domain-routing.pptx

DOMAIN ROUTING USING
SPRING CLOUD GATEWAY
Ashraf Mahmoud
Software Cloud engineer at Rackspace (EGYPT)

AGENDA
Introduction
Primary goals
Host routing in spring cloud gateway
Sub domain
Custom domain
20XX
Domain routing
2

INTRODUCTION
Spring cloud gateway is api gateway that help you to
route all requests to different services based on some
request parameters , it might be .
• Headers
• Host
• Path
• Cookie
• Method
• Query
• ……
20XX Domain routing 3

PRIMARY GOALS
Building Sub domain and Custom Domain Service
Using Host routing in spring cloud gateway

PRIMARY GOALS
Think about building application like
Shopify , Zendesk , medium

SUB DOMAIN &CUSTOM
DOMAIN
Let's take Zendesk as example
It’s a customer service solution
When you signup for Zendesk It will ask you to choose your unique domain
for example, asrevo.zendesk.com
also, you could add your custom domain for example , asrevo.com
and your users will be able to login from any of those domains (asrevo.zendesk.com,
asrevo.com)

SUB DOMAIN &CUSTOM
DOMAIN
Could we build a sub domain & custom domain for our users using spring cloud
gateway ?
Answer: YES
Challenges:
• Sub domain : easy
• Custom domain : https problems

SUB DOMAIN
Spring support URI Template variables like ={sub}.{x}.{y}, www.{x}.{y}, {x}.{y}
spring:
cloud:
gateway:
routes:
- id: app-ui
uri: http://localhost:8081
predicates:
- Host=www.{x}.{y},{x}.{y}
- id: profile-ui
predicates:
- Host={sub}.{x}.{y}
- id: profile
predicates:
- Path=/profile/**

SUB DOMAIN
What is app & profile (it’s an angular nginx container ) so those are the static website
that will call beckend via rest to get dynamic content
App-ui (nginx angular ): Its main entry for your domain will work under
www.domain.com or domain.com might have logic for sign-in and sign-up for admin,
mange subscription plane , selecting unique domain , attaching your custom domain
Profile-ui (nginx angular): will serve profiles for example
https://ashraf.domain.com, https://ahmed.domain.com , https://jhone.domain.com also
custom domain https://asrevo.com , https://jone.me
Profile: backend application using spring boot responsible for calling database to save
or fetch profile data

SUB DOMAIN
Profile challenge
How our backend translate https://ashraf.domain.com or https://asrevo.com to an id and
fetch profile data for those id?
Answer: building spring cloud gateway filter that map host to id and rewrite
URL before calling backend services
For example, convert https://asrevo.com/profile/find-one
to https://asrevo.com/profile/find-one?id={value-from-cache-based-on-host}

SUB DOMAIN
Profile challenge
We decided to build a filter that will convert host to an id before sending it to backend service
Nice features to have in this filter:
1. Fetch data from in memory cache for example caffeine cache
2. Reject requests that not in your cache for example if jone.domain.com is not taken by any
of your customer reject it and don’t forward it to your backend services
Some links to help you to build your own filter
1. Writing Custom Spring Cloud Gateway Filters | Baeldung
2. Spring Cloud Gateway - Creating Custom Route Filters
(AbstractGatewayFilterFactory) – Woolha
3. Spring-Cloud-Gateway Custom Gateway Filter - SoByte

SUB DOMAIN
Cache structure
If your domain is asrevo.com
Key is your domain
Value is your id
Key Value
ashraf.asrevo.com 1
jone.asrevo.com 2

SUB DOMAIN
Profile challenge
Finally
Using DNS for example AWS route53 add A record for *.yourdomain and yourdomain to your gateway IP,
or LB
If you want support only sub domain routing not custom domain also , you can use AWS certificate
manger to generate SSL certificate for your website(*.yourdomain and yourdomain) and use AWS ALB to
point to this certificate

