IPIPGO ip proxy API gateway design: RESTful interface privilege control


What can proxy IPs do when APIs collide with privilege control?

Recently, many friends who do API development have complained to me that their interfaces are constantly being called by unidentified parties. It is like leaving your security door unlocked: anyone can walk in and take things. This is where you need the golden pair of proxy IP + privilege control. The proxy IP is the equivalent of issuing a temporary access card to each visitor, and access control is the visitor list in the security guard's hands.

Take the case of one of our ipipgo customers: an e-commerce platform was being hit with more than 2,000 requests per minute from scraping bots. After adopting our dynamic proxy pool, they first filtered out suspicious traffic through IP whitelisting, and then used the token bucket algorithm to control the call frequency of each IP. Malicious requests have now dropped by 90%.

Three Tips for Interface Protection

Here are a few practical tips for the guys:

Tip #1: IP authentication

Don't naively rely on the API key alone; put a proxy IP on every request as well. It's like going to the bank, where you have to show your ID (the key) and also have your registered cell phone number checked (the IP attribution). Our ipipgo proxy service supports geographical IP allocation: North American business uses US West IPs, and domestic business is automatically switched to the Hangzhou node.

Tip #2: Traffic Limiter

I suggest a two-layer mechanism:

| Protective layer | Implementation method | Recommended configuration |
| --- | --- | --- |
| IP frequency control | Proxy IP-based sliding window counting | Single IP ≤ 50 times per minute |
| User-level control | Token bucket algorithm combined with the account system | Tokens per second = paid level x 2 |
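
The two layers above, sketched as an added example (not ipipgo's code): a per-IP sliding window of 50 requests per minute in front of a per-account token bucket refilled at paid level x 2 tokens per second. The class names and the bucket capacity (one second's worth of tokens) are assumptions.

```python
import collections

class SlidingWindowLimiter:
    """Per-IP layer: at most `limit` accepted requests in any `window` seconds."""
    def __init__(self, limit=50, window=60.0):
        self.limit, self.window = limit, window
        self.hits = collections.defaultdict(collections.deque)

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:    # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class TokenBucket:
    """Per-account layer: refilled at `rate` tokens/second, capped at `capacity`."""
    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def allow(self, now):
        elapsed = now - self.last
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class Gateway:
    def __init__(self):
        self.ip_limiter = SlidingWindowLimiter(limit=50, window=60.0)
        self.buckets = {}                         # account -> TokenBucket

    def check(self, ip, account, paid_level, now):
        """Return 'ok', 'ip_limited' or 'user_limited' for one request."""
        if not self.ip_limiter.allow(ip, now):
            return "ip_limited"
        rate = paid_level * 2                     # tokens per second = paid level x 2
        if account not in self.buckets:           # assumed capacity: one second of tokens
            self.buckets[account] = TokenBucket(rate, capacity=rate, now=now)
        return "ok" if self.buckets[account].allow(now) else "user_limited"
```

Timestamps are passed in so the behaviour is reproducible; a live gateway would pass `time.monotonic()`.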

Tip #3: Circuit breaking on anomalies

Blacklist the source immediately in any of the following situations:

- Same proxy IP changes 3 API keys in 5 seconds
- Request parameters contain SQL special characters
- Sudden 10x traffic increase from 2-5am

This is where we recommend using ipipgo's real-time IP blocking interface: when you find an anomaly, you can call the API directly to kick the problem IP out of the whitelist.
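
The three blacklist rules above as gateway-side detection logic; this is an added example, not ipipgo's blocking interface. The class name, the set of SQL special characters and the caller-supplied per-minute `rate` and `baseline` figures are assumptions.

```python
import collections

# Assumed character set; the page does not say which characters count.
SQL_SPECIALS = ("'", '"', ";", "--", "/*")

class AnomalyBreaker:
    def __init__(self, max_keys=3, key_window=5.0, surge_factor=10):
        self.max_keys, self.key_window = max_keys, key_window
        self.surge_factor = surge_factor
        self.recent = collections.defaultdict(collections.deque)  # ip -> (time, key)
        self.blacklist = {}                                        # ip -> rule that fired

    def _key_churn(self, ip, api_key, now):
        q = self.recent[ip]
        q.append((now, api_key))
        while now - q[0][0] > self.key_window:      # keep only the last 5 seconds
            q.popleft()
        return len({key for _, key in q}) >= self.max_keys

    def _sql_chars(self, params):
        return any(tok in str(v) for v in params.values() for tok in SQL_SPECIALS)

    def _night_surge(self, hour, rate, baseline):
        # rate and baseline are requests per minute, supplied by the caller's metrics
        return 2 <= hour < 5 and baseline > 0 and rate >= self.surge_factor * baseline

    def inspect(self, ip, api_key, params, now, hour, rate=0, baseline=0):
        """Return the rule that blacklists this request's IP, or None if it passes."""
        if ip in self.blacklist:
            return self.blacklist[ip]
        reason = None
        if self._key_churn(ip, api_key, now):
            reason = "key_churn"
        elif self._sql_chars(params):
            reason = "sql_chars"
        elif self._night_surge(hour, rate, baseline):
            reason = "night_surge"
        if reason:
            self.blacklist[ip] = reason
        return reason
```

The character rule also matches legitimate values such as `O'Brien`, so it complements parameterized queries on the backend rather than replacing them.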

A practical guide to avoiding pitfalls

Three common mistakes newbies make:

1. Treating the proxy IP as a master key (it actually needs to be combined with HTTPS encryption)
2. Writing permission policies into the code (they should be adjusted dynamically through the ipipgo admin backend)
3. Ignoring IP quality testing (some proxy providers' IPs have long been labeled as high risk)

Q&A

Q: Will using a proxy IP affect the API response speed?
A: If you choose the right service provider, you don't have to worry at all. With ipipgo's BGP transit line, for example, the measured latency is 15ms lower than the direct connection. Just be careful not to schedule IPs across continents; European users, for instance, should not use the Asian nodes.

Q: What is the difference between a free proxy and a paid proxy?
A: Let's put it this way: free proxies are like paper towels in a public restroom. ipipgo's commercial proxy pool has 3 million+ residential IPs, and the company has a dedicated compliance team that does audits.

Q: How do I prevent the API key from being reverse-engineered?
A: I'll teach you a trick: bind the key to the proxy IP. Even if the key is leaked, it is useless when the IP the hacker uses is not in the whitelist. ipipgo's console has this configuration option; just check the box for "joint IP-key authentication".
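
The key-to-IP binding described in Tip #1 and in the answer above, as an added example of a gateway-side check (not ipipgo's console feature). The key names, the bound networks and the trusted-proxy range are constructed sample values; the forwarded header is honoured only when the TCP peer is one of the gateway's own proxies, otherwise a caller could claim any whitelisted address.

```python
import hashlib
import hmac
import ipaddress

def _h(key):
    return hashlib.sha256(key.encode()).hexdigest()

# Assumed: address range of the gateway's own load balancers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample data: hash of each API key -> networks allowed to use it.
KEY_BINDINGS = {
    _h("demo-key-north-america"): [ipaddress.ip_network("198.51.100.0/24")],
    _h("demo-key-hangzhou"): [ipaddress.ip_network("203.0.113.16/28")],
}

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, xff_header=None):
    """Resolve the caller's IP; X-Forwarded-For counts only behind a trusted proxy."""
    peer = ipaddress.ip_address(peer_addr)
    if not xff_header or not _trusted(peer):
        return peer
    # Walk right to left: the first hop that is not ours is the real client.
    for hop in reversed(xff_header.split(",")):
        addr = ipaddress.ip_address(hop.strip())
        if not _trusted(addr):
            return addr
    return peer

def authorize(api_key, peer_addr, xff_header=None):
    """Return 'ok', 'unknown_key', 'ip_not_bound' or 'bad_address'."""
    presented = _h(api_key)
    allowed = None
    for stored, nets in KEY_BINDINGS.items():
        if hmac.compare_digest(stored, presented):   # constant-time comparison
            allowed = nets
    if allowed is None:
        return "unknown_key"
    try:
        ip = client_ip(peer_addr, xff_header)
    except ValueError:
        return "bad_address"
    return "ok" if any(ip in net for net in allowed) else "ip_not_bound"
```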

A few words from the heart

Privilege control is like putting a bulletproof vest on your APIs, and proxy IPs are the armor plates that go inside it. Don't wait until you're attacked to think about protection: use ipipgo's newcomer package now and get the first three months free! 50 Gigahertz. Their smart routing feature is a real treat, automatically avoiding flagged IP segments, which saves you a lot of work compared with manually maintaining a blacklist.

Lastly, a reminder that a permissions policy is not a one-off solution, so we recommend running a penetration test once a month. If you run into something you're unsure about, go straight to ipipgo's work order system for technical support; the engineers have dealt with all kinds of unusual attack cases and are very experienced.

This article was originally published or organized by ipipgo. https://www.ipipgo.com/en-us/ipdaili/29716.html
