GH GambleHub

Plugins and middleware in the API gateway

1) Why plugins and middleware are needed

The API gateway is the enforcement point for corporate policies. A correctly assembled plugin chain:
  • standardizes security (authN/authZ, WAF, CORS),
  • protects stability (rate limit, circuit breaker, retry policies),
  • manages the contract (schemas, validation of changes),
  • exposes observability (metrics, logs, traces),
  • reduces cost (caching, de-duplication, canary rules).

Key principle: minimal latency and a strict, explicit order.

2) Plugin classes and what they do

1. Authentication/identification

JWT/JWKS providers, OAuth2/OIDC, API keys, mTLS (client cert).
HMAC signatures (webhooks/partners), DPoP/PoP at the edge.

2. Authorization

RBAC/ABAC/OPA/Cedar (PDP) with a local decision cache.
BOLA guard: checking 'tenant'/'owner' in the header/context.

3. Network and protocol protection

WAF (OWASP CRS), anti-bot (rate/behavioral), Geo/IP/ASN filters, TLS profiles.
CORS, CSP headers, Fetch-Metadata filters, CORP/COOP/COEP.

4. Stability

Rate limiting (token bucket/GCRA), quotas and concurrency limits.
Circuit breaker, timeouts, adaptive concurrency, load shedding.
Retry policy with per-try timeout and jitter.

5. Transformation and validation

Paths/headers, body rewrite, JSON/XML, gRPC/HTTP.
Schema validation (OpenAPI/JSON Schema/Protobuf), identifier normalization.

6. Caching and performance

Response/fragment cache, ETag/If-None-Match, compression, brotli.
Request collapsing (coalescing) for identical keys.

7. Observability and audit

RED/USE metrics, decision logs (429/403/5xx), tracing (W3C Trace-Context/OpenTelemetry), sampling (tail/adaptive).
Audit of security headers and policy versions.

8. Lifecycle and operations

Canary/blue-green, feature flags, shadow decisions (log, do not enforce), version migrations.

3) Order of application (recommended chain)

[Ingress TLS]
→ Early-Deny (ASN/Geo, IP allow/deny)
→ mTLS / Client Cert Auth
→ JWT/OAuth2 AuthN (JWKS cache)
→ OPA/ABAC AuthZ (decision cache)
→ Rate Limit / Concurrency
→ Circuit / Timeout / Retries (per-try)
→ Schema Validation (request)
→ Transform (headers/path/body) / CORS
→ Caching (lookup)
→ Upstream Proxy (app)
← Caching (store) / Compression
← Response Transform / Schema Validation (response)
← Logging / Tracing / Metrics / Security Headers

Principle: the cheap and fatal steps first (deny, auth, limits), then the "cosmetics" (transformation, cache).

4) Performance and cardinality

On the hot path, stick to O(1) steps with no external requests.
Every "external call" a plugin makes (PDP/JWKS) goes through a short TTL and asynchronous refresh.
Labels/tags for metrics: bounded cardinality ('tenant', 'plan', 'route', but not 'user_id').
"Heavy" plugins (WAF, body transform): enable selectively, per route.

5) Configuration examples

5.1 Envoy: JWT + RateLimit + OPA + Retries (pseudo)

```yaml
static_resources:
  listeners:
  - name: public_listener
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          route_config:
            name: main
            virtual_hosts:
            - name: api
              domains: ["api.example.com"]
              routes:
              - match: { prefix: "/v1/payments" }
                route:
                  cluster: payments
                  timeout: 350ms
                  retry_policy:
                    retry_on: connect-failure,reset,5xx,gateway-error
                    num_retries: 1
                    per_try_timeout: 200ms
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              providers:
                oidc:
                  issuer: https://auth.example.com/
                  remote_jwks:
                    http_uri: { uri: https://auth.example.com/.well-known/jwks.json, cluster: jwks, timeout: 2s }
                    cache_duration: 300s
                  forward: true
          - name: envoy.filters.http.ext_authz   # OPA/Cedar PDP
            typed_config:
              http_service:
                server_uri: { uri: http://opa:8181, cluster: opa, timeout: 50ms }
                authorization_request: { allowed_headers: { patterns: [{ exact: "authorization" }, { exact: "x-tenant" }] } }
          - name: envoy.filters.http.ratelimit
            typed_config:
              domain: public-api
              rate_limit_service:
                grpc_service: { envoy_grpc: { cluster_name: rl } }
          - name: envoy.filters.http.router
```

5.2 NGINX/OpenResty: HMAC + Lua + Redis (pseudo)

```nginx
lua_shared_dict jwks 10m;
lua_shared_dict limits 10m;

server {
    listen 443 ssl http2;

    # Early deny by ASN/Geo
    if ($bad_asn) { return 403; }

    # HMAC signature check (webhooks/partners)
    set_by_lua_block $sig_ok {
        return verify_hmac_signature(ngx.var.http_x_signature, ngx.var.request_time, ngx.var.request_body)
    }
    if ($sig_ok = 0) { return 401; }

    # Token bucket in Redis
    access_by_lua_block {
        local key = ngx.var.binary_remote_addr .. ":" .. ngx.var.request_uri
        local allowed, retry_after = ratelimit_allow(key, 50, 100)
        if not allowed then
            ngx.header["Retry-After"] = retry_after
            return ngx.exit(429)
        end
    }

    proxy_read_timeout 300ms;
    proxy_connect_timeout 100ms;
    proxy_pass http://app_backend;
}
```
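The pseudo-config above calls two helpers it never defines, verify_hmac_signature and ratelimit_allow. The Python below is an added illustration of what they have to do (example code, not the project's Lua); the '<timestamp>.<body>' signing layout, the 300 s replay window and the module-level dict standing in for Redis are assumptions.

```python
import hashlib
import hmac
from fractions import Fraction

# Hypothetical Python stand-ins for the two helpers the OpenResty pseudo-config
# calls (verify_hmac_signature / ratelimit_allow). Not the project's own code.

REPLAY_WINDOW = 300  # seconds a signed request stays acceptable (assumed)

def sign(secret: bytes, ts: str, body: bytes) -> str:
    """Partner side: HMAC-SHA256 over '<timestamp>.<body>', hex encoded.
    Signing the timestamp is what lets the receiver reject replays."""
    return hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()

def verify_hmac_signature(secret: bytes, sig: str, ts: str, body: bytes, now: float) -> bool:
    """True only for a fresh (within REPLAY_WINDOW), correctly signed request."""
    try:
        age = now - float(ts)
    except ValueError:
        return False
    if abs(age) > REPLAY_WINDOW:
        return False
    # compare_digest runs in constant time, so the expected signature does not leak via timing
    return hmac.compare_digest(sign(secret, ts, body), sig)

# GCRA (leaky bucket as a meter): the whole state is one number per key, the
# theoretical arrival time (TAT), which is what you would keep in Redis.
_tat: dict = {}

def ratelimit_allow(key: str, rate: int, burst: int, now: float):
    """Allow `burst` requests at once, then `rate` per second sustained.
    Returns (allowed, retry_after_seconds); retry_after feeds the Retry-After header."""
    interval = Fraction(1, rate)            # exact arithmetic avoids float drift at the boundary
    tau = (burst - 1) * interval            # slack a burst may borrow
    tat = max(_tat.get(key, Fraction(now)), Fraction(now))
    allow_at = tat - tau
    if Fraction(now) < allow_at:
        return False, float(allow_at - Fraction(now))
    _tat[key] = tat + interval
    return True, 0.0
```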

5.3 Kong: plugins on a route

```yaml
services:
- name: payments
  url: http://payments:8080
routes:
- service: payments
  paths: ["/v1/payments"]
  plugins:
  - name: jwt
    config: { key_claim_name: kid, secret_is_base64: false, run_on_preflight: false }
  - name: opa
    config: { server_url: "http://opa:8181/v1/data/authz/allow", timeout: 50 }
  - name: rate-limiting
    config: { second: 50, policy: redis, redis_host: redis, fault_tolerant: true }
  - name: correlation-id
    config: { header_name: "traceparent" }
  - name: response-transformer
    config: { add: { headers: ["Strict-Transport-Security:max-age=31536000"] } }
```

5.4 Apache APISIX: JWT + Limit + Proxy-Mirror (shadow)

```yaml
routes:
- uri: /v1/wallets/
  plugins:
    openid-connect:
      client_id: wallet
      discovery: "https://auth.example.com/.well-known/openid-configuration"
      scope: "openid"
    limit-count:
      count: 100
      time_window: 60
      key_type: "var"
      key: "remote_addr"
    proxy-mirror:          # shadow traffic
      host: "http://shadow-backend:8080"
  upstream_id: 1
```

5.5 Traefik: middleware chain

```yaml
http:
  middlewares:
    hsts-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
    ratelimit:
      rateLimit:
        average: 50
        burst: 100
  routers:
    api:
      rule: "Host(`api.example.com`) && PathPrefix(`/v1`)"
      service: app
      middlewares:
      - hsts-headers
      - ratelimit
```

6) Multi-tenancy and policy versions

Route key: '{tenant, plan, region, route, version}'.
Plugins read the "tenant" from the mTLS SAN / JWT claim / header.
Version your policies ('policy_version'), keep a changelog, and roll out via canary.

7) Testing and rollout

Before release

Contract tests of the chain (a table of cases): auth → deny, auth → allow, rate → 429, schema → 422.
Load tests: ×10 bursts, long plateaus, "dirty" patterns (slow-POST).
Chaos: an outage of PDP/JWKS/Redis must fail safe / degrade gracefully.
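An added example (not the project's code) of that table of cases run against a toy filter chain in the recommended order; the tokens, tenants, schema and the window limit of 2 are constructed for the demo.

```python
# Added example: toy filter chain in the recommended order (authN -> authZ ->
# limits -> schema) plus the contract table. All values below are constructed.

VALID_TOKENS = {"tok-alice": {"sub": "alice", "tenant": "t1"}}
MAX_PER_WINDOW = 2          # deliberately tiny so the 429 case triggers quickly
_counts = {}                # (tenant, route) -> requests seen in the window

def authn(req, ctx):
    claims = VALID_TOKENS.get(req.get("token"))
    if claims is None:
        return 401
    ctx["claims"] = claims          # later filters read identity only from ctx

def authz(req, ctx):
    # BOLA guard: tenant in the path must match the tenant the token asserts
    if req["tenant"] != ctx["claims"]["tenant"]:
        return 403

def rate_limit(req, ctx):
    key = (ctx["claims"]["tenant"], req["route"])   # bounded-cardinality key
    _counts[key] = _counts.get(key, 0) + 1
    if _counts[key] > MAX_PER_WINDOW:
        return 429

def schema(req, ctx):
    body = req.get("body")
    amount = body.get("amount") if isinstance(body, dict) else None
    if not isinstance(amount, int) or amount <= 0:
        return 422

CHAIN = [authn, authz, rate_limit, schema]   # cheap/fatal first; early-deny would sit in front

def handle(req):
    ctx = {}
    for f in CHAIN:                 # the first filter that returns a status short-circuits
        status = f(req, ctx)
        if status is not None:
            return status
    return 200

def contract_table():
    """The 'before release' table: each row is (case, got, expected status)."""
    good = {"token": "tok-alice", "tenant": "t1", "route": "/v1/payments", "body": {"amount": 10}}
    return [
        ("auth -> deny", handle(dict(good, token="bad")), 401),
        ("auth -> allow", handle(good), 200),
        ("authz -> deny", handle(dict(good, tenant="t2")), 403),
        ("schema -> 422", handle(dict(good, body={"amount": -1})), 422),
        ("rate -> 429", handle(good), 429),
    ]
```

Note that the malformed body in the fourth row still consumes a rate-limit slot because schema validation sits after the limiter, exactly as the recommended order prescribes.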

Release

'Report-Only'/shadow mode (log decisions without enforcing them).
Canary on 1-5% of traffic + metric comparison (p95/p99, 4xx/5xx/429).
Automatic rollback on SLOs/alerts.

8) Observability and metrics

Metrics:
  • `http_requests_total{route,tenant,plan,status}`
  • `request_duration_seconds_bucket{route}` (p95/p99)
  • `rate_limited_total{policy}`, `retry_total{reason}`, `circuit_state`
  • `authn_fail_total{reason}`, `authz_denied_total{action}`
  • `schema_validation_fail_total{route}`
  • Tracing: a span per filter, attributes 'policy_version', 'tenant', 'limit_key'.
  • Logs (sampled): deny/429/5xx decisions with reasons and 'trace_id'.
  • Dashboards: executive summary, per-route, per-tenant, "hot" policies.

9) Security and operations

All secrets (HMAC keys, JWKS private keys, API keys) live in KMS/Vault, not in files.
Deny-by-default policy for sensitive routes.
Short TTL for the JWKS/PDP cache, asynchronous refresh with backoff.
Transformation schema migrations are versioned; "breaking" ones go through dual-write.
Limit body size (DoS) and JSON depth.
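Sections 4 and 9 both call for a short-TTL JWKS/PDP cache with asynchronous refresh and backoff. The Python class below is an added example of one way to build it (not a gateway's own code); loader, ttl, grace and run_async are assumed names, and the caller supplies the clock.

```python
import threading
# Added example (not a gateway's own code): stale-while-revalidate cache for JWKS
# documents or PDP decisions; `loader` stands in for the remote fetch.

class SwrCache:
    """Fresh for `ttl` s, then served stale for `grace` s while a background refresh
    runs; failed refreshes back off exponentially; 'miss' means fail closed."""

    def __init__(self, ttl, grace, run_async=None, base_backoff=1.0, max_backoff=30.0):
        self.ttl, self.grace = ttl, grace
        self.base_backoff, self.max_backoff = base_backoff, max_backoff
        # injectable so tests can run refreshes inline; production uses a daemon thread
        self.run_async = run_async or (lambda fn: threading.Thread(target=fn, daemon=True).start())
        self._entries, self._next_try, self._failures = {}, {}, {}
        self._lock = threading.Lock()

    def _refresh(self, key, loader, now):
        try:
            value = loader()
        except Exception:                    # PDP/JWKS down: schedule the next attempt
            with self._lock:
                n = self._failures[key] = self._failures.get(key, 0) + 1
                self._next_try[key] = now + min(self.max_backoff, self.base_backoff * 2 ** (n - 1))
            return
        with self._lock:
            self._entries[key] = (value, now)
            self._failures.pop(key, None)
            self._next_try.pop(key, None)

    def get(self, key, loader, now):
        """Return (value, state) with state in {'fresh', 'stale', 'miss'}; `now` is the caller's clock."""
        with self._lock:
            entry = self._entries.get(key)
            may_refresh = now >= self._next_try.get(key, 0)
        if entry is not None:
            value, age = entry[0], now - entry[1]
            if age < self.ttl:
                return value, "fresh"
            if age < self.ttl + self.grace:
                if may_refresh:
                    with self._lock:         # hold off duplicate refreshes of the same key
                        self._next_try[key] = now + self.base_backoff
                    self.run_async(lambda: self._refresh(key, loader, now))
                return value, "stale"
        if may_refresh:                      # nothing usable: block on one attempt
            self._refresh(key, loader, now)
            entry = self._entries.get(key)
            if entry is not None and now - entry[1] < self.ttl:
                return entry[0], "fresh"
        return None, "miss"
```

A 'miss' is the signal to deny (fail closed) rather than to call the PDP again in a loop, which is what the backoff protects against.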

10) Antipatterns

A universal "everything included" plugin set on every route → extra milliseconds and bills.
Plugins with external dependencies but no cache/timeouts → cascading timeouts.
No filter ordering: transformation/logic first and limits afterwards is wrong.
High-cardinality metric labels (raw 'user_id'/'ip').
Mixing authN/authZ into transformation templates (false decisions in Lua/Jinja).
Logging secrets/tokens.
One global Redis/cluster for all limits, without sharding/backup.

11) iGaming/Finance specifics

Per-tenant/per-jurisdiction rules: KYC/AML, sanctions, responsible-gambling payment limits.
Strict policies for payment routes: short timeouts, a single retry, idempotency ('Idempotency-Key').
Perimeter separation for PSP/KYC SDKs (separate domains/plugin chains).
Audit of immutable decision records (outcomes, blocks, sanctions rejections).

12) Production readiness checklist

  • Filter order is fixed: authN → authZ → limits → circuit/timeout → schema → transform → cache.
  • Per-route plugin set; heavy ones only where needed.
  • JWKS/PDP with short TTL and cache; timeout and fallback strategies.
  • Rate/Quota/Concurrency: keys designed.
  • RED/USE metrics set, OTel tracing, tail/adaptive sampling.
  • Canary + shadow mode, auto-rollback on SLOs.
  • Secrets in KMS/Vault; configs versioned with migrations.
  • Body/header limits; protection from oversize/slow-POST.
  • Documentation for clients: 401/403/409/422/429/5xx, 'Retry-After' codes, header examples.

13) TL;DR

Build the chain "Early deny → Authentication/Authorization → Limits/Stability → Validation → Transformation/Cache → Telemetry". Enable only the per-route plugins you need, cache external decisions (JWKS/PDP), set timeouts and retry policies, and control metric cardinality. Release via shadow/canary, keep secrets in KMS/Vault, and measure each plugin's impact on p95/p99.
