Being HAPI! Reverse Proxying on Purpose
description
Transcript of Being HAPI! Reverse Proxying on Purpose
BEING HAPI!REVERSE PROXYING ON
PURPOSE
DUBLIN NODE COMMUNITY TALKMay 29 2014
Building a Reverse Proxy With Node Enterprise IT
Scalability Testing Lots of Clients
Tools
Happy Second Anniversary!
Chris Lawless | Kevin Yu Wei Xia |Fergal Carroll @phergalkarl| Ciarán Ó hUallacháin Aman Kohli @akohli
NODE IS MAINSTREAM
WHY NODE?
✔︎ Node• Everyone knows
Javascript, right?• Community • Expediency• It was Cool in 2012
- @adam_baldwin
“Walmart has had good success with HAPI and Node”
- @ eoinbrazil
“Node is good. I’ve heard good things about HAPI”
HOMOLOGATED
It’s approved for internal usage
Less Yak Shaving than other solutions
• different at least
• good internal community beware of dog, staff only
IT AIN’T EASYbut we gotta try
ENTERPRISES• Plurality of systems,
services • web resources• web sites
• Connectivity challenges• direct• mediated
• Security• AuthN• AuthZ• Data Encryption at rest
ENTERPRISES - DETAILAccessing internal web resources
Accessing internal web sites
Lots of hoops
connectivity, security
Connectivity options
Direct via opening firewall
via gateway devie
via meidated proxy
HOW WE DID IT
PROXYING IS EASY
WHAT IS INVOLVED
NOTES ON PREVIOUS SLIDE
Node Component
Security
Who Identity (Authentication)
What Permissions ing (Authorisation)
Prevent Data Leakage
Controls (cut and paste)
Secure Sandbox
Activation/Deactivation
Connectivity + AuthN/Z
Connectivity
Gateway Appliance (~50ms overhead)
Systems
Dev SIT UAT Prod
Not Production, Pre Production, and Mine
WHAT WE HAVE• Dual CPU Xeon 2.6GHz RHEL 6.3
• HTTP 1.1 no Keep-Alive, request payload is json
• Client iOS ObjectiveC, Node + Hapi (with Some Good Monitoring)
• Great Details on Best practice
• https://gist.github.com/hueniverse/7686452
DETAILS
THE FLOW
• The Protocol
• Security - Gateway Access
• Federated Identity, my foot• NTLM I hardly knew ye
PROTOCOL
Request
json body
target
headers
body/post-data
loginfo
request = { URL = "http://www.citigroup.net/",
method = "GET", timeout = 19500, clientInfo = { identifier = “…E”, model = "iPad Simulator", systemName = "iPhone OS", systemVersion = "7.1", }, headers = { Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", Cookie = "CGPLNG=ENG; JSESSIONID_CGNR3=..”, "User-Agent" = "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D167" }, logEntries = [ { URL = “https://cinternal.site/target/fooa”, downstreamDuration = 656, httpMethod = "GET", roundtripDuration = 3461, statusCode = 200 } ] }
RESPONSE
body = “<base64>", code = 200, duration = 31, headers = { "Accept-Ranges" = [ "bytes" ], "Content-Length" = [ 225 ], "Content-Type" = [ "text/html" ], Date = [ "Thu, 29 May 2014 15:28:29 GMT" ], Etag = [ "\"e1-4e50c74f\"" ], "Last-Modified" = [ "Sun, 21 Aug 2011 08:52:31 GMT" ] }, message = "OK"}
NTLM
Ouch
NTLM AUTHENTICATIONEnterprise authentication protocol (Microsoft).
NTLM requires all phases to take place across a single HTTP connection.
NTLM messages are sent and received as request headers.
The server’s response from the NTLM type 3 message is the requested content.
This authentication process must be completed for every requested resource, unless an open connection is maintained.
NTLM TYPE 1 MESSAGE• Sent from the client to initiate the NTLM authentication process.• Includes flags and OS information (indicating version, build and
revision). • May or may not include hostname and domain information.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP“ (0x4e544c4d53535000)8 NTLM Message Type - long (0x01000000)12 Flags - long(16) Supplied Domain (optional) - security buffer(24) Supplied Workstation (optional) - security buffer(32) OS Version Structure (optional) - 8 bytes(32) (40) Start of data block (if required)
NTLM TYPE 2 MESSAGE• Server responds to the client’s type 1 message.• Includes the challenge, flags, target name and target information.• Each of these will is used to construct message the type 3
message.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)8 NTLM Message Type - long (0x02000000)12 Target Name - security buffer20 Flags - long24 Challenge - 8 bytes(32) Context (optional) - 8 bytes (two consecutive longs)(40) Target Information (optional) - security buffer(48) OS Version Structure (optional) - 8 bytes
NTLM TYPE 3 MESSAGE• Final step in authentication.• Constructed using information from the type 2 server response
message.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)8 NTLM Message Type - long (0x03000000)12 LM/LMv2 Response - security buffer20 NTLM/NTLMv2 Response - security buffer28 Target Name - security buffer36 User Name - security buffer44 Workstation Name - security buffer(52) Session Key (optional) - security buffer(60) Flags (optional) - long(64) OS Version Structure (optional) - 8 bytes52 (64) (72) Start of data block
WORKING
Implementation Challenges
• Storage of password on mobile device is prohibited, but is required in the authentication process.
