Transform and protect your API

This tutorial shows how to transform your API so that it does not reveal private backend information. For example, you might want to hide information about the technology stack running on the backend. You might also want to hide the original URLs that appear in the body of the API's HTTP response and instead redirect them to the APIM gateway. Stripping such details narrows what a scanner can fingerprint, but it does not fix weaknesses in the backend itself; treat it as one layer alongside patching and access control.

This tutorial also shows how easy it is to add protection for your backend API by configuring a rate limit with Azure API Management. For example, you may want to limit the number of calls to the API so that developers do not overuse it. For more information, see API Management policies.

In this tutorial, you learn how to:

  • Transform an API to strip response headers
  • Replace original URLs in the body of the API response with APIM gateway URLs
  • Protect an API by adding a rate limit policy (throttling)
  • Test the transformations


Prerequisites

Go to your API Management instance


  1. Sign in to the Azure portal.

  2. Select All services.

  3. In the search box, enter api management.

  4. In the search results, select API Management services.

  5. Select your API Management service instance.

Tip

To add API Management to your favorites in the Azure portal, select the star.

The API Management icon now appears in the left menu of the portal.

Transform an API to strip response headers

This section shows how to hide HTTP headers that you do not want to show to your users. In this example, the following headers are deleted from the HTTP response:

  • X-Powered-By
  • X-AspNet-Version

Test the original response

To see the original response:

  1. In your APIM service instance, select APIs (under API MANAGEMENT).
  2. Click Demo Conference API in your API list.
  3. Click the Test tab, on the top of the screen.
  4. Select the GetSpeakers operation.
  5. Press the Send button, at the bottom of the screen.

In the original response, the X-Powered-By and X-AspNet-Version headers are present.

Set the transformation policy


  1. Select Demo Conference API.

  2. On the top of the screen, select the Design tab.

  3. Select All operations.

  4. In the Outbound processing section, click the </> icon.

  5. Position the cursor inside the <outbound> element.

  6. In the right window, under Transformation policies, click + Set HTTP header twice (to insert two policy snippets).


  7. Modify your <outbound> code to look like this:

    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="X-AspNet-Version" exists-action="delete" />

  8. Click the Save button.

Replace original URLs in the body of the API response with APIM gateway URLs

This section shows how to hide the original URLs that appear in the body of the API's HTTP response and instead redirect them to the APIM gateway. The find-and-replace policy performs a literal substring replacement on the response body, so if the backend also emits its host with an explicit port (the complete policy at the end of this tutorial handles conferenceapi.azurewebsites.net:443 as well), list the longer pattern first; otherwise the shorter rule matches first and leaves :443 behind in the rewritten URL.

Test the original response

To see the original response:

  1. Select Demo Conference API.

  2. Click the Test tab, on the top of the screen.

  3. Select the GetSpeakers operation.

  4. Press the Send button, at the bottom of the screen.

    In the original response, the URLs in the body point at the backend host, conferenceapi.azurewebsites.net, rather than at your gateway.

Set the transformation policy

  1. Select Demo Conference API.

  2. Select All operations.

  3. On the top of the screen, select the Design tab.

  4. In the Outbound processing section, click the </> icon.

  5. Position the cursor inside the <outbound> element.

  6. In the right window, under Transformation policies, click + Find and replace string in body.

  7. Modify your find-and-replace code (in the <outbound> element) so that the replacement URL matches your APIM gateway. For example:

    <find-and-replace from="://conferenceapi.azurewebsites.net" to="://apiphany.azure-api.net/conference"/>
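
The two outbound transformations modelled locally, as an added example that is not part of the original tutorial or of API Management itself: it applies the header deletions from the previous section and the find-and-replace rules (including the :443 variant from the complete policy shown later under Test the transformations) to a constructed backend response, and shows why the longer pattern must come first. The header values and the body are made up.

```python
"""Local model of the two outbound transformations in this tutorial.

Added example: this is not code from the page or from Azure API Management;
it applies the same header-delete and find-and-replace rules as the
<outbound> policy to a constructed backend response so the effect can be
seen without a gateway. The backend headers and body below are constructed.
"""
from __future__ import annotations

# Headers the policy deletes (set-header ... exists-action="delete").
STRIPPED_HEADERS = ("X-Powered-By", "X-AspNet-Version")

# find-and-replace rules in the order the finished policy lists them:
# the variant carrying the explicit :443 port comes first.
REWRITE_RULES = [
    ("://conferenceapi.azurewebsites.net:443", "://apiphany.azure-api.net/conference"),
    ("://conferenceapi.azurewebsites.net", "://apiphany.azure-api.net/conference"),
]

# Constructed backend response, shaped like a Collection+JSON reply from
# the Demo Conference API before the gateway touches it.
BACKEND_HEADERS = {
    "Content-Type": "application/vnd.collection+json",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Date": "Mon, 01 Jan 2024 00:00:00 GMT",
}
BACKEND_BODY = (
    '{"collection":{"version":"1.0",'
    '"href":"https://conferenceapi.azurewebsites.net:443/speakers",'
    '"links":[{"rel":"sessions",'
    '"href":"https://conferenceapi.azurewebsites.net/speaker/1/sessions"}]}}'
)


def strip_headers(headers: dict[str, str], names=STRIPPED_HEADERS) -> dict[str, str]:
    """Model set-header exists-action="delete".

    Header names are case-insensitive in HTTP, so compare them case-folded;
    everything the policy does not name passes through unchanged.
    """
    doomed = {n.lower() for n in names}
    return {k: v for k, v in headers.items() if k.lower() not in doomed}


def rewrite_body(body: str, rules=REWRITE_RULES) -> str:
    """Model find-and-replace: literal substring replacement, rule by rule."""
    for old, new in rules:
        body = body.replace(old, new)
    return body


def apply_outbound(headers: dict[str, str], body: str):
    """Run the whole <outbound> section over one backend response."""
    return strip_headers(headers), rewrite_body(body)


def leaks(headers: dict[str, str], body: str,
          backend_host: str = "conferenceapi.azurewebsites.net") -> list[str]:
    """List what would still reveal the backend after the policy ran."""
    doomed = {n.lower() for n in STRIPPED_HEADERS}
    found = [k for k in headers if k.lower() in doomed]
    if backend_host in body:
        found.append("body:" + backend_host)
    return found


if __name__ == "__main__":
    hdrs, body = apply_outbound(BACKEND_HEADERS, BACKEND_BODY)
    print("leaks before policy:", leaks(BACKEND_HEADERS, BACKEND_BODY))
    print("leaks after policy: ", leaks(hdrs, body))
    print(body)
    # Why the :443 rule must come first: run the shorter pattern first and
    # the port is left behind inside the rewritten path.
    wrong = rewrite_body(BACKEND_BODY, list(reversed(REWRITE_RULES)))
    print("wrong order leaves ':443' in the path:", "conference:443/" in wrong)
```

Run it as a script to see the rewritten body and the leak list before and after the policy; the last line demonstrates the ordering problem, which is the reason the complete policy later in this tutorial lists the :443 rule before the plain one.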
    

Protect an API by adding a rate limit policy (throttling)

This section shows how to add protection for your backend API by configuring rate limits. For example, you may want to limit the number of calls to the API so that developers do not overuse it. In this example, the limit is set to 3 calls per 15 seconds for each subscription ID; after 15 seconds, a developer can call the API again. Because the counter key is the subscription ID, every caller that presents the same subscription key draws on the same quota.


  1. Select Demo Conference API.

  2. Select All operations.

  3. On the top of the screen, select the Design tab.

  4. In the Inbound processing section, click the </> icon.

  5. Position the cursor inside the <inbound> element.

  6. In the right window, under Access restriction policies, click + Limit call rate per key.

  7. Modify your rate-limit-by-key code (in the <inbound> element) to the following:

    <rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
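
A fixed-window model of this rate-limit-by-key rule, added here as an example; it is not code from the page and not API Management's own counter implementation, which the tutorial does not describe. It replays a constructed request sequence against an injectable clock so the 3-calls-per-15-seconds behaviour can be seen without waiting. The Retry-After header it returns on rejection is an assumption about what a client should receive, since the page only shows the 429 status.

```python
"""Fixed-window model of rate-limit-by-key calls="3" renewal-period="15".

Added example: this is not code from the page and not Azure API Management's
own implementation (how the gateway counts internally is not described on
the page). It reproduces the behaviour the tutorial tests: three calls per
subscription ID succeed inside a 15-second window, the next one gets 429,
and after the window renews calls succeed again. The clock is injectable so
the sequence replays deterministically; the request sequence is constructed.
"""
from __future__ import annotations

import math
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class RateLimitByKey:
    calls: int = 3                      # maximum calls per window
    renewal_period: float = 15.0        # window length in seconds
    clock: Callable[[], float] = time.monotonic
    windows: dict = field(default_factory=dict)   # key -> (window_start, count)

    def check(self, counter_key: str) -> tuple[int, dict]:
        """Admit or reject one request; returns (status, extra headers).

        The Retry-After header on rejection is an assumption about what a
        client should get back; the page only shows the 429 status.
        """
        now = self.clock()
        start, count = self.windows.get(counter_key, (now, 0))
        if now - start >= self.renewal_period:      # window expired: renew
            start, count = now, 0
        if count >= self.calls:
            self.windows[counter_key] = (start, count)
            wait = max(1, math.ceil(self.renewal_period - (now - start)))
            return 429, {"Retry-After": str(wait)}
        self.windows[counter_key] = (start, count + 1)
        return 200, {}


class FakeClock:
    """Constructed clock so the replay runs without real waiting."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def replay(events, calls=3, renewal_period=15.0):
    """Replay (key, seconds_since_start) events; return one status per event.

    The key stands in for context.Subscription.Id: every caller presenting
    the same subscription key shares one counter.
    """
    clock = FakeClock()
    limiter = RateLimitByKey(calls, renewal_period, clock)
    statuses = []
    for key, at in events:
        clock.t = at
        status, _ = limiter.check(key)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    # Constructed sequence: subscription A sends four requests in a row,
    # B sends one, then A tries again after its window has renewed.
    events = [("sub-A", 0), ("sub-A", 1), ("sub-A", 2), ("sub-A", 3),
              ("sub-B", 3), ("sub-A", 16)]
    for (key, at), status in zip(events, replay(events)):
        print(f"t={at:>2}s {key}: {status}")
```

The replay shows the point of counter-key: subscription B is untouched by A's burst, while a fourth request from A inside the window is rejected and A's request at 16 seconds is admitted again.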
    

Test the transformations

At this point, if you look at the code in the code editor, your policies look like this:

<policies>
    <inbound>
        <rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <find-and-replace from="://conferenceapi.azurewebsites.net:443" to="://apiphany.azure-api.net/conference"/>
        <find-and-replace from="://conferenceapi.azurewebsites.net" to="://apiphany.azure-api.net/conference"/>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

The rest of this section tests the policy transformations that you set in this article.

Test the stripped response headers

  1. Select Demo Conference API.

  2. Select the Test tab.

  3. Click the GetSpeakers operation.

  4. Press Send.

    The X-Powered-By and X-AspNet-Version headers no longer appear in the response.

Test the replaced URL

  1. Select Demo Conference API.

  2. Select the Test tab.

  3. Click the GetSpeakers operation.

  4. Press Send.

    The URLs in the response body now point at your APIM gateway instead of the backend.

Test the rate limit (throttling)

  1. Select Demo Conference API.

  2. Select the Test tab.

  3. Click the GetSpeakers operation.

  4. Press Send three times in a row, then once more.

    The first three requests inside a 15-second window succeed; the next one returns 429 Too Many Requests. Requests you sent in the two previous tests count as well if they fell inside the same window.

  5. Wait 15 seconds or so and press Send again. This time you should get a 200 OK response.
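
The same three checks driven from the command line against a deployed gateway, as an added example that is not part of the original tutorial. The gateway URL (built from the apiphany example above with an assumed /speakers operation path) and the subscription key are placeholders to replace, read from the APIM_URL and APIM_KEY environment variables; Ocp-Apim-Subscription-Key is the default header in which API Management expects the subscription key. The check functions take plain status codes, headers and bodies, so they can also be exercised offline on constructed data.

```python
"""Check the three policies against a deployed gateway from the command line.

Added example, not code from the page: it repeats the portal's Test-tab
checks over HTTP. GATEWAY_URL and the subscription key are placeholders
you replace with your own values (the URL follows the apiphany example in
this tutorial; the /speakers operation path is assumed).
Ocp-Apim-Subscription-Key is the default header name API Management reads
the subscription key from. The check functions are pure so they can also
be exercised on constructed data offline.
"""
import os
import time
import urllib.error
import urllib.request

GATEWAY_URL = os.environ.get("APIM_URL", "https://apiphany.azure-api.net/conference/speakers")
SUBSCRIPTION_KEY = os.environ.get("APIM_KEY", "replace-with-your-subscription-key")
STRIPPED = ("X-Powered-By", "X-AspNet-Version")
BACKEND_HOST = "conferenceapi.azurewebsites.net"
CALLS, RENEWAL_PERIOD = 3, 15


def headers_leaked(headers):
    """Names from STRIPPED still present in a response (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [h for h in STRIPPED if h.lower() in present]


def body_leaks_backend(body, host=BACKEND_HOST):
    """True if the backend host still appears anywhere in the body."""
    return host in body


def rate_limit_verdict(statuses, calls=CALLS):
    """Judge a burst of back-to-back statuses against calls-per-window.

    The first `calls` requests should be 200 and the next one 429.
    """
    if len(statuses) <= calls:
        return "inconclusive"
    head, rest = statuses[:calls], statuses[calls:]
    if all(s == 200 for s in head) and rest[0] == 429:
        return "enforced"
    if all(s == 200 for s in statuses):
        return "not enforced"
    return "unexpected"


def get(url, key):
    """One GET through the gateway; returns (status, headers, body)."""
    req = urllib.request.Request(url, headers={"Ocp-Apim-Subscription-Key": key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # a 429 is raised, not returned
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def main():
    status, hdrs, body = get(GATEWAY_URL, SUBSCRIPTION_KEY)
    print("first call:", status)
    print("leaked headers:", headers_leaked(hdrs) or "none")
    print("backend host in body:", body_leaks_backend(body))
    # The first call already counts toward the window, so send CALLS more.
    statuses = [status] + [get(GATEWAY_URL, SUBSCRIPTION_KEY)[0] for _ in range(CALLS)]
    print("burst statuses:", statuses, "->", rate_limit_verdict(statuses))
    time.sleep(RENEWAL_PERIOD + 1)
    print("after the window renews:", get(GATEWAY_URL, SUBSCRIPTION_KEY)[0])


if __name__ == "__main__":
    main()
```

Run it once the policies are saved; a verdict of "not enforced" or a non-empty leaked-header list means the corresponding policy did not take effect (for example because it was saved on a single operation rather than under All operations).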



Next steps

In this tutorial, you learned how to:

  • Transform an API to strip response headers
  • Replace original URLs in the body of the API response with APIM gateway URLs
  • Protect an API by adding a rate limit policy (throttling)
  • Test the transformations

Advance to the next tutorial: