r37 - 31 May 2008 - 15:19:14 - EricTYou are here: Wiki >

AppLogic 2.3 Beta Documentation The latest production release is AppLogic 2.8.9

INSSL - HTTP Input Gateway with SSL Support

Latest version: 1.2.2

	At a Glance
	Catalog	System
	Category	Gateways
	User volumes	yes
	Min. memory	64M
	OS	Linux
	Constraints	no
	Questions/Comments	Ask Forum

The INSSL appliance is a layer-7 gateway for secure HTTP requests. It converts the requests to unencoded HTTP requests. This can be used whenever it is necessary to support secure HTTP on the client's side, but the back-end processing infrastructure does not or cannot support SSL, including:

using a fast and light-weight HTTP server that does not have SSL support
using multiple back-end servers, for performance or for redundancy, connected through a load-balancing switch
using multiple back-end servers for unrelated functions, connected through a URL switch
offloading the SSL encryption/decryption to a separate server to improve throughput

INSSL provides a firewalled entry point for network traffic into an AppLogic application, which can be configured with an Internet-accessible static IP address.

To support applications that need to appear at a single IP address for more than one service, SSL can be configured to direct non-HTTP traffic transparently to a separate output terminal. For such connections, the appliance acts as a layer-3 firewall/NAT router.

Boundary

Resources

Resource	Minimum	Maximum	Default
CPU	0.05	4	0.05
Memory	64M	2G	64M
Bandwidth	1 Mbps	1 Gbps	1 Mbps

Note: the amount of memory given to INSSL does not affect its throughput. Use more memory only to support more concurrent requests that have been forwarded to a back end server, pending a response, if the back-end servers hold up requests for excessively long times. Pound on INSSL uses 25 threads per 10MB available memory.

Terminals

name	dir	prot.	description
`http`	out	HTTP	HTTPS and/or HTTP requests received on the configured external IP address are directed to the output `http` as plain HTTP requests on the standard HTTP port 80. In addition to the client-supplied HTTP headers, the forwarded requests also contain the following informational headers: `X-Forwarded-For:` the remote client's IP address. This should be used by the server-side CGI scripts in place of the remote IP address. Note that in order to prevent spoofing, an X-Forwarded-For header received from the client iself will be discarded. `X-Forwarded-Proto: https` Marks that the client is connection over HTTPS. It is up to the back-end application to use this header to distinguish between HTTP and HTTPS connections.
`aux`	out	any	Output for other protocols, if configured - see the `l3_accept_*` properties.
`mon`	out	cce	Sends performance and resource usage statistics.

Properties

name	type	description
`ip_addr`	IP addr	external IP address of the gateway. This property has no default value and must be set.
`netmask`	IP addr	Netmask. This property has no default value and must be set. Default: (empty)
`gateway`	IP addr	Default gateway for outgoing traffic. Default: (empty)
`l7_accept`	enum	This specifies what kinds of HTTP traffic to accept for forwarding to the `http` terminal. Valid values: `https`, `http`, `both` , `none`. If set to `none` all traffic will be redirected only according to the `l3_accept_*` properties. Default: `both`.
`l3_accept_proto`	enum	Specifies which protocols will be forwarded to the `aux` terminal. Valid values: `none`, `tcp`, `udp`, `raw`, `all`. If set to `tcp` or `udp`, the `l3_accept_port` property may be used to specify the port. If set to `raw` the `l3_accept_port` property specifies the proto number. If set to `all` all incoming traffic on the external interface is forwarded to the `aux` terminal. Note that the `l7_accept` property takes precedence over this one - if you set `l7_accept` to value different from `none` all http(s) will be forwarded to the `http` terminal, the rest of the traffic will go to `aux` as specified by this property. Default: `none`.
`l3_accept_port`	string	A comma or space separated list of protocols to accept and route at the protocol specified by `l3_accept_proto` to the `aux` terminal; Protocols in the list may be specified either as port numbers or as standard protocol names (e.g., `ftp`, `smtp` etc. when specifying tcp/udp ports or `gre`, `tcp`, etc. when using raw protocols). Port ranges can also be specified (1024:10000, 0:1024). If left empty all ports of the specified protocol will be forwarded. Note: If you set `l3_accept_proto` to `raw` you must specify this property which in this case specifies the protocol number (more than one raw protocols may be specified but no proto range (e.g. 20:30) is allowed) Default: all
`allowed_hosts`	String	List of hosts and/or subnets allowed to connect. Separate multiple entries with spaces or commas. Supported format example: `192.168.1.2 192.168.1.0/24 192.168.2.0/255.255.255.0`. Default: `0.0.0.0/0` (all allowed)
`cert_file`	string	File name (relative to the data volume root) of the server certificate that this gateway instance should present to the client. Note that a valid certificate must be present on the configured data volume (see Volumes below) at the location specified by this property if you set `l7_accept` to `https` or `both`, otherwise SSL will fail to start. Default: server.pem
`webdav`	enum	Allow WebDAV requests to go through. Valid values: `off` - reject WebDAV requests; `on` - allow WebDAV requests; Default: `off`
`timeout`	int	Specify how many second Pound will wait for output from the backend server. If the backend server does not send output for `timeout` seconds, the connection is closed. Default: `300`

Volumes

name	description
`key`	A read-only data volume (placeholder) containing, as a minimum, the SSL server signing key. The file should be in PEM format located in the root directory of the `key` volume, named server.pem.

