当前位置：首页 > news >正文

工作中最常用的6种API网关

news 2026/5/12 22:54:36

前言

API网关在项目中非常重要。

今天这篇文章跟大家一起聊聊工作最常用的6种网关，希望对你会有所帮助。

一、为什么需要API网关？

有些小伙伴在工作中可能会问：我们的系统直接调用微服务不是更简单吗？

为什么非要引入API网关这个"中间商"呢？

让我们先来看一个实际的例子。

没有网关的微服务困境

// 前端直接调用多个微服务 - 问题重重
@RestController
public class FrontendController {// 问题1：服务地址硬编码@Value("${user.service.url:http://localhost:8081}")private String userServiceUrl;@Value("${order.service.url:http://localhost:8082}")private String orderServiceUrl;@Autowiredprivate RestTemplate restTemplate;@GetMapping("/user-dashboard")public UserDashboard getUserDashboard(@RequestHeader("Authorization") String token) {// 问题2：每个服务都要重复认证逻辑if (!validateToken(token)) {throw new UnauthorizedException("Token invalid");}// 问题3：需要手动处理服务间调用顺序User user = restTemplate.getForObject(userServiceUrl + "/users/current", User.class);List<Order> orders = restTemplate.getForObject(orderServiceUrl + "/orders?userId=" + user.getId(), List.class);// 问题4：错误处理复杂if (user == null || orders == null) {throw new ServiceUnavailableException("Backend service unavailable");}return new UserDashboard(user, orders);}// 问题5：重复的认证代码private boolean validateToken(String token) {// 每个接口都要实现的认证逻辑return token != null && token.startsWith("Bearer ");}
}

引入网关后的优雅架构

// 网关统一处理所有横切关注点
@Configuration
public class GatewayConfig {@Beanpublic RouteLocator customRouteLocator(RouteLocatorBuilder builder) {return builder.routes().route("user_service", r -> r.path("/api/users/**").uri("lb://user-service")).route("order_service", r -> r.path("/api/orders/**").uri("lb://order-service")).route("product_service", r -> r.path("/api/products/**").uri("lb://product-service")).build();}
}// 前端只需调用网关
@RestController
public class FrontendController {@Autowiredprivate RestTemplate restTemplate;@GetMapping("/api/user-dashboard")public UserDashboard getUserDashboard() {// 网关已经处理了认证、路由、负载均衡等问题return restTemplate.getForObject("http://gateway/api/users/current/dashboard", UserDashboard.class);}
}

API网关的核心价值

让我们通过架构图来理解网关在微服务架构中的关键作用：

网关解决的8大核心问题：

统一入口：所有请求都通过网关进入系统
认证授权：集中处理身份验证和权限控制
流量控制：限流、熔断、降级等 resiliency 模式
监控统计：统一的日志、指标收集
协议转换：HTTP/1.1、HTTP/2、gRPC 等协议适配
缓存加速：响应缓存降低后端压力
安全防护：WAF、防爬虫、防重放攻击
服务治理：服务发现、负载均衡、路由转发

下面我们一起看看工作中最常见的6种API网关有哪些。

二、Spring Cloud Gateway

有些小伙伴在Spring技术栈中开发微服务，Spring Cloud Gateway 无疑是最自然的选择。

作为Spring官方推出的第二代网关，它基于WebFlux响应式编程模型，性能卓越。

核心架构深度解析

@Configuration
public class AdvancedGatewayConfig {@Bean@Order(-1)public GlobalFilter customGlobalFilter() {return (exchange, chain) -> {// 前置处理long startTime = System.currentTimeMillis();ServerHttpRequest request = exchange.getRequest();// 添加追踪IDString traceId = UUID.randomUUID().toString();ServerHttpRequest mutatedRequest = request.mutate().header("X-Trace-Id", traceId).build();return chain.filter(exchange.mutate().request(mutatedRequest).build()).then(Mono.fromRunnable(() -> {// 后置处理long duration = System.currentTimeMillis() - startTime;log.info("Request {} completed in {}ms", traceId, duration);}));};}@Beanpublic RouteLocator advancedRoutes(RouteLocatorBuilder builder) {return builder.routes()// 用户服务 - 带熔断和重试.route("user_service", r -> r.path("/api/users/**").filters(f -> f.circuitBreaker(config -> config.setName("userServiceCB").setFallbackUri("forward:/fallback/user-service")).retry(config -> config.setRetries(3).setMethods(HttpMethod.GET, HttpMethod.POST).setBackoff(100L, 1000L, 2, true)).requestRateLimiter(config -> config.setRateLimiter(redisRateLimiter()).setKeyResolver(apiKeyResolver())).modifyRequestBody(String.class, String.class, (exchange, s) -> Mono.just(validateAndTransform(s)))).uri("lb://user-service"))// 订单服务 - 带JWT认证.route("order_service", r -> r.path("/api/orders/**").filters(f -> f.filter(jwtAuthenticationFilter()).prefixPath("/v1").addResponseHeader("X-API-Version", "1.0")).uri("lb://order-service"))// 商品服务 - 静态资源缓存.route("product_service", r -> r.path("/api/products/**").filters(f -> f.dedupeResponseHeader("Cache-Control", "RETAIN_FIRST").setResponseHeader("Cache-Control", "public, max-age=3600")).uri("lb://product-service")).build();}@Beanpublic JwtAuthenticationFilter jwtAuthenticationFilter() {return new JwtAuthenticationFilter();}@Beanpublic RedisRateLimiter redisRateLimiter() {return new RedisRateLimiter(10, 20);}@Beanpublic KeyResolver apiKeyResolver() {return exchange -> {String apiKey = exchange.getRequest().getHeaders().getFirst("X-API-Key");return Mono.just(Optional.ofNullable(apiKey).orElse("anonymous"));};}
}// JWT认证过滤器
@Component
class JwtAuthenticationFilter implements GatewayFilter {@Autowiredprivate JwtUtil jwtUtil;@Overridepublic Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {String token = extractToken(exchange.getRequest());if (token == null) {return onError(exchange, "Missing authentication token", HttpStatus.UNAUTHORIZED);}try {Claims claims = jwtUtil.parseToken(token);String username = claims.getSubject();// 将用户信息添加到headerServerHttpRequest mutatedRequest = exchange.getRequest().mutate().header("X-User-Name", username).header("X-User-Roles", String.join(",", claims.get("roles", List.class))).build();return chain.filter(exchange.mutate().request(mutatedRequest).build());} catch (Exception e) {return onError(exchange, "Invalid token: " + e.getMessage(), HttpStatus.UNAUTHORIZED);}}private String extractToken(ServerHttpRequest request) {String bearerToken = request.getHeaders().getFirst("Authorization");if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {return bearerToken.substring(7);}return null;}private Mono<Void> onError(ServerWebExchange exchange, String err, HttpStatus status) {exchange.getResponse().setStatusCode(status);DataBuffer buffer = exchange.getResponse().bufferFactory().wrap(("{\"error\":\"" + err + "\"}").getBytes());return exchange.getResponse().writeWith(Mono.just(buffer));}
}

