Reverse proxy and routing
1) Role of the reverse proxy
The reverse proxy is the platform's "front line": it terminates TLS, distributes traffic across upstreams, and enforces security and performance policy. The goal is minimal added latency, predictable routing, and fast isolation of degraded instances or zones.
2) Layers and protocols
L4: TCP/UDP proxy (SNI-based TLS passthrough, QUIC). Cheap, no need to understand HTTP.
L7: HTTP/1.1, HTTP/2, HTTP/3, gRPC, WebSocket. Rich routing (host, path, headers, cookies), transformation and caching.
TLS model: terminate at the perimeter (NGINX/Envoy), mTLS/mesh inside. SNI allows several virtual hosts behind a single IP.
3) Routing strategies (L7)
1. Host-based: by domain (`api.brand.com` → cluster `brand-api`).
2. Path-based: `/v1/payments` → `payments-svc`, `/v1/wallets` → `wallets-svc`.
3. Header-based: `X-Region: eu-central`, `X-Tenant: 42`, `User-Agent`/`Accept`.
4. Cookie-based: A/B tests, "sticky" sessions.
5. Weighted/Canary: a percentage of traffic to the new version (1-5% → 100%).
6. Geo/ASN: route by country/ASN to the nearest PoP/region.
7. Consistent hashing: bind a key (user_id/tenant_id) to an instance → cache locality/stickiness.
8. Shadow/Mirroring: copy traffic to a "shadow" upstream without affecting the response (for regression testing).
4) Load balancing and fault tolerance
Algorithms: round-robin, least-request, random, ring-hash (consistent).
Health checks: active (HTTP/TCP) + passive (by response code/latency).
Outlier ejection: temporarily "kick out" a host with a high error rate or latency.
Retries: bounded, with a per-try timeout and jitter; never retry unsafe methods without idempotency.
Connection pooling: keep warm pools to upstreams, cap their maximum size.
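The retry rules above, as an added worked example (not code from the original page): a small Python retry policy with a bounded retry count, a per-try timeout capped by the overall deadline, full-jitter backoff, and an idempotency check that refuses to retry a POST unless the client sent an `Idempotency-Key`. The upstream is a constructed fake; the parameter names and defaults (1 retry, 200 ms per try, 350 ms deadline) are assumptions chosen to mirror the Envoy numbers in the configuration examples further down.

```python
import random
import time

# Methods that may be retried without an explicit idempotency key (RFC 9110, section 9.2.2).
IDEMPOTENT_METHODS = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE"}


class UpstreamError(Exception):
    """Raised by the (simulated) upstream for connect failures, resets and timeouts."""


class RetryPolicy:
    """Bounded retries with a per-try timeout, an overall deadline and jittered backoff.

    Parameter names are illustrative (assumed), not those of any particular proxy.
    """

    def __init__(self, max_retries=1, per_try_timeout=0.2, deadline=0.35, base_backoff=0.025):
        self.max_retries = max_retries
        self.per_try_timeout = per_try_timeout
        self.deadline = deadline
        self.base_backoff = base_backoff

    def is_retryable(self, method, headers):
        # Unsafe methods are retried only when the client supplied an Idempotency-Key;
        # otherwise a POST that timed out after reaching the upstream could execute twice.
        return method.upper() in IDEMPOTENT_METHODS or "Idempotency-Key" in headers

    def backoff(self, attempt, rng):
        # Full jitter in [0, base * 2^attempt] so retries from many clients do not align.
        return rng.uniform(0, self.base_backoff * (2 ** attempt))

    def send(self, method, headers, upstream, rng=None, clock=time.monotonic, sleep=time.sleep):
        """Send via `upstream(method, headers, timeout)`; returns (response, attempts)."""
        rng = rng or random.Random()
        start = clock()
        attempts = 0
        while True:
            remaining = self.deadline - (clock() - start)
            if remaining <= 0:
                raise UpstreamError(f"deadline exceeded after {attempts} attempts")
            attempts += 1
            try:
                # The per-try timeout never exceeds what is left of the overall deadline.
                return upstream(method, headers, min(self.per_try_timeout, remaining)), attempts
            except UpstreamError:
                if attempts > self.max_retries or not self.is_retryable(method, headers):
                    raise
                sleep(self.backoff(attempts, rng))


def make_flaky_upstream(failures_before_success):
    """Constructed upstream: fails the first N calls, then returns 200. Also counts calls."""
    calls = {"n": 0}

    def upstream(method, headers, timeout):
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise UpstreamError("connect-failure")
        return {"status": 200, "served_on_attempt": calls["n"]}

    return upstream, calls


def simulate(method, headers, failures_before_success, max_retries=1):
    """Run one request through the policy; returns (outcome, number of upstream calls)."""
    policy = RetryPolicy(max_retries=max_retries)
    upstream, calls = make_flaky_upstream(failures_before_success)
    try:
        response, attempts = policy.send(method, headers, upstream, sleep=lambda s: None)
        return f"ok after {attempts} attempt(s)", calls["n"]
    except UpstreamError as exc:
        return f"failed: {exc}", calls["n"]


if __name__ == "__main__":
    print(simulate("GET", {}, failures_before_success=1))    # retried once, succeeds
    print(simulate("POST", {}, failures_before_success=1))   # not retried: unsafe method, no key
    print(simulate("POST", {"Idempotency-Key": "ord-7f3a"}, failures_before_success=1))  # retried
    print(simulate("GET", {}, failures_before_success=5))    # gives up after max_retries + 1 calls
```

The point of the fake upstream is the call count: a POST without a key costs exactly one upstream call even when it fails, which is the behaviour section 14 asks for.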
5) Perimeter performance
Caching: by key (method + host + path + Vary), conditional requests `ETag/If-None-Match`, TTL and stale-while-revalidate.
Compression: brotli/gzip for text responses.
HTTP/2/3: multiplexing, header compression; make sure the WAF/IDS supports them.
Request coalescing: collapse parallel requests for the same cache key into a single origin fetch.
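An added example (not from the original page) showing the two mechanisms above together: a cache keyed on method + host + path whose variants are selected by the request headers named in the response's `Vary`, plus request coalescing so that parallel misses for one key cost a single origin fetch. The origin, the request headers and the response shape are constructed; `Accept-Encoding` is used because it is the usual case in which a key without `Vary` serves a gzip body to a client that asked for br.

```python
import threading
import time


class VaryCache:
    """Proxy-style cache keyed on method+host+path, with Vary-selected variants and
    request coalescing (one origin fetch per key while concurrent requests wait).
    Responses are plain dicts {"headers": {...}, "body": ...} (assumed shape)."""

    def __init__(self):
        self._entries = {}    # base key -> {"vary": str, "variants": {secondary key: response}}
        self._inflight = {}   # coalesce key -> {"done": Event, "resp": response or None}
        self._lock = threading.Lock()
        self.origin_calls = 0

    @staticmethod
    def _secondary(req_headers, vary):
        # Secondary key: the request's value of every header named in the response's Vary.
        names = sorted(n.strip().lower() for n in vary.split(",") if n.strip())
        lowered = {k.lower(): v for k, v in req_headers.items()}
        return tuple((n, lowered.get(n, "")) for n in names)

    def fetch(self, method, host, path, req_headers, origin):
        base = (method.upper(), host.lower(), path)
        with self._lock:
            entry = self._entries.get(base)
            if entry is not None:
                sec = self._secondary(req_headers, entry["vary"])
                if sec in entry["variants"]:
                    return entry["variants"][sec], "HIT"
                coalesce_key = (base, sec)
            else:
                # Vary is unknown until the first response: coalesce only requests with
                # identical headers, so two variants can never be collapsed into one.
                coalesce_key = (base, tuple(sorted((k.lower(), v) for k, v in req_headers.items())))
            waiter = self._inflight.get(coalesce_key)
            leader = waiter is None
            if leader:
                waiter = self._inflight[coalesce_key] = {"done": threading.Event(), "resp": None}
        if not leader:
            waiter["done"].wait()
            if waiter["resp"] is None:
                raise RuntimeError("coalesced request: leader fetch failed")
            return waiter["resp"], "COALESCED"
        try:
            resp = origin(req_headers)
            vary = resp.get("headers", {}).get("Vary", "")
            with self._lock:
                self.origin_calls += 1
                entry = self._entries.setdefault(base, {"vary": vary, "variants": {}})
                entry["vary"] = vary
                entry["variants"][self._secondary(req_headers, vary)] = resp
            waiter["resp"] = resp
            return resp, "MISS"
        finally:
            with self._lock:
                self._inflight.pop(coalesce_key, None)
            waiter["done"].set()


def origin_by_encoding(req_headers):
    """Constructed origin: the body depends on Accept-Encoding and the response says so via Vary."""
    enc = req_headers.get("Accept-Encoding", "identity")
    return {"headers": {"Vary": "Accept-Encoding"}, "body": f"{enc}-body"}


def demo_vary():
    """gzip and br clients get different variants; a repeated gzip request is a HIT.
    With a key of method+host+path only, the br client would receive the gzip body."""
    cache = VaryCache()
    args = ("GET", "api.example.com", "/v1/wallets/42")
    results = [cache.fetch(*args, {"Accept-Encoding": enc}, origin_by_encoding)
               for enc in ("gzip", "br", "gzip")]
    return [(resp["body"], status) for resp, status in results], cache.origin_calls


def demo_coalescing(n=5):
    """n parallel misses for one key: exactly one origin call; the others wait for its result."""
    cache = VaryCache()
    gate, entered = threading.Event(), threading.Event()

    def slow_origin(req_headers):
        entered.set()
        gate.wait()                    # hold the leader so the other requests queue behind it
        return {"headers": {"Vary": ""}, "body": "shared-body"}

    results = []
    workers = [threading.Thread(target=lambda: results.append(
        cache.fetch("GET", "api.example.com", "/v1/rates", {}, slow_origin))) for _ in range(n)]
    for t in workers:
        t.start()
    entered.wait()
    time.sleep(0.2)                    # let the followers reach the in-flight entry
    gate.set()
    for t in workers:
        t.join()
    return cache.origin_calls, sorted(status for _, status in results)


if __name__ == "__main__":
    print(demo_vary())    # ([('gzip-body', 'MISS'), ('br-body', 'MISS'), ('gzip-body', 'HIT')], 2)
    print(demo_coalescing())
```

The conservative rule for the very first request (coalesce only identical header sets until `Vary` is known) is what keeps coalescing from reintroducing the "wrong response" problem that `Vary` exists to prevent.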
6) Proxy security
TLS: 1.2+ (preferably 1.3), OCSP stapling, HSTS.
WAF/bot filters: applied before routing to the API.
CORS/CSP/Fetch-Metadata: according to policy.
Header hygiene: `X-Forwarded-For/Proto`, `Forwarded`, `traceparent`; protection against header injection and oversized headers. Trust forwarding headers only from known proxies; a client-supplied `X-Forwarded-For` is attacker-controlled.
Body/header limits: early 413/431 for DoS patterns.
mTLS for partner integrations and internal APIs.
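The header-hygiene points above, as an added Python example (not the page's own code): derive the client IP from `X-Forwarded-For` by walking it right to left past a configured list of trusted proxies, drop routing-override headers such as `X-Region`/`X-Canary` (used elsewhere on this page for debugging and canaries) unless they arrive from a trusted hop, reject CR/LF header injection with 400 and oversized headers with 431, then rewrite the forwarding headers before the request goes upstream. The trusted ranges, size limits and override-header names are assumptions.

```python
import ipaddress

# Constructed trust list: the LB/CDN ranges that sit in front of this proxy (assumed).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Debug/override headers: honoured only when the immediate peer is a trusted proxy.
OVERRIDE_HEADERS = {"x-region", "x-canary"}
# Forwarding headers are always rewritten by us, never passed through verbatim.
FORWARDING_HEADERS = {"x-forwarded-for", "x-forwarded-proto", "x-real-ip", "forwarded"}
MAX_HEADER_BYTES = 8 * 1024      # total header budget (assumed); exceeding it yields 431
MAX_HEADER_COUNT = 100


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff):
    """Walk X-Forwarded-For right to left, skipping trusted proxies.

    The first hop that is not one of our proxies is the client. Everything to the left
    of it was written by the client (or by a proxy we do not trust) and is ignored.
    """
    if not is_trusted(peer_ip):
        return peer_ip                      # direct connection: XFF is attacker-controlled
    candidate = peer_ip
    for hop in reversed([h.strip() for h in (xff or "").split(",") if h.strip()]):
        try:
            addr = str(ipaddress.ip_address(hop))
        except ValueError:
            break                           # malformed entry: stop, trust nothing further left
        candidate = addr
        if not is_trusted(addr):
            return candidate
    return candidate


def sanitize(peer_ip, headers):
    """Return (status, headers_for_upstream); status 0 means forward the request."""
    size = sum(len(k) + len(v) + 4 for k, v in headers.items())   # "name: value\r\n"
    if len(headers) > MAX_HEADER_COUNT or size > MAX_HEADER_BYTES:
        return 431, {}
    trusted = is_trusted(peer_ip)
    lowered = {k.lower(): v for k, v in headers.items()}
    out = {}
    for name, value in headers.items():
        if any(ch in name or ch in value for ch in "\r\n"):
            return 400, {}                  # header injection attempt
        lname = name.lower()
        if lname in OVERRIDE_HEADERS and not trusted:
            continue                        # override from an untrusted source: drop it
        if lname in FORWARDING_HEADERS:
            continue                        # rewritten below
        out[name] = value
    xff_in = lowered.get("x-forwarded-for", "")
    out["X-Real-IP"] = client_ip(peer_ip, xff_in)
    # Extend the chain only when we trust the chain we received; otherwise start it over.
    out["X-Forwarded-For"] = f"{xff_in}, {peer_ip}" if trusted and xff_in else peer_ip
    out["X-Forwarded-Proto"] = "https"      # we terminated TLS; ignore whatever the client sent
    return 0, out


if __name__ == "__main__":
    # Direct client spoofing XFF and X-Region: both are discarded.
    print(sanitize("203.0.113.5", {"Host": "api.example.com", "X-Forwarded-For": "1.2.3.4", "X-Region": "eu"}))
    # Request arriving via a trusted LB: the override is kept and the chain is extended.
    print(sanitize("10.0.0.7", {"Host": "api.example.com", "X-Forwarded-For": "198.51.100.9", "X-Region": "eu"}))
```

Note the asymmetry: `X-Forwarded-Proto` is overwritten unconditionally because this proxy is the TLS terminator, whereas `X-Forwarded-For` is extended only behind a trusted hop.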
7) Deployment schemes: canary/blue-green/versioning
Weighted routing at L7 (1%, 5%, 25%, 50%, 100%).
Header gate: flag/header (internal/testing).
Blue-green: DNS/route switch, fast rollback.
Shadow: run the new version in parallel while recording metrics/logs.
8) Sticky sessions and hash routing
Cookie stickiness (`Set-Cookie: SRV=shard-a; Path=/; HttpOnly`) for stateful workloads; add `Secure` on HTTPS, and keep the cookie a shard identifier only, never a session secret.
Ring-hash/consistent hashing by `user_id`/`tenant_id`: fewer cache misses.
Warning: avoid "permanent" stickiness for write workloads → hot spots; apply per-tenant quotas.
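An added example (not from the original page) of the ring-hash policy referred to in sections 3, 4 and 8: a consistent-hash ring with virtual nodes, the fraction of keys that move when a fifth shard is added (compared with naive `hash mod N`), and a hot-spot check over a constructed write stream keyed on `tenant_id` in which one tenant dominates. Node names, key formats, the number of virtual nodes and the hot-spot threshold are assumptions.

```python
import bisect
import hashlib
from collections import Counter


def _point(s):
    # 64-bit ring position from SHA-256: stable across processes, unlike Python's hash().
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")


class HashRing:
    """Consistent hashing with virtual nodes (the 'ring-hash' policy of Envoy/NGINX)."""

    def __init__(self, nodes=(), vnodes=128):
        self.vnodes = vnodes
        self._ring = []                      # sorted list of (point, node)
        for node in nodes:
            self.add(node)

    def add(self, node):
        for i in range(self.vnodes):
            bisect.insort(self._ring, (_point(f"{node}#{i}"), node))

    def remove(self, node):
        self._ring = [entry for entry in self._ring if entry[1] != node]

    def get(self, key):
        """Owner of `key`: the first virtual node clockwise from the key's point."""
        if not self._ring:
            raise LookupError("empty ring")
        idx = bisect.bisect_right(self._ring, (_point(key), "")) % len(self._ring)
        return self._ring[idx][1]


def assign(ring, keys):
    return {k: ring.get(k) for k in keys}


def modulo_assign(nodes, keys):
    """Naive 'hash mod N' for comparison: almost every key moves when N changes."""
    return {k: nodes[_point(k) % len(nodes)] for k in keys}


def moved_fraction(before, after):
    """Share of keys whose owner changed between two assignments of the same key set."""
    return sum(before[k] != after[k] for k in before) / len(before)


def node_shares(ring, requests):
    """Load share per node for a request stream; keys may repeat (e.g. tenant_id)."""
    counts = Counter(ring.get(k) for k in requests)
    return {node: n / len(requests) for node, n in counts.items()}


def hot_spots(shares, limit):
    """Nodes carrying more than `limit` of the traffic (threshold is an assumption)."""
    return sorted(node for node, share in shares.items() if share > limit)


def demo_rebalance(n_keys=10000):
    """Add a fifth shard: ring-hash moves ~1/5 of the keys, hash-mod-N moves ~4/5."""
    keys = [f"user_{i}" for i in range(n_keys)]       # constructed user_id keys
    nodes = [f"shard-{c}" for c in "abcd"]
    ring = HashRing(nodes)
    before = assign(ring, keys)
    ring.add("shard-e")
    after = assign(ring, keys)
    naive = moved_fraction(modulo_assign(nodes, keys), modulo_assign(nodes + ["shard-e"], keys))
    return {"ring_moved": moved_fraction(before, after), "modulo_moved": naive,
            "max_share_after": max(node_shares(ring, keys).values())}


def demo_hot_spot():
    """Constructed write stream keyed on tenant_id where one tenant sends 60% of requests."""
    ring = HashRing([f"shard-{c}" for c in "abcd"])
    requests = ["tenant-1"] * 600 + [f"tenant-{i}" for i in range(2, 402)]
    return {"hot": hot_spots(node_shares(ring, requests), limit=0.5),
            "owner_of_tenant_1": ring.get("tenant-1")}


if __name__ == "__main__":
    print(demo_rebalance())   # ring_moved ≈ 0.2, modulo_moved ≈ 0.8
    print(demo_hot_spot())    # the shard owning tenant-1 is reported as a hot spot
```

Consistent hashing limits the blast radius of a topology change, but it does nothing about key skew: the hot-spot check is the part that belongs in monitoring, and per-tenant quotas or key splitting are the remedy.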
9) Regional and geo-routing
Anycast + geo-DNS for the nearest PoP.
Header override (e.g. `X-Region`) for tests and debugging; honour it only from trusted sources, never from arbitrary clients.
Comply with legally required data localization (route by region/jurisdiction).
10) Observability and monitoring
RED metrics: RPS, error rate (by class), latency p95/p99 per route/cluster.
Outlier/health: number of ejections/retries, slow-call rate.
Logs: structured, without PII; `trace_id`/`span_id`.
Tracing (OTel): ingress → router → upstream; exemplars on p99 graphs.
11) Configuration examples
11.1 NGINX: host/path/weighted + cache
```nginx
# Cache zone must be declared in the http{} context, not inside server{}.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=apicache:256m max_size=10g inactive=10m use_temp_path=off;

# Header gate: X-Canary: 1 selects v2. The header is client-controlled, so strip or
# validate it at the edge unless any client is allowed to opt into the canary.
map $http_x_canary $canary { default 0; "1" 1; }

# Weighted: 5% of the remaining traffic goes to v2, keyed on the request id (no stickiness).
split_clients "${request_id}" $canary_split { 5% 1; * 0; }

upstream app_v1 { least_conn; server 10.0.0.1:8080 max_fails=3 fail_timeout=10s; }
upstream app_v2 { least_conn; server 10.0.0.2:8080; }
upstream static_cluster { server 10.0.0.3:8080; }   # assumed; not defined in the original snippet

server {
    listen 443 ssl http2;
    server_name api.example.com;
    # ssl_certificate / ssl_certificate_key omitted

    location /v1/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Request-ID $request_id;
        proxy_read_timeout 300ms;
        proxy_connect_timeout 100ms;
        # Header gate or 5% split → v2, everything else → v1
        set $backend app_v1;
        if ($canary) { set $backend app_v2; }
        if ($canary_split) { set $backend app_v2; }
        proxy_pass http://$backend;
    }

    # Static assets with cache
    location /assets/ {
        proxy_cache apicache;
        proxy_cache_valid 200 10m;
        add_header Cache-Control "public, max-age=600";
        proxy_pass http://static_cluster;
    }
}
```
11.2 Envoy: header routing, canary, outlier ejection, mirroring
```yaml
static_resources:
  clusters:
    - name: svc_v1
      type: STRICT_DNS
      lb_policy: LEAST_REQUEST
      connect_timeout: 0.1s
      load_assignment: { cluster_name: svc_v1, endpoints: [ { lb_endpoints: [ { endpoint: { address: { socket_address: { address: svc-v1.internal, port_value: 8080 } } } } ] } ] }
      # Passive health: eject a host after 5 consecutive 5xx, for 30s, never more than half the pool.
      outlier_detection: { consecutive_5xx: 5, interval: 5s, base_ejection_time: 30s, max_ejection_percent: 50 }
    - name: svc_v2
      type: STRICT_DNS
      lb_policy: LEAST_REQUEST
      connect_timeout: 0.1s
      load_assignment: { cluster_name: svc_v2, endpoints: [ { lb_endpoints: [ { endpoint: { address: { socket_address: { address: svc-v2.internal, port_value: 8080 } } } } ] } ] }
    - name: mirror_svc
      type: STRICT_DNS
      connect_timeout: 0.1s
      load_assignment: { cluster_name: mirror_svc, endpoints: [ { lb_endpoints: [ { endpoint: { address: { socket_address: { address: mirror.internal, port_value: 8080 } } } } ] } ] }
  listeners:
    - name: https
      address: { socket_address: { address: 0.0.0.0, port_value: 443 } }
      filter_chains:
        - filters:   # the TLS transport_socket for this chain is omitted here
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_https
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config: { "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router }
                route_config:
                  virtual_hosts:
                    - name: api
                      domains: ["api.example.com"]
                      routes:
                        # Header route: X-Region: eu → svc_v1, one bounded retry, mirrored to mirror_svc.
                        # Retrying on 5xx is only safe for idempotent requests (see section 4).
                        - match:
                            prefix: "/v1"
                            headers:
                              - name: "X-Region"
                                string_match: { exact: "eu" }
                          route:
                            cluster: svc_v1
                            timeout: 0.35s
                            retry_policy: { retry_on: "connect-failure,reset,5xx", num_retries: 1, per_try_timeout: 0.2s }
                            request_mirror_policies:
                              - cluster: mirror_svc
                                runtime_fraction:
                                  default_value: { numerator: 100, denominator: HUNDRED }
                                  runtime_key: mirror.enabled
                        # Everything else under /v1: weighted canary 95/5.
                        - match: { prefix: "/v1" }
                          route:
                            weighted_clusters:
                              clusters: [ { name: svc_v1, weight: 95 }, { name: svc_v2, weight: 5 } ]
```
11.3 Traefik: rules + middleware
```yaml
http:
  routers:
    api:
      rule: "Host(`api.example.com`) && PathPrefix(`/v1`)"
      entryPoints: [websecure]
      tls: {}
      service: svc
      middlewares: [hsts, compress]
  middlewares:
    hsts:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
    compress:
      compress: {}
  services:
    svc:
      weighted:
        services:
          - name: v1
            weight: 95
          - name: v2
            weight: 5
    # Backends for the weighted service (addresses assumed)
    v1:
      loadBalancer:
        servers: [{ url: "http://10.0.0.1:8080" }]
    v2:
      loadBalancer:
        servers: [{ url: "http://10.0.0.2:8080" }]
```
11.4 Kubernetes: Ingress manifests for a canary (NGINX Ingress). The canary annotations belong on a second Ingress that points at the new service; the primary Ingress for the same host/path carries no canary annotations and keeps pointing at the current version.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: { name: api }
spec:
  rules:
    - host: api.example.com
      http:
        paths:
          - { path: /v1, pathType: Prefix, backend: { service: { name: svc-v1, port: { number: 8080 } } } }
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-canary
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "5"
spec:
  rules:
    - host: api.example.com
      http:
        paths:
          - { path: /v1, pathType: Prefix, backend: { service: { name: svc-v2, port: { number: 8080 } } } }
```
12) Transformations and compatibility
Normalization of headers/paths, rewriting `Location`, managing `Cache-Control`.
gRPC via HTTP/JSON (grpc-json-transcoder).
WebSocket/HTTP/2 upgrades: make sure the proxy passes `Upgrade`/`Connection` through.
13) Testing and chaos scenarios
Load generators: bursts, long plateaus, "long" bodies (slow-POST).
Delays/packet loss to upstreams → verify retries/timeouts/outlier ejection.
Canary metrics: p95/p99 and error rate of the new version vs the old; automatic rollback on SLO breach.
Shadow: compare responses and side-by-side logic.
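An added example (not from the original page) tying section 10 to the canary check above: constructed structured access-log lines (JSON, with `trace_id`, route, upstream cluster, status and latency) are folded into RED metrics per route/cluster, and the canary's error rate and p99 are compared with the baseline against an assumed SLO to produce a promote/rollback decision. The log format, the SLO thresholds, the minimum sample size and the sample values are all constructed for the example.

```python
import json
import math
from collections import defaultdict

# Constructed structured access-log lines (one JSON object per line) in the shape an edge
# proxy would emit them: trace_id for correlation, route, upstream cluster, status, latency.
ACCESS_LOG_BASELINE = """
{"ts": 1700000000, "trace_id": "0af7651916cd43dd", "route": "/v1/payments", "cluster": "svc_v1", "status": 200, "latency_ms": 40}
{"ts": 1700000001, "trace_id": "b7ad6b7169203331", "route": "/v1/payments", "cluster": "svc_v1", "status": 200, "latency_ms": 42}
{"ts": 1700000002, "trace_id": "53ce929d0e0e4736", "route": "/v1/payments", "cluster": "svc_v1", "status": 200, "latency_ms": 45}
{"ts": 1700000003, "trace_id": "8c3b5e1f2a9d4c70", "route": "/v1/payments", "cluster": "svc_v1", "status": 200, "latency_ms": 48}
{"ts": 1700000004, "trace_id": "1f9e2d3c4b5a6978", "route": "/v1/payments", "cluster": "svc_v1", "status": 200, "latency_ms": 50}
{"ts": 1700000005, "trace_id": "a9b8c7d6e5f40312", "route": "/v1/payments", "cluster": "svc_v1", "status": 200, "latency_ms": 55}
{"ts": 1700000006, "trace_id": "6e5d4c3b2a190807", "route": "/v1/payments", "cluster": "svc_v1", "status": 200, "latency_ms": 60}
{"ts": 1700000007, "trace_id": "d0c1b2a394857667", "route": "/v1/payments", "cluster": "svc_v1", "status": 200, "latency_ms": 80}
""".strip().splitlines()

ACCESS_LOG_CANARY_BAD = """
{"ts": 1700000000, "trace_id": "e1f2a3b4c5d60718", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 41}
{"ts": 1700000001, "trace_id": "2a3b4c5d6e7f8091", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 44}
{"ts": 1700000002, "trace_id": "9f8e7d6c5b4a3021", "route": "/v1/payments", "cluster": "svc_v2", "status": 500, "latency_ms": 900}
{"ts": 1700000003, "trace_id": "4c5d6e7f80912a3b", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 47}
{"ts": 1700000004, "trace_id": "7f80912a3b4c5d6e", "route": "/v1/payments", "cluster": "svc_v2", "status": 503, "latency_ms": 1200}
{"ts": 1700000005, "trace_id": "0912a3b4c5d6e7f8", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 49}
""".strip().splitlines()

ACCESS_LOG_CANARY_OK = """
{"ts": 1700000000, "trace_id": "11a2b3c4d5e6f708", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 39}
{"ts": 1700000001, "trace_id": "22b3c4d5e6f70819", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 43}
{"ts": 1700000002, "trace_id": "33c4d5e6f708192a", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 46}
{"ts": 1700000003, "trace_id": "44d5e6f708192a3b", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 50}
{"ts": 1700000004, "trace_id": "55e6f708192a3b4c", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 52}
{"ts": 1700000005, "trace_id": "66f708192a3b4c5d", "route": "/v1/payments", "cluster": "svc_v2", "status": 200, "latency_ms": 70}
""".strip().splitlines()


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) over a non-empty list of numbers."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p / 100 * len(ordered)) - 1)]


def red_metrics(lines, window_s=10):
    """RED per (route, cluster): Rate (rps over the window), Errors (5xx share), Duration (p95/p99 ms)."""
    buckets = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        buckets[(rec["route"], rec["cluster"])].append(rec)
    out = {}
    for key, recs in buckets.items():
        latencies = [r["latency_ms"] for r in recs]
        errors = sum(1 for r in recs if r["status"] >= 500)
        out[key] = {"requests": len(recs), "rps": len(recs) / window_s,
                    "error_rate": errors / len(recs),
                    "p95": percentile(latencies, 95), "p99": percentile(latencies, 99)}
    return out


def canary_verdict(metrics, route, baseline, canary, max_error_rate=0.01, p99_ratio=1.5, min_requests=5):
    """Compare canary vs baseline against an assumed SLO: error rate must not exceed the larger of
    max_error_rate and 2x baseline, and p99 must stay within p99_ratio of baseline."""
    base, can = metrics.get((route, baseline)), metrics.get((route, canary))
    if not base or not can or can["requests"] < min_requests:
        return {"decision": "wait", "reasons": ["insufficient canary samples"]}
    reasons = []
    if can["error_rate"] > max(max_error_rate, 2 * base["error_rate"]):
        reasons.append(f"error_rate {can['error_rate']:.3f} vs baseline {base['error_rate']:.3f}")
    if can["p99"] > p99_ratio * base["p99"]:
        reasons.append(f"p99 {can['p99']}ms vs baseline {base['p99']}ms")
    return {"decision": "rollback" if reasons else "promote", "reasons": reasons}


if __name__ == "__main__":
    bad = red_metrics(ACCESS_LOG_BASELINE + ACCESS_LOG_CANARY_BAD)
    print(canary_verdict(bad, "/v1/payments", "svc_v1", "svc_v2"))   # rollback, two reasons
    ok = red_metrics(ACCESS_LOG_BASELINE + ACCESS_LOG_CANARY_OK)
    print(canary_verdict(ok, "/v1/payments", "svc_v1", "svc_v2"))    # promote
```

With a few hundred requests per window the same comparison is what an auto-rollback job evaluates on every tick; the `min_requests` guard is there because a single 5xx in a tiny sample would otherwise trip the error-rate rule.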
14) Antipatterns
Global retries that ignore idempotency and deadlines → duplicates and retry storms.
Sticky sessions without monitoring "hot" shards → load skew.
No health checks/outlier ejection in the pool → "rotten" instances keep receiving traffic.
Unlimited headers/bodies → the simplest DoS.
Mixing transformations and security policy without schema versioning → unexpected regressions.
A single global cache key without `Vary` → wrong responses served to the wrong clients.
15) iGaming/finance specifics
Regionality: route by the player's/brand's jurisdiction; isolate payment zones.
Critical routes (deposits/payouts): short timeouts, a single retry, idempotency; separate clusters.
PSP/KYC: separate upstream pools, retry/timeout, circuit breaker, geo-pinning.
A/B channels: safe experiments with payments/limits only on read-only paths; writes only behind flags and at small percentages.
16) Production readiness checklist
- TLS 1.2+/1.3, OCSP stapling, HSTS; correct `X-Forwarded-*`.
- Explicit routing rules: host/path/header/cookie; documented.
- Health checks, outlier ejection, per-try timeout, bounded retries.
- Weighted/canary + shadow; auto-rollback on SLO/alerts.
- Cache/compression/ETag; body/header limits; request coalescing.
- `trace_id` on ingress/egress; RED + outlier/health metrics; per route/cluster.
- WAF/bot filters/CORS; protection against oversize and slow-POST.
- Sticky/consistent hashing where needed; hot-shard monitoring.
- Configs are versioned, rollouts are safe, secrets live in KMS/Vault.
17) TL;DR
Terminate TLS at the perimeter and route at L7 by host/path/header/cookie. For releases: weighted canary and shadow; for resilience: health checks, outlier ejection, bounded retries with a per-try timeout. Use caching, compression and consistent hashing where they improve p95. Measure RED signals and the health of the pools; keep the WAF and size limits in place. For critical payment paths: separate clusters, short SLAs, and strict control of retries/idempotency.