API-shlyuz va yo’naltirish

1) Arxitekturada API-shlyuzning roli

• So’rovlarni yo’naltiradi (yo’l bo’yicha/xederam/geo/og’irlik/versiya).
• Perimetrni himoya qiladi (TLS/mTLS, WAF, DDoS, rate limits, authN/Z).
• Trafikni boshqaradi (canary/AB, shadow/mirror, circuit breaker, retray, taymaut).
• Protokollar (REST/gRPC/WebSocket), sarlavhalar, kodlarni standartlashtiradi.
• Kuzatadi (loglar, metriklar, trastirovkalar, korelatsiya).
• Transformatsiya va validatsiya (JSON/XML, normallashtirish, schema-validation).

iGaming uchun bu geo-komplayens (mamlakatlar/yoshlar bo’yicha blokirovka), to’lov smart-routing va chetdagi mas’uliyatli o’yin siyosati.

2) Yo’naltirish variantlari

Path-based: `/api/v1/payments/ → payments-svc`.
Host-based: `eu. api. example. com → eu-edge`, `psp. example. com → psp-proxy`.
Header-based:’X-Client: partner-A’→ sherik backend;’Accept: application/grpc’.
Geo-routing: IP/ASN/mamlakat bo’yicha (GDPR/mahalliy taqiqlar, latency).
Weighted/Canary:’90%’eski,’10%’yangi versiyaga; tez konkida uchish.
Claim-routing: по `JWT. claims. tier/role/region’(masalan, high-roller → premium-limitlar).
Failover: DPM/bulutlar va PSP o’rtasidagi aktiv-aktiv/aktiv-passiv.

3) Perimetr xavfsizligi

TLS everywhere: TLS 1. 2 + tashqi ko’rinishda, mTLS ichki (servislar shlyuzi).
OAuth2/JWT: imzoni tekshirish, audit’exp/nbf/aud/scope’, JWKS-rotatsiya; TTL bilan validatsiya keshi.
HMAC: webhooks/to’lovlar uchun tel imzosi.
API-kalitlar: tizimli mijozlar uchun; kvotalar/rollar bilan bog’laymiz.
WAF: asosiy qoidalar (injection, protocol anomalies), tana o’lchami, mamlakatlarning deny-ro’yxati.
DDoS himoyasi: connection limiting, SYN cookies, rate-limit uchun IP/kalit/endpoint.
Zero-Trust: mandat siyosati (SPIFFE/SPIRE, xizmatlarning o’ziga xosligi), eng kam huquqlar prinsipi.
Maxfiylik: PIIni loglarda tahrirlash, PAN/IBANni yashirish, saqlash siyosati.

4) Limitlar, kvotalar va burstlardan himoya qilish

Модели: token bucket, leaky bucket, fixed/sliding window.
Chegaralar: per-IP, per-key, per-user, per-route.

• Burst + sustained (masalan,’50 rps burst’,’10 rps sustain’).
• Retry-Budget va Slow-Loris himoyasi (o’qish vaqtlari).
• Hamkorlar uchun kunlik/oylik quota.

5) Transformatsiya va validatsiya

Sarlavhalar normalize (trace-id, locale, client-id).
Request/Response-mapping (maydon/kodlar, ichki atributlarni yashirish).
Schema validation (OpenAPI/JSON Schema) proksatlashdan oldin - erta rad etish 4xx.
Compression/’ Accept-Encoding’, caching (quyida qarang).

6) Keshlash va unumdorlik

Ma’lumotnomalar, ommaviy meta ma’lumotlar, konfiguratsiyalar uchun Edge-kesh (TTL,’ETag ’/’ If-None-Match’).
Micro-kesh 1-5 s issiq GET (eng yuqori yukni kamaytiradi).
Negative-cache qisqacha (404/empty) - ehtiyot bo’ling.
Xedging-requests va r95> chegarasida raqobatbardosh so’rovlar.

7) Taymautlar, retralar, barqarorlik

Taymautlar: connect/read/write alohida; oqilona p95-belgilar.
Retraylar: idempotent-usullar (GET/PUT) c backoff + jitter; retry-budget.
POST idempotentligi:’Idempotency-Key’+ servis/shlyuz tomonidagi deduplikatsiya.
Circuit-Breaker: xato/latency; half-open namunalari.
Bulkhead/Pool-apstrimlar bo’yicha izolyatsiya.

