API Gateway

The Ocelot Gateway is a crucial component of our platform, responsible for routing and managing incoming HTTP requests to various microservices. This document provides an overview of the architecture and functionality of the Ocelot Gateway, including its authentication modules and rate-limiting capabilities.

Architecture

The Ocelot Gateway follows a modular and extensible architecture, comprising the following key components:

  1. Routing Configuration: The gateway is configured with routing rules to determine how incoming requests are directed to backend microservices. These routing rules can be defined based on URL patterns, HTTP methods, or other criteria.

  2. Authentication Modules: The gateway supports multiple authentication modules to secure access to the underlying microservices. These authentication modules include:

    • Token-based Authentication: Allows clients to authenticate using bearer tokens, typically JWTs (JSON Web Tokens).

    • HMAC Authentication: Provides a mechanism for request signing using Hash-based Message Authentication Code (HMAC) to ensure message integrity and authenticity.

    • Whitelisting: Enables whitelisting of specific IP addresses or ranges to allow unrestricted access to certain endpoints.

  3. Rate Limiting: The gateway implements rate-limiting functionality to control the rate at which clients can make requests to the backend services. This helps prevent abuse and ensures fair usage of resources.

Functionality

The Ocelot Gateway offers the following core functionality:

  1. Request Routing:

    • Incoming HTTP requests are routed based on predefined routing rules configured in the gateway.

    • Requests can be routed to specific microservices or backend servers based on the request URL, HTTP method, or other criteria.

  2. Authentication:

    • Token-based Authentication: Clients can authenticate using bearer tokens included in the request headers. The gateway validates the tokens against a configured authentication provider.

    • HMAC Authentication: Requests are signed by clients using a secret key, and the gateway verifies the signatures to authenticate the requests.

    • Whitelisting: Requests from whitelisted IP addresses are allowed to bypass authentication checks and access protected resources directly.

  3. Rate Limiting:

    • The gateway enforces rate limits on incoming requests to prevent excessive usage of backend services.

    • Requests exceeding the defined rate limits are throttled or rejected, depending on the configured behavior.
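
The HMAC Authentication step above, shown from both sides as an added example (not the platform's or Ocelot's own code). The canonical string layout, the 300-second freshness window, the client id lookup and all function names are assumptions made for illustration; the page does not specify them.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; not specified by the page


def canonical_string(method, path, timestamp, body):
    """Byte string that both sides sign (hypothetical layout)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(secret, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical string, hex encoded."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secrets, client_id, method, path, timestamp, body,
                   signature, now=None):
    """Gateway side: return (accepted, reason)."""
    now = time.time() if now is None else now
    secret = secrets.get(client_id)
    if secret is None:
        return False, "unknown client"
    # Signing the timestamp and bounding its age limits reuse of a captured request.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(secret, method, path, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    return True, "ok"


# Constructed sample data, not taken from the platform.
SECRETS = {"client-a": b"constructed-demo-secret"}
NOW = 1_700_000_000
BODY = b'{"amount": 10}'
SIG = sign_request(SECRETS["client-a"], "POST", "/orders", NOW, BODY)

if __name__ == "__main__":
    args = (SECRETS, "client-a", "POST", "/orders", NOW)
    print(verify_request(*args, BODY, SIG, now=NOW + 5))                 # accepted
    print(verify_request(*args, b'{"amount": 9999}', SIG, now=NOW + 5))  # body changed
    print(verify_request(*args, BODY, SIG, now=NOW + 3600))              # too old
```

Because the method, path and body hash are all part of the signed string, a signature issued for one request does not validate a different endpoint or an altered payload.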

Usage Example

To illustrate the usage of the Ocelot Gateway, consider the following example:

  1. Client Request:

    • A client sends an HTTP request to the Ocelot Gateway, specifying the desired endpoint and including authentication credentials if required.

  2. Routing and Authentication:

    • The gateway receives the request and routes it to the appropriate backend microservice based on the configured routing rules.

    • If authentication is required, the gateway verifies the client's credentials using the specified authentication module.

  3. Rate Limiting:

    • Before processing the request, the gateway checks whether the client has exceeded the configured rate limits.

    • If the request rate exceeds the limits, the gateway applies rate-limiting measures, such as delaying or rejecting the request.
