Protect applications and services by using a dedicated host instance that acts as a broker between clients and the application or service, validates and sanitizes requests, and passes requests and data between them. This can provide an additional layer of security, and limit the attack surface of the system.
采用专用的主机实例,作为客户和应用程序或服务之间的代理保护的应用程序和服务,验证和清理的要求,并通过它们之间的请求数据。这种模式可以提供一个额外的安全层,并限制了对系统的攻击。
Context and Problem 情境和问题
Applications expose their functionality to clients by accepting and processing requests. In cloud-hosted scenarios, applications expose endpoints to which clients connect, and typically include the code to handle the requests from clients. This code may perform authentication and validation, some or all request processing, and is likely to accesses storage and other services on behalf of the client.
应用程序对通过接受和处理请求对客户端公开其功能。在云托管的情况下,应用程序暴露给客户端终结点,并通常包括来自客户端代码的请求。此代码可以执行认证和验证,一些或全部通过的请求,并有可能访问代表客户端的存储等服务。
If a malicious user is able to compromise the system and gain access to application’s hosting environment, the security mechanisms it uses such as credentials and storage keys, and the services and data it accesses, are exposed. As a result, the malicious user may be able to gain unrestrained access to sensitive information and other services.
如果恶意用户能够损害系统并访问应用程序的主机环境,诸如凭证和存储密钥,以及访问数据的服务,它使用安全机制暴露。其结果是,恶意用户可能能够获得对敏感信息和其他服务的无节制的访问。
Solution 解决方案
To minimize the risk of clients gaining access to sensitive information and services, decouple hosts or tasks that expose public endpoints from the code that processes requests and accesses storage. This can be achieved by using a façade or a dedicated task that interacts with clients and then hands off the request (perhaps through a decoupled interface) to the hosts or tasks that will handle the request. Figure 1 shows a high-level view of this approach.
为了尽量减少客户获取敏感信息和服务的风险,去耦揭露出从该处理请求和访问存储代码公共端点的主机或任务。这可以通过使用一个方面或与客户互动,然后分离请求(可能通过一个去耦接口)连接到主机或任务,将处理该请求的专用任务来实现。图1示出了这种方法的一个高层次的图。
Figure 1 - High level overview of this pattern 图1 -这个模式的高层次概述
The gatekeeper pattern may be used simply to protect storage, or it may be used as a more comprehensive façade to protect all of the functions of the application. The important factors are:
守门人模式可能只是为了保护存储,也可以作为一个更全面的外观模式保护所有应用程序的功能。重要因素是:
- Controlled validation. The Gatekeeper validates all requests, and rejects those that do not meet validation requirements.
- 控制验证。把关人模式验证了所有的请求,并拒绝那些不符合验证要求的请求。
- Limited risk and exposure. The Gatekeeper does not have access to the credentials or keys used by the trusted host to access storage and services. If the Gatekeeper is compromised, the attacker does not obtain access to these credentials or keys.
- 有限风险和暴露。守门人模式没有访问受信任的主机使用的凭据或键来访问存储和服务。如果守门人模式被攻破,攻击者不获得访问这些凭据或密钥。
- Appropriate security. The Gatekeeper runs in a limited privilege mode, whereas the remainder of the application runs in the full trust mode required to access storage and services. If the Gatekeeper is compromised, it cannot directly access the application services or data.
- 适当的安全。该看门人在有限的权限模式下运行,而应用程序的其余部分则运行在需要访问存储和服务的完全信任模式中。如果看门人被入侵,它不能直接访问应用程序服务或数据。
This pattern effectively acts like a firewall in a typical network topography. It allows the Gatekeeper to examine requests and make a decision about whether to pass the request on to the trusted host (sometimes called the Keymaster) that performs the required tasks. This decision will typically require the Gatekeeper to validate and sanitize the request content before passing it on to the trusted host.
这种模式有效扮演着在一个典型的网络防火墙。它允许把关审查请求并决定是否请求传递到受信任的主机(有时称为大师),完成要求的任务。这一决定将通常需要守门人模式验证和把关请求的内容在将它传递到受信任的主机之前。
Issues and Considerations 问题与思考
Consider the following points when deciding how to implement this pattern:
在决定如何实施这一模式时,请考虑以下几点:
- Ensure that the trusted hosts to which the Gatekeeper passes requests expose only internal or protected endpoints, and connect only to the Gatekeeper. The trusted hosts should not expose any external endpoints or interfaces.
