mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
1ecac43d724c44f186f6d695342e8bdc7c99a3c7
meldestelle/docs/API_GATEWAY_ENHANCEMENTS.md
T
stefan f8eade8091 (fix) Umbau zu SCS 
### API-Gateway erweitern
- Bestehenden API-Gateway-Service mit zusätzlichen Funktionen ausstatten:
    - Rate Limiting implementieren
    - Request/Response Logging verbessern
    - Cross-Service Tracing mit eindeutigen Request-IDs einführen
2025-07-21 17:17:40 +02:00

202 lines
6.4 KiB
Markdown
Raw Blame History

# API Gateway Enhancements
This document describes the enhancements made to the API Gateway service, including rate limiting, improved request/response logging, and cross-service tracing with unique request IDs.
## Table of Contents
1. [Rate Limiting](#rate-limiting)
2. [Request/Response Logging](#requestresponse-logging)
3. [Cross-Service Tracing](#cross-service-tracing)
4. [Testing and Verification](#testing-and-verification)
## Rate Limiting
The API Gateway now includes enhanced rate limiting capabilities to protect the API from abuse and ensure fair usage.
### Features
- **Global Rate Limiting**: Limits the total number of requests across all endpoints
- **Endpoint-Specific Rate Limiting**: Different limits for different API endpoints
- **User-Type-Specific Rate Limiting**: Different limits based on user type (anonymous, authenticated, admin)
- **Sophisticated Request Key Generation**: Uses IP address, user agent, and user ID for more precise rate limiting
- **Rate Limit Headers**: Informs clients about rate limits and remaining requests
### Configuration
Rate limiting can be configured in the application properties:
```properties
# Enable/disable rate limiting
ratelimit.enabled=true
# Global rate limit settings
ratelimit.global.limit=100
ratelimit.global.periodMinutes=1
# Include rate limit headers in responses
ratelimit.includeHeaders=true
# Endpoint-specific rate limits can be configured in AppConfig.kt
```
### Response Headers
When rate limiting is enabled, the following headers are included in responses:
- `X-RateLimit-Enabled`: Indicates if rate limiting is enabled
- `X-RateLimit-Limit`: The global rate limit
- `X-RateLimit-Policy`: Description of the rate limit policy
- `X-RateLimit-Endpoint`: The endpoint being rate limited (if applicable)
- `X-RateLimit-Endpoint-Limit`: The limit for the specific endpoint (if applicable)
- `X-RateLimit-Endpoint-Period`: The period for the specific endpoint (if applicable)
- `X-RateLimit-UserType`: The user type (if authenticated)
- `X-RateLimit-UserType-Limit`: The limit for the user type (if authenticated)
- `X-RateLimit-UserType-Period`: The period for the user type (if authenticated)
- `Retry-After`: Seconds to wait before retrying (if rate limited)
## Request/Response Logging
The API Gateway now includes enhanced request and response logging to provide better visibility into API usage and performance.
### Features
- **Structured Logging**: JSON-like structured logging format for easier parsing
- **Sensitive Data Filtering**: Masks sensitive information in logs (passwords, tokens, etc.)
- **Performance Metrics**: Includes memory usage and other performance metrics
- **Configurable Logging Levels**: Different logging levels for different environments
- **Request/Response Correlation**: Links requests and responses with unique request IDs
### Configuration
Logging can be configured in the application properties:
```properties
# Logging level
logging.level=INFO
# Request/response logging
logging.requests=true
logging.responses=true
# Request header/parameter logging
logging.request.headers=true
logging.request.parameters=true
# Response header logging
logging.response.headers=true
logging.response.time=true
# Structured logging
logging.structured=true
# Exclude paths from logging
logging.exclude.paths=/health,/metrics,/favicon.ico
```
### Sensitive Data Filtering
The following types of data are automatically masked in logs:
- Authorization headers
- Cookies
- API keys
- Passwords
- Tokens
- Other sensitive parameters (configurable)
## Cross-Service Tracing
The API Gateway now includes enhanced cross-service tracing capabilities to track requests across multiple services.
### Features
- **Unique Request IDs**: Generates unique request IDs with context information
- **Request ID Propagation**: Propagates request IDs to downstream services
- **Additional Tracing Headers**: Includes additional headers for better correlation
- **W3C Trace Context Compatibility**: Compatible with the W3C Trace Context standard
- **Enhanced Logging**: Includes tracing information in logs
### Request ID Format
Request IDs now include more context information:
```
req-{environment}-{service}-{timestamp}-{uuid}
```
Example:
```
req-prod-gateway-1627384950123-550e8400-e29b-41d4-a716-446655440000
```
### Tracing Headers
The following headers are included in responses:
- `X-Request-ID`: The unique request ID
- `X-Correlation-ID`: Same as the request ID, for compatibility
- `X-Request-Start-Time`: When the request started
- `X-Service-Name`: The name of the service
- `X-Service-Version`: The version of the service
- `X-Response-Time`: How long the request took to process
- `traceparent`: W3C Trace Context compatible trace parent header
## Testing and Verification
### Rate Limiting
To test rate limiting:
1. Send multiple requests to the same endpoint in quick succession
2. Observe the rate limit headers in the responses
3. After exceeding the rate limit, you should receive a 429 Too Many Requests response
4. Check the logs for rate limit exceeded messages
Example using curl:
```bash
# Send multiple requests
for i in {1..150}; do
curl -i -X GET http://localhost:8080/api/v1/events
done
```
### Request/Response Logging
To verify enhanced logging:
1. Send requests to various endpoints
2. Check the logs for structured log entries
3. Verify that sensitive data is properly masked
4. Check for performance metrics in the logs
Example log entry:
```
timestamp=2025-07-21T16:45:23.456 method=GET path=/api/v1/events status=200 client=127.0.0.1 requestId=req-prod-gateway-1627384950123-550e8400-e29b-41d4-a716-446655440000 duration=42ms memoryUsage=1234567b
```
### Cross-Service Tracing
To verify cross-service tracing:
1. Send a request to an endpoint that calls other services
2. Check the response headers for tracing headers
3. Verify that the request ID is propagated to downstream services
4. Check the logs for correlated request and response entries
Example using curl:
```bash
# Send a request and check headers
curl -i -X GET http://localhost:8080/api/v1/events
```
Look for headers like:
```
X-Request-ID: req-prod-gateway-1627384950123-550e8400-e29b-41d4-a716-446655440000
X-Correlation-ID: req-prod-gateway-1627384950123-550e8400-e29b-41d4-a716-446655440000
X-Request-Start-Time: 1627384950123
X-Service-Name: API Gateway
X-Service-Version: 1.0.0
X-Response-Time: 42
traceparent: 00-550e8400e29b41d4a716446655440000-abcdef0123456789-01
```
Reference in New Issue View Git Blame Copy Permalink