GH GambleHub

API gateway plugins and middleware

1) Why plugins and middleware

The API gateway is the enforcement point for corporate policy. A correctly assembled plugin chain:
  • standardises security (authN/authZ, WAF, CORS),
  • protects stability (rate limiting, circuit breaker, retry policies),
  • manages the contract (schema validation, transformation),
  • provides observability (metrics, logs, traces),
  • reduces cost (caching, deduplication, canary rules).

Key principles: least privilege and an explicit, consistent filter order.

2) Plugin classes and what they do

1. Identification/authentication

JWT/JWKS providers, OAuth2/OIDC, API keys, mTLS (client certificates).
HMAC signatures (webhooks/partners), DPoP/PoP at the edge.

2. Authorization

RBAC/ABAC/OPA/Cedar (PDP) with a local decision cache.
BOLA guard: check the 'tenant'/'owner' from the header/context against the resource actually being addressed.

3. Network and protocol protections

WAF (OWASP CRS), anti-bot (rate/behavioural), Geo/IP/ASN filters, TLS profiles.
CORS, CSP headers, Fetch-Metadata filters, CORP/COOP/COEP.

4. Stability

Rate limiting (token bucket/GCRA), quotas and concurrency limits.
Circuit breaker, timeouts, adaptive concurrency, load shedding.
Retry policy with a per-try timeout and jitter.
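The GCRA limiter named above stores a single number per limit key and decides in O(1), which is why it suits the hot path. The following is an added example for this page (not code from Envoy, NGINX, Kong or any other product); the in-memory dict stands in for the Redis key a shared limiter would use, and `limit_response` is a hypothetical name for what the filter hands back to the chain.

```python
"""GCRA (generic cell rate algorithm) limiter that also computes the
Retry-After value a gateway sends with a 429. Added example for this page,
not vendor code; the in-memory dict stands in for a Redis key."""
import math


class GCRALimiter:
    """rate: sustained requests per second; burst: how many requests a quiet
    client may send at once (bucket size). GCRA stores one number per key,
    the theoretical arrival time (TAT) of the next conforming request."""

    def __init__(self, rate: float, burst: int):
        self.interval = 1.0 / rate                          # ideal spacing between requests
        self.tolerance = max(0, burst - 1) * self.interval  # how far TAT may run ahead of now
        self.tat = {}                                       # limit_key -> TAT (seconds)

    def allow(self, key: str, now: float):
        """Returns (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        tat = max(self.tat.get(key, now), now)
        earliest = tat - self.tolerance            # the request conforms once now >= earliest
        if now < earliest:
            return False, max(1, math.ceil(earliest - now))
        self.tat[key] = tat + self.interval        # book one "cell"; no token counting needed
        return True, 0


def limit_response(limiter: GCRALimiter, key: str, now: float):
    """What a rate-limit filter returns to the chain: None to continue, or
    (429, headers) to short-circuit with a Retry-After the client can honour."""
    allowed, retry_after = limiter.allow(key, now)
    if allowed:
        return None
    return 429, {"Retry-After": str(retry_after)}
```

With `rate=2, burst=3` a quiet key gets three immediate requests, the fourth is refused with `Retry-After: 1`, and half a second later one more conforms. In a shared deployment the read-compare-write on the TAT must be atomic (a Lua script or `SET ... GET` on Redis), otherwise two gateway replicas can both admit the same cell.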

5. Transformation and validation

Path/header rewriting, body rewrite, JSON/XML, gRPC, HTTP.
Schema validation (OpenAPI/JSON Schema/Protobuf), ID normalisation.

6. Caching and performance

Response/fragment cache, ETag/If-None-Match, compression (gzip/brotli).
Request collapsing (coalescing) for identical keys.

7. Observability and audit

RED/USE metrics, decision logging (429/403/5xx), tracing (W3C Trace-Context/OpenTelemetry), sampling (tail/adaptive).
Audit of security headers and policy versions.

8. Lifecycle and operations

Canary/blue-green, feature flags, shadow decisions (log only, do not enforce), version migration.

3) Order of application (recommended chain)

[Ingress TLS]
→ Early-Deny (ASN/Geo, IP allow/deny)
→ mTLS / Client Cert Auth
→ JWT/OAuth2 AuthN (JWKS cache)
→ OPA/ABAC AuthZ (decision cache)
→ Rate Limit / Concurrency
→ Circuit / Timeout / Retries (per-try)
→ Schema Validation (request)
→ Transform (headers/path/body) / CORS
→ Caching (lookup)
→ Upstream Proxy (app)
← Caching (store) / Compression
← Response Transform / Schema Validation (response)
← Logging / Tracing / Metrics / Security Headers

Principle: the cheap, request-terminating steps come first (deny, auth, limits); the "cosmetic" ones (transformations, cache) come later.
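The chain above, reduced to its first five decision steps, as an added example for this page (it is not Envoy, Kong or NGINX code). The bearer-token table stands in for JWT/JWKS verification, the PDP is a callback, and the ASN list, tenants and request schema are constructed; what the example shows is the order, the decision log per filter, the cached PDP decision and the fail-closed behaviour when the PDP is unreachable.

```python
"""Ordered filter chain: early-deny -> authN -> authZ (cached PDP, fail-closed)
-> rate limit -> request schema. Added illustration; tokens, tenants, PDP and
schema are constructed stand-ins, not a real JWT/JWKS or OPA integration."""
import json
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    method: str
    headers: dict
    body: bytes = b""
    client_asn: int = 0
    ctx: dict = field(default_factory=dict)  # principal/tenant, filled by authn


@dataclass
class Decision:
    status: int
    reason: str
    trace: list = field(default_factory=list)  # (filter, outcome): the decision log


DENIED_ASNS = {64512}                                        # constructed deny list
TOKENS = {"tok-alice": {"sub": "alice", "tenant": "t1"},     # stand-in for verified JWT claims
          "tok-mallory": {"sub": "mallory", "tenant": "t2"}}
REQUIRED = {"amount": int, "currency": str}                  # constructed request schema


def early_deny(req):
    """Cheapest terminating check first: no parsing, no crypto."""
    if req.client_asn in DENIED_ASNS:
        return 403, "asn_denied"


def authn(req):
    token = req.headers.get("authorization", "").removeprefix("Bearer ").strip()
    claims = TOKENS.get(token)
    if not claims:
        return 401, "invalid_token"
    req.ctx.update(principal=claims["sub"], tenant=claims["tenant"])


class AuthzFilter:
    """BOLA guard plus a PDP call behind a short-TTL decision cache.
    A PDP error never turns into 'allow' (fail-closed)."""

    def __init__(self, pdp, ttl=5.0, clock=time.monotonic):
        self.pdp, self.ttl, self.clock, self.cache = pdp, ttl, clock, {}

    def __call__(self, req):
        # Route template is /v1/{tenant}/...: the tenant in the path must be the token's tenant.
        parts = req.path.split("/")
        if len(parts) < 3 or parts[2] != req.ctx["tenant"]:
            return 403, "tenant_mismatch"
        key = (req.ctx["principal"], req.ctx["tenant"], req.method, req.path)
        hit = self.cache.get(key)
        if hit and hit[1] > self.clock():
            allowed = hit[0]
        else:
            try:
                allowed = bool(self.pdp(*key))
            except Exception:                      # timeout, connection refused, bad reply
                return 503, "pdp_unavailable_fail_closed"
            self.cache[key] = (allowed, self.clock() + self.ttl)
        if not allowed:
            return 403, "policy_denied"


class RateLimitFilter:
    """Fixed-window counter keyed by (tenant, route): bounded cardinality, never user_id or IP."""

    def __init__(self, limit, clock=time.monotonic):
        self.limit, self.clock, self.windows = limit, clock, {}

    def __call__(self, req):
        key = (req.ctx["tenant"], req.method, req.path, int(self.clock()))
        self.windows[key] = self.windows.get(key, 0) + 1
        if self.windows[key] > self.limit:
            return 429, "rate_limited"


def schema_validate(req):
    """Runs after limits, so flooding or unauthenticated clients never reach the JSON parser."""
    try:
        doc = json.loads(req.body)
    except ValueError:
        return 422, "body_not_json"
    for name, typ in REQUIRED.items():
        value = doc.get(name) if isinstance(doc, dict) else None
        if not isinstance(value, typ) or isinstance(value, bool):   # bool is an int in Python
            return 422, f"invalid_field_{name}"


def build_gateway(pdp, rate_limit=50, clock=time.monotonic):
    return [early_deny, authn, AuthzFilter(pdp, clock=clock),
            RateLimitFilter(rate_limit, clock=clock), schema_validate]


def run_chain(filters, req):
    """The first filter that returns (status, reason) ends the request; every step is logged."""
    dec = Decision(200, "ok")
    for f in filters:
        name = getattr(f, "__name__", type(f).__name__)
        outcome = f(req)
        if outcome:
            dec.status, dec.reason = outcome
            dec.trace.append((name, dec.reason))
            return dec
        dec.trace.append((name, "pass"))
    return dec  # the upstream proxy step would run here
```

The `trace` list is the per-filter decision log from section 2.7; the same scenarios are the contract-test table from section 7 (auth → 401, tenant mismatch → 403, rate → 429, schema → 422, PDP down → 503 rather than a silent allow).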

4) Performance and cardinality

On the hot path, stick to O(1) steps with no external calls.
Every "external call" a plugin makes (PDP/JWKS) goes through a short-TTL cache with asynchronous refresh.
Metric tags/labels must have bounded cardinality ('tenant', 'plan', 'route', but never 'user_id').
"Heavy" plugins (WAF, body transform) are enabled selectively, per route.

5) Configuration samples

5.1 Envoy: JWT + RateLimit + OPA + Retries (sketch)

```yaml
static_resources:
  listeners:
  - name: public_listener
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: main
            virtual_hosts:
            - name: api
              domains: ["api.example.com"]
              routes:
              - match: { prefix: "/v1/payments" }
                route:
                  cluster: payments
                  timeout: 0.35s              # overall budget; Envoy durations are written as "<seconds>s"
                  retry_policy:
                    retry_on: connect-failure,reset,gateway-error
                    num_retries: 1             # one retry only; payment routes rely on Idempotency-Key
                    per_try_timeout: 0.2s
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                oidc:
                  issuer: https://auth.example.com/
                  remote_jwks:
                    http_uri: { uri: https://auth.example.com/.well-known/jwks.json, cluster: jwks, timeout: 2s }
                    cache_duration: 300s     # short JWKS TTL
                  forward: true
              rules:                         # without a rule the filter verifies nothing
              - match: { prefix: "/" }
                requires: { provider_name: oidc }
          - name: envoy.filters.http.ext_authz   # OPA/Cedar PDP
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              failure_mode_allow: false          # fail-closed when the PDP is down
              http_service:
                server_uri: { uri: http://opa:8181, cluster: opa, timeout: 0.05s }
                authorization_request:
                  allowed_headers: { patterns: [{ exact: "authorization" }, { exact: "x-tenant" }] }
          - name: envoy.filters.http.ratelimit
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
              domain: public-api
              rate_limit_service:
                transport_api_version: V3
                grpc_service: { envoy_grpc: { cluster_name: rl } }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

The clusters `payments`, `jwks`, `opa` and `rl` are not shown. Note that the ratelimit filter fails open by default (`failure_mode_deny: false`); set it to `true` on routes that must fail closed when the rate-limit service is unreachable.

5.2 NGINX/OpenResty: HMAC + Lua + Redis (sketch)

```nginx
lua_shared_dict jwks   10m;
lua_shared_dict limits 10m;

# $bad_asn is expected to come from a geo/map block fed by an ASN database (not shown)
server {
    listen 443 ssl http2;

    # Early deny by ASN/Geo: the cheapest check goes first
    if ($bad_asn) { return 403; }

    location / {
        access_by_lua_block {
            -- verify_hmac_signature / ratelimit_allow live in an assumed local Lua
            -- module "gateway" (not shown); the signature timestamp must come from the
            -- signed header itself, not from ngx.var.request_time
            local gw = require "gateway"

            -- HMAC signature check (webhooks/partners); the body has to be read first
            ngx.req.read_body()
            local body = ngx.req.get_body_data() or ""
            if not gw.verify_hmac_signature(ngx.var.http_x_signature, body) then
                return ngx.exit(401)
            end

            -- Token bucket in Redis: key = client address + route (ngx.var.uri, not
            -- request_uri, so query strings cannot inflate the key space), 50 r/s, burst 100
            local key = ngx.var.binary_remote_addr .. ":" .. ngx.var.uri
            local allowed, retry_after = gw.ratelimit_allow(key, 50, 100)
            if not allowed then
                ngx.header["Retry-After"] = retry_after
                return ngx.exit(429)
            end
        }

        proxy_read_timeout    300ms;
        proxy_connect_timeout 100ms;
        proxy_pass http://app_backend;
    }
}
```
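What the assumed `verify_hmac_signature` helper in the NGINX sketch above has to do, written as an added example in Python (it is not OpenResty code and not a vendor library). The header layout `X-Signature: t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">` and the 300-second window are assumptions; the signed timestamp is what bounds replay of a captured request, and the list of secrets is what makes key rotation a no-downtime change.

```python
"""Partner/webhook HMAC verification with a signed timestamp, constant-time
comparison and rotation-friendly multiple secrets. Added example for this page."""
import hashlib
import hmac
import time

TOLERANCE = 300   # seconds of clock skew / replay window accepted (assumption)


def sign(secret: bytes, ts: int, body: bytes) -> str:
    """Producer side (the partner): the timestamp is part of the signed data,
    so a captured request cannot be replayed later with a fresh timestamp."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify(secrets, header, body: bytes, now=None):
    """Gateway side. `secrets` lists every currently valid key (new + previous)
    so rotation needs no downtime. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts, given = int(parts["t"]), parts["v1"]
    except (ValueError, KeyError, AttributeError):
        return False, "malformed"
    if abs(now - ts) > TOLERANCE:
        return False, "stale"                 # checked first: cheaper than any MAC
    signed = f"{ts}.".encode() + body         # raw body bytes, never re-serialised JSON
    for secret in secrets:
        expected = hmac.new(secret, signed, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, given):   # constant-time compare
            return True, "ok"
    return False, "bad_signature"
```

Two practitioner notes: sign and verify over the raw bytes exactly as received (re-serialising JSON changes whitespace and key order and breaks the MAC), and do not log the rejected signature or the body on failure, only the reason.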

5.3 Kong: plugins on a route

```yaml
_format_version: "3.0"
services:
- name: payments
  url: http://payments:8080
  routes:
  - name: payments-v1
    paths: ["/v1/payments"]
  plugins:
  - name: jwt
    config: { key_claim_name: kid, secret_is_base64: false, run_on_preflight: false }
  - name: opa                      # config keys shown are illustrative
    config: { server_url: "http://opa:8181/v1/data/authz/allow", timeout: 50 }
  - name: rate-limiting
    # fault_tolerant: true means fail-open when Redis is unreachable; use false on routes that must fail closed
    config: { second: 50, policy: redis, redis_host: redis, fault_tolerant: true }
  - name: correlation-id
    # the plugin generates a UUID, which is not a valid W3C traceparent value; use a
    # dedicated header (e.g. X-Request-ID) and leave traceparent to the tracing plugin
    config: { header_name: "X-Request-ID" }
  - name: response-transformer
    config: { add: { headers: ["Strict-Transport-Security:max-age=31536000"] } }
```

5.4 Apache APISIX: JWT + Limit + Proxy-Mirror (shadow)

```yaml
routes:
- uri: /v1/wallets/*                      # prefix match
  plugins:
    openid-connect:
      client_id: wallet
      client_secret: "<from Vault>"        # required by the plugin; never inline it in the config
      discovery: "https://auth.example.com/.well-known/openid-configuration"
      scope: "openid"
      bearer_only: true                    # API route: verify bearer tokens, no browser redirect
    limit-count:
      count: 100
      time_window: 60
      key_type: "var"
      key: "remote_addr"
      rejected_code: 429                   # the plugin's default is 503
    proxy-mirror:                          # shadow traffic
      host: "http://shadow-backend:8080"
  upstream_id: 1
```

5.5 Traefik: middleware chain

```yaml
http:
  middlewares:
    hsts-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
    ratelimit:
      rateLimit:
        average: 50
        burst: 100
  routers:
    api:
      rule: "Host(`api.example.com`) && PathPrefix(`/v1`)"
      service: app
      middlewares:          # applied in list order: the cheap, terminating limit first
        - ratelimit
        - hsts-headers
```

6) Policy dimensions and versions

Policy key: '{tenant, plan, region, route, version}'.
Plugins read 'tenant' from the mTLS SAN, a JWT claim or a header; a bare header is only trustworthy if the gateway itself sets it, never if the client can supply it.
Version policies ('policy_version'), keep a changelog and roll out via canary.

7) Testing and rollout

Before release

Contract tests for the chain (a "given/then" table): auth → deny, auth → allow, rate → 429, schema → 422.
Load tests: bursts × 10, long plateaus, "dirty" patterns (slow-POST).
Chaos: degradation of PDP/JWKS/Redis must be fail-closed, or degrade to a minimal safe mode.

Release

'Report-Only'/shadow mode (decisions are computed but not enforced).
Canary on 1-5% of traffic + metric comparison (p95/p99, 4xx/5xx/429).
Automatic rollback on SLO/alerts.

8) Observability and metrics

Metrics:
  • `http_requests_total{route,tenant,plan,status}`
  • `request_duration_seconds_bucket{route}` (p95/p99)
  • `rate_limited_total{policy}`, `retry_total{reason}`, `circuit_state`
  • `authn_fail_total{reason}`, `authz_denied_total{action}`
  • `schema_validation_fail_total{route}`
  • Traces: a span per filter, with 'policy_version', 'tenant', 'limit_key' attributes.
  • Logs (sampled): deny/429/5xx decisions with the reason and 'trace_id'.
  • Dashboards: executive summary, per-route, per-tenant, "hot" policies.
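The `route` label in the metrics above only stays bounded if the raw path is folded into its route template before it reaches the metrics backend, and keys such as `user_id` or `ip` never become labels at all. The following is an added example for this page (not code from any gateway or metrics library); the route patterns and the tenant cap are constructed.

```python
"""Bounded-cardinality metric labels: raw path -> route template, allow-listed
label keys, and a cap on distinct tenant values. Added example for this page."""
import re

ROUTE_PATTERNS = [  # (regex, template); constructed for the example
    (re.compile(r"^/v1/wallets/[^/]+/transactions/[^/]+$"), "/v1/wallets/{id}/transactions/{tx}"),
    (re.compile(r"^/v1/wallets/[^/]+$"), "/v1/wallets/{id}"),
    (re.compile(r"^/v1/payments$"), "/v1/payments"),
]
ALLOWED_LABELS = {"tenant", "plan", "status", "method"}   # route is added by the function


def route_label(path: str) -> str:
    for pattern, template in ROUTE_PATTERNS:
        if pattern.match(path):
            return template
    return "unmatched"   # scanners, typos and 404s share one bucket instead of one series each


def metric_labels(path: str, raw: dict, seen_tenants: set, max_tenants: int = 1000) -> dict:
    """raw holds whatever the filters attached (user_id, ip, ...); only bounded keys pass."""
    labels = {"route": route_label(path)}
    labels.update((k, v) for k, v in raw.items() if k in ALLOWED_LABELS)
    tenant = labels.get("tenant")
    if tenant is not None:
        if tenant in seen_tenants or len(seen_tenants) < max_tenants:
            seen_tenants.add(tenant)
        else:
            labels["tenant"] = "other"   # cap the series count if tenants keep appearing
    return labels
```

`seen_tenants` is process-local state; the cap protects the metrics backend from a tenant-enumeration burst turning into thousands of new series, while `unmatched` does the same for path scanning.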

9) Security and operations

All secrets (HMAC keys, JWKS private keys, API keys) live in KMS/Vault, not in config files.
Deny-by-default policy for sensitive routes.
Short-TTL JWKS/PDP caches, refreshed asynchronously with backoff.
Transformation schema migrations are versioned; "breaking" changes go through dual-write.
Limit body size (DoS) and JSON nesting depth.
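A body-size and nesting-depth guard that runs before the JSON parser, as an added example for this page (not gateway code). The limits are assumptions. It only bounds depth; the real parser still runs afterwards, which is the point: a deeply nested body is refused with a 4xx before it can exhaust the parser's recursion limit and surface as a 500.

```python
"""Pre-parse guard for request bodies: size cap and JSON nesting depth cap.
Added example; limits are assumptions. Not a JSON validator."""
MAX_BODY = 64 * 1024
MAX_DEPTH = 20


def check_json_body(body: bytes, max_body: int = MAX_BODY, max_depth: int = MAX_DEPTH):
    """Returns (ok, reason). One pass over the bytes, O(1) memory regardless of depth."""
    if len(body) > max_body:
        return False, "body_too_large"
    depth, in_string, escaped = 0, False, False
    for b in body:
        if in_string:                     # brackets inside strings do not count
            if escaped:
                escaped = False
            elif b == 0x5C:               # backslash starts an escape
                escaped = True
            elif b == 0x22:               # closing quote
                in_string = False
            continue
        if b == 0x22:
            in_string = True
        elif b in (0x5B, 0x7B):           # '[' or '{'
            depth += 1
            if depth > max_depth:
                return False, "nesting_too_deep"
        elif b in (0x5D, 0x7D):           # ']' or '}'
            depth -= 1
            if depth < 0:
                return False, "unbalanced"
    if in_string or depth != 0:
        return False, "unbalanced"
    return True, "ok"
```

Apply the size cap at the proxy too (`client_max_body_size` in NGINX, `max_request_bytes` on the Envoy buffer filter) so the bytes are dropped before they are buffered; the depth scan here is for what gets through.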

10) Antipatterns

A universal plugin set on every route → extra milliseconds and cost.
Plugin external dependencies without cache/timeouts → cascading timeouts.
No defined filter order: transformation/logic first and limits afterwards is wrong.
High-cardinality metric labels (raw 'user_id'/'ip').
Mixing authN/authZ into transformation templates (opaque decisions in Lua/Jinja).
Logging secrets/tokens.
A single global Redis/cluster for all limits.

11) iGaming/finance specifics

Per-tenant/per-jurisdiction rules: KYC/AML, sanctions, responsible-gambling payment limits.
Strict policies for payment routes: short timeouts, at most one retry, idempotency ('Idempotency-Key').
Separate perimeters for PSP/KYC SDKs (separate domains/plugin chains).
Immutable audit log of decisions (outcomes, blocks, sanctions refusals).
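The 'Idempotency-Key' rule for payment routes, worked through as an added example for this page (not code from any PSP or gateway): the same key with the same payload replays the stored response, the same key with a different payload is a 409, and a key whose first attempt is still in flight is a 409 until it completes. The dict-backed store with a TTL stands in for Redis, and `process` is a callback standing in for the PSP call.

```python
"""Idempotency-Key handling for a payment POST route. Added example;
the store stands in for Redis with TTL and the PSP call is a callback."""
import hashlib
import json
import time


class IdempotencyStore:
    def __init__(self, ttl: float = 86400, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def get(self, key):
        entry = self.entries.get(key)
        if entry and entry["exp"] > self.clock():
            return entry
        self.entries.pop(key, None)       # expired: the key may be reused
        return None

    def put(self, key, value: dict):
        self.entries[key] = dict(value, exp=self.clock() + self.ttl)

    def delete(self, key):
        self.entries.pop(key, None)


def handle_payment(store, tenant, idem_key, body: bytes, process):
    """process(doc) -> (status, response) performs the actual payment (PSP call)."""
    if not idem_key:
        return 400, {"error": "Idempotency-Key header is required on this route"}
    fingerprint = hashlib.sha256(body).hexdigest()   # raw body, so a changed amount is detected
    key = (tenant, idem_key)                          # scoped per tenant: no cross-tenant collisions
    entry = store.get(key)
    if entry:
        if entry["fp"] != fingerprint:
            return 409, {"error": "Idempotency-Key reused with a different payload"}
        if entry["state"] == "in_progress":
            return 409, {"error": "request with this key is still being processed"}
        return entry["status"], entry["response"]     # replay, no second charge
    store.put(key, {"fp": fingerprint, "state": "in_progress"})
    try:
        status, response = process(json.loads(body))
    except Exception:
        store.delete(key)                             # allow the client to retry the same key
        raise
    store.put(key, {"fp": fingerprint, "state": "done", "status": status, "response": response})
    return status, response
```

With Redis the `in_progress` marker must be written with `SET NX` (or a Lua script) so that two gateway replicas receiving the same retry cannot both reach the PSP; the dict here is single-process, so the check-then-put is not a race.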

12) Production-readiness checklist

  • Filter order is fixed: authN → authZ → limits → circuit/timeout → schema → transform → cache.
  • Per-route plugin sets; heavy plugins only where needed.
  • JWKS/PDP with short TTL and cache; timeouts and fallback strategies.
  • Rate/Quota/Concurrency: limit keys are designed (bounded, per tenant/route).
  • RED/USE metric set, OTel traces, tail/adaptive sampling.
  • Canary + shadow mode, auto-rollback on SLO.
  • Secrets in KMS/Vault; configs versioned, with migrations.
  • Body/header limits; protection against oversize/slow-POST.
  • Client documentation: 401/403/409/422/429/5xx codes, 'Retry-After', header examples.

13) TL;DR

Build the chain "early deny → authentication/authorization → limits/stability → validation → transformation/cache → telemetry". Enable only the plugins each route needs, cache external decisions (JWKS/PDP), set timeouts and retry policies, and keep metric cardinality under control. Release via shadow/canary, keep secrets in KMS/Vault, and measure each plugin's effect on p95/p99.
