{"id":45411,"date":"2025-07-29T23:55:18","date_gmt":"2025-07-29T15:55:18","guid":{"rendered":"https:\/\/www.wsisp.com\/helps\/45411.html"},"modified":"2025-07-29T23:55:18","modified_gmt":"2025-07-29T15:55:18","slug":"%e6%9c%8d%e5%8a%a1%e5%99%a8%e9%97%b4%e6%8e%a5%e5%8f%a3%e5%ae%89%e5%85%a8%e9%97%ae%e9%a2%98%e7%9a%84%e5%85%a8%e9%9d%a2%e5%88%86%e6%9e%90","status":"publish","type":"post","link":"https:\/\/www.wsisp.com\/helps\/45411.html","title":{"rendered":"\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790"},"content":{"rendered":"<h4>\u4e00\u3001\u670d\u52a1\u5668\u63a5\u53e3\u5b89\u5168\u6838\u5fc3\u5a01\u80c1<img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/07\/20250729155515-6888eee3c5766.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/h4>\n<\/p>\n<h4>\u6587\u7ae0\u76ee\u5f55<\/h4>\n<ul>\n<li>\n<ul>\n<li>\n<ul>\n<li>**\u4e00\u3001\u670d\u52a1\u5668\u63a5\u53e3\u5b89\u5168\u6838\u5fc3\u5a01\u80c1**![\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0](https:\/\/i-blog.csdnimg.cn\/direct\/6f54698b9a22439892f0c213bc0fd1f4.png)<\/li>\n<li>**\u4e8c\u3001\u516d\u5927\u5b89\u5168\u65b9\u6848\u6df1\u5ea6\u5bf9\u6bd4**<\/li>\n<li>\n<ul>\n<li>**1. IP\u767d\u540d\u5355\u673a\u5236**<\/li>\n<li>**2. \u53cc\u5411TLS\u8ba4\u8bc1(mTLS)**<\/li>\n<li>**3. JWT\u7b7e\u540d\u8ba4\u8bc1**<\/li>\n<li>**4. OAuth2.0\u5ba2\u6237\u7aef\u51ed\u8bc1\u6d41**<\/li>\n<li>**5. API\u7f51\u5173\u7edf\u4e00\u9274\u6743**<\/li>\n<li>**6. 
\u670d\u52a1\u7f51\u683c\u5b89\u5168&#xff08;Istio\u4e3a\u4f8b&#xff09;**<\/li>\n<\/ul>\n<\/li>\n<li>**\u4e09\u3001\u6027\u80fd\u4e0e\u5b89\u5168\u6307\u6807\u5bf9\u6bd4\u8868**<\/li>\n<li>**\u56db\u3001\u8fdb\u9636\u5b89\u5168\u589e\u5f3a\u63aa\u65bd**<\/li>\n<li>**\u4e94\u3001\u573a\u666f\u5316\u65b9\u6848\u63a8\u8350**<\/li>\n<li>**\u516d\u3001\u653b\u51fb\u9632\u62a4\u5b9e\u8df5**<\/li>\n<li>**\u4e03\u3001\u6f14\u8fdb\u8d8b\u52bf**<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/07\/20250729155516-6888eee479408.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n<table>\n<tr>\u5a01\u80c1\u7c7b\u578b\u98ce\u9669\u63cf\u8ff0\u5178\u578b\u6848\u4f8b<\/tr>\n<tbody>\n<tr>\n<td>\u4e2d\u95f4\u4eba\u653b\u51fb(MITM)<\/td>\n<td>\u4f20\u8f93\u6570\u636e\u88ab\u7a83\u542c\/\u7be1\u6539<\/td>\n<td>SSLStrip\u653b\u51fb<\/td>\n<\/tr>\n<tr>\n<td>\u51ed\u8bc1\u6cc4\u9732<\/td>\n<td>API\u5bc6\u94a5\/\u4ee4\u724c\u88ab\u76d7\u7528<\/td>\n<td>GitHub API\u5bc6\u94a5\u6cc4\u6f0f\u4e8b\u4ef6<\/td>\n<\/tr>\n<tr>\n<td>\u91cd\u653e\u653b\u51fb(Replay)<\/td>\n<td>\u5408\u6cd5\u8bf7\u6c42\u88ab\u91cd\u590d\u4f7f\u7528<\/td>\n<td>\u652f\u4ed8\u63a5\u53e3\u91cd\u590d\u6263\u6b3e<\/td>\n<\/tr>\n<tr>\n<td>\u672a\u6388\u6743\u8bbf\u95ee<\/td>\n<td>\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e<\/td>\n<td>AWS S3\u6876\u914d\u7f6e\u9519\u8bef<\/td>\n<\/tr>\n<tr>\n<td>DDoS\u653b\u51fb<\/td>\n<td>\u670d\u52a1\u8d44\u6e90\u8017\u5c3d<\/td>\n<td>Memcached\u653e\u5927\u653b\u51fb<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u4e8c\u3001\u516d\u5927\u5b89\u5168\u65b9\u6848\u6df1\u5ea6\u5bf9\u6bd4<\/h4>\n<h5>1. 
IP\u767d\u540d\u5355\u673a\u5236<\/h5>\n<p><span class=\"token comment\"># Flask IP\u767d\u540d\u5355\u793a\u4f8b<\/span><br \/>\n<span class=\"token keyword\">from<\/span> flask <span class=\"token keyword\">import<\/span> request<span class=\"token punctuation\">,<\/span> abort<\/p>\n<p>ALLOWED_IPS <span class=\"token operator\">&#061;<\/span> <span class=\"token punctuation\">{<\/span><span class=\"token string\">&#039;192.168.1.0\/24&#039;<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">&#039;10.0.0.1&#039;<\/span><span class=\"token punctuation\">}<\/span><\/p>\n<p><span class=\"token decorator annotation punctuation\">&#064;app<span class=\"token punctuation\">.<\/span>before_request<\/span><br \/>\n<span class=\"token keyword\">def<\/span> <span class=\"token function\">check_ip<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span><br \/>\n    client_ip <span class=\"token operator\">&#061;<\/span> request<span class=\"token punctuation\">.<\/span>remote_addr<br \/>\n    <span class=\"token keyword\">if<\/span> <span class=\"token keyword\">not<\/span> <span class=\"token builtin\">any<\/span><span class=\"token punctuation\">(<\/span>client_ip <span class=\"token keyword\">in<\/span> network <span class=\"token keyword\">for<\/span> network <span class=\"token keyword\">in<\/span> ALLOWED_IPS<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span><br \/>\n        abort<span class=\"token punctuation\">(<\/span><span class=\"token number\">403<\/span><span class=\"token punctuation\">)<\/span>  <span class=\"token comment\"># 
Forbidden<\/span><\/p>\n<p>\u539f\u7406&#xff1a;<\/p>\n<ul>\n<li>\u7f51\u7edc\u5c42\u8fc7\u6ee4&#xff0c;\u57fa\u4e8eTCP\/IP\u5305\u5934\u6e90\u5730\u5740\u9a8c\u8bc1<\/li>\n<li>CIDR\u5757\u652f\u6301&#xff08;\u5982192.168.1.0\/24&#xff09;<\/li>\n<\/ul>\n<p>\u4f18\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u5b9e\u73b0\u7b80\u5355&#xff0c;\u6027\u80fd\u635f\u8017\u4f4e&#xff08;&lt;1ms&#xff09;<\/li>\n<li>\u6709\u6548\u9632\u5fa1\u5916\u90e8\u626b\u63cf<\/li>\n<\/ul>\n<p>\u52a3\u52bf&#xff1a;<\/p>\n<ul>\n<li>IP\u6b3a\u9a97\u98ce\u9669&#xff08;\u5982BGP\u52ab\u6301&#xff09;<\/li>\n<li>\u52a8\u6001IP\u73af\u5883\u96be\u7ef4\u62a4<\/li>\n<li>\u4e0d\u652f\u6301\u52a0\u5bc6\/\u5b8c\u6574\u6027\u6821\u9a8c<\/li>\n<\/ul>\n<hr \/>\n<p><img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/07\/20250729155516-6888eee4951b2.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n<h5>2. \u53cc\u5411TLS\u8ba4\u8bc1(mTLS)<\/h5>\n<p><span class=\"token comment\"># \u751f\u6210CA\u8bc1\u4e66<\/span><br \/>\nopenssl genrsa -out ca.key <span class=\"token number\">2048<\/span><br \/>\nopenssl req -x509 -new -key ca.key -out ca.crt -days <span class=\"token number\">365<\/span><\/p>\n<p><span class=\"token comment\"># \u751f\u6210\u670d\u52a1\u7aef\u8bc1\u4e66<\/span><br \/>\nopenssl genrsa -out server.key <span class=\"token number\">2048<\/span><br \/>\nopenssl req -new -key server.key -out server.csr<br \/>\nopenssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <span class=\"token number\">365<\/span><\/p>\n<p><span class=\"token comment\"># \u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66&#xff08;\u540c\u7406&#xff09;<\/span><\/p>\n<p>Java\u5ba2\u6237\u7aef\u5b9e\u73b0&#xff1a;<\/p>\n<p><span class=\"token class-name\">SSLContext<\/span> sslContext <span class=\"token operator\">&#061;<\/span> <span class=\"token class-name\">SSLContext<\/span><span class=\"token punctuation\">.<\/span><span class=\"token 
function\">getInstance<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#034;TLS&#034;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n<span class=\"token class-name\">KeyStore<\/span> ks <span class=\"token operator\">&#061;<\/span> <span class=\"token class-name\">KeyStore<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">getInstance<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#034;PKCS12&#034;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\nks<span class=\"token punctuation\">.<\/span><span class=\"token function\">load<\/span><span class=\"token punctuation\">(<\/span><span class=\"token keyword\">new<\/span> <span class=\"token class-name\">FileInputStream<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#034;client.p12&#034;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">&#034;password&#034;<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">toCharArray<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<p><span class=\"token class-name\">KeyManagerFactory<\/span> kmf <span class=\"token operator\">&#061;<\/span> <span class=\"token class-name\">KeyManagerFactory<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">getInstance<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#034;SunX509&#034;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\nkmf<span class=\"token punctuation\">.<\/span><span class=\"token function\">init<\/span><span class=\"token punctuation\">(<\/span>ks<span 
class=\"token punctuation\">,<\/span> <span class=\"token string\">&#034;password&#034;<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">toCharArray<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<p>sslContext<span class=\"token punctuation\">.<\/span><span class=\"token function\">init<\/span><span class=\"token punctuation\">(<\/span>kmf<span class=\"token punctuation\">.<\/span><span class=\"token function\">getKeyManagers<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token keyword\">null<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token keyword\">null<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><\/p>\n<p><span class=\"token keyword\">try<\/span> <span class=\"token punctuation\">(<\/span><span class=\"token class-name\">CloseableHttpClient<\/span> client <span class=\"token operator\">&#061;<\/span> <span class=\"token class-name\">HttpClients<\/span><span class=\"token punctuation\">.<\/span><span class=\"token function\">custom<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><br \/>\n        <span class=\"token punctuation\">.<\/span><span class=\"token function\">setSSLContext<\/span><span class=\"token punctuation\">(<\/span>sslContext<span class=\"token punctuation\">)<\/span><br \/>\n        <span class=\"token punctuation\">.<\/span><span class=\"token function\">build<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n    <span class=\"token class-name\">HttpGet<\/span> request <span class=\"token operator\">&#061;<\/span> <span 
class=\"token keyword\">new<\/span> <span class=\"token class-name\">HttpGet<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">&#034;https:\/\/server\/api&#034;<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n    <span class=\"token keyword\">return<\/span> client<span class=\"token punctuation\">.<\/span><span class=\"token function\">execute<\/span><span class=\"token punctuation\">(<\/span>request<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">;<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><\/p>\n<p>\u539f\u7406&#xff1a;<\/p>\n<ul>\n<li>\u53cc\u5411X.509\u8bc1\u4e66\u9a8c\u8bc1&#xff08;\u670d\u52a1\u7aef&#043;\u5ba2\u6237\u7aef&#xff09;<\/li>\n<li>TLS 1.3\u534f\u8bae\u52a0\u5bc6\u4f20\u8f93&#xff08;\u524d\u5411\u4fdd\u5bc6&#xff09;<\/li>\n<\/ul>\n<p>\u4f18\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u5f3a\u8eab\u4efd\u8ba4\u8bc1&#xff08;\u9632\u5192\u5145&#xff09;<\/li>\n<li>\u7aef\u5230\u7aef\u52a0\u5bc6&#xff08;AES-256&#xff09;<\/li>\n<li>\u7b26\u5408\u96f6\u4fe1\u4efb\u67b6\u6784<\/li>\n<\/ul>\n<p>\u52a3\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u8bc1\u4e66\u7ba1\u7406\u590d\u6742&#xff08;\u6709\u6548\u671f\/\u540a\u9500\u5217\u8868&#xff09;<\/li>\n<li>\u8fde\u63a5\u5efa\u7acb\u5ef6\u8fdf\u589e\u52a0&#xff08;50-100ms&#xff09;<\/li>\n<li>\u4e0d\u652f\u6301\u5e94\u7528\u7ea7\u6388\u6743<\/li>\n<\/ul>\n<hr \/>\n<p><img decoding=\"async\" src=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/07\/20250729155516-6888eee4b180a.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><\/p>\n<h5>3. 
JWT\u7b7e\u540d\u8ba4\u8bc1<\/h5>\n<p>\u4ee4\u724c\u751f\u6210&#xff1a;<\/p>\n<p><span class=\"token keyword\">import<\/span> jwt<br \/>\n<span class=\"token keyword\">from<\/span> datetime <span class=\"token keyword\">import<\/span> datetime<span class=\"token punctuation\">,<\/span> timedelta<\/p>\n<p>secret_key <span class=\"token operator\">&#061;<\/span> <span class=\"token string\">&#034;SUPER_SECRET_KEY&#034;<\/span><\/p>\n<p>payload <span class=\"token operator\">&#061;<\/span> <span class=\"token punctuation\">{<\/span><br \/>\n    <span class=\"token string\">&#034;iss&#034;<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token string\">&#034;auth_server&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n    <span class=\"token string\">&#034;aud&#034;<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token string\">&#034;api_server&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n    <span class=\"token string\">&#034;sub&#034;<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token string\">&#034;service_account&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n    <span class=\"token string\">&#034;iat&#034;<\/span><span class=\"token punctuation\">:<\/span> datetime<span class=\"token punctuation\">.<\/span>utcnow<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">,<\/span><br \/>\n    <span class=\"token string\">&#034;exp&#034;<\/span><span class=\"token punctuation\">:<\/span> datetime<span class=\"token punctuation\">.<\/span>utcnow<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token operator\">&#043;<\/span> timedelta<span class=\"token punctuation\">(<\/span>minutes<span class=\"token operator\">&#061;<\/span><span class=\"token number\">10<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">,<\/span><br 
\/>\n    <span class=\"token string\">&#034;scope&#034;<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token string\">&#034;read:data write:logs&#034;<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><\/p>\n<p>token <span class=\"token operator\">&#061;<\/span> jwt<span class=\"token punctuation\">.<\/span>encode<span class=\"token punctuation\">(<\/span>payload<span class=\"token punctuation\">,<\/span> secret_key<span class=\"token punctuation\">,<\/span> algorithm<span class=\"token operator\">&#061;<\/span><span class=\"token string\">&#034;HS256&#034;<\/span><span class=\"token punctuation\">)<\/span><\/p>\n<p>\u670d\u52a1\u7aef\u9a8c\u8bc1&#xff1a;<\/p>\n<p><span class=\"token keyword\">try<\/span><span class=\"token punctuation\">:<\/span><br \/>\n    decoded <span class=\"token operator\">&#061;<\/span> jwt<span class=\"token punctuation\">.<\/span>decode<span class=\"token punctuation\">(<\/span><br \/>\n        token<span class=\"token punctuation\">,<\/span><br \/>\n        secret_key<span class=\"token punctuation\">,<\/span><br \/>\n        algorithms<span class=\"token operator\">&#061;<\/span><span class=\"token punctuation\">[<\/span><span class=\"token string\">&#034;HS256&#034;<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">,<\/span><br \/>\n        audience<span class=\"token operator\">&#061;<\/span><span class=\"token string\">&#034;api_server&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n        issuer<span class=\"token operator\">&#061;<\/span><span class=\"token string\">&#034;auth_server&#034;<\/span><br \/>\n    <span class=\"token punctuation\">)<\/span><br \/>\n<span class=\"token keyword\">except<\/span> jwt<span class=\"token punctuation\">.<\/span>ExpiredSignatureError<span class=\"token punctuation\">:<\/span><br \/>\n    abort<span class=\"token punctuation\">(<\/span><span class=\"token number\">401<\/span><span class=\"token punctuation\">,<\/span> 
<span class=\"token string\">&#034;Token expired&#034;<\/span><span class=\"token punctuation\">)<\/span><br \/>\n<span class=\"token keyword\">except<\/span> jwt<span class=\"token punctuation\">.<\/span>InvalidTokenError<span class=\"token punctuation\">:<\/span><br \/>\n    abort<span class=\"token punctuation\">(<\/span><span class=\"token number\">401<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">&#034;Invalid token&#034;<\/span><span class=\"token punctuation\">)<\/span><\/p>\n<p>\u539f\u7406&#xff1a;<\/p>\n<ul>\n<li>Header.Payload.Signature\u4e09\u6bb5\u5f0f\u7ed3\u6784<\/li>\n<li>HMAC\u6216RSA\u7b7e\u540d\u9632\u7be1\u6539<\/li>\n<li>\u81ea\u5305\u542b\u58f0\u660e&#xff08;claims&#xff09;<\/li>\n<\/ul>\n<p>\u4f18\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u65e0\u72b6\u6001\u9a8c\u8bc1&#xff08;\u9002\u5408\u5fae\u670d\u52a1&#xff09;<\/li>\n<li>\u7ec6\u7c92\u5ea6\u6743\u9650\u63a7\u5236&#xff08;scope\u5b57\u6bb5&#xff09;<\/li>\n<li>\u8de8\u8bed\u8a00\u652f\u6301&#xff08;\u5e93\u4e30\u5bcc&#xff09;<\/li>\n<\/ul>\n<p>\u52a3\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u4ee4\u724c\u6cc4\u9732\u65e0\u6cd5\u5373\u65f6\u64a4\u9500<\/li>\n<li>\u7b97\u6cd5\u9009\u62e9\u4e0d\u5f53\u98ce\u9669&#xff08;\u5982none\u7b97\u6cd5&#xff09;<\/li>\n<li>Payload\u672a\u52a0\u5bc6\u65f6\u4fe1\u606f\u66b4\u9732<\/li>\n<\/ul>\n<hr \/>\n<h5>4. 
OAuth2.0\u5ba2\u6237\u7aef\u51ed\u8bc1\u6d41<\/h5>\n<p>  #mermaid-svg-iJkaZYSCkQW5yL61 {font-family:\\&#8221;trebuchet ms\\&#8221;,verdana,arial,sans-serif;font-size:16px;fill:#333;}#mermaid-svg-iJkaZYSCkQW5yL61 .error-icon{fill:#552222;}#mermaid-svg-iJkaZYSCkQW5yL61 .error-text{fill:#552222;stroke:#552222;}#mermaid-svg-iJkaZYSCkQW5yL61 .edge-thickness-normal{stroke-width:2px;}#mermaid-svg-iJkaZYSCkQW5yL61 .edge-thickness-thick{stroke-width:3.5px;}#mermaid-svg-iJkaZYSCkQW5yL61 .edge-pattern-solid{stroke-dasharray:0;}#mermaid-svg-iJkaZYSCkQW5yL61 .edge-pattern-dashed{stroke-dasharray:3;}#mermaid-svg-iJkaZYSCkQW5yL61 .edge-pattern-dotted{stroke-dasharray:2;}#mermaid-svg-iJkaZYSCkQW5yL61 .marker{fill:#333333;stroke:#333333;}#mermaid-svg-iJkaZYSCkQW5yL61 .marker.cross{stroke:#333333;}#mermaid-svg-iJkaZYSCkQW5yL61 svg{font-family:\\&#8221;trebuchet ms\\&#8221;,verdana,arial,sans-serif;font-size:16px;}#mermaid-svg-iJkaZYSCkQW5yL61 .actor{stroke:hsl(259.6261682243, 59.7765363128%, 87.9019607843%);fill:#ECECFF;}#mermaid-svg-iJkaZYSCkQW5yL61 text.actor&gt;tspan{fill:black;stroke:none;}#mermaid-svg-iJkaZYSCkQW5yL61 .actor-line{stroke:grey;}#mermaid-svg-iJkaZYSCkQW5yL61 .messageLine0{stroke-width:1.5;stroke-dasharray:none;stroke:#333;}#mermaid-svg-iJkaZYSCkQW5yL61 .messageLine1{stroke-width:1.5;stroke-dasharray:2,2;stroke:#333;}#mermaid-svg-iJkaZYSCkQW5yL61 #arrowhead path{fill:#333;stroke:#333;}#mermaid-svg-iJkaZYSCkQW5yL61 .sequenceNumber{fill:white;}#mermaid-svg-iJkaZYSCkQW5yL61 #sequencenumber{fill:#333;}#mermaid-svg-iJkaZYSCkQW5yL61 #crosshead path{fill:#333;stroke:#333;}#mermaid-svg-iJkaZYSCkQW5yL61 .messageText{fill:#333;stroke:#333;}#mermaid-svg-iJkaZYSCkQW5yL61 .labelBox{stroke:hsl(259.6261682243, 59.7765363128%, 87.9019607843%);fill:#ECECFF;}#mermaid-svg-iJkaZYSCkQW5yL61 .labelText,#mermaid-svg-iJkaZYSCkQW5yL61 .labelText&gt;tspan{fill:black;stroke:none;}#mermaid-svg-iJkaZYSCkQW5yL61 .loopText,#mermaid-svg-iJkaZYSCkQW5yL61 
.loopText&gt;tspan{fill:black;stroke:none;}#mermaid-svg-iJkaZYSCkQW5yL61 .loopLine{stroke-width:2px;stroke-dasharray:2,2;stroke:hsl(259.6261682243, 59.7765363128%, 87.9019607843%);fill:hsl(259.6261682243, 59.7765363128%, 87.9019607843%);}#mermaid-svg-iJkaZYSCkQW5yL61 .note{stroke:#aaaa33;fill:#fff5ad;}#mermaid-svg-iJkaZYSCkQW5yL61 .noteText,#mermaid-svg-iJkaZYSCkQW5yL61 .noteText&gt;tspan{fill:black;stroke:none;}#mermaid-svg-iJkaZYSCkQW5yL61 .activation0{fill:#f4f4f4;stroke:#666;}#mermaid-svg-iJkaZYSCkQW5yL61 .activation1{fill:#f4f4f4;stroke:#666;}#mermaid-svg-iJkaZYSCkQW5yL61 .activation2{fill:#f4f4f4;stroke:#666;}#mermaid-svg-iJkaZYSCkQW5yL61 .actorPopupMenu{position:absolute;}#mermaid-svg-iJkaZYSCkQW5yL61 .actorPopupMenuPanel{position:absolute;fill:#ECECFF;box-shadow:0px 8px 16px 0px rgba(0,0,0,0.2);filter:drop-shadow(3px 5px 2px rgb(0 0 0 \/ 0.4));}#mermaid-svg-iJkaZYSCkQW5yL61 .actor-man line{stroke:hsl(259.6261682243, 59.7765363128%, 87.9019607843%);fill:#ECECFF;}#mermaid-svg-iJkaZYSCkQW5yL61 .actor-man circle,#mermaid-svg-iJkaZYSCkQW5yL61 line{stroke:hsl(259.6261682243, 59.7765363128%, 87.9019607843%);fill:#ECECFF;stroke-width:2px;}#mermaid-svg-iJkaZYSCkQW5yL61 :root{&#8211;mermaid-font-family:\\&#8221;trebuchet ms\\&#8221;,verdana,arial,sans-serif;}<\/p>\n<p>      Client<\/p>\n<p>      Auth Server<\/p>\n<p>      Resource Server<\/p>\n<p>   1. POST \/token (client_id&#043;secret)<\/p>\n<p>   2. Access Token<\/p>\n<p>   3. API Request &#043; Token<\/p>\n<p>   4. Token\u9a8c\u8bc1<\/p>\n<p>   5. \u9a8c\u8bc1\u7ed3\u679c<\/p>\n<p>   6. 
\u8fd4\u56de\u6570\u636e<\/p>\n<p>     Client<\/p>\n<p>     Auth Server<\/p>\n<p>     Resource Server<\/p>\n<p>\u5173\u952e\u53c2\u6570&#xff1a;<\/p>\n<p>POST \/token HTTP\/1.1<br \/>\nContent-Type: application\/x-www-form-urlencoded<\/p>\n<p>grant_type&#061;client_credentials<br \/>\n&amp;client_id&#061;your_client_id<br \/>\n&amp;client_secret&#061;your_client_secret<br \/>\n&amp;scope&#061;api.read<\/p>\n<p>\u4f18\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u6807\u51c6\u5316\u534f\u8bae&#xff08;RFC6749&#xff09;<\/li>\n<li>\u4ee4\u724c\u751f\u547d\u5468\u671f\u7ba1\u7406&#xff08;\u5237\u65b0\/\u64a4\u9500&#xff09;<\/li>\n<li>\u96c6\u4e2d\u5f0f\u6743\u9650\u63a7\u5236<\/li>\n<\/ul>\n<p>\u52a3\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u4f9d\u8d56\u6388\u6743\u670d\u52a1\u5668&#xff08;\u5355\u70b9\u6545\u969c\u98ce\u9669&#xff09;<\/li>\n<li>\u914d\u7f6e\u590d\u6742\u5ea6\u9ad8<\/li>\n<li>\u9996\u6b21\u8bf7\u6c42\u5ef6\u8fdf&#xff08;\u589e\u52a0200-500ms&#xff09;<\/li>\n<\/ul>\n<hr \/>\n<h5>5. API\u7f51\u5173\u7edf\u4e00\u9274\u6743<\/h5>\n<p>\u67b6\u6784\u793a\u4f8b&#xff1a;<\/p>\n<p>[Client] \u2192 [API Gateway] \u2192 [JWT\u9a8c\u8bc1] \u2192 [Rate Limiter] \u2192 [Upstream Services]<br \/>\n                   \u2502            \u2502<br \/>\n                   \u2514\u2500[Auth Server] <\/p>\n<p>\u7f51\u5173\u529f\u80fd&#xff1a;<\/p>\n<li>\u52a8\u6001\u8def\u7531<\/li>\n<li>JWT\u9a8c\u8bc1<\/li>\n<li>\u9650\u6d41&#xff08;\u4ee4\u724c\u6876\u7b97\u6cd5&#xff09;<\/li>\n<li>\u8bf7\u6c42\u65e5\u5fd7\u5ba1\u8ba1<\/li>\n<li>\u6570\u636e\u8131\u654f<\/li>\n<p>Nginx\u914d\u7f6e\u7247\u6bb5&#xff1a;<\/p>\n<p>location \/api\/ {<br \/>\n    auth_request \/auth;<br \/>\n    proxy_pass http:\/\/upstream_servers;<br \/>\n}<\/p>\n<p>location &#061; \/auth {<br \/>\n    internal;<br \/>\n    proxy_pass http:\/\/auth_server\/validate;<br \/>\n    proxy_pass_request_body off;<br \/>\n    proxy_set_header Content-Length &#034;&#034;;<br 
\/>\n}<\/p>\n<p>\u4f18\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u5b89\u5168\u7b56\u7565\u96c6\u4e2d\u7ba1\u7406<\/li>\n<li>\u5c4f\u853d\u540e\u7aef\u670d\u52a1\u7ec6\u8282<\/li>\n<li>\u7edf\u4e00\u76d1\u63a7\u5165\u53e3<\/li>\n<\/ul>\n<p>\u52a3\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u7f51\u5173\u53ef\u80fd\u6210\u4e3a\u6027\u80fd\u74f6\u9888<\/li>\n<li>\u589e\u52a0\u7f51\u7edc\u8df3\u6570&#xff08;\u5ef6\u8fdf&#043;5-15ms&#xff09;<\/li>\n<li>\u914d\u7f6e\u9519\u8bef\u5bfc\u81f4\u5355\u70b9\u6545\u969c<\/li>\n<\/ul>\n<hr \/>\n<h5>6. \u670d\u52a1\u7f51\u683c\u5b89\u5168&#xff08;Istio\u4e3a\u4f8b&#xff09;<\/h5>\n<p>\u67b6\u6784\u6838\u5fc3&#xff1a;<\/p>\n<ul>\n<li>Sidecar\u4ee3\u7406&#xff08;Envoy&#xff09;<\/li>\n<li>mTLS\u81ea\u52a8\u7f16\u6392<\/li>\n<li>RBAC\u7b56\u7565\u5f15\u64ce<\/li>\n<\/ul>\n<p>RBAC\u7b56\u7565\u5b9a\u4e49&#xff1a;<\/p>\n<p><span class=\"token key atrule\">apiVersion<\/span><span class=\"token punctuation\">:<\/span> security.istio.io\/v1beta1<br \/>\n<span class=\"token key atrule\">kind<\/span><span class=\"token punctuation\">:<\/span> AuthorizationPolicy<br \/>\n<span class=\"token key atrule\">metadata<\/span><span class=\"token punctuation\">:<\/span><br \/>\n  <span class=\"token key atrule\">name<\/span><span class=\"token punctuation\">:<\/span> service<span class=\"token punctuation\">&#8211;<\/span>a<span class=\"token punctuation\">&#8211;<\/span>access<br \/>\n<span class=\"token key atrule\">spec<\/span><span class=\"token punctuation\">:<\/span><br \/>\n  <span class=\"token key atrule\">selector<\/span><span class=\"token punctuation\">:<\/span><br \/>\n    <span class=\"token key atrule\">matchLabels<\/span><span class=\"token punctuation\">:<\/span><br \/>\n      <span class=\"token key atrule\">app<\/span><span class=\"token punctuation\">:<\/span> service<span class=\"token punctuation\">&#8211;<\/span>b<br \/>\n  <span class=\"token key atrule\">rules<\/span><span class=\"token punctuation\">:<\/span><br \/>\n  <span class=\"token 
punctuation\">&#8211;<\/span> <span class=\"token key atrule\">from<\/span><span class=\"token punctuation\">:<\/span><br \/>\n    <span class=\"token punctuation\">&#8211;<\/span> <span class=\"token key atrule\">source<\/span><span class=\"token punctuation\">:<\/span><br \/>\n        <span class=\"token key atrule\">principals<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token string\">&#034;cluster.local\/ns\/default\/sa\/service-a&#034;<\/span><span class=\"token punctuation\">]<\/span><br \/>\n    <span class=\"token key atrule\">to<\/span><span class=\"token punctuation\">:<\/span><br \/>\n    <span class=\"token punctuation\">&#8211;<\/span> <span class=\"token key atrule\">operation<\/span><span class=\"token punctuation\">:<\/span><br \/>\n        <span class=\"token key atrule\">methods<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token string\">&#034;GET&#034;<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">&#034;POST&#034;<\/span><span class=\"token punctuation\">]<\/span><br \/>\n        <span class=\"token key atrule\">paths<\/span><span class=\"token punctuation\">:<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token string\">&#034;\/api\/v1\/*&#034;<\/span><span class=\"token punctuation\">]<\/span><\/p>\n<p>\u4f18\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u96f6\u4fe1\u4efb\u7f51\u7edc\u81ea\u52a8\u5b9e\u65bd<\/li>\n<li>\u7ec6\u7c92\u5ea6\u670d\u52a1\u95f4\u6388\u6743<\/li>\n<li>\u6d41\u91cf\u52a0\u5bc6\u900f\u660e\u5316<\/li>\n<\/ul>\n<p>\u52a3\u52bf&#xff1a;<\/p>\n<ul>\n<li>\u57fa\u7840\u8bbe\u65bd\u590d\u6742\u5ea6\u9ad8<\/li>\n<li>\u8d44\u6e90\u6d88\u8017\u589e\u52a0&#xff08;\u6bcfPod 100MB&#043;\u5185\u5b58&#xff09;<\/li>\n<li>\u5b66\u4e60\u66f2\u7ebf\u9661\u5ced<\/li>\n<\/ul>\n<hr 
\/>\n<h4>\u4e09\u3001\u6027\u80fd\u4e0e\u5b89\u5168\u6307\u6807\u5bf9\u6bd4\u8868<\/h4>\n<table>\n<tr>\u65b9\u6848\u8ba4\u8bc1\u5f3a\u5ea6\u52a0\u5bc6\u80fd\u529b\u5ef6\u8fdf\u589e\u52a0\u8fd0\u7ef4\u590d\u6742\u5ea6\u9002\u7528\u573a\u666f<\/tr>\n<tbody>\n<tr>\n<td>IP\u767d\u540d\u5355<\/td>\n<td>\u2605\u2606\u2606\u2606\u2606<\/td>\n<td>\u2718<\/td>\n<td>&lt;1ms<\/td>\n<td>\u2605\u2606\u2606\u2606\u2606<\/td>\n<td>\u5185\u90e8\u53ef\u4fe1\u7f51\u7edc<\/td>\n<\/tr>\n<tr>\n<td>mTLS<\/td>\n<td>\u2605\u2605\u2605\u2605\u2605<\/td>\n<td>\u2605\u2605\u2605\u2605\u2605<\/td>\n<td>50-100ms<\/td>\n<td>\u2605\u2605\u2605\u2606\u2606<\/td>\n<td>\u91d1\u878d\/\u533b\u7597\u7b49\u9ad8\u5b89\u5168\u8981\u6c42<\/td>\n<\/tr>\n<tr>\n<td>JWT<\/td>\n<td>\u2605\u2605\u2605\u2605\u2606<\/td>\n<td>\u53ef\u9009<\/td>\n<td>5-10ms<\/td>\n<td>\u2605\u2605\u2606\u2606\u2606<\/td>\n<td>\u65e0\u72b6\u6001API\/\u5fae\u670d\u52a1<\/td>\n<\/tr>\n<tr>\n<td>OAuth2\u5ba2\u6237\u7aef\u51ed\u8bc1<\/td>\n<td>\u2605\u2605\u2605\u2605\u2606<\/td>\n<td>\u4f9d\u8d56\u4f20\u8f93<\/td>\n<td>200-500ms<\/td>\n<td>\u2605\u2605\u2605\u2605\u2606<\/td>\n<td>\u7b2c\u4e09\u65b9\u670d\u52a1\u96c6\u6210<\/td>\n<\/tr>\n<tr>\n<td>API\u7f51\u5173<\/td>\n<td>\u2605\u2605\u2605\u2605\u2606<\/td>\n<td>\u53ef\u9009<\/td>\n<td>5-15ms<\/td>\n<td>\u2605\u2605\u2605\u2606\u2606<\/td>\n<td>\u7edf\u4e00\u5165\u53e3\u7ba1\u7406<\/td>\n<\/tr>\n<tr>\n<td>\u670d\u52a1\u7f51\u683c<\/td>\n<td>\u2605\u2605\u2605\u2605\u2605<\/td>\n<td>\u2605\u2605\u2605\u2605\u2605<\/td>\n<td>10-20ms<\/td>\n<td>\u2605\u2605\u2605\u2605\u2605<\/td>\n<td>\u4e91\u539f\u751f\u67b6\u6784<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4>\u56db\u3001\u8fdb\u9636\u5b89\u5168\u589e\u5f3a\u63aa\u65bd<\/h4>\n<li>\n<p>\u8bf7\u6c42\u7b7e\u540d(HTTP Signatures)<\/p>\n<p> POST \/data HTTP\/1.1<br \/>\nHost: api.example.com<br \/>\nSignature: keyId&#061;&#034;client1&#034;,algorithm&#061;&#034;rsa-sha256&#034;,headers&#061;&#034;(request-target) 
date&#034;,signature&#061;&#034;Base64(RSA-SHA256(&#8230;))&#034;<br \/>\nDate: Tue, 20 Jun 2023 12:00:00 GMT<\/p>\n<ul>\n<li>\u9632\u6b62\u8bf7\u6c42\u7be1\u6539<\/li>\n<li>\u652f\u6301\u8bf7\u6c42\u65f6\u6548\u9a8c\u8bc1<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>\u52a8\u6001\u51ed\u8bc1\u8f6e\u8f6c<\/p>\n<ul>\n<li>\u81ea\u52a8\u5316\u5b9a\u671f\u66f4\u65b0\u5bc6\u94a5&#xff08;\u5982Hashicorp Vault\u52a8\u6001\u5bc6\u94a5&#xff09;<\/li>\n<li>\u6700\u5c0f\u5316\u51ed\u8bc1\u6cc4\u9732\u5f71\u54cd\u8303\u56f4<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>\u5ba1\u8ba1\u65e5\u5fd7\u6807\u51c6\u5316<\/p>\n<p> <span class=\"token punctuation\">{<\/span><br \/>\n  <span class=\"token string\">&#034;timestamp&#034;<\/span><span class=\"token operator\">:<\/span> <span class=\"token string\">&#034;2023-06-20T12:00:00Z&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n  <span class=\"token string\">&#034;client_ip&#034;<\/span><span class=\"token operator\">:<\/span> <span class=\"token string\">&#034;192.168.1.100&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n  <span class=\"token string\">&#034;user_agent&#034;<\/span><span class=\"token operator\">:<\/span> <span class=\"token string\">&#034;API-Client\/1.0&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n  <span class=\"token string\">&#034;endpoint&#034;<\/span><span class=\"token operator\">:<\/span> <span class=\"token string\">&#034;\/api\/v1\/users&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n  <span class=\"token string\">&#034;status_code&#034;<\/span><span class=\"token operator\">:<\/span> <span class=\"token number\">200<\/span><span class=\"token punctuation\">,<\/span><br \/>\n  <span class=\"token string\">&#034;request_id&#034;<\/span><span class=\"token operator\">:<\/span> <span class=\"token string\">&#034;a1b2c3d4&#034;<\/span><span class=\"token punctuation\">,<\/span><br \/>\n  <span class=\"token string\">&#034;latency_ms&#034;<\/span><span class=\"token 
operator\">:<\/span> <span class=\"token number\">45<\/span><br \/>\n<span class=\"token punctuation\">}<\/span><\/p>\n<ul>\n<li>\u6ee1\u8db3GDPR\/SOC2\u5408\u89c4\u8981\u6c42<\/li>\n<li>\u652f\u6301\u5f02\u5e38\u884c\u4e3a\u5206\u6790<\/li>\n<\/ul>\n<\/li>\n<hr \/>\n<h4>\u4e94\u3001\u573a\u666f\u5316\u65b9\u6848\u63a8\u8350<\/h4>\n<li>\n<p>\u91d1\u878d\u652f\u4ed8\u7cfb\u7edf mTLS &#043; JWT\u7ec6\u7c92\u5ea6\u6388\u6743 &#043; \u786c\u4ef6\u5b89\u5168\u6a21\u5757(HSM)<\/p>\n<ul>\n<li>\u6bcf\u7b14\u4ea4\u6613\u72ec\u7acbJWT&#xff08;\u77ed\u6709\u6548\u671f&#xff09;<\/li>\n<li>\u79c1\u94a5\u5b58\u50a8\u5728HSM\u4e2d<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>\u7269\u8054\u7f51\u8bbe\u5907\u901a\u4fe1 \u8bc1\u4e66\u9884\u7f6e(PKI) &#043; MQTT over TLS &#043; \u79bb\u7ebf\u540a\u9500\u5217\u8868(OCSP Stapling)<\/p>\n<ul>\n<li>\u8bbe\u5907\u552f\u4e00\u8bc1\u4e66<\/li>\n<li>\u8f7b\u91cf\u7ea7MQTT\u534f\u8bae<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>\u5fae\u670d\u52a1\u67b6\u6784 \u670d\u52a1\u7f51\u683c(Istio) &#043; OPA\u7b56\u7565\u5f15\u64ce &#043; \u5206\u5e03\u5f0f\u8ffd\u8e2a<\/p>\n<p> # OPA\u7b56\u7565\u793a\u4f8b<br \/>\ndefault allow &#061; false<br \/>\nallow {<br \/>\n    input.method &#061;&#061; &#034;GET&#034;<br \/>\n    input.path &#061; &#034;\/api\/v1\/products&#034;<br \/>\n    token.payload.scope[_] &#061;&#061; &#034;read:products&#034;<br \/>\n}\n <\/li>\n<hr \/>\n<h4>\u516d\u3001\u653b\u51fb\u9632\u62a4\u5b9e\u8df5<\/h4>\n<li>\n<p>\u91cd\u653e\u653b\u51fb\u9632\u5fa1<\/p>\n<ul>\n<li>Nonce\u673a\u5236&#xff08;\u4e00\u6b21\u6027\u968f\u673a\u6570&#xff09;<\/li>\n<\/ul>\n<p> SETEX nonce:${nonce} 60 1  # \u8bbe\u7f6e60\u79d2\u8fc7\u671f\n <\/li>\n<li>\n<p>DDoS\u7f13\u89e3<\/p>\n<p> http {<br \/>\n  limit_req_zone $binary_remote_addr zone&#061;api_zone:10m rate&#061;100r\/s;<\/p>\n<p>  server {<br \/>\n    location \/api\/ {<br \/>\n      limit_req zone&#061;api_zone burst&#061;50 nodelay;<br \/>\n    }<br \/>\n  }<br \/>\n}\n 
<\/li>\n<li>\n<p>\u6ce8\u5165\u653b\u51fb\u9632\u62a4<\/p>\n<ul>\n<li>严格 Content-Type 检查（只接受 application\/json，拒绝 text\/xml 等非预期类型，避免触发 XML 解析及 XXE）<\/li>\n<li>输入输出编码（JSON 反序列化及对象合并时拒绝 __proto__、constructor、prototype 等键，防止原型污染）<\/li>\n<\/ul>\n<\/li>\n<hr \/>\n<h4>\u4e03\u3001\u6f14\u8fdb\u8d8b\u52bf<\/h4>\n<li>\n<p>\u91cf\u5b50\u5b89\u5168\u5bc6\u7801\u5b66<\/p>\n<ul>\n<li>迁移至抗量子算法（CRYSTALS-Kyber，NIST 已标准化为 ML-KEM\/FIPS 203；SPHINCS+，已标准化为 SLH-DSA\/FIPS 205），并先盘点 mTLS 与 JWT 所用算法以保证可替换<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>\u96f6\u4fe1\u4efb\u67b6\u6784\u6269\u5c55<\/p>\n<ul>\n<li>\u6301\u7eed\u8eab\u4efd\u9a8c\u8bc1&#xff08;BeyondCorp Enterprise&#xff09;<\/li>\n<li>\u57fa\u4e8eAI\u7684\u5f02\u5e38\u68c0\u6d4b<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>\u673a\u5bc6\u8ba1\u7b97<\/p>\n<ul>\n<li>Intel SGX \/ AMD SEV\u5185\u5b58\u52a0\u5bc6<\/li>\n<li>确保使用中数据安全（需配合远程证明，调用方才能确认对端代码确实运行于可信执行环境）<\/li>\n<\/ul>\n<\/li>\n<p>\u7ec8\u6781\u5efa\u8bae&#xff1a;\u91c7\u7528\u6df1\u5ea6\u9632\u5fa1\u7b56\u7565&#xff0c;\u7ec4\u5408mTLS&#xff08;\u4f20\u8f93\u5c42&#xff09;&#043;JWT&#xff08;\u5e94\u7528\u5c42&#xff09;&#043;\u7f51\u5173\u5ba1\u8ba1&#xff08;\u76d1\u63a7\u5c42&#xff09;&#xff0c;\u5e76\u5b9a\u671f\u8fdb\u884c\u6e17\u900f\u6d4b\u8bd5&#xff08;\u5efa\u8bae\u4f7f\u7528Burp Suite Enterprise&#043;OWASP ZAP\u7ec4\u5408\u626b\u63cf&#xff09;\u3002<\/p>\n<p>\u6240\u6709\u65b9\u6848\u9700\u914d\u5957\u5b9e\u65bd&#xff1a;<\/p>\n<ul>\n<li>\u5bc6\u94a5\u7ba1\u7406\u7cfb\u7edf&#xff08;KMS&#xff09;<\/li>\n<li>\u5b89\u5168\u5f00\u53d1\u751f\u547d\u5468\u671f&#xff08;SDL&#xff09;<\/li>\n<li>\u5b9e\u65f6\u5165\u4fb5\u68c0\u6d4b&#xff08;\u5982Falco&#xff09;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb1k\u6b21\uff0c\u70b9\u8d5e51\u6b21\uff0c\u6536\u85cf31\u6b21\u3002\u670d\u52a1\u5668\u63a5\u53e3\u5b89\u5168\u89e3\u51b3\u65b9\u6848\u5bf9\u6bd4 
\u672c\u6587\u5206\u6790\u4e86\u516d\u79cd\u670d\u52a1\u5668\u63a5\u53e3\u5b89\u5168\u65b9\u6848\u7684\u6838\u5fc3\u7279\u70b9\u4e0e\u9002\u7528\u573a\u666f\uff1a IP\u767d\u540d\u5355\uff1a\u7b80\u5355\u9ad8\u6548\u4f46\u6613\u53d7IP\u6b3a\u9a97\u5f71\u54cd \u53cc\u5411TLS\uff1a\u5f3a\u8eab\u4efd\u8ba4\u8bc1\u4f46\u8bc1\u4e66\u7ba1\u7406\u590d\u6742 JWT\u7b7e\u540d\uff1a\u65e0\u72b6\u6001\u9a8c\u8bc1\u4f46\u5b58\u5728\u4ee4\u724c\u6cc4\u9732\u98ce\u9669 OAuth2.0\uff1a\u6807\u51c6\u5316\u6d41\u7a0b\u4f46\u914d\u7f6e\u590d\u6742 API\u7f51\u5173\uff1a\u96c6\u4e2d\u7ba1\u63a7\u4f46\u53ef\u80fd\u6210\u4e3a\u6027\u80fd\u74f6\u9888 \u670d\u52a1\u7f51\u683c\uff1a\u81ea\u52a8\u5b89\u5168\u7f16\u6392\u4f46\u67b6\u6784\u590d\u6742 \u5178\u578b\u5b89\u5168\u5a01\u80c1\u5305\u62ec\u4e2d\u95f4\u4eba\u653b\u51fb\u3001\u51ed\u8bc1\u6cc4\u9732\u7b49\uff0c\u65b9\u6848\u9009\u62e9\u9700\u5e73\u8861\u5b89\u5168\u6027\u3001\u6027\u80fd\u4e0e\u8fd0\u7ef4\u6210\u672c\u3002\u5efa\u8bae\u9ad8\u654f\u611f\u573a\u666f\u91c7\u7528mTLS+JWT\u7ec4\u5408\uff0c\u5fae\u670d\u52a1\u67b6\u6784\u4f18\u5148\u8003\u8651API\u7f51\u5173\u6216\u670d\u52a1\u7f51\u683c\u65b9\u6848\u3002<\/p>\n","protected":false},"author":2,"featured_media":45407,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[895,128,4295,1717,847,61,43,44],"topic":[],"class_list":["post-45411","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-server","tag-net","tag-api","tag-jwt","tag-token","tag-847","tag-61","tag-43","tag-44"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, 
max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.wsisp.com\/helps\/45411.html\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"og:description\" content=\"\u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb1k\u6b21\uff0c\u70b9\u8d5e51\u6b21\uff0c\u6536\u85cf31\u6b21\u3002\u670d\u52a1\u5668\u63a5\u53e3\u5b89\u5168\u89e3\u51b3\u65b9\u6848\u5bf9\u6bd4 \u672c\u6587\u5206\u6790\u4e86\u516d\u79cd\u670d\u52a1\u5668\u63a5\u53e3\u5b89\u5168\u65b9\u6848\u7684\u6838\u5fc3\u7279\u70b9\u4e0e\u9002\u7528\u573a\u666f\uff1a IP\u767d\u540d\u5355\uff1a\u7b80\u5355\u9ad8\u6548\u4f46\u6613\u53d7IP\u6b3a\u9a97\u5f71\u54cd \u53cc\u5411TLS\uff1a\u5f3a\u8eab\u4efd\u8ba4\u8bc1\u4f46\u8bc1\u4e66\u7ba1\u7406\u590d\u6742 JWT\u7b7e\u540d\uff1a\u65e0\u72b6\u6001\u9a8c\u8bc1\u4f46\u5b58\u5728\u4ee4\u724c\u6cc4\u9732\u98ce\u9669 OAuth2.0\uff1a\u6807\u51c6\u5316\u6d41\u7a0b\u4f46\u914d\u7f6e\u590d\u6742 API\u7f51\u5173\uff1a\u96c6\u4e2d\u7ba1\u63a7\u4f46\u53ef\u80fd\u6210\u4e3a\u6027\u80fd\u74f6\u9888 \u670d\u52a1\u7f51\u683c\uff1a\u81ea\u52a8\u5b89\u5168\u7f16\u6392\u4f46\u67b6\u6784\u590d\u6742 \u5178\u578b\u5b89\u5168\u5a01\u80c1\u5305\u62ec\u4e2d\u95f4\u4eba\u653b\u51fb\u3001\u51ed\u8bc1\u6cc4\u9732\u7b49\uff0c\u65b9\u6848\u9009\u62e9\u9700\u5e73\u8861\u5b89\u5168\u6027\u3001\u6027\u80fd\u4e0e\u8fd0\u7ef4\u6210\u672c\u3002\u5efa\u8bae\u9ad8\u654f\u611f\u573a\u666f\u91c7\u7528mTLS+JWT\u7ec4\u5408\uff0c\u5fae\u670d\u52a1\u67b6\u6784\u4f18\u5148\u8003\u8651API\u7f51\u5173\u6216\u670d\u52a1\u7f51\u683c\u65b9\u6848\u3002\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.wsisp.com\/helps\/45411.html\" \/>\n<meta property=\"og:site_name\" content=\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta 
property=\"article:published_time\" content=\"2025-07-29T15:55:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/07\/20250729155515-6888eee3c5766.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/45411.html\",\"url\":\"https:\/\/www.wsisp.com\/helps\/45411.html\",\"name\":\"\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"isPartOf\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\"},\"datePublished\":\"2025-07-29T15:55:18+00:00\",\"dateModified\":\"2025-07-29T15:55:18+00:00\",\"author\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/45411.html#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.wsisp.com\/helps\/45411.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/45411.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.wsisp.com\/helps\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\",\"url\":\"https:\/\/www.wsisp.com\/helps\/\",\"name\":\"\u7f51\u78
55\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"description\":\"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"contentUrl\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"caption\":\"admin\"},\"sameAs\":[\"http:\/\/wp.wsisp.com\"],\"url\":\"https:\/\/www.wsisp.com\/helps\/author\/admin\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.wsisp.com\/helps\/45411.html","og_locale":"zh_CN","og_type":"article","og_title":"\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","og_description":"\u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb1k\u6b21\uff0c\u70b9\u8d5e51\u6b21\uff0c\u6536\u85cf31\u6b21\u3002\u670d\u52a1\u5668\u63a5\u53e3\u5b89\u5168\u89e3\u51b3\u65b9\u6848\u5bf9\u6bd4 \u672c\u6587\u5206\u6790\u4e86\u516d\u79cd\u670d\u52a1\u5668\u63a5\u53e3\u5b89\u5168\u65b9\u6848\u7684\u6838\u5fc3\u7279\u70b9\u4e0e\u9002\u7528\u573a\u666f\uff1a IP\u767d\u540d\u5355\uff1a\u7b80\u5355\u9ad8\u6548\u4f46\u6613\u53d7IP\u6b3a\u9a97\u5f71\u54cd \u53cc\u5411TLS\uff1a\u5f3a\u8eab\u4efd\u8ba4\u8bc1\u4f46\u8bc1\u4e66\u7ba1\u7406\u590d\u6742 JWT\u7b7e\u540d\uff1a\u65e0\u72b6\u6001\u9a8c\u8bc1\u4f46\u5b58\u5728\u4ee4\u724c\u6cc4\u9732\u98ce\u9669 OAuth2.0\uff1a\u6807\u51c6\u5316\u6d41\u7a0b\u4f46\u914d\u7f6e\u590d\u6742 API\u7f51\u5173\uff1a\u96c6\u4e2d\u7ba1\u63a7\u4f46\u53ef\u80fd\u6210\u4e3a\u6027\u80fd\u74f6\u9888 \u670d\u52a1\u7f51\u683c\uff1a\u81ea\u52a8\u5b89\u5168\u7f16\u6392\u4f46\u67b6\u6784\u590d\u6742 
\u5178\u578b\u5b89\u5168\u5a01\u80c1\u5305\u62ec\u4e2d\u95f4\u4eba\u653b\u51fb\u3001\u51ed\u8bc1\u6cc4\u9732\u7b49\uff0c\u65b9\u6848\u9009\u62e9\u9700\u5e73\u8861\u5b89\u5168\u6027\u3001\u6027\u80fd\u4e0e\u8fd0\u7ef4\u6210\u672c\u3002\u5efa\u8bae\u9ad8\u654f\u611f\u573a\u666f\u91c7\u7528mTLS+JWT\u7ec4\u5408\uff0c\u5fae\u670d\u52a1\u67b6\u6784\u4f18\u5148\u8003\u8651API\u7f51\u5173\u6216\u670d\u52a1\u7f51\u683c\u65b9\u6848\u3002","og_url":"https:\/\/www.wsisp.com\/helps\/45411.html","og_site_name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","article_published_time":"2025-07-29T15:55:18+00:00","og_image":[{"url":"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/07\/20250729155515-6888eee3c5766.png"}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"admin","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"5 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.wsisp.com\/helps\/45411.html","url":"https:\/\/www.wsisp.com\/helps\/45411.html","name":"\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790 - 
\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","isPartOf":{"@id":"https:\/\/www.wsisp.com\/helps\/#website"},"datePublished":"2025-07-29T15:55:18+00:00","dateModified":"2025-07-29T15:55:18+00:00","author":{"@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41"},"breadcrumb":{"@id":"https:\/\/www.wsisp.com\/helps\/45411.html#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.wsisp.com\/helps\/45411.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.wsisp.com\/helps\/45411.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.wsisp.com\/helps"},{"@type":"ListItem","position":2,"name":"\u670d\u52a1\u5668\u95f4\u63a5\u53e3\u5b89\u5168\u95ee\u9898\u7684\u5168\u9762\u5206\u6790"}]},{"@type":"WebSite","@id":"https:\/\/www.wsisp.com\/helps\/#website","url":"https:\/\/www.wsisp.com\/helps\/","name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","description":"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"Person","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41","name":"admin","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/","url":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","contentUrl":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","caption":"admin"},"sameAs":["http:\/\/wp.wsisp.com"],"url":"https:\/\/www.wsisp.com\/helps\/author\/admin"}]}},"_links":{"self":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/45411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/comments?post=45411"}],"version-history":[{"count":0,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/45411\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media\/45407"}],"wp:attachment":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media?parent=45411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/categories?post=45411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/tags?post=45411"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/topic?post=45411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}