Reverse proxy and routing
1) Role of the reverse proxy
The reverse proxy is the platform's "front line": it terminates TLS, distributes traffic across upstreams, and enforces security and performance policy. The goal is minimal latency, predictable routing, and fast isolation of degraded instances/zones.
2) Layers and protocols
L4: TCP/UDP proxy (SNI-based TLS passthrough, QUIC). Cheap, but it understands nothing about HTTP.
L7: HTTP/1.1, HTTP/2, HTTP/3, gRPC, WebSocket. Rich routing (host, path, headers, cookies), transformation and caching.
TLS model: terminate at the perimeter (NGINX/Envoy), mTLS/mesh inside. SNI makes several virtual hosts on one IP possible.
3) Routing strategies (L7)
1. Host-based: by domain (`api.brand.com` → cluster `brand-api`).
2. Path-based: `/v1/payments` → `payments-svc`, `/v1/wallets` → `wallets-svc`.
3. Header-based: `X-Region: eu-central`, `X-Tenant: 42`, `User-Agent`/`Accept`. Client-supplied headers are routing hints only, never an authorization decision; strip or overwrite them at the edge.
4. Cookie-based: A/B tests, "sticky" sessions.
5. Weighted/Canary: a percentage of traffic to the new version (1-5% → 100%).
6. Geo/ASN: send the client to the nearest POP/region by country/ASN.
7. Consistent hashing: bind a key (user_id/tenant_id) to an instance → cache locality/stickiness.
8. Shadow/Mirroring: copy traffic to a "shadow" upstream without affecting the response (for regression tests).
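The strategies above combined in one matcher, as an added example (not code from the original page): host, path prefix, header and cookie rules are evaluated in priority order, and the weighted canary uses a deterministic hash bucket so one client always sees one version. Cluster names, the `X-Canary` gate header and the hash salt are assumptions chosen for the demo.

```python
"""Added example, not code from the original page: an L7 route table that
combines host, path-prefix, header, cookie and weighted-canary matching.
Cluster names, the X-Canary gate header and the hashing salt are
assumptions chosen for the demo."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)   # names lower-cased by the parser
    cookies: dict = field(default_factory=dict)


@dataclass
class Route:
    cluster: str
    host: Optional[str] = None
    prefix: Optional[str] = None
    headers: dict = field(default_factory=dict)   # exact-match requirements
    cookie: Optional[tuple] = None                # (name, value)
    canary: Optional[tuple] = None                # (canary_cluster, percent)


def bucket(key, salt="canary-2024"):
    """Deterministic 0..99 bucket: the same client always lands on the same
    version, so a canary does not flap from request to request."""
    digest = hashlib.sha256(f"{salt}:{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def matches(route, req):
    if route.host and req.host.lower() != route.host:
        return False
    if route.prefix and not req.path.startswith(route.prefix):
        return False
    for name, want in route.headers.items():
        if req.headers.get(name.lower()) != want:
            return False
    if route.cookie and req.cookies.get(route.cookie[0]) != route.cookie[1]:
        return False
    return True


def select_cluster(routes, req, client_key):
    """First matching route wins, so order the table most-specific first.
    Client-supplied headers and cookies only steer routing here; they are
    never treated as authorization (an X-Tenant header is a hint, the
    upstream still authenticates the tenant)."""
    for route in routes:
        if not matches(route, req):
            continue
        if route.canary:
            canary_cluster, percent = route.canary
            # Header gate for internal testers, otherwise the weighted bucket
            if req.headers.get("x-canary") == "1" or bucket(client_key) < percent:
                return canary_cluster
        return route.cluster
    return None


# Constructed route table in priority order (strategies 1-5 above)
ROUTES = [
    Route("api-eu", host="api.example.com", prefix="/v1", headers={"X-Region": "eu"}),
    Route("payments-svc", host="api.example.com", prefix="/v1/payments"),
    Route("wallets-b", host="api.example.com", prefix="/v1/wallets", cookie=("exp", "B")),
    Route("wallets-svc", host="api.example.com", prefix="/v1/wallets"),
    Route("app_v1", host="api.example.com", prefix="/v1", canary=("app_v2", 5)),
]


def canary_share(routes, n=10000):
    """Fraction of distinct clients that land on the canary for a plain /v1 request."""
    hits = sum(select_cluster(routes, Request("api.example.com", "/v1/x"), f"user-{i}") == "app_v2"
               for i in range(n))
    return hits / n
```

Note the ordering: the cookie route sits before the plain `/v1/wallets` route, and the catch-all `/v1` canary route comes last; swapping them silently changes who gets which backend.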
4) Load balancing and fault tolerance
Algorithms: round-robin, least-request, random, ring-hash (consistent).
Health checks: active (HTTP/TCP) + passive (by status code/timeout).
Outlier ejection: temporarily take a host with a high error rate or latency out of rotation.
Retries: bounded, with a per-try timeout and jitter; never retry unsafe (non-idempotent) methods without an idempotency key.
Connection pooling: keep warm pools to absorb load, cap the maximum number of connections per upstream.
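Passive outlier ejection and a bounded retry policy together, as an added example (not the page's own code): a detector ejects a host after N consecutive 5xx while respecting a maximum ejection percentage, and the client retries once with a per-try timeout and jittered back-off, refusing to retry a POST without an idempotency key. Host addresses, the simulated upstream's failure pattern and the thresholds are constructed for the demo (the thresholds mirror the Envoy values shown later on the page).

```python
"""Added example, not code from the original page: passive outlier
ejection plus a bounded, jittered retry policy that refuses to retry
non-idempotent requests without an idempotency key. Hosts, the failure
pattern of the simulated upstream and the thresholds are constructed."""
import random

IDEMPOTENT = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE"}


class OutlierDetector:
    """Eject a host after `consecutive_5xx` server errors for
    base_ejection_time * (number of ejections) seconds, but never eject
    more than max_ejection_percent of the pool at once."""

    def __init__(self, hosts, consecutive_5xx=5, base_ejection_time=30.0,
                 max_ejection_percent=50):
        self.hosts = list(hosts)
        self.threshold = consecutive_5xx
        self.base = base_ejection_time
        self.max_pct = max_ejection_percent
        self.errors = {h: 0 for h in hosts}
        self.ejections = {h: 0 for h in hosts}
        self.ejected_until = {}

    def healthy(self, now):
        return [h for h in self.hosts if self.ejected_until.get(h, 0.0) <= now]

    def record(self, host, status, now):
        if status < 500:
            self.errors[host] = 0
            return
        self.errors[host] += 1
        if self.errors[host] < self.threshold:
            return
        # Cap on ejections: a failure shared by every host (bad dependency)
        # must not empty the pool and turn a partial outage into a total one.
        already_out = len(self.hosts) - len(self.healthy(now))
        if (already_out + 1) * 100 > self.max_pct * len(self.hosts):
            return
        self.ejections[host] += 1
        self.ejected_until[host] = now + self.base * self.ejections[host]
        self.errors[host] = 0


def retry_allowed(method, attempt, max_retries, has_idempotency_key=False):
    """Bounded retries; unsafe methods are retried only with an idempotency key."""
    if attempt > max_retries:
        return False
    return method in IDEMPOTENT or has_idempotency_key


def backoff(attempt, rng, base=0.05, cap=0.5):
    """Full jitter: uniform(0, min(cap, base * 2**attempt)) spreads retries out."""
    return rng.uniform(0, min(cap, base * 2 ** attempt))


def send(method, detector, upstream, now, seq, per_try_timeout=0.2,
         max_retries=1, idempotency_key=None, rng=random):
    """One client request: pick a healthy host (round-robin by seq, next host
    on retry), enforce the per-try timeout and the retry budget.
    upstream(host) -> (status, latency_s) is the simulated backend."""
    attempt = 0
    while True:
        candidates = detector.healthy(now)
        if not candidates:
            return 503, attempt
        host = candidates[(seq + attempt) % len(candidates)]
        status, latency = upstream(host)
        if latency > per_try_timeout:      # per-try timeout counts as 504 for the detector
            status = 504
        detector.record(host, status, now)
        if status < 500:
            return status, attempt
        if not retry_allowed(method, attempt + 1, max_retries, idempotency_key is not None):
            return status, attempt
        now += backoff(attempt, rng)
        attempt += 1


def fake_upstream(host):
    """Constructed backend: .2 always returns 500, .3 is slow (400 ms), rest healthy."""
    if host == "10.0.0.2":
        return 500, 0.01
    if host == "10.0.0.3":
        return 200, 0.4
    return 200, 0.02


def demo(requests=40):
    """40 GETs, one per second: both bad hosts get ejected, the rest keep serving."""
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    det = OutlierDetector(hosts)
    rng = random.Random(1)
    statuses = [send("GET", det, fake_upstream, float(t), t, rng=rng)[0] for t in range(requests)]
    return det, statuses
```

In the demo only three of the forty requests fail (the ones that hit a bad host and whose single retry landed on the other bad host); after both ejections every request is served by the two healthy hosts until the ejection windows expire.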
5) Perimeter performance
Caching: by key (method + host + path + Vary), conditional requests with `ETag`/`If-None-Match`, TTL and stale-while-revalidate.
Compression: brotli/gzip for text responses; do not compress responses that mix secrets (tokens, CSRF values) with attacker-controlled input (BREACH).
HTTP/2/3: multiplexing, header compression; verify WAF/IDS compatibility.
Request coalescing: collapse concurrent requests with the same cache key into a single upstream fetch.
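The caching rules above as an added example (not code from the original page): the key is method + host + path plus one entry per `Vary` header, a stale entry is served within the stale-while-revalidate window and revalidated with `If-None-Match` afterwards, and concurrent misses for the same key are coalesced into one origin fetch. The in-memory store, the origin's behaviour and the request samples are constructed for the demo.

```python
"""Added example, not code from the original page: a cache keyed on
method + host + path + the response's Vary headers, with ETag
revalidation, stale-while-revalidate and single-flight coalescing.
The store, the origin and the sample requests are constructed."""
import hashlib
import threading
import time


class EdgeCache:
    def __init__(self, origin, ttl=600, swr=60):
        self.origin = origin    # origin(method, host, path, headers) -> (status, headers, body)
        self.ttl, self.swr = ttl, swr
        self.store = {}         # base key -> {"vary": [...], "variants": {variant key: entry}}
        self.inflight = {}      # key -> Event held by the request currently fetching it
        self.lock = threading.Lock()

    @staticmethod
    def base_key(method, host, path):
        return f"{method.upper()} {host.lower()} {path}"

    @staticmethod
    def variant_key(base, vary, headers):
        """One entry per distinct value of each Vary header; a single global
        key would hand one client's Accept-Language (or Authorization-
        scoped) response to another."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        sig = "|".join(f"{n}={hdrs.get(n, '').strip().lower()}" for n in vary)
        return hashlib.sha256(f"{base}\x1f{sig}".encode()).hexdigest()

    def get(self, method, host, path, headers, now=None):
        now = time.time() if now is None else now
        base = self.base_key(method, host, path)
        with self.lock:
            rec = self.store.get(base)
            key = self.variant_key(base, rec["vary"], headers) if rec else base
            entry = rec["variants"].get(key) if rec else None
            if entry:
                age = now - entry["stored"]
                if age <= self.ttl:
                    return "HIT", entry["body"]
                if age <= self.ttl + self.swr:
                    return "STALE", entry["body"]   # served now; background refresh omitted here
            waiter = self.inflight.get(key)
            leader = waiter is None
            if leader:
                waiter = self.inflight[key] = threading.Event()
        if not leader:
            waiter.wait()              # coalesced: reuse the leader's fetch, then look up again
            return self.get(method, host, path, headers, now)
        req = dict(headers)
        if entry and entry.get("etag"):
            req["If-None-Match"] = entry["etag"]    # conditional revalidation
        try:
            status, resp_headers, body = self.origin(method, host, path, req)
            with self.lock:
                if status == 304 and entry:
                    entry["stored"] = now
                    body = entry["body"]
                elif status == 200 and resp_headers.get("Vary", "") != "*":
                    vary = sorted(h.strip().lower() for h in resp_headers.get("Vary", "").split(",") if h.strip())
                    rec = self.store.setdefault(base, {"vary": vary, "variants": {}})
                    rec["vary"] = vary
                    rec["variants"][self.variant_key(base, vary, headers)] = {
                        "body": body, "etag": resp_headers.get("ETag"), "stored": now}
        finally:
            with self.lock:
                del self.inflight[key]
                waiter.set()
        return ("REVALIDATED" if status == 304 else "MISS"), body


def make_origin(delay=0.0):
    """Constructed origin: body depends on Accept-Language, answers 304 to a matching ETag."""
    calls = []
    def origin(method, host, path, headers):
        calls.append(path)
        if delay:
            time.sleep(delay)
        lang = headers.get("Accept-Language", "en").split(",")[0].strip().lower()
        etag = f'"{path}-{lang}"'
        if headers.get("If-None-Match") == etag:
            return 304, {"ETag": etag}, b""
        return 200, {"ETag": etag, "Vary": "Accept-Language"}, f"{path} in {lang}".encode()
    return origin, calls


def demo():
    origin, calls = make_origin()
    c = EdgeCache(origin, ttl=600, swr=60)
    h = "api.example.com"
    out = [c.get("GET", h, "/v1/catalog", {"Accept-Language": "en"}, now=0),
           c.get("GET", h, "/v1/catalog", {"Accept-Language": "en"}, now=1),
           c.get("GET", h, "/v1/catalog", {"Accept-Language": "de"}, now=2),
           c.get("GET", h, "/v1/catalog", {"Accept-Language": "en"}, now=630),
           c.get("GET", h, "/v1/catalog", {"Accept-Language": "en"}, now=700)]
    return out, len(calls)


def coalescing_demo(n=8):
    """n concurrent misses for one key reach the origin exactly once."""
    origin, calls = make_origin(delay=0.05)
    c, results = EdgeCache(origin), []
    threads = [threading.Thread(target=lambda: results.append(
        c.get("GET", "api.example.com", "/v1/hot", {"Accept-Language": "en"}, now=0))) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return len(calls), [s for s, _ in results].count("MISS")
```

The German request is a separate variant, not a hit on the English entry, because the origin declared `Vary: Accept-Language`; the fifth request is past TTL + SWR, so it is revalidated with the stored ETag and costs the origin a 304 instead of a full body.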
6) Security at the proxy
TLS: 1.2+ (preferably 1.3), OCSP stapling, HSTS.
- WAF/bot filters.
- CORS/CSP/Fetch-Metadata: per policy.
- Header hygiene: `X-Forwarded-For/Proto`, `Forwarded`, `traceparent`; protection against header injection and oversized headers.
- Body/header limits: early 413/431 for DoS patterns.
- mTLS for partner integrations and internal APIs.
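The header hygiene and limits above as an added example (not code from the original page): the client address is taken from `X-Forwarded-For` only when the peer is a trusted proxy and only as far right as the first untrusted hop, `X-Forwarded-Proto` reflects what this proxy terminated rather than the client's claim, a malformed `traceparent` is dropped, and injected or oversized headers are rejected with 400/431 before any upstream work. The trusted ranges, limits and sample headers are constructed assumptions.

```python
"""Added example, not code from the original page: the header hygiene a
proxy applies before trusting X-Forwarded-For / X-Forwarded-Proto, plus
early rejection of oversized or injected headers. Trusted-proxy ranges,
limits and the sample headers are constructed for the demo."""
import ipaddress
import re

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MAX_HEADER_COUNT = 100
MAX_HEADER_BYTES = 8 * 1024
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")           # RFC 9110 field-name token
_TRACEPARENT = re.compile(r"^00-[0-9a-f]{32}-[0-9a-f]{16}-[0-9a-f]{2}$")


def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_ip(peer, xff):
    """Real client address. X-Forwarded-For is read only from a trusted
    proxy and walked from the right (the hop appended by the nearest trusted
    proxy) to the first untrusted address. Everything left of that is
    attacker-controlled and must not feed ACLs, rate limits or audit logs."""
    if not is_trusted(peer):
        return peer
    for hop in reversed([h.strip() for h in (xff or "").split(",") if h.strip()]):
        if not is_trusted(hop):
            return hop if is_ip(hop) else peer
    return peer


def forwarded_headers(peer, req_headers, tls_terminated):
    """Headers to send upstream: XFF is extended only when the peer is a
    trusted proxy and replaced otherwise; Proto reflects what this proxy
    terminated, never the client's claim; traceparent survives only if well-formed."""
    hdrs = {k.lower(): v for k, v in req_headers.items()}
    out = {"X-Forwarded-For": peer, "X-Forwarded-Proto": "https" if tls_terminated else "http"}
    if is_trusted(peer) and hdrs.get("x-forwarded-for"):
        out["X-Forwarded-For"] = f"{hdrs['x-forwarded-for']}, {peer}"
    tp = hdrs.get("traceparent", "")
    if _TRACEPARENT.match(tp):
        out["traceparent"] = tp
    return out


def validate_headers(raw_headers, max_count=MAX_HEADER_COUNT, max_bytes=MAX_HEADER_BYTES):
    """Early 400/431 on injection or oversize, before buffering a body or
    opening an upstream connection. raw_headers: list of (name, value)."""
    if len(raw_headers) > max_count:
        return 431, "too many header fields"
    total = 0
    for name, value in raw_headers:
        if not _TOKEN.fullmatch(name):
            return 400, f"invalid header name {name!r}"
        if re.search(r"[\r\n\x00]", value):
            return 400, f"control characters in {name}"
        total += len(name) + len(value) + 4          # ': ' and CRLF
        if total > max_bytes:
            return 431, "request header fields too large"
    return 200, "ok"
```

The walk from the right is the important part: reading the leftmost XFF entry lets any client choose its own "IP" and bypass per-client limits, while trusting XFF from an untrusted peer at all does the same.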
7) Deployment schemes: canary/blue-green/versions
Weighted routing at L7 (1%, 5%, 25%, 50%, 100%).
Header gate: enable by flag/header (internal/testing).
Blue-green: switch the whole DNS/route, fast rollback.
Shadow: run the new version in parallel, recording metrics/logs.
8) Sticky sessions and hash routing
Cookie stickiness (`Set-Cookie: SRV=shard-a; Path=/; HttpOnly; Secure`) for stateful workloads.
Ring-hash/consistent hashing on `user_id`/`tenant_id` reduces cross-instance cache misses and invalidation.
Warning: avoid "eternal" stickiness for write workloads → hot spots; use per-tenant quotas.
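Consistent hashing and the hot-shard warning above as an added example (not code from the original page): a ring with virtual nodes maps tenant keys to shards, removing a shard remaps only the keys that lived on it, and a load report shows the hot shard that one oversized tenant creates, which rebalancing the ring cannot fix. Shard names, tenant keys and the per-tenant weight are constructed.

```python
"""Added example, not code from the original page: a consistent-hash ring
with virtual nodes for user_id/tenant_id affinity. Removing a shard
remaps only the keys that lived on it; a single oversized tenant still
produces a hot shard. Shard names, keys and weights are constructed."""
import bisect
import hashlib
from collections import Counter


def _h(s):
    """64-bit ring position from SHA-256: uniform and stable across processes,
    unlike Python's randomised hash()."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")


class HashRing:
    def __init__(self, nodes, vnodes=100):
        self.vnodes = vnodes
        self._ring = []                   # sorted list of (position, node)
        for n in nodes:
            self.add(n)

    def add(self, node):
        for i in range(self.vnodes):      # virtual nodes smooth out each shard's share
            bisect.insort(self._ring, (_h(f"{node}#{i}"), node))

    def remove(self, node):
        self._ring = [(p, n) for p, n in self._ring if n != node]

    def nodes(self):
        return sorted({n for _, n in self._ring})

    def node_for(self, key):
        """First virtual node clockwise from the key's position, wrapping around."""
        if not self._ring:
            return None
        idx = bisect.bisect_left(self._ring, (_h(key), ""))
        return self._ring[idx % len(self._ring)][1]


def rebalance_report(keys, before, after):
    """How many keys moved, and which shards they came from."""
    moved = [k for k in keys if before[k] != after[k]]
    return len(moved), {before[k] for k in moved}


def hot_shards(ring, keys, weight=None, factor=1.5):
    """Shards whose load exceeds `factor` x the mean. With one dominant tenant
    the hot shard simply follows that tenant wherever the ring places it, so
    the cure is a per-tenant quota, not a different hash."""
    load = Counter()
    for k in keys:
        load[ring.node_for(k)] += (weight or {}).get(k, 1)
    mean = sum(load.values()) / len(ring.nodes())
    return {n: round(v / mean, 2) for n, v in load.items() if v > factor * mean}


def demo():
    ring = HashRing([f"shard-{c}" for c in "abcd"])
    keys = [f"tenant-{i}" for i in range(10000)]
    before = {k: ring.node_for(k) for k in keys}
    ring.remove("shard-c")
    after = {k: ring.node_for(k) for k in keys}
    moved, origins = rebalance_report(keys, before, after)
    ring.add("shard-c")                      # restore the pool for the hot-shard check
    hot = hot_shards(ring, keys, weight={"tenant-0": 5000})
    return moved, origins, hot
```

With four shards roughly a quarter of the keys move when one shard leaves, and every moved key came from the removed shard; a naive `hash(key) % N` would have remapped about three quarters of them.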
9) Regional and geo routing
Anycast + geo-DNS to the nearest POP.
Header override (e.g. `X-Region`) for tests and debugging.
Align with legally required data localization (route by region/jurisdiction).
10) Observability and control
RED metrics: RPS, error rate (by class), latency p95/p99 per route/cluster.
Outlier/health: number of ejections/re-admissions, slow-call rate.
Logs: structured, without PII; `trace_id`/`span_id`.
Tracing (OTel): ingress → router → upstream spans; exemplars on p99 charts.
11) Configuration examples
11.1 NGINX: host/path/weighted + cache

```nginx
# http {} context: the cache zone and the routing variables
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=apicache:256m max_size=10g inactive=10m use_temp_path=off;

# Header gate: X-Canary: 1 forces the request to v2
map $http_x_canary $canary { default 0; "1" 1; }

# Weighted: 5% of clients (keyed by address, so a client sticks to one version) go to v2
split_clients "${remote_addr}" $weighted_backend {
    5%  app_v2;
    *   app_v1;
}

upstream app_v1 { least_conn; server 10.0.0.1:8080 max_fails=3 fail_timeout=10s; }
upstream app_v2 { least_conn; server 10.0.0.2:8080 max_fails=3 fail_timeout=10s; }
upstream static_cluster { server 10.0.0.3:8080; }

server {
    listen 443 ssl http2;
    server_name api.example.com;
    # ssl_certificate / ssl_certificate_key omitted

    location /v1/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Request-ID $request_id;
        proxy_connect_timeout 100ms;
        proxy_read_timeout 300ms;

        # Weighted 5% to v2, header gate overrides to 100% v2
        set $backend $weighted_backend;
        if ($canary) { set $backend app_v2; }
        proxy_pass http://$backend;
    }

    # Static assets with cache
    location /assets/ {
        proxy_cache apicache;
        proxy_cache_valid 200 10m;
        add_header Cache-Control "public, max-age=600";
        proxy_pass http://static_cluster;
    }
}
```
11.2 Envoy: header routing, canary, outlier ejection, mirroring

```yaml
static_resources:
  clusters:
    - name: svc_v1
      type: STRICT_DNS
      lb_policy: LEAST_REQUEST
      outlier_detection: { consecutive_5xx: 5, interval: 5s, base_ejection_time: 30s, max_ejection_percent: 50 }
      load_assignment:   # placeholder endpoint addresses
        cluster_name: svc_v1
        endpoints: [{ lb_endpoints: [{ endpoint: { address: { socket_address: { address: svc-v1.internal, port_value: 8080 } } } }] }]
    - name: svc_v2
      type: STRICT_DNS
      lb_policy: LEAST_REQUEST
      load_assignment:
        cluster_name: svc_v2
        endpoints: [{ lb_endpoints: [{ endpoint: { address: { socket_address: { address: svc-v2.internal, port_value: 8080 } } } }] }]
    - name: mirror_svc
      type: STRICT_DNS
      load_assignment:
        cluster_name: mirror_svc
        endpoints: [{ lb_endpoints: [{ endpoint: { address: { socket_address: { address: mirror.internal, port_value: 8080 } } } }] }]
  listeners:
    - name: https   # transport_socket (TLS termination) omitted
      address: { socket_address: { address: 0.0.0.0, port_value: 443 } }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_https
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                route_config:
                  virtual_hosts:
                    - name: api
                      domains: ["api.example.com"]
                      routes:
                        - match:
                            prefix: "/v1"
                            headers: [{ name: X-Region, string_match: { exact: eu } }]
                          route:
                            cluster: svc_v1
                            timeout: 0.35s
                            # 5xx retries only on routes that are idempotent
                            retry_policy: { retry_on: "connect-failure,reset,5xx", num_retries: 1, per_try_timeout: 0.2s }
                            request_mirror_policies:
                              - cluster: mirror_svc
                                runtime_fraction:
                                  default_value: { numerator: 100, denominator: HUNDRED }
                                  runtime_key: mirror.enabled
                        - match: { prefix: "/v1" }
                          route:
                            weighted_clusters:
                              clusters: [{ name: svc_v1, weight: 95 }, { name: svc_v2, weight: 5 }]
```
11.3 Traefik: rules + middleware

```yaml
http:
  routers:
    api:
      rule: "Host(`api.example.com`) && PathPrefix(`/v1`)"
      entryPoints: [websecure]
      tls: {}
      service: svc
      middlewares: [hsts, compress]
  middlewares:
    hsts:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
    compress:
      compress: {}
  services:
    svc:
      weighted:
        services:
          - name: v1
            weight: 95
          - name: v2
            weight: 5
    v1:
      loadBalancer:
        servers: [{ url: "http://10.0.0.1:8080" }]
    v2:
      loadBalancer:
        servers: [{ url: "http://10.0.0.2:8080" }]
```
11.4 Kubernetes: Ingress + canary manifest (NGINX Ingress)

```yaml
# Primary Ingress: /v1 to svc-v1 (the canary Ingress below needs it to exist)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /v1
            pathType: Prefix
            backend: { service: { name: svc-v1, port: { number: 8080 } } }
---
# Canary Ingress for the same host/path: 5% to svc-v2;
# "X-Canary: always" forces the canary, "X-Canary: never" forces the primary
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-canary
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "5"
    nginx.ingress.kubernetes.io/canary-by-header: "X-Canary"
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /v1
            pathType: Prefix
            backend: { service: { name: svc-v2, port: { number: 8080 } } }
```
12) Transformation and compatibility
Normalize headers/paths, rewrite `Location`, manage `Cache-Control`.
gRPC via HTTP/JSON transcoders (grpc-json-transcoder).
WebSocket/HTTP2 upgrades: make sure the proxy forwards `Upgrade`/`Connection`.
13) Testing and chaos scenarios
Load: bursts, long plateaus, "long" bodies (slow POST).
Latency/loss injection → verify retries/timeouts/outlier ejection.
Canary metrics: p95/p99 and error rate of the new version vs the old; automatic rollback by SLO.
Shadow: compare responses and logic side by side.
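The RED metrics of section 10 and the canary rollback rule above in one added example (not code from the original page): structured access-log lines are aggregated per cluster (or per route and cluster) into RPS, error rate and nearest-rank p95/p99, and the canary is compared against the baseline over the same window. The log lines, the SLO numbers, the minimum sample size and the rollback thresholds are constructed assumptions.

```python
"""Added example, not code from the original page: RED metrics per route
and cluster from structured access-log lines, and the SLO-based canary
verdict that drives automatic rollback. Log lines, SLO numbers and
thresholds are constructed for the demo."""
import json
import math
from collections import defaultdict

# Constructed access-log content: 30 baseline requests (svc_v1) and 10 canary
# requests (svc_v2) in one 40 s window; no PII, only trace ids.
V1_LAT = [21, 24, 19, 33, 28, 41, 22, 35, 30, 27, 45, 26, 23, 38, 29,
          31, 25, 52, 34, 20, 28, 37, 24, 30, 26, 48, 22, 29, 33, 27]
V1_STATUS = [200] * 30
V2_LAT = [40, 55, 38, 120, 47, 61, 44, 95, 50, 58]
V2_STATUS = [200, 200, 503, 200, 200, 503, 200, 200, 200, 200]
SLO = {"error_rate": 0.02, "p99_ms": 300}          # assumed SLO for /v1


def build_sample_log():
    """JSON lines as a proxy would emit them, one object per request."""
    lines = []
    for cluster, lats, statuses in (("svc_v1", V1_LAT, V1_STATUS), ("svc_v2", V2_LAT, V2_STATUS)):
        for i, (lat, st) in enumerate(zip(lats, statuses)):
            lines.append(json.dumps({
                "ts": 1700000000 + len(lines), "route": ("/v1/payments", "/v1/wallets")[i % 2],
                "cluster": cluster, "status": st, "latency_ms": lat,
                "trace_id": f"{len(lines):032x}"}))
    return lines


def percentile(values, p):
    """Nearest-rank percentile, the pNN most dashboards show."""
    s = sorted(values)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]


def red_metrics(lines, window_s, group=lambda r: r["cluster"]):
    """Rate, Errors (5xx) and Duration per group; group by cluster, or by
    (route, cluster) for per-route dashboards."""
    acc = defaultdict(lambda: {"n": 0, "errors": 0, "lat": []})
    for raw in lines:
        r = json.loads(raw)
        g = acc[group(r)]
        g["n"] += 1
        g["errors"] += int(r["status"] >= 500)
        g["lat"].append(r["latency_ms"])
    return {k: {"n": g["n"], "rps": g["n"] / window_s, "error_rate": g["errors"] / g["n"],
                "p95": percentile(g["lat"], 95), "p99": percentile(g["lat"], 99)}
            for k, g in acc.items()}


def _worse(canary, baseline, slo_limit, ratio, floor):
    """Breach if over the SLO, or over the baseline by `ratio` with at least
    `floor` of absolute headroom (a zero-error baseline must not trip on one error)."""
    return canary > slo_limit or canary > max(baseline * ratio, baseline + floor)


def canary_verdict(baseline, canary, slo=SLO, min_requests=10):
    """'wait' until the canary has enough traffic, then 'rollback' or 'promote'."""
    if canary["n"] < min_requests:
        return "wait", []
    reasons = []
    if _worse(canary["error_rate"], baseline["error_rate"], slo["error_rate"], 2.0, 0.01):
        reasons.append("error_rate")
    if _worse(canary["p99"], baseline["p99"], slo["p99_ms"], 1.5, 10):
        reasons.append("p99")
    return ("rollback" if reasons else "promote"), reasons


def demo():
    m = red_metrics(build_sample_log(), window_s=40)
    return m, canary_verdict(m["svc_v1"], m["svc_v2"])
```

In the constructed window the canary's 20% error rate breaches the SLO outright and its p99 of 120 ms is more than 1.5x the baseline's 52 ms, so the verdict is rollback on both counts; a canary within SLO and within the relative bound is promoted, and one with too few requests yields "wait" rather than a decision on noise.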
14) Antipatterns
Global retries without idempotency and deadlines → duplicates and retry storms.
Sticky sessions without control → "hot" shards → uneven load.
No health checks/outlier ejection in the pool → "rotten" instances stay in rotation.
Unlimited headers/bodies → the simplest DoS.
Mixing transformation and security without schema versioning → unexpected regressions.
A single global cache key without `Vary` → wrong responses served to the wrong clients.
15) iGaming/Finance specifics
Territoriality: route by player/brand jurisdiction; isolate payment zones.
Critical routes (deposits/withdrawals): short timeouts, a single retry, idempotency; separate clusters.
PSP/KYC: dedicated upstream pools, strict retry/timeout, circuit breaker, geo-pinning policy.
A/B channels: safe experiments only on read-only paths for payments/limits; writes only behind flags and at small percentages.
16) Production readiness checklist
- TLS 1.2+/1.3, OCSP stapling, HSTS; `X-Forwarded-*` handled.
- Explicit routing rules: host/path/header/cookie; documented.
- Health checks, outlier ejection, per-try timeout, bounded retries.
- Weighted/canary + shadow; auto-rollback by SLO/alerts.
- Cache/compression/ETag; body/header limits; request coalescing.
- Logs/traces with `trace_id`; RED + outlier/health metrics; per-route/cluster dashboards.
- WAF/bot filters/CORS; protection against oversize and slow POST.
- Sticky/consistent hashing where needed; control of hot shards.
- Configs versioned, migrations safe, secrets in KMS/Vault.
17) TL;DR
Terminate TLS at the perimeter and route at L7 by host/path/header/cookie. For releases: weighted canary and shadow; for stability: health checks, outlier ejection, retries bounded by a per-try timeout. Use caching, compression and consistent hashing where they improve p95. Measure RED signals and cluster health, keep the WAF and size limits in place. For critical payment paths: separate clusters, short SLAs and strict control of retries/idempotency.