Spring Cloud Gateway 执行流程

优点：

与Spring Cloud生态完美集成
基于WebFlux，性能优秀
功能丰富，支持过滤器和断言
配置灵活，支持代码和配置文件两种方式

缺点：

对非Spring技术栈不友好
学习曲线相对陡峭
依赖Spring Cloud组件

使用场景：

Spring Cloud微服务架构
需要深度定制网关逻辑
团队熟悉Spring技术栈

三、Kong：企业级API网关标杆

有些小伙伴在企业级场景中需要更高的性能和更丰富的功能，Kong就是这样一个基于Nginx和OpenResty的高性能API网关。

Kong 配置实战

# kong.yml - 声明式配置
_format_version: "2.1"
_transform: trueservices:- name: user-serviceurl: http://user-service:8080routes:- name: user-routepaths: ["/api/users"]strip_path: trueplugins:- name: key-authconfig:key_names: ["apikey"]hide_credentials: true- name: rate-limitingconfig:minute: 10policy: redis- name: prometheusenabled: true- name: order-serviceurl: http://order-service:8080routes:- name: order-routepaths: ["/api/orders"]methods: ["GET", "POST", "PUT"]plugins:- name: corsconfig:origins: ["https://example.com"]methods: ["GET", "POST", "PUT"]headers: ["Accept", "Authorization", "Content-Type"]- name: request-transformerconfig:add:headers: ["X-From-Kong: true"]remove:headers: ["User-Agent"]consumers:- username: mobile-appkeyauth_credentials:- key: mobile-key-123- username: web-appkeyauth_credentials:- key: web-key-456plugins:- name: ip-restrictionconfig:allow: ["192.168.0.0/16", "10.0.0.0/8"]- name: correlation-idconfig:header_name: "X-Request-ID"generator: "uuid"

自定义Kong插件开发

-- kong/plugins/request-validator/handler.lua
local BasePlugin = require "kong.plugins.base_plugin"
local cjson = require "cjson"local RequestValidator = BasePlugin:extend()function RequestValidator:new()RequestValidator.super.new(self, "request-validator")
endfunction RequestValidator:access(conf)RequestValidator.super.access(self)local headers = kong.request.get_headers()local method = kong.request.get_method()local body = kong.request.get_raw_body()-- API Key验证local api_key = headers["X-API-Key"]if not api_key thenkong.response.exit(401, { message = "Missing API Key" })end-- 验证API Key格式if not string.match(api_key, "^%x%x%x%-%x%x%x%-%x%x%x$") thenkong.response.exit(401, { message = "Invalid API Key format" })end-- 请求体验证if method == "POST" or method == "PUT" thenif not body or body == "" thenkong.response.exit(400, { message = "Request body is required" })endlocal ok, json_body = pcall(cjson.decode, body)if not ok thenkong.response.exit(400, { message = "Invalid JSON format" })end-- 业务规则验证if json_body.amount and tonumber(json_body.amount) <= 0 thenkong.response.exit(400, { message = "Amount must be greater than 0" })endend-- 添加验证通过标记kong.service.request.set_header("X-Request-Validated", "true")kong.service.request.set_header("X-API-Key", api_key)-- 记录审计日志kong.log.info("Request validated for API Key: ", api_key)
endreturn RequestValidator

Kong 集群架构

优点：

基于Nginx，性能极高
插件生态丰富
支持集群部署
成熟的监控和管理界面

缺点：

依赖数据库（PostgreSQL/Cassandra）
插件开发需要Lua知识
配置相对复杂

使用场景：

高并发企业级应用
需要丰富插件功能的场景
已有Kong技术栈的团队

四、Nginx：经典反向代理网关

有些小伙伴在传统架构或简单场景中，Nginx仍然是最可靠的选择。它虽然功能相对简单，但性能卓越且稳定。

Nginx 配置详解

# nginx.conf - 生产环境配置
http {# 基础配置sendfile on;tcp_nopush on;tcp_nodelay on;keepalive_timeout 65;types_hash_max_size 2048;# 日志格式log_format main '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for" ''rt=$request_time uct="$upstream_connect_time" ''uht="$upstream_header_time" urt="$upstream_response_time"';# 上游服务配置upstream user_service {server user-service-1:8080 weight=3;server user-service-2:8080 weight=2;server user-service-3:8080 weight=1;# 健康检查check interval=3000 rise=2 fall=3 timeout=1000;}upstream order_service {server order-service-1:8080;server order-service-2:8080;# 会话保持hash $cookie_jsessionid;hash_again 1;}upstream product_service {server product-service:8080;# 备份服务器server backup-product-service:8080 backup;}# API网关配置server {listen 80;server_name api.example.com;# 全局限流limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;# 用户服务路由location /api/users/ {limit_req zone=api burst=20 nodelay;# 反向代理配置proxy_pass http://user_service;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 超时配置proxy_connect_timeout 5s;proxy_read_timeout 10s;proxy_send_timeout 10s;# 重试机制proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;proxy_next_upstream_tries 3;proxy_next_upstream_timeout 10s;# 缓存配置proxy_cache api_cache;proxy_cache_key "$scheme$request_method$host$request_uri";proxy_cache_valid 200 302 5m;proxy_cache_valid 404 1m;# 添加安全头add_header X-Frame-Options DENY;add_header X-Content-Type-Options nosniff;add_header X-XSS-Protection "1; mode=block";}# 订单服务路由location /api/orders/ {# JWT验证auth_request /auth;auth_request_set $user $upstream_http_x_user;proxy_set_header X-User $user;proxy_pass http://order_service;# CORS配置if ($request_method = 'OPTIONS') {add_header 'Access-Control-Allow-Origin' '*';add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type';add_header 'Access-Control-Max-Age' 86400;return 204;}}# 认证端点location = /auth {internal;proxy_pass http://auth_service/validate;proxy_pass_request_body off;proxy_set_header Content-Length "";proxy_set_header X-Original-URI $request_uri;}# 健康检查端点location /health {access_log off;return 200 "healthy\n";add_header Content-Type text/plain;}# 监控端点location /nginx-status {stub_status on;access_log off;allow 192.168.0.0/16;deny all;}}
}

Nginx 请求处理流程

优点：

性能极高，C语言编写
配置相对简单
资源消耗低
社区成熟，资料丰富

缺点：

动态配置能力弱
功能相对基础
需要reload生效配置变更

使用场景：

高性能要求的简单路由
静态资源服务
传统架构升级

五、APISIX：云原生API网关新星

有些小伙伴在云原生环境中需要动态配置和高性能，APISIX就是这样一个基于etcd的云原生API网关。

APISIX 路由配置

# apisix-config.yaml
routes:- uri: /api/users/*name: user-servicemethods: [GET, POST, PUT, DELETE]upstream:type: roundrobinnodes:user-service-1:8080: 1user-service-2:8080: 2user-service-3:8080: 1plugins:proxy-rewrite:uri: "/users$1"limit-count:count: 100time_window: 60key: remote_addrrejected_code: 503jwt-auth:key: user-servicesecret: my-secret-keyexp: 86400- uri: /api/orders/*name: order-service  upstream:type: chashkey: arg_user_idnodes:order-service-1:8080: 1order-service-2:8080: 1plugins:cors:allow_origins: "https://example.com"allow_methods: "GET,POST,PUT,DELETE"allow_headers: "*"response-rewrite:body: '{"code": 0, "message": "success", "data": $body}'fault-injection:abort:http_status: 500body: "service unavailable"percentage: 5- uri: /api/products/*name: product-serviceupstream:type: roundrobinnodes:product-service:8080: 1plugins:proxy-cache:cache_key: ["$uri", "$args"]cache_zone: disk_cache_onecache_ttl: 300uri-blocker:block_rules: ["^/admin/", ".php$"]rejected_code: 403# 全局插件
plugins:- name: prometheusenable: true- name: zipkinenable: trueconfig:endpoint: http://zipkin:9411/api/v2/spanssample_ratio: 0.001

APISIX 插件开发

-- apisix/plugins/rate-limit-advanced/init.lua
local core = require("apisix.core")
local plugin_name = "rate-limit-advanced"local schema = {type = "object",properties = {rate = {type = "integer", minimum = 1},burst = {type = "integer", minimum = 0},key = {type = "string"},window = {type = "integer", minimum = 1},rejected_code = {type = "integer", default = 429},rejected_msg = {type = "string", default = "rate limit exceeded"}},required = {"rate", "key"}
}local _M = {version = 1.0,priority = 1000,name = plugin_name,schema = schema,
}function _M.check_schema(conf)return core.schema.check(schema, conf)
endfunction _M.access(conf, ctx)local key = conf.keyif key == "remote_addr" thenkey = ctx.var.remote_addrelseif key == "server_addr" thenkey = ctx.var.server_addrendlocal rate = conf.ratelocal burst = conf.burst or 0local window = conf.window or 60-- 使用redis进行分布式限流local redis = require("resty.redis")local red = redis:new()local ok, err = red:connect("127.0.0.1", 6379)if not ok thencore.log.error("failed to connect to redis: ", err)return 500endlocal current_time = ngx.now()local key_name = "rate_limit:" .. key-- 使用令牌桶算法local tokens = red:get(key_name)if tokens thentokens = tonumber(tokens)elsetokens = burstendlocal last_update = red:get(key_name .. ":time")if last_update thenlast_update = tonumber(last_update)local elapsed = current_time - last_updatelocal new_tokens = elapsed * rate / windowif new_tokens > 0 thentokens = math.min(tokens + new_tokens, burst)endendif tokens < 1 thenred:setex(key_name .. ":time", window, current_time)return conf.rejected_code, conf.rejected_msgendtokens = tokens - 1red:setex(key_name, window, tokens)red:setex(key_name .. ":time", window, current_time)
endreturn _M

优点：

配置热更新，无需重启
性能卓越
插件生态丰富
云原生友好

缺点：

相对较新，生态不如Kong成熟
依赖etcd
学习成本较高

使用场景：

云原生环境
需要动态配置的场景
高性能要求的微服务架构

六、Zuul：Netflix经典网关

有些小伙伴在传统Spring Cloud项目中可能还在使用Zuul，虽然它已被Spring Cloud Gateway取代，但了解其原理仍有价值。

Zuul 过滤器实战

// Zuul前置过滤器 - 认证和限流
@Component
public class AuthPreFilter extends ZuulFilter {@Autowiredprivate RateLimiterService rateLimiter;@Autowiredprivate JwtTokenProvider tokenProvider;@Overridepublic String filterType() {return "pre";}@Overridepublic int filterOrder() {return 1;}@Overridepublic boolean shouldFilter() {return true;}@Overridepublic Object run() throws ZuulException {RequestContext ctx = RequestContext.getCurrentContext();HttpServletRequest request = ctx.getRequest();// 1. 限流检查String clientId = getClientId(request);if (!rateLimiter.tryAcquire(clientId)) {ctx.setSendZuulResponse(false);ctx.setResponseStatusCode(429);ctx.setResponseBody("{\"error\": \"Rate limit exceeded\"}");return null;}// 2. JWT认证String token = extractToken(request);if (token == null && requiresAuth(request)) {ctx.setSendZuulResponse(false);ctx.setResponseStatusCode(401);ctx.setResponseBody("{\"error\": \"Authentication required\"}");return null;}if (token != null) {try {Claims claims = tokenProvider.parseToken(token);ctx.addZuulRequestHeader("X-User-Id", claims.getSubject());ctx.addZuulRequestHeader("X-User-Roles", String.join(",", claims.get("roles", List.class)));} catch (Exception e) {ctx.setSendZuulResponse(false);ctx.setResponseStatusCode(401);ctx.setResponseBody("{\"error\": \"Invalid token\"}");return null;}}// 3. 添加追踪信息ctx.addZuulRequestHeader("X-Request-ID", UUID.randomUUID().toString());ctx.addZuulRequestHeader("X-Forwarded-For", request.getRemoteAddr());return null;}private String getClientId(HttpServletRequest request) {String apiKey = request.getHeader("X-API-Key");return apiKey != null ? apiKey : request.getRemoteAddr();}private String extractToken(HttpServletRequest request) {String bearerToken = request.getHeader("Authorization");if (bearerToken != null && bearerToken.startsWith("Bearer ")) {return bearerToken.substring(7);}return null;}private boolean requiresAuth(HttpServletRequest request) {String path = request.getRequestURI();return !path.startsWith("/api/public/") && !path.equals("/health") && !path.startsWith("/actuator/");}
}// Zuul后置过滤器 - 响应处理
@Component
public class ResponsePostFilter extends ZuulFilter {private static final Logger logger = LoggerFactory.getLogger(ResponsePostFilter.class);@Overridepublic String filterType() {return "post";}@Overridepublic int filterOrder() {return 1000;}@Overridepublic boolean shouldFilter() {return true;}@Overridepublic Object run() throws ZuulException {RequestContext ctx = RequestContext.getCurrentContext();HttpServletRequest request = ctx.getRequest();HttpServletResponse response = ctx.getResponse();long startTime = (Long) ctx.get("startTime");long duration = System.currentTimeMillis() - startTime;// 记录访问日志logger.info("{} {} {} {} {}ms", request.getRemoteAddr(),request.getMethod(),request.getRequestURI(),response.getStatus(),duration);// 添加响应头response.setHeader("X-Response-Time", duration + "ms");response.setHeader("X-API-Version", "1.0");// 统一响应格式if (ctx.getResponseBody() != null && response.getContentType() != null && response.getContentType().contains("application/json")) {String originalBody = ctx.getResponseBody();String wrappedBody = "{\"code\": 0, \"data\": " + originalBody + ", \"timestamp\": " + System.currentTimeMillis() + "}";ctx.setResponseBody(wrappedBody);}return null;}
}

优点：

与Netflix集成良好
过滤器机制灵活
文档资料丰富

缺点：

性能较差（阻塞IO）
已被Spring Cloud Gateway取代
社区活跃度下降

使用场景：

遗留Spring Cloud项目
Netflix技术栈
非性能敏感场景

七、Traefik：云原生动态网关

有些小伙伴在容器化环境中需要自动服务发现，Traefik就是为云原生而生的动态网关。

Traefik 配置示例

# traefik.yaml
api:dashboard: trueinsecure: trueentryPoints:web:address: ":80"http:redirections:entryPoint:to: websecurescheme: httpswebsecure:address: ":443"certificatesResolvers:myresolver:acme:email: admin@example.comstorage: /etc/traefik/acme.jsonhttpChallenge:entryPoint: webproviders:docker:endpoint: "unix:///var/run/docker.sock"exposedByDefault: falsefile:filename: /etc/traefik/dynamic.yamlwatch: truelog:level: INFOaccessLog:filePath: "/var/log/traefik/access.log"bufferingSize: 100metrics:prometheus:entryPoint: websecure# 动态配置
# dynamic.yaml
http:middlewares:# 认证中间件auth-middleware:basicAuth:users:- "admin:$2y$05$YOUR_HASHED_PASSWORD"# 限流中间件  rate-limit-middleware:rateLimit:burst: 100period: 1m# 重试中间件retry-middleware:retry:attempts: 3# 熔断中间件circuit-breaker-middleware:circuitBreaker:expression: "NetworkErrorRatio() > 0.5"# 压缩中间件compress-middleware:compress: {}routers:# 用户服务路由user-service:rule: "PathPrefix(`/api/users`)"entryPoints:- websecuremiddlewares:- rate-limit-middleware- compress-middlewareservice: user-servicetls:certResolver: myresolver# 订单服务路由  order-service:rule: "PathPrefix(`/api/orders`)"entryPoints:- websecuremiddlewares:- auth-middleware- rate-limit-middleware- circuit-breaker-middlewareservice: order-servicetls:certResolver: myresolverservices:user-service:loadBalancer:servers:- url: "http://user-service-1:8080"- url: "http://user-service-2:8080"healthCheck:path: /healthinterval: 10stimeout: 5sorder-service:loadBalancer:servers:- url: "http://order-service-1:8080"- url: "http://order-service-2:8080"

优点：

自动服务发现
配置简单
云原生友好
内置监控和Dashboard

缺点：

功能相对简单
性能不如Nginx系网关
高级功能需要企业版

使用场景：

容器化环境
需要自动服务发现的场景
快速原型开发

八、6大网关对比

通过前面的分析，我们现在对这六种API网关有了深入的了解。

让我们通过一个全面的对比来帮助大家做出正确的技术选型。

详细对比表格

特性维度	Spring Cloud Gateway	Kong	Nginx	APISIX	Zuul	Traefik
性能	高（WebFlux）	极高（Nginx）	极高（C）	极高（Nginx）	中（阻塞IO）	中
配置方式	代码/配置	声明式YAML	配置文件	动态配置	代码/配置	动态配置
服务发现	Spring Cloud	插件支持	需手动配置	支持	Spring Cloud	自动发现
K8s支持	良好	良好	需Ingress	优秀	一般	优秀
监控	Micrometer	Prometheus	基础监控	Prometheus	Hystrix	内置
学习曲线	中	中高	低	中高	中	低
适用场景	Spring Cloud	企业级	传统架构	云原生	传统Spring	容器化