Performance

Request Rate

INSSL routes no less than 700 http or 120 https transactions (request/response pairs) per second, when operating on a single 2GHz CPU.

Data Throughput

INSSL routes no less than 3MB/s over http or 0.5MB/s over https, on a 3K average packet size (request and response).

Concurrent Connections

When given its maximum memory requirement, SSL should be able to handle no less than 300 concurrently pending requests. (A "pending request" being an open TCP connection from the client, on which there is one or more un-completed HTTP request in progress).

Error Messages

The following messages may appear in either the appliance log file or the system log of the grid controller when the appliance fails to start:

Firewall configuration failed
'Pound failed to start
The RSA private key is pass protected
You specified raw l3 proto but did not specify proto number (l3_accept_port)

Certificates

In order to use SSL you need both the signed certificate and the private key it was encrypted with. The key and the certificate should be in PEM format and put in a single file specified by the cert_file property.

Generating a certificate

First, you need a private key. You can generate one by executing:

openssl genrsa -out privkey.pem 2048

To generate a pass protected key, use the following (note that in order to use the key with INSSL you need a passwordless key, if you create a pass protected key you need to remove the password before using it in INSSL)

openssl genrsa -des3 -out privkey.pem 2048

Next you need a certificate. You have two options here - create a certificate request and have it signed by a trusted CA (for which they will charge you), or create a self-signed certificate for test purposes (in this case browsers requesting your site will issue warnings that the certificate is not signed by a trusted CA).

To generate a certificate request, execute the following:

openssl req -new -key privkey.pem -out server.csr

After you send the .csr file to your trusted CA, it will give you back a signed certificate ( .crt file) which you can use.

To generate a self signed certificate, execute the following:

openssl req -new -x509 -key privkey.pem -out server.crt -days 1095

Using the certificate

You can now put the certificate and the key in a file and use it in INSSL:

cat privkey.pem server.crt > server.pem

If your key is password protected, you can remove the password by executing the following:

openssl rsa -in key_with_pass.pem -out privkey.pem

Using existing apache+mod_ssl certificate

If you have an existing certificate that you use in Apache, you can use it in INSSL as well. Just make sure the key is not password protected (see above) and put the private key and the certificate in one file in that order. Example:

cat privkey.pem server.csr > server.pem

If you are using a chained certificate, you should also include the intermediate certificate provided by the issuer. Put the private key, the certificate and the intermediate certificate in one file in that order. Example:

cat privkey.pem server.csr sf_issuing.crt > server.pem

The server signing key is your Web site's "proof of identity". It is also vulnerable, since it is not password-encrypted (so that the appliance can read it without your help). Take the necessary measures to protect the key file, when installing it on the data volume. Do not use the same data volume for other purposes and don't make it visible to a Web server, e.g., to host Web-accessible data (HTML pages, scripts and such).

Typical Usage

Web applications

To provide http(s) access to your application, connect the http terminal directly to the WEB appliance.

If you need a scalable web application hook the http terminal to a HLB appliance.

Configuration for web applications

Note: the configuration examples list only properties set to non-default values and lack the network configuration (ip_addr, netmask, gateway).

The MAIL appliance shown within the examples is not shipped with AppLogic.

Property	Value	Notes
`l7_accept`	http/https/both	Specifies what l7 protocol will be used. NOTE: if `https` or `both` is specified, the `key` volume should contain the ssl certificate as specified by the `cert_file` property

Web application with additional services

If you have more services than just http in your application, you can use INSSL to pass http traffic to its http terminal and use the aux terminal for other services.

Property	Value	Notes
`l7_accept`	http/https/both	Specifies what l7 protocol will be used. NOTE: if `https` or `both` is specified, the `key` volume should contain the ssl certificate as specified by the `cert_file` property
`l3_accept_proto`	tcp	Redirect tcp ports 25,110,143 to aux terminal.
`l3_accept_port`	25 110 143	Redirect tcp ports 25,110,143 to aux terminal.

Web applications with > 1 additional services

If you have multiple tcp/udp services and http, you can use INSSL to pass http traffic to its http terminal and use the aux to feed the rest of the traffic to PS8, which will feed the desired traffic to the backend servers.

Property	Value	Notes
`l7_accept`	http/https/both	Specifies what l7 protocol will be used. NOTE: if `https` or `both` is specified, the `key` volume should contain the ssl certificate as specified by the `cert_file` property
`l3_accept_proto`	all	Redirect to aux terminal all IP (except icmp) traffic that is not passed to the http terminal.

Notes and Links

Notes

the INSSL input supports HTTP 1.0 and HTTP 1.1, but if the client identifies itself as MSIE, HTTP 1.1 support is turned off for that connection (to avoid bugs in some versions of MSIE).
if the client is not MSIE, the SSL appliance will support HTTP 1.1 for the client (incl, the multiple requests per TCP session ability), even if the back-end server uses supports only HTTP 1.0.
The INSSL class supports a single external IP and therefore a single SSL certificate may be used.

Questions and Comments

To post a question or comment on this appliance, visit our forum.

-- NetClime - 13 Mar 2007

AppLogic23

Documentation
- Home

References
- Dashboard
- Configurator
- Editor
- Monitor
- Volume Browser
- Shell
- Catalog
- Applications
- Glossary

Guides
- App Provisioning?
- App Deployment
- Appliance Creation

Helpdesk| Bugzilla| Wiki