- 确保所要传递的请求的受信任的主机只公开内部或受保护的端点,并只连接到“守门人”。受信任的主机不应公开任何外部端点或接口。
- The Gatekeeper must run in a limited privilege mode. Typically this means running the Gatekeeper and the trusted host in separate hosted services or virtual machines.
- 守关人模式必须在有限的特权模式下运行。通常,这意味着运行在单独的托管服务或虚拟机中的守关人模式和受信任的主机。
- The Gatekeeper should not perform any processing related to the application or services, or access any data. Its function is purely to validate and sanitize requests. The trusted hosts may need to perform additional validation of requests, but the core validation should be performed by the Gatekeeper.
- 守关人模式G不应该执行与应用程序或服务相关的任何处理,或访问任何数据。它的功能是纯粹的验证和审核请求。受信任的主机可能需要执行额外的请求验证,但核心验证应由守关人模式执行。
- Use a secure communication channel (HTTPS, SSL, or TLS) between the Gatekeeper and the trusted hosts or tasks where this is possible. However, some hosting environments may not support HTTPS on internal endpoints.
- 使用一个安全的通信通道(HTTPS、SSL,或TLS)在守门人模式和受信任的主机或任务之间,在任何可能的地方。然而,一些托管环境可能不支持在内部端点HTTPS。
- Adding the extra layer to the application to implement the Gatekeeper pattern is likely to have some impact on performance of the application due to the additional processing and network communication it requires.
- 添加额外的层的应用程序来实现的看门模式很可能有一定的影响,由于额外的处理和网络通信,它需要的应用程序的性能。
- The Gatekeeper instance could be a single point of failure. To minimize the impact of a failure, consider deploying additional instances and using an autoscaling mechanism to ensure sufficient capacity to maintain availability.
- 守门人的实例可能是一个单一的故障点。尽量减少失败的影响,考虑部署额外的实例和使用这个机制,确保有足够的能力保持可用性。
When to Use this Pattern 何时使用本模式
This pattern is ideally suited for:
这种模式非常适合:
- Applications that handle sensitive information, expose services that must have high a degree of protection from malicious attacks, or perform mission-critical operations that must not be disrupted.
- 处理敏感信息的应用程序,公开必须具有高度保护的恶意攻击的服务,或执行不可中断的任务关键操作的服务。
- Distributed applications where it is necessary to perform request validation separately from the main tasks, or to centralize this validation to simplify maintenance and administration.
- 分布式应用程序需要执行请求验证分别从主要任务,或集中验证简化维护和管理。
Example 例子
In a cloud-hosted scenario, this pattern can be implemented by decoupling the Gatekeeper role or virtual machine from the trusted roles and services in an application by using an internal endpoint, a queue, or storage as an intermediate communication mechanism. Figure 2 shows the basic principle when using an internal endpoint.
在云托管的情况下,这种模式可以实现的去耦的守门人角色或虚拟机从信任的角色和服务的应用程序通过使用一个内部端点,一个队列,或存储作为一个中间通信机制。图2显示了使用内部端点时的基本原则。
Figure 2 - An example of the pattern using Cloud Services web and worker roles 图2 -使用云服务的Web和工作角色的模式的一个例子
Related Patterns and Guidance 相关模式与指导
The following pattern may also be relevant when implementing this pattern:
当实现此模式时,下列模式也可能是相关的:
- Valet Key Pattern. When communicating between the Gatekeeper and trusted roles it is good practice to enhance security by using keys or tokens that limit permissions for accessing resources. The Valet Key pattern describes how to use a token or key that provides clients with restricted direct access to a specific resource or service.
- 代客主要模式。当守门人和受信任的角色之间的沟通是很好的做法,以提高安全性,通过使用密钥或令牌,限制访问资源的权限。代客主要模式描述了如何使用,提供客户限制直接访问特定的资源或服务标记或关键。