Назад в блог

Monitoring API: kogda HTTP 200 nedostatochno

· 7 мин чтения

JSON API mozhet vernut HTTP 200 s oshibkoy v tele otveta - monitoring po kodu statusa obyavit UP. Nastoyashchiy monitoring API proveryaet i soderzhimoe otveta, a ne tolko HTTP.

Monitoring API: kogda HTTP 200 nedostatochno

Problema: HTTP 200 != rabotayushchee API

Soglasno konventsiyam REST API, kody statusa nuzhno ispolzovat pravilno (200 OK, 4xx client error, 5xx server error). Na praktike:

  • Nekotorye API vsegda vozvrashchayut 200, oshibka nakhoditsya v JSON body
  • API gateway mozhet preobrazovat 5xx v 200 s error JSON
  • Frontend BFF endpointy chasto oborachivayut bekendy i vozvrashchayut 200, esli kommunikatsiya proshla uspeshno, dazhe esli bekend upal
  • GraphQL endpointy obychno vozvrashchayut 200; oshibki (errors) nakhodyatsya v massive errors[]

S tochki zreniya klassicheskogo monitoringa (HTTP kod statusa) vse v poryadke. S tochki zreniya realnogo klienta API slomalos.

Content matching: klyuchevye slova

Prosteyshee dopolnenie k HTTP monitoringu - eto sovpadenie po klyuchevomu slovu. Vy zadaete stroku, kotoraya dolzhna prisutstvovat v otvete - esli ee net, prikhodit opoveshchenie.

Primer dlya health check endpointa:

GET /api/health HTTP/1.1

{
  "status": "ok",
  "checks": {
    "database": "ok",
    "redis": "ok",
    "queue": "ok"
  },
  "version": "1.42.3"
}

Ustanovite keyword match na "status":"ok". Esli BD upadet i endpoint vernet "status":"degraded", monitoring eto perekhvatit.

Negative matching: chego ne dolzhno byt

Inogda poleznee proveryat, chto opredelennoy stroki NET v otvete:

  • "error" - oshibka v tele otveta
  • "maintenance" - neozhidannyy rezhim obsluzhivaniya
  • "deprecated" - API endpoint pomechen kak ustarevshiy (deprecated)
  • fragmenty SQL oshibok: "SyntaxError", "undefined", "null pointer" - protekayushchie oshibki bekenda

Prodvinutye asserty

Sovpadenie po prostomu tekstu imeet svoi predely. Dlya seryeznogo monitoringa API podkhodyat strukturirovannye asserty nad strukturoy JSON (vyrazheniya JSONPath) i mnogoshagovye sinteticheskie tranzaktsii (login -> zashchishchennyy endpoint -> logout).

ePulz.io podderzhivaet eti vozmozhnosti napryamuyu. Multi-step / API monitoring pozvolyaet svyazyvat do 10 shagov (GET/POST/PUT/PATCH/DELETE/HEAD), na kazhdom shage proveryat kod statusa, soderzhimoe i znachenie JSONPath, a takzhe sokhranyat peremennye iz otveta dlya sleduyushchikh shagov. Funktsiya dostupna na tarifakh Profi i Business i rabotaet v pervichnom regione. Dlya bolee prostykh sluchaev na bolee nizkikh tarifakh vy mozhete skombinirovat HTTP monitor s otdelnym vspomogatelnym skriptom, kotoryy otpravlyaet rezultat cherez heartbeat monitor.

Authentication v monitoringe

Monitorimyy endpoint chasto trebuet auth. Varianty:

  • Bearer token v zagolovke Authorization - obychno dolgozhivushchiy monitoring token bez sroka deystviya (khranite ego bezopasno)
  • API key v query parametre - viden v logakh, nepredpochtitelno
  • HMAC podpis - timestamp + URL + khesh tela, podpisannye obshchim sekretom. Samyy bezopasnyy.
  • mTLS - klientskiy sertifikat na storone monitoringa. Podkhodit dlya vnutrennikh API.

Preduprezhdenie o bezopasnosti: Dlya monitoringa sozdayte vydelennyy akkaunt / token s minimalnymi pravami (read-only health endpoint, ne admin token). Regulyarno rotiruyte token. Esli servis monitoringa skomprometirovan, polnyy dostup k API ne utechet.

SLO vremeni otklika

Vremya otklika API stol zhe vazhno, kak HTTP kod. Klient s timeoutom 30 s ne vidit raznitsy mezhdu "API vozvrashchaet 200 za 25 s" i "API zavershilos timeoutom". S tochki zreniya UX oba varianta plokhi.

Nastroyte:

  • Hard timeout - cherez 10-15 s monitoring soobshchaet DOWN
  • Soft threshold - vremya otklika mezhdu 500-2000 ms = warning (degraded performance)
  • Trendovye opoveshcheniya - opoveshchenie, esli 95-y pertsentil vremeni otklika vyros na 50 % za poslednie 24 ch

Per-endpoint monitoring

U bolshogo API desyatki endpointov. Ne monitorte tolko /health - on tozhe mozhet vrat. Opredelite 3-5 kriticheskikh endpointov:

  • Naibolee ispolzuemye biznes-operatsii (POST /api/orders, GET /api/dashboard)
  • Chitayushchiy endpoint, proveryayushchiy cache hit (bystryy otvet)
  • Pishushchiy endpoint s roundtrip k BD
  • Endpoint vneshney integratsii (vyzyvaet tretyu storonu - obnaruzhivaet sboi zavisimostey)

Monitorte kazhdyy otdelno. Pri intsidente vy tak tochno vidite, kakaya chast API upala.

Zaklyuchenie

Monitoring API nelzya svesti k HTTP kodu statusa. Kachestvennyy monitoring sochetaet status + content match + vremya otklika + per-endpoint granulyarnost + authentication, chtoby verno imitirovat realnogo klienta - a ne tolko HTTP klienta.

Monitoring API s sovpadeniem po klyuchevomu slovu

Kod statusa + klyuchevoe slovo v soderzhimom + vremya otklika + auth headers. Per-endpoint granulyarnost.

Zapustit monitoring →

Svyazannoe

Поделиться: Ссылка скопирована

Попробуйте ePulz.io бесплатно - 7 дней без банковской карты.

Создать аккаунт