• Persistent connection not available.
• Latency issues – 3 requests for every web resource.
Solution• Ported from Apache Java implementation to
Node.js.
• Hashed username / password pair stored on device, transmitted to server for authentication rather than raw password.
• hmac_md5(username, md4(password))
• NTLM message calculation split between client app and proxy server.
• Defaults used and optional parameters omitted – simplified messages.
• Observed desktop browsers wait for a 401 before beginning the authentication process. Pre-emptively sending the username / password hash eliminates the initial 401 response.
Process is reduced from 3 direct requests to a single client request, mapped to 2 proxy requests.
GITHUB.COM/SPUMKO/FLOD
flod -n 2000 -t 1500 -c 100..1000 -v http://target-place
FLOD OUTPUT## 6k page resultsec2-user@ip-10-199-51-233 node-hapi]$ flod -n 2000 -t 1500 -c 100..1000 -v http://localhost/loremipsum-6k-ish.htmlThis is Flod, version 0.2.2Copyright 2013 Walmart, http://github.com/spumko/flod
Benchmarking (hold on)...
Server Requests/sec Latency (ms) --------------------------------------- ------------ ---------------http://localhost/loremipsum-6k-ish.html 100 96.48 ± 18.54 http://localhost/loremipsum-6k-ish.html 200 164.24 ± 17.03 http://localhost/loremipsum-6k-ish.html 300 263.80 ± 62.44 http://localhost/loremipsum-6k-ish.html 400 359.61 ± 49.20 http://localhost/loremipsum-6k-ish.html 500 437.66 ± 58.69 http://localhost/loremipsum-6k-ish.html 600 481.29 ± 120.04http://localhost/loremipsum-6k-ish.html 700 606.74 ± 114.45http://localhost/loremipsum-6k-ish.html 800 555.08 ± 133.74http://localhost/loremipsum-6k-ish.html 900 674.08 ± 190.91http://localhost/loremipsum-6k-ish.html 1000 763.27 ± 69.25
## running with high timeout - doubling responses times vs nginx direct [ec2-user@ip-10-199-51-233 node-hapi]$ ../node_modules/flod/bin/flod -n 2000 -t 4500 -c 100..1000 -v http://localhost:8000This is Flod, version 0.2.2Copyright 2013 Walmart, http://github.com/spumko/flod
Benchmarking (hold on)...
Server Requests/sec Latency (ms) --------------------- ------------ ----------------http://localhost:8000 100 200.55 ± 39.40 http://localhost:8000 200 389.54 ± 67.39 http://localhost:8000 300 558.14 ± 112.57 http://localhost:8000 400 777.09 ± 160.01 http://localhost:8000 500 970.61 ± 305.76 http://localhost:8000 600 1032.37 ± 274.44http://localhost:8000 700 1216.49 ± 249.94http://localhost:8000 800 1483.31 ± 690.64http://localhost:8000 900 1559.54 ± 805.31http://localhost:8000 1000 1909.23 ± 845.81
MODIFYING FLOD
• modified server to pull our decorated response timing information
• modified reporting/logging to include this information
• hope to contribute back to mainline
TESTING
• Test Environment
• Understanding the Results
• Graphing the Results
SCENARIOS• Closed network, direct
connection, Mac to Mac
• Client server on a redhat VM, loopback. Redhat VM
• Redhat client to Windows Server via network, Redhat to Windows
• via Mobile network/wifi could only support 100 transactions/s because of latency
Req/sResponse
(ms)
Mac to Mac
1000 2000
Redhat VM
1000 8500
RD to Windows
1000 30, 000
External 100 17, 000
RESULTS
EXCELLENT
GITHUB.COM/ES-ANALYSIS/PLATOjavascript visualization and analysis tool.
Plato can be used to estimate how maintainable code in project is.
From the data it collects it generates easy to understand ,minimalist , interactive webpages.
PLATOPlato can also be used to estimate how many errors a project may contain.
We can also use Plato to look more closely for potential problems in individual pieces of code.
• Plato is good for spotting area such as large nests of code which could be hard to read ,maintain and may be error prone.
• It’s relying on heuristics that may not always be right, and it wont spot every bug.
More Plato
Plato is good for spotting area such as large nests of code which could be hard to read ,maintain and may be error prone.
It’s relying on heuristics that may not always be right, and it wont spot every bug.
Plato is very easy to install: $ npm install -g plato
And almost as easy to run: $ plato -r -d report src
JEST.JSJest allows us to call up Javascript functions from other files so we can quickly pass them data and compare it to what should be returned.
Jest minimizes the amount of code we have to write for tests and is setup so we can neatly bundle and keep our tests separate from our project code.
SCALABILITY PACKETS
• Pile of VMs to auto-scale
• Need elastic environment with a smart load balancer and configuration management
QUESTIONS? COMMENTS?
THANKS!