API Gateway

Unified API Gateway - C-Suite

This document describes the configuration of the unified API Gateway, built on Traefik, for the C-Suite ecosystem.

Overview

Traefik acts as the unified API Gateway, providing:
- ✅ A single entry point for all apps
- ✅ Centralized rate limiting
- ✅ Centralized authentication/authorization
- ✅ Automatic TLS/HTTPS
- ✅ Load balancing
- ✅ Health checks

Architecture

Internet
   |
   v
Traefik (API Gateway)
   |
   +---> 4c-suite (Orchestrator)
   +---> csuite-executive (Executive API)
   +---> csuite-context (Context API)
   +---> csuite-sales-manager (Sales Manager API)
   +---> 4c Decision API
   +---> 4c UI App

Traefik Configuration

Stack File (4c/docker/stack/traefik.yml)

services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.swarm=true
      - --providers.swarm.exposedByDefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --certificatesResolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
      - --certificatesResolvers.letsencrypt.acme.storage=/acme/acme.json
      - --certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web
      - --log.level=INFO
      - --accesslog=true
    ports:
      - "80:80"
      - "443:443"

Service Configuration

Example: csuite-executive

services:
  csuite-executive-api:
    deploy:
      # With the Swarm provider, Traefik reads service labels, which a stack file sets under deploy.labels
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=superbot-swarm-network"
        - "traefik.http.routers.csuite-executive.rule=Host(`csuite-api.internut.com.br`)"
        - "traefik.http.routers.csuite-executive.entrypoints=websecure"
        - "traefik.http.routers.csuite-executive.tls=true"
        - "traefik.http.routers.csuite-executive.tls.certresolver=letsencrypt"
        - "traefik.http.services.csuite-executive.loadbalancer.server.port=8002"

Centralized Rate Limiting

Rate Limiting Middleware

labels:
  - "traefik.http.middlewares.ratelimit.ratelimit.average=100"
  - "traefik.http.middlewares.ratelimit.ratelimit.period=1m"
  - "traefik.http.routers.csuite-executive.middlewares=ratelimit"

Rate Limiting per IP

labels:
  - "traefik.http.middlewares.ipratelimit.ratelimit.average=60"
  - "traefik.http.middlewares.ipratelimit.ratelimit.period=1m"
  - "traefik.http.middlewares.ipratelimit.ratelimit.sourcecriterion.ipstrategy.depth=1"

Centralized Authentication

Basic Auth (Development)

labels:
  - "traefik.http.middlewares.auth.basicauth.users=user:$$apr1$$hashedpassword"
  - "traefik.http.routers.csuite-executive.middlewares=auth"

Forward Auth (Production)

labels:
  - "traefik.http.middlewares.auth.forwardauth.address=http://auth-service:8080/auth"
  - "traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-User-Id,X-Org-Id"
  - "traefik.http.routers.csuite-executive.middlewares=auth"

Health Checks

Configuration

labels:
  - "traefik.http.services.csuite-executive.loadbalancer.healthcheck.path=/health"
  - "traefik.http.services.csuite-executive.loadbalancer.healthcheck.interval=10s"
  - "traefik.http.services.csuite-executive.loadbalancer.healthcheck.timeout=5s"

Load Balancing

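Round Robin (Default)

labels:
  # Round robin is already the default for Traefik v2/v3 services, so no label is needed.
  # "loadbalancer.method" is a Traefik v1 option and is not a field of the traefik:v3.0
  # service load balancer; an unknown field fails label parsing for the service.
  # - "traefik.http.services.csuite-executive.loadbalancer.method=wrr"

Least Connections

labels:
  # In Traefik v1, "drr" selected dynamic round robin; traefik:v3.0 does not accept this field.
  # - "traefik.http.services.csuite-executive.loadbalancer.method=drr"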

CORS

CORS Configuration

labels:
  - "traefik.http.middlewares.cors.headers.accessControlAllowMethods=GET,POST,PUT,DELETE,OPTIONS"
  - "traefik.http.middlewares.cors.headers.accessControlAllowOriginList=https://app.example.com"
  - "traefik.http.middlewares.cors.headers.accessControlMaxAge=3600"
  - "traefik.http.routers.csuite-executive.middlewares=cors"

Circuit Breaker

Configuration

labels:
  - "traefik.http.middlewares.circuitbreaker.circuitbreaker.expression=NetworkErrorRatio() > 0.30"
  - "traefik.http.routers.csuite-executive.middlewares=circuitbreaker"

Retry

Configuration

labels:
  - "traefik.http.middlewares.retry.retry.attempts=3"
  - "traefik.http.middlewares.retry.retry.initialInterval=100ms"
  - "traefik.http.routers.csuite-executive.middlewares=retry"

Security Headers

Configuration

labels:
  - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
  - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
  - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
  - "traefik.http.middlewares.secure-headers.headers.frameDeny=true"
  - "traefik.http.middlewares.secure-headers.headers.browserXssFilter=true"
  - "traefik.http.routers.csuite-executive.middlewares=secure-headers"
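
Each snippet above assigns a single middleware to the `csuite-executive` router. A label key holds only one value, so applying several middlewares together takes one comma-separated list, which Traefik runs in the listed order. The fragment below is an added example, not taken from the project's stack files; the middleware names and values come from this page, while the ordering and the choice to leave out `retry` are assumptions.

```yaml
services:
  csuite-executive-api:
    # image, networks and replicas omitted; only the gateway wiring is shown
    deploy:
      labels:   # Swarm provider reads service labels (deploy.labels)
        - "traefik.enable=true"

        # --- middleware definitions (values from this page) ---
        - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
        - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
        - "traefik.http.middlewares.secure-headers.headers.frameDeny=true"
        - "traefik.http.middlewares.ipratelimit.ratelimit.average=60"
        - "traefik.http.middlewares.ipratelimit.ratelimit.period=1m"
        - "traefik.http.middlewares.ipratelimit.ratelimit.sourcecriterion.ipstrategy.depth=1"
        - "traefik.http.middlewares.cors.headers.accessControlAllowMethods=GET,POST,PUT,DELETE,OPTIONS"
        - "traefik.http.middlewares.cors.headers.accessControlAllowOriginList=https://app.example.com"
        - "traefik.http.middlewares.cors.headers.accessControlMaxAge=3600"
        - "traefik.http.middlewares.auth.forwardauth.address=http://auth-service:8080/auth"
        - "traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-User-Id,X-Org-Id"
        - "traefik.http.middlewares.circuitbreaker.circuitbreaker.expression=NetworkErrorRatio() > 0.30"

        # --- router ---
        - "traefik.http.routers.csuite-executive.rule=Host(`csuite-api.internut.com.br`)"
        - "traefik.http.routers.csuite-executive.entrypoints=websecure"
        - "traefik.http.routers.csuite-executive.tls=true"
        - "traefik.http.routers.csuite-executive.tls.certresolver=letsencrypt"
        # One label, one ordered chain (assumed order):
        #   secure-headers : response headers set on every reply, including 401/429
        #   ipratelimit    : throttle before auth so floods never reach auth-service
        #   cors           : answers preflight OPTIONS, which carry no credentials
        #   auth           : forwardauth decides; X-User-Id / X-Org-Id come from its response
        #   circuitbreaker : closest to the backend, trips on its network errors
        - "traefik.http.routers.csuite-executive.middlewares=secure-headers,ipratelimit,cors,auth,circuitbreaker"

        # --- service ---
        - "traefik.http.services.csuite-executive.loadbalancer.server.port=8002"
        - "traefik.http.services.csuite-executive.loadbalancer.healthcheck.path=/health"
        - "traefik.http.services.csuite-executive.loadbalancer.healthcheck.interval=10s"
        - "traefik.http.services.csuite-executive.loadbalancer.healthcheck.timeout=5s"
```

Repeating the `routers.csuite-executive.middlewares` key once per middleware leaves only one of the values in effect, so the authentication or rate limit a reviewer sees in the file may not be the one applied. Per-IP limiting also depends on Traefik seeing the real client address: ports published through the Swarm ingress routing mesh present an internal address for every client.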

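Monitoring

Traefik Metrics

Traefik exposes metrics at /metrics:

command:
  # The "metrics" entry point must be defined for the setting below; port 8082 is an assumed value
  - --entryPoints.metrics.address=:8082
  - --metrics.prometheus=true
  - --metrics.prometheus.entryPoint=metrics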

Traefik Dashboard

Access the dashboard at http://traefik:8080 (internal) or configure a public route.
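
If the dashboard is given a public route, it can go through the same `websecure` entry point, TLS and authentication as the APIs instead of an open port 8080. The fragment below is an added example, not the project's configuration: the hostname `traefik.example.com`, the source range, and the names `dashboard`, `dashboard-auth`, `dashboard-allow` and `dashboard-dummy` are placeholders, and the certificate resolver flags from the stack file are assumed unchanged.

```yaml
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.swarm=true
      - --providers.swarm.exposedByDefault=false
      - --entryPoints.websecure.address=:443
      # Dashboard enabled, but without --api.insecure=true,
      # so nothing is served unauthenticated on :8080
      - --api.dashboard=true
    deploy:
      labels:
        - "traefik.enable=true"
        # Route to Traefik's internal API/dashboard service
        - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
        - "traefik.http.routers.dashboard.entrypoints=websecure"
        - "traefik.http.routers.dashboard.tls=true"
        - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
        - "traefik.http.routers.dashboard.service=api@internal"
        # Source restriction first, then authentication
        - "traefik.http.routers.dashboard.middlewares=dashboard-allow,dashboard-auth"
        - "traefik.http.middlewares.dashboard-allow.ipallowlist.sourcerange=10.0.0.0/8"
        - "traefik.http.middlewares.dashboard-auth.forwardauth.address=http://auth-service:8080/auth"
        # Swarm services need a port label even when the router targets api@internal
        - "traefik.http.services.dashboard-dummy.loadbalancer.server.port=9999"
```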

Best Practices

  1. Always use HTTPS: Configure TLS for all services
  2. Rate Limiting: Configure appropriate rate limiting per service
  3. Health Checks: Configure health checks for all services
  4. Circuit Breaker: Use a circuit breaker for critical services
  5. Monitoring: Monitor Traefik metrics
  6. Logs: Configure access logs for auditing