CUSTOM DOMAIN
what is the problem? HTTPS
when you have a website that have certificate for *.asrevo.com and asrevo.com
If you add CNAME record to ashraf.me to ashraf.asrevo.com your browser will show you a
warning that you are trying to access ashraf.me but the certificate that it received is for
*.asrevo.com not ashraf.me

CUSTOM DOMAIN

CUSTOM DOMAIN
what is the solution?
Create your own certificate manger that generate certificates for every custom
domain your customer choose.
HOW?
You could build java application that generating certificates valid for 3 months once
your client asking you to accept his custom domain using https://letsencrypt.org
and shred/acme4j library
See acme4j/acme4j-example for how to generate certificate
I created my own with DNS challenge verification its easy
You should maintain those certificate and renew them every 3 months before it
expired

CUSTOM DOMAIN
We build our certificate manger that able to issue certificate for every domain
Nice feature to have
• Store those certificate in a centralized object storage like s3
Note
We should NLB not ALB because we will handle https from spring cloud gateway server not from Load
balancer

CUSTOM DOMAIN
What are is the missing step?
Telling spring cloud gateway to retrieve the certificate from s3 for every domain
For example, when calling ashraf.me from browser it should retrieve certificate from s3 for this
domain and serve the all the requests with this certificate
And at the same time should be able to handle other domains like jone.com, ali.me at the same
time
HOW

CUSTOM DOMAIN
Building Dynamic SSL Loading using spring cloud gateway
Spring cloud gateway is built on top of reactor netty which is built on top of netty
so we will customize the server using
org.springframework.boot.web.embedded.netty.NettyServerCustomizer

CUSTOM DOMAIN
import org.springframework.boot.web.embedded.netty.NettyServerCustomizer;
import org.springframework.context.annotation.Configuration;
import reactor.netty.http.server.HttpServer;
import reactor.netty.tcp.SslProvider;
@Configuration
public class DynamicSslLoaderNettyCustomizer implements NettyServerCustomizer {
private final String fallbackHost = "asrevo.com";
@Override
public HttpServer apply(HttpServer httpServer) {
return httpServer.secure(sslContextSpec -> {
sslContextSpec.sslContext(getSslProvider(fallbackHost).getSslContext())
.setSniAsyncMappings((host, promise) -> {
return promise.setSuccess(getSslProvider(host));
});
});
} /* return SslProvider for host */
private SslProvider getSslProvider(String host) {
/*write code to get certificate from amazon s3 && write code to cache certificate for some time */
/*if host.endWith(fallbackHost) && !host.equal(fallbackHost) then host="*."+fallbackHost*/
/* if no certificate for certificate generated for this host return fallback certificate for your
fallbackHost*/
return null;
}
}

CUSTOM DOMAIN
NettyServerCustomizer
@Override
public HttpServer apply(HttpServer httpServer) {
return httpServer.secure(sslContextSpec -> {
sslContextSpec.sslContext(getSslProvider(fallbackHost).getSslContext())
.setSniAsyncMappings((host, promise) -> {
return promise.setSuccess(getSslProvider(host));
});
});
}
The main method here is the setSniAsyncMappings
Its async function that take host as parameter and return a SslProvider
This will inspect the request header and extract host from the header and pass it to function you provide to
retrieve the SSL certificate for this host
it was not existed before version ` 1.0.19` until I asked from the reactor-Netty team to provide it an idea to
support dynamic https like (caddy server) ·

CUSTOM DOMAIN
Build Effective Dynamic SSL Loading
Its mandatory to cache the SSL certificates because it was so bad to retrieve the certificate from
s3 before every request to your backend
you could use caffeine cache to cache the certificates and retrieve them from in memory cache

ABOUT ME
Ashraf Mahmoud
Sof tware cloud engineer

THANK YOU
Email: ashraf1abdelrasool@gmail.com
GitHub: ashraf-revo (ashraf) (github.com)
LinkedIn: ashraf abd el rasool | LinkedIn

domain-routing.pptx

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to domain-routing.pptx

Similar to domain-routing.pptx (20)

Recently uploaded

Recently uploaded (20)

domain-routing.pptx