8) Versiyalash va muvofiqlik

• URI: ’/v1/...’(oddiy, lekin «shovqin»).
• Header/Content-Negotiation: `Accept: application/vnd. app. v2+json`.
• Feature-bayroqlar/server capability - minor-oʻzgarishlarning mosligi uchun.

Siyosat: SemVer, qo’llab-quvvatlash oynasi (masalan,’v1’= 12-18 oy), deprikatsiya jadvali, kengaytirishdagi mos javoblar (maydonlarni qo’shish - buzmaydi).

9) Kuzatuvchanlik va sifatni nazorat qilish

Korrelyatsiya:’traceparent ’/’ x-request-id’majburiy; pastga tashlaymiz.
OpenTelemetry: RPS/p50/p95/p99/5xx/4xx metrikasi, saturation, retry/circuit.
Logi: tarkibiy JSON; PIIni niqoblaymiz; kodlar bo’yicha darajalar.
Treyslarni sampllash: bazaviy 5-10% + xatolar uchun maqsadli/sekin.
SLO/alertlar: yo’nalishlar/mijozlar bo’yicha (aptaym, latency, xato).

10) Relizlar trafigini boshqarish

Blue-Green: DNS/LB almashtirish.
Canary: vazn ulushi/segmentlar (mintaqa, sherik, rol).
Shadow/Mirror: yangi versiyadagi trafikning nusxasi mijozga javobsiz.
Kill-switch: muammoli apstrim/fichni tezda oʻchirish uchun bayroq.

11) To’lovlarni aqlli yo’naltirish (iGaming)

PSPni tanlash qoidalari: geo, valyuta, summa, tavakkalchilik, foydalanish imkoniyati, komissiya.
Failover PSP:’5xx/timeout’da avtomatik oʻtish.
Same-method rule: dastlabki usul orqali qaytarish/natijalar - chetida tekshirish.
To’lovlarning idempotentligi:’userId + amount + currency + purpose’dagi kalit.
ETA-shaffoflik: shlyuzga nosozlik holatlari va sabablari qoʻshiladi (PSP kodlari emas).

12) Kross-mintaqalar siyosati va komplayens

Geo-filtrlar: mamlakatlarning oq/qora ro’yxatlari, yoshga oid cheklovlar, IP-reynjlar.
Rezidentlar ma’lumotlari: mintaqaviy klasterlarga yo’naltirish (GDPR/mahalliy qonunlar).
Logi va TTL: hududlar bo’yicha saqlash, avtomatik ravishda anonimlashtirish.

13) Konfiguratsiya namunalari

13. 1 NGINX (marshrut + limit + xederlar)

nginx http {
map $http_x_request_id $req_id { default $request_id; }
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=20r/s;

server {
listen 443 ssl http2;
server_name api. example. com;

Security add_header Strict-Transport-Security "max-age = 31536000" always;
add_header X-Content-Type-Options nosniff;

Limit on IP location/api/v1/{
limit_req zone=per_ip burst=40 nodelay;
proxy_set_header X-Request-Id $req_id;
proxy_set_header X-Client-Ip $remote_addr;
proxy_read_timeout 5s;
proxy_connect_timeout 1s;
proxy_pass http://payments_v1;
}

Canary traffic by header location/api/v2/{
if ($http_x_canary = "1") { proxy_pass http://payments_v2; }
proxy_pass http://payments_v1;
}
}
}

13. 2 Envoy (JWT, rate limit, retries, outlier)

yaml static_resources:
listeners:
- name: https address: { socket_address: { address: 0. 0. 0. 0, port_value: 443 } }
filter_chains:
- filters:
- name: envoy. filters. network. http_connection_manager typed_config:
"@type": type. googleapis. com/envoy. extensions. filters. network. http_connection_manager. v3. HttpConnectionManager route_config:
name: local_route virtual_hosts:
- name: payments domains: ["api. example. com"]
routes:
- match: { prefix: "/api/v1/payments" }
route:
cluster: payments_v1 timeout: 5s retry_policy:
retry_on: "connect-failure,refused-stream,5xx,retriable-status-codes"
num_retries: 2 per_try_timeout: 2s http_filters:
- name: envoy. filters. http. jwt_authn typed_config:
"@type": type. googleapis. com/envoy. extensions. filters. http. jwt_authn. v3. JwtAuthentication providers:
main:
issuer: "https://auth. example. com/"
remote_jwks: { http_uri: { uri: "https://auth. example. com/.well-known/jwks. json" } }
forward: true rules:
- match: { prefix: "/api/" }
requires: { provider_name: "main" }
- name: envoy. filters. http. ratelimit
- name: envoy. filters. http. router clusters:
- name: payments_v1 connect_timeout: 0. 5s type: STRICT_DNS lb_policy: ROUND_ROBIN load_assignment: { cluster_name: payments_v1, endpoints: [{ lb_endpoints: [{ endpoint: { address: { socket_address: { address: payments, port_value: 8080 }}}}]}] }
outlier_detection: { consecutive_5xx: 5, interval: 5s, base_ejection_time: 30s }

14) Chek-varaqlar

Marshrutni chiqarishdan oldin

• Autentifikatsiya sxemasi (JWT/JWKS, kalitlar, TTL kesh).
• Taymautlar/retrajlar/idempotentlik sozlangan.
• Limitlar: per-IP, per-key, per-route; sheriklar kvotalari.
• Soʻrovlar/javoblar sxemasini validatsiya qilish.
• ’trace-id’, PII niqobli loglar va trastirovkalar.
• SLO/alertlar va dashbord.
• Geo-qoidalar/komplayens/yoshi tekshirildi.

Operatsiyalar va to’lovlar

• PSP aqlli routing: qoidalar, ustuvorliklar, feylover.
• Same-method chetida tekshirilmoqda.
• Mijoz uchun shaffof holatlar va xato kodlari (xom PSP kodisiz).

Relizlar

• Canary/AB va kill-switch, qaytarish rejasi.
• Yangi versiyadagi shadow-trafik, metriklarni taqqoslash.
• Yuk sinovi va p95 maqsadlar.

15) Sifat metrikasi (minimal)

yo’nalishlar bo’yicha Availability/SLO; error rate 5xx/4xx.
Latency p50/p95/p99 (tashqi va ichki).
Retry/timeout/circuit hodisa (shovqin darajasi).
Cache hit-ratio va RPS tejash.
Rate-limit hits va bekor qilingan soʻrovlar.
PSP-routing KPIs: muvaffaqiyat, TtW, feylover foizi, komissiya.

16) Anti-patternlar

Bitta umumiy limit «hammasi uchun».
Jittersiz «tezkor» retralar (bo’ronning kuchayishi).
Ishonch’X-Forwarded-For’ishonchli proksi roʻyxatisiz.
Qattiq taymautlar p95 hisobga olinmagan holda (soxta ishga tushirishlar).
Uyg’unlikni buzadigan qattiq transformatsiyalar.
PII/PAN/sirli loglar.
Ichki va tashqi APIlarni bitta domen/siyosat bilan aralashtirish.

17) Javob va xato namunalari (microcopy)

429 Too Many Requests: "So’rovlar chegarasiga erishildi. N soniyadan keyin takrorlang yoki sherik kabinetidagi kvotani oshiring"

401/403: "Token haqiqiy emas/tugagan. Qayta kiriting"

408/504: "Xizmat kutilganidan uzoqroq javob beradi. Talab qabul qilinmadi"

Idempotency-conflict: «Bunday Idempotency-Key soʻrovi allaqachon qayta ishlangan (maqomi: muvaffaqiyat/muvaffaqiyatsizlik).»

18) Joriy etish jarayoni (qadamlar bo’yicha)

1. Yo’nalishlar modeli: domenlar/yo’llar/mintaqalar xaritasi.
2. Xavfsizlik siyosati: TLS/mTLS, WAF, authN/Z, kalitlar/JWKS.
3. Ishonchlilik: taymautlar, retryalar, idempotency, circuit-breaker.
4. Kuzatilishi: logi/metrika/treys, korelatsiya.
5. Kesh/perf: edge/micro-cache, kompresssiya, konnekt-pullar.
6. To’lov routingi: qoidalar, testlar, monitoring.
7. Relizlar: canary/shadow, kill-switch, qaytarish rejasi.
8. Komplayens/geo: mamlakatlar filtrlari, ma’lumotlarni saqlash, yoshi.

Yakuniy shpargalka

Qattiq perimetr (TLS/mTLS, WAF, limitlar) + boshqariladigan trafik (retray, circuit, canary).
Chetdagi validatsiya va transformatsiyalar → «ichkarida» kam nuqsonlar.
Trace-id va PII niqoblari bilan kuzatish - variant emas, balki standart.
Smart-routing to’lovlari va komplayens-geo iGaming uchun juda muhimdir.
Versionizatsiya va deprikatsiya siyosati - sheriklar uchun oldindan aytish mumkin.