

  5. Position the cursor inside the <inbound> element.

  6. In the right window, under Access restriction policies, click + Limit call rate per key.

  7. Modify your rate-limit-by-key code (in the <inbound> element) to the following. The counter-key expression keys the counter on the caller's subscription ID, so each subscription gets its own 15-second window. If the API is configured to allow anonymous access, context.Subscription is null and this expression fails; in that case key on another stable caller property, such as context.Request.IpAddress, instead:

    <rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
    

Test the transformations

At this point, if you look at the code in the code editor, your policies look like this (note that the find-and-replace for the ":443" form of the host precedes the bare-host rule):

<policies>
    <inbound>
        <rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <find-and-replace from="://conferenceapi.azurewebsites.net:443" to="://apiphany.azure-api.net/conference"/>
        <find-and-replace from="://conferenceapi.azurewebsites.net" to="://apiphany.azure-api.net/conference"/>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
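To make the behaviour of the three policies concrete, the following Python script is an added example (it is not from this page and not Azure API Management's own code) that models their semantics offline: a fixed-window counter per key for rate-limit-by-key, exists-action="delete" for set-header, and ordered substring replacement for find-and-replace. The Gateway and Response classes, the subscription IDs "sub-a" and "sub-b", the injected clock and the backend JSON body are all constructed for illustration; the real gateway is not reproduced, but the scenario replays the test steps of this section and shows why rule order matters for the ":443" form of the backend host.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class RateLimitByKey:
    """Fixed-window counter mirroring
    <rate-limit-by-key calls="3" renewal-period="15" counter-key="..." />.
    Each key has its own window; it opens on the key's first call and resets
    renewal_period seconds later. `now` is injected so the example can fake time."""

    def __init__(self, calls, renewal_period, now):
        self.calls = calls
        self.renewal_period = renewal_period
        self.now = now
        self.windows = {}  # key -> (window_start, count)

    def allow(self, key):
        """Return (allowed, retry_after_seconds)."""
        t = self.now()
        start, count = self.windows.get(key, (t, 0))
        if t - start >= self.renewal_period:      # window expired: open a fresh one
            start, count = t, 0
        if count >= self.calls:                    # quota exhausted for this window
            self.windows[key] = (start, count)
            return False, math.ceil(self.renewal_period - (t - start))
        self.windows[key] = (start, count + 1)
        return True, 0


def set_header_delete(resp, name):
    """<set-header name=".." exists-action="delete" />: header names are
    case-insensitive in HTTP, so drop every casing of the name; no-op if absent."""
    for k in [k for k in resp.headers if k.lower() == name.lower()]:
        del resp.headers[k]
    return resp


def find_and_replace(resp, frm, to):
    """<find-and-replace from=".." to=".." />: plain case-sensitive substring replace."""
    resp.body = resp.body.replace(frm, to)
    return resp


def backend_get_speakers():
    """Constructed stand-in for the Demo Conference backend: leaks the stack in
    headers and its own hostname (with and without :443) in the body."""
    return Response(
        200,
        {"Content-Type": "application/json",
         "X-Powered-By": "ASP.NET",
         "X-AspNet-Version": "4.0.30319"},
        '{"self": "https://conferenceapi.azurewebsites.net:443/speakers/1",'
        ' "sessions": "https://conferenceapi.azurewebsites.net/speakers/1/sessions"}',
    )


class Gateway:
    """Applies the tutorial's inbound and outbound policies in document order."""

    BACKEND = "://conferenceapi.azurewebsites.net"
    GATEWAY = "://apiphany.azure-api.net/conference"

    def __init__(self, now):
        self.limiter = RateLimitByKey(calls=3, renewal_period=15, now=now)

    def handle(self, subscription_id):
        # <inbound>: throttle before anything reaches the backend
        allowed, retry_after = self.limiter.allow(subscription_id)
        if not allowed:
            return Response(429, {"Retry-After": str(retry_after)}, "Rate limit is exceeded")
        # <backend>
        resp = backend_get_speakers()
        # <outbound>: the ":443" rule must run before the bare-host rule, or the
        # shorter match would leave "...net/conference:443/..." in the body
        set_header_delete(resp, "X-Powered-By")
        set_header_delete(resp, "X-AspNet-Version")
        find_and_replace(resp, self.BACKEND + ":443", self.GATEWAY)
        find_and_replace(resp, self.BACKEND, self.GATEWAY)
        return resp


def run_scenario():
    """Replays the tutorial's test steps against a fake clock."""
    clock = [0.0]
    gw = Gateway(now=lambda: clock[0])
    burst = [gw.handle("sub-a").status for _ in range(4)]  # 4th call exceeds calls="3"
    other_tenant = gw.handle("sub-b").status                # separate counter per key
    clock[0] = 15.0                                         # renewal-period elapsed
    recovered = gw.handle("sub-a")
    return burst, other_tenant, recovered


if __name__ == "__main__":
    burst, other, recovered = run_scenario()
    print(burst, other, recovered.status, recovered.headers, recovered.body)
```

Swapping the two find-and-replace calls in Gateway.handle is a quick way to see the ordering problem for yourself: the "self" link then comes out as https://apiphany.azure-api.net/conference:443/speakers/1.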

The rest of this section tests the policy transformations that you set in this article.

Test the stripped response headers

  1. Select Demo Conference API.

  2. Select the Test tab.

  3. Click the GetSpeakers operation.

  4. Press Send.

    The X-Powered-By and X-AspNet-Version headers no longer appear in the response.

Test the replaced URL

  1. Select Demo Conference API.

  2. Select the Test tab.

  3. Click the GetSpeakers operation.

  4. Press Send.

    The URLs in the response body now point at the APIM gateway instead of conferenceapi.azurewebsites.net.

Test the rate limit (throttling)

  1. Select Demo Conference API.

  2. Select the Test tab.

  3. Click the GetSpeakers operation.

  4. Press Send several times in a row.

    Once three requests have been sent within the 15-second window, the next one gets a 429 Too Many Requests response. The Test console uses one subscription key, so all of its calls count against the same counter.

  5. Wait 15 seconds or so and press Send again. This time you should get a 200 OK response.

Next steps

In this tutorial, you learned how to:

  • Transform an API to strip response headers
  • Replace original URLs in the body of the API response with APIM gateway URLs
  • Protect an API by adding a rate limit policy (throttling)
  • Test the transformations

Advance to the next tutorial: