Document Center
edit-icon download-icon

1. Use a proxy to handle floating IP address issues

Last Updated: Oct 23, 2018

This section introduces how to use function A to access a service configured with access control and use function B to access a third-party service with access control.

Function A uses HTTP triggers to receive a request from external users, and then access function B to obtain the protected resources while processing the request. If function A obtains the resources, it proceeds to process the request. Otherwise, it stops.

Function B also uses HTTP triggers. Function B uses a whitelist to authenticate visitors and returns the requested resources when the visitors are validated. If the visitors fail to pass the authentication, an authentication error is returned.

Use ECS to build a proxy server and use NGINX to provide the proxy service.

Create functions for services A and B

  1. Log on to Function Compute console.

  2. See Service operation to create service A and service B.

  3. In the left-side navigation pane, click and enter the corresponding service page.

  4. Click Create Function in the service, go to the function creation page and perform the following tasks:

    1. Click Select All and choose Python2.7 from the drop-down list. All code in this example is based on Python.

    2. Select Empty Function.

    3. Select No Trigger.

    4. Create the function and specify the service name, function name, description, and runtime.

    5. Click Next.

    6. Make sure that all information is correct and then click Create.

  5. Write code.

    • Function A is created by using an HTTP trigger. You can directly copy the following code to function A and then click Save.

    • Function B is created by using the Django framework. Therefore, you must use command-line tool fcli or Python SDK to upload the code package. You can also use Object Storage Service (OSS) or directly upload a ZIP file.

  6. Create an HTTP trigger for both function A and function B.

If you have any issues during HTTP trigger creation, reference the document Samples of HTTP triggers.

Now service A and service B are successfully built. However, you cannot use service A to call service B to obtain permissions because the whitelist in function B only contains the public IP address of the proxy server. The following shows the content of functions A and B.

Write function A

Function A is triggered by using an HTTP trigger.

Write function

Function sample descriptions:

  • A handler is a function that the system can run when executing the code. It contains the logic for simulating the results of invoking function B with and without using the proxy.

  • get_data_by_url contains the logic for invoking function B.

  • my_http_request is used to send HTTP requests through the proxy.

  1. # -*- coding: utf-8 -*-
  2. import logging
  3. import urllib, urllib2, sys
  4. import ssl
  5. import json
  7. # Proxy service address
  8. proxy_address = 'ip:port'
  10. # Function B service address
  11. data_service_host = 'https://{id}.{region}.fc.aliyuncs.com'
  12. data_service_path = '/service/path'
  14. def handler(environ, start_response):
  15.     """
  16.     entrance
  17.     """
  18.     url = data_service_host + data_service_path
  19.     # Use a proxy
  20.     proxy_result = get_data_by_url(url, proxy_address)
  21.     # Not use a proxy
  22.     normal_result = get_data_by_url(url, None)
  23.     # Return and display the results of getting data with and without the proxy
  24.     result = {
  25.         "query_with_proxy_result": proxy_result,
  26.         "query_without_proxy_result": normal_result
  27.     }
  29.     status = '200 OK'
  30.     response_headers = [('Content-type', 'text/json')]
  31.     start_response(status, response_headers)
  32.     return json.dumps(result)
  34. def get_data_by_url(url, proxy):
  35.     """
  36.     Encapsulate user requests
  37.     """
  38.     result = {
  39.         "success": False,
  40.         "secret_data": '',
  41.         "data_service_raw_data": {}
  42.     }
  44.     content = my_http_request(url, proxy)
  45.     if content:
  46.       content = json.loads(content)
  48.     result["data_service_raw_data"] = content
  50.     # Simulate requested data processing
  51.     if "authorized" in content and content["authorized"]:
  52.         result["success"] = True
  53.         result["secret_data"] = content["protected_data"]
  55.     return result
  57. def my_http_request(url, proxy=None):
  58.     """
  59.     Request with proxy information
  60.     """
  61.     try:
  62.         ret = None
  63.         socket_fd = None
  64.         request = urllib2.Request(url)
  65.         request.add_header('User-Agent', 'Fake_browser/1.0')
  66.         if proxy:
  67.             request.set_proxy(proxy, 'http')
  68.         opener = urllib2.build_opener()
  69.         socket_fd = opener.open(request)
  70.         ret = socket_fd.read()
  71.     except Exception as e:
  72.         ret = json.dumps({"info": "exception in proxy query: %s" % e})
  73.     finally:
  74.         if socket_fd:
  75.             socket_fd.close()
  76.     return ret

Write function B

In function B, use Django to build a Web service and set a whitelist for authentication. Data is returned only when the visitors pass the authentication. The structure of the code is as follows:

  1. project/
  2. ├── lib
  3.    ├── Django-1.11.13.dist-info
  4.    ├── django
  5.    ├── pytz
  6.    └── pytz-2018.4.dist-info
  7. ├── main.py
  8. └── src
  9.     ├── __init__.py
  10.     ├── bin
  11.        ├── __init__.py
  12.        └── manage.py
  13.     ├── conf
  14.        ├── __init__.py
  15.        ├── settings.py
  16.        ├── urls.py
  17.        └── wsgi.py
  18.     ├── data
  19.     └── views
  20.           ├── __init__.py
  21.           └── view.py

The code shows the structure of the code package.

Write function

  1. Function entry
  1. #!/usr/bin/env python
  2. # coding=utf-8
  3. import sys
  4. import os
  6. # load local django
  7. sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)) + '/lib')
  8. sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), "src"))
  10. import django
  12. print (django.__version__)
  14. import views.view
  16. from conf.wsgi import application
  18. def handler(environ, start_response):
  19.     import urlparse
  20.     parsed_tuple = urlparse.urlparse(environ['fc.request_uri'])
  21.     li = parsed_tuple.path.split('/')
  22.     global base_path
  23.     if not views.view.base_path:
  24.         views.view.base_path = "/".join(li[0:5])
  25.     return application(environ, start_response)
  1. urls.py
  1. from django.conf.urls import url
  2. from django.contrib import admin
  3. from views import view
  5. urlpatterns = [
  6.     url(r'^index$', view.index),
  7.     url(r'^get_data$', view.get_data),
  8. ]
  1. views.py 
  1. #!/usr/bin/env python
  2. # coding=utf-8
  3. from django.http import HttpResponse
  4. from django.conf import settings
  5. import logging
  6. import json
  7. logger = logging.getLogger()
  9. base_path = ""
  11. def index(request):
  12.     """
  13.     Testing entry
  14.     """
  15.     logger.info("Django request detected! url: index")
  16.     white_list = settings.WHITE_LIST
  17.     allowed_hostlist = ' '
  19.     for allowed_host in white_list:
  20.         allowed_hostlist += allowed_host
  21.         allowed_hostlist += ' '
  23.     return HttpResponse("<h1>It works! Copyright: jianyi</h1> Whitelist: %s" % allowed_hostlist, status=200)
  25. def get_data(request):
  26.     """
  27.     Operation for obtaining data
  28.     """
  29.     result = {
  30.         "remote_ip": '',
  31.         "white_list": [],
  32.         "authorized": False,
  33.         "protected_data": ''
  34.     }
  36.     if request.META.has_key('HTTP_X_FORWARDED_FOR'):
  37.         remote_ip = request.META['HTTP_X_FORWARDED_FOR']
  38.     else:
  39.         remote_ip = request.META['REMOTE_ADDR']
  41.     result["remote_ip"] = remote_ip
  42.     result["white_list"] = settings.WHITE_LIST
  44.     if remote_ip in result["white_list"]:
  45.         result["authorized"] = True
  46.         result["protected_data"] = "Alibaba"
  48.     return HttpResponse(json.dumps(result), status=200)
  1. settings.py

Add the whitelist setting to the bottom of the default settings.py file: add the public IP address of the proxy server to the whitelist.

  1. # User conf
  2. WHITE_LIST = [
  3.     "127.0.0.1",
  4.     "xx.xx.xx.xx"
  5. ]

Build a proxy

Use NGINX to provide the proxy service. You can deploy NGINX on an ECS instance or a normal server. After the deployment is complete, set the proxy settings in the configuration file as follows:

  1. server{
  2.     resolver x.x.x.x;
  3.     listen 8080;
  4.     location / {
  5.         proxy_pass http://$http_host$request_uri;
  6.     }
  7. }

Notes:

  • Do not include the hostname.
  • You must include the resolver (DNS). Replace x.x.x.x in the proxy settings with the IP address of the DNS resolver.
  • Do not change NGINX system variables $http_host and $request_uri.
  • In the actual environment, we recommend that you use NGINX or Keepalived to build SLB clusters and proxy clusters to provide proxy service. This improves the availability and performance of the system.

To view the DNS resolver information, run the cat /etc/resolv.conf command.

You can start testing after uploading the code of functions A and B and starting NGINX.

What to do next

Testing procedure and results

Thank you! We've received your feedback.
Free Trial Free Trial