Pular para conteúdo

API Firewall Metrics of the NGINX Node

This article describes the API Firewall metrics of the NGINX Node. The API Firewall provides the core functionality for API Specification Enforcement, which detects discrepancies between your API specification and actual REST API requests.

The metrics include data on HTTP request performance, request counts, and service errors. They help you monitor and troubleshoot the NGINX Node.

Enabling API Firewall metrics

API Firewall metrics are not enabled by default. You need to enable them differently depending on your deployment type.

For Docker image:

  1. Set the APIFW_METRICS_ENABLED environment variable to true when deploying the NGINX Node.

    Once enabled, metrics are available at http://<host>:9010/metrics unless custom host or path are used (see step 2 below).

  2. (Optional) You can change the default API Firewall metrics endpoint http://<host>:9010/metrics using the following environment variables:

    • APIFW_METRICS_ENDPOINT_NAME - the path at which the metrics endpoint is exposed.
    • APIFW_METRICS_HOST - the IP address and/or port for the metrics endpoint. When specifying a port, prefix it with a colon (:).
      Expose the metrics port in your container or deployment configuration (e.g., for the default state, use -p 9010:9010).

For NGINX Ingress Controller:

  1. Add the controller.wallarm.apiFirewall.metrics* values to the Helm Chart during NGINX Ingress Controller deployment or upgrade.

    controller:
    wallarm:
        apiFirewall:
        metrics:
            enabled: true
            port: 9010
            endpointPath: /metrics
            host: ":9010"
            service:
            servicePort: 9010
    

    Once enabled, metrics are available at http://<host>:9010/metrics unless custom host or path are used (see step 2 below).

  2. (Optional) You can change the default API Firewall metrics endpoint using the values described above.

For Sidecar:

  1. Add the config.wallarm.apiFirewall.metrics.* values to the Helm Chart during Sidecar deployment or upgrade.

    config:
    wallarm:
    # Other configuration values...
        apiFirewall:
        mode: "on"
        readBufferSize: 8192
        writeBufferSize: 8192
        maxRequestBodySize: 4194304
        disableKeepalive: false
        maxConnectionsPerIp: 0
        maxRequestsPerConnection: 0
        metrics:
            enabled: true
            endpointName: "metrics"
            host: ":9010"
        fallback: "on"
    

    Once enabled, metrics are available at http://<host>:9010/metrics unless custom host or path are used (see step 2 below).

  2. (Optional) You can change the default API Firewall metrics endpoint using the values described above.

For All-in-one installer and cloud images (AWS AMI, GCP Machine Image):

  1. Once you have deployed the NGINX Node, add APIFW_METRICS_ENABLED=true to /opt/wallarm/env.list.

  2. (Optional) You can change the default API Firewall metrics endpoint http://<host>:9010/metrics by adding the following to /opt/wallarm/env.list:

    • APIFW_METRICS_ENDPOINT_NAME - the path at which the metrics endpoint is exposed.
    • APIFW_METRICS_HOST - the IP address and/or port for the metrics endpoint. When specifying a port, prefix it with a colon (:).
  3. To apply the custom API Firewall metrics settings, restart NGINX and then restart the Wallarm service:

    sudo systemctl restart nginx
    sudo systemctl restart wallarm
    

Once enabled, metrics are available at http://<host>:9010/metrics unless custom host or path are used (see step 2 above).

Example of API Firewall metrics

See the example of API Firewall metrics below.

Each metric includes HELP and TYPE metadata lines, which describe its purpose and format in detail.

# HELP wallarm_apifw_http_request_duration_seconds HTTP request duration in seconds
# TYPE wallarm_apifw_http_request_duration_seconds histogram
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="0.001"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="0.005"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="0.025"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="0.05"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="0.25"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="0.5"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="1"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="2.5"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="5"} 2
wallarm_apifw_http_request_duration_seconds_bucket{schema_id="1",le="+Inf"} 2
wallarm_apifw_http_request_duration_seconds_sum{schema_id="1"} 0.00028954100000000004
wallarm_apifw_http_request_duration_seconds_count{schema_id="1"} 2
# HELP wallarm_apifw_http_requests_total Total number of HTTP requests
# TYPE wallarm_apifw_http_requests_total counter
wallarm_apifw_http_requests_total{schema_id="1",status_code="200"} 2
# HELP wallarm_apifw_service_errors_total Total number of errors occurred in the APIFW service.
# TYPE wallarm_apifw_service_errors_total counter
wallarm_apifw_service_errors_total 0