
Protect applications and services by using a dedicated host instance that acts as a broker between clients and the application or service, validates and sanitizes requests, and passes requests and data between them. This can provide an additional layer of security, and limit the attack surface of the system.


Context and Problem

Applications expose their functionality to clients by accepting and processing requests. In cloud-hosted scenarios, applications expose endpoints to which clients connect, and typically include the code to handle the requests from clients. This code may perform authentication and validation, some or all request processing, and is likely to access storage and other services on behalf of the client.


If a malicious user is able to compromise the system and gain access to the application's hosting environment, the security mechanisms it uses, such as credentials and storage keys, and the services and data it accesses, are exposed. As a result, the malicious user may be able to gain unrestrained access to sensitive information and other services.


Solution

To minimize the risk of clients gaining access to sensitive information and services, decouple hosts or tasks that expose public endpoints from the code that processes requests and accesses storage. This can be achieved by using a façade or a dedicated task that interacts with clients and then hands off the request (perhaps through a decoupled interface) to the hosts or tasks that will handle the request. Figure 1 shows a high-level view of this approach.



Figure 1 - High level overview of this pattern

The gatekeeper pattern may be used simply to protect storage, or it may be used as a more comprehensive façade to protect all of the functions of the application. The important factors are:


  • Controlled validation. The Gatekeeper validates all requests, and rejects those that do not meet validation requirements.
  • Limited risk and exposure. The Gatekeeper does not have access to the credentials or keys used by the trusted host to access storage and services. If the Gatekeeper is compromised, the attacker does not obtain access to these credentials or keys.
  • Appropriate security. The Gatekeeper runs in a limited privilege mode, whereas the remainder of the application runs in the full trust mode required to access storage and services. If the Gatekeeper is compromised, it cannot directly access the application services or data.

This pattern effectively acts like a firewall in a typical network topography. It allows the Gatekeeper to examine requests and make a decision about whether to pass the request on to the trusted host (sometimes called the Keymaster) that performs the required tasks. This decision will typically require the Gatekeeper to validate and sanitize the request content before passing it on to the trusted host.


Issues and Considerations

Consider the following points when deciding how to implement this pattern:


  • Ensure that the trusted hosts to which the Gatekeeper passes requests expose only internal or protected endpoints, and connect only to the Gatekeeper. The trusted hosts should not expose any external endpoints or interfaces.
  • The Gatekeeper must run in a limited privilege mode. Typically this means running the Gatekeeper and the trusted host in separate hosted services or virtual machines.
  • The Gatekeeper should not perform any processing related to the application or services, or access any data. Its function is purely to validate and sanitize requests. The trusted hosts may need to perform additional validation of requests, but the core validation should be performed by the Gatekeeper.
  • Use a secure communication channel (HTTPS, SSL, or TLS) between the Gatekeeper and the trusted hosts or tasks where this is possible. However, some hosting environments may not support HTTPS on internal endpoints.
  • Adding the extra layer to the application to implement the Gatekeeper pattern is likely to have some impact on performance of the application due to the additional processing and network communication it requires.
  • The Gatekeeper instance could be a single point of failure. To minimize the impact of a failure, consider deploying additional instances and using an autoscaling mechanism to ensure sufficient capacity to maintain availability.

When to Use this Pattern

This pattern is ideally suited for:


  • Applications that handle sensitive information, expose services that must have a high degree of protection from malicious attacks, or perform mission-critical operations that must not be disrupted.
  • Distributed applications where it is necessary to perform request validation separately from the main tasks, or to centralize this validation to simplify maintenance and administration.

Example

In a cloud-hosted scenario, this pattern can be implemented by decoupling the Gatekeeper role or virtual machine from the trusted roles and services in an application by using an internal endpoint, a queue, or storage as an intermediate communication mechanism. Figure 2 shows the basic principle when using an internal endpoint.



Figure 2 - An example of the pattern using Cloud Services web and worker roles
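The following is an added example (not code from the original article or from the Azure guidance it reproduces) that models the Solution, the considerations above and this Example in one small Python program: a Gatekeeper that only validates and sanitizes against a whitelist and holds no credentials, and a trusted host (the "Keymaster") that holds the storage key and is reachable only through a stand-in for the internal endpoint. The operations, field names, identifier format and storage key are constructed for illustration.

```python
import re
from typing import Any, Callable

# Constructed whitelist: each public operation and the only fields it accepts.
ALLOWED_OPERATIONS = {"get_order": {"order_id"}, "list_orders": {"customer_id"}}
ID_PATTERN = re.compile(r"[A-Za-z0-9-]{1,36}")  # plain identifiers: no quotes, spaces or paths
MAX_FIELDS = 8  # reject oversized requests before inspecting their contents


class Gatekeeper:
    """Public-facing role: validates and sanitizes, then hands a minimal message to the
    trusted host via `deliver` (stand-in for an internal endpoint or queue). Holds no keys."""

    def __init__(self, deliver: Callable[[dict[str, Any]], dict[str, Any]]):
        self._deliver = deliver

    def handle(self, request: Any) -> dict[str, Any]:
        if not isinstance(request, dict) or len(request) > MAX_FIELDS:
            return {"status": 400, "error": "malformed request"}
        op = request.get("op")
        if not isinstance(op, str) or op not in ALLOWED_OPERATIONS:
            return {"status": 400, "error": "operation not allowed"}
        # Sanitize: copy only the expected fields, and only when they are well-formed.
        clean = {"op": op}
        for name in ALLOWED_OPERATIONS[op]:
            value = request.get(name)
            if not isinstance(value, str) or not ID_PATTERN.fullmatch(value):
                return {"status": 400, "error": f"invalid field: {name}"}
            clean[name] = value
        return {"status": 200, "body": self._deliver(clean)}


class TrustedHost:
    """Internal role (the 'Keymaster'): the only component that holds the storage key,
    reachable only through `process`, the stand-in for its internal endpoint."""

    def __init__(self, storage_key: str):
        self._storage_key = storage_key  # never handed to the Gatekeeper

    def process(self, message: dict[str, Any]) -> dict[str, Any]:
        # Defence in depth: re-check the whitelist even though the Gatekeeper already did.
        if message.get("op") not in ALLOWED_OPERATIONS:
            return {"processed": False}
        # Real storage access using self._storage_key would happen here.
        return {"processed": True, "received": message}


def build_system(storage_key: str) -> Gatekeeper:
    """Wire a Gatekeeper to a TrustedHost; only the host ever sees the key."""
    return Gatekeeper(deliver=TrustedHost(storage_key).process)
```

A request with unexpected extra fields is forwarded with those fields stripped, while an unknown operation or a malformed identifier is rejected at the Gatekeeper and never reaches the trusted host.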

Related Patterns and Guidance

The following pattern may also be relevant when implementing this pattern:


  • Valet Key Pattern. When communicating between the Gatekeeper and trusted roles it is good practice to enhance security by using keys or tokens that limit permissions for accessing resources. The Valet Key pattern describes how to use a token or key that provides clients with restricted direct access to a specific resource or service.
