Being HAPI! Reverse Proxying on Purpose

67 %
33 %
Information about Being HAPI! Reverse Proxying on Purpose
Mobile

Published on May 30, 2014

Author: akohli

Source: slideshare.net

Description

This presentation was given to the Dublin Node (JS) Community on May 29th 2014.

Presented by: Chris Lawless, Kevin Yu Wei Xia, Fergal Carroll @phergalkarl, Ciarán Ó hUallacháin, and Aman Kohli @akohli

BEING HAPI! REVERSE PROXYING ON PURPOSE

DUBLIN NODE COMMUNITY TALK May 29 2014 Building a Reverse Proxy With Node Enterprise IT Scalability Testing Lots of Clients Tools Happy Second Anniversary! Chris Lawless | Kevin Yu Wei Xia |Fergal Carroll @phergalkarl| Ciarán Ó hUallacháin Aman Kohli @akohli

NODE IS MAINSTREAM

WHY NODE? ✔︎ Node • Everyone knows Javascript, right? • Community • Expediency • It was Cool in 2012

- @adam_baldwin “Walmart has had good success with HAPI and Node” - @ eoinbrazil “Node is good. I’ve heard good things about HAPI”

HOMOLOGATED It’s approved for internal usage Less Yak Shaving than other solutions • different at least • good internal community beware of dog, staff only

IT AIN’T EASY but we gotta try

ENTERPRISES • Plurality of systems, services • web resources • web sites • Connectivity challenges • direct • mediated • Security • AuthN • AuthZ • Data Encryption at rest

ENTERPRISES - DETAIL Accessing internal web resources Accessing internal web sites Lots of hoops connectivity, security Connectivity options Direct via opening firewall via gateway devie via meidated proxy

HOW WE DID IT

PROXYING IS EASY

WHAT IS INVOLVED

NOTES ON PREVIOUS SLIDE Node Component Security Who Identity (Authentication) What Permissions ing (Authorisation) Prevent Data Leakage Controls (cut and paste) Secure Sandbox Activation/Deactivation Connectivity + AuthN/Z Connectivity Gateway Appliance (~50ms overhead) Systems Dev SIT UAT Prod Not Production, Pre Production, and Mine

WHAT WE HAVE • Dual CPU Xeon 2.6GHz RHEL 6.3 • HTTP 1.1 no Keep-Alive, request payload is json • Client iOS ObjectiveC, Node + Hapi (with Some Good Monitoring) • Great Details on Best practice • https://gist.github.com/hueniverse/7686452

DETAILS

THE FLOW • The Protocol • Security - Gateway Access • Federated Identity, my foot • NTLM I hardly knew ye

PROTOCOL Request json body target headers body/post-data loginfo request = { URL = "http://www.citigroup.net/", method = "GET", timeout = 19500, clientInfo = { identifier = “…E”, model = "iPad Simulator", systemName = "iPhone OS", systemVersion = "7.1", }, headers = { Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", Cookie = "CGPLNG=ENG; JSESSIONID_CGNR3=..”, "User-Agent" = "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D167" }, logEntries = [ { URL = “https://cinternal.site/target/fooa”, downstreamDuration = 656, httpMethod = "GET", roundtripDuration = 3461, statusCode = 200 }] }

RESPONSE body = “<base64>", code = 200, duration = 31, headers = { "Accept-Ranges" = [ "bytes" ], "Content-Length" = [ 225 ], "Content-Type" = [ "text/html" ], Date = [ "Thu, 29 May 2014 15:28:29 GMT" ], Etag = [ ""e1-4e50c74f"" ], "Last-Modified" = [ "Sun, 21 Aug 2011 08:52:31 GMT" ] }, message = "OK" }

NTLM Ouch

NTLM AUTHENTICATION Enterprise authentication protocol (Microsoft). NTLM requires all phases to take place across a single HTTP connection. NTLM messages are sent and received as request headers. The server’s response from the NTLM type 3 message is the requested content. This authentication process must be completed for every requested resource, unless an open connection is maintained.

NTLM TYPE 1 MESSAGE • Sent from the client to initiate the NTLM authentication process. • Includes flags and OS information (indicating version, build and revision). • May or may not include hostname and domain information. 0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP“ (0x4e544c4d53535000) 8 NTLM Message Type - long (0x01000000) 12 Flags - long (16) Supplied Domain (optional) - security buffer (24) Supplied Workstation (optional) - security buffer (32) OS Version Structure (optional) - 8 bytes (32) (40) Start of data block (if required)

NTLM TYPE 2 MESSAGE • Server responds to the client’s type 1 message. • Includes the challenge, flags, target name and target information. • Each of these will is used to construct message the type 3 message. 0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000) 8 NTLM Message Type - long (0x02000000) 12 Target Name - security buffer 20 Flags - long 24 Challenge - 8 bytes (32) Context (optional) - 8 bytes (two consecutive longs) (40) Target Information (optional) - security buffer (48) OS Version Structure (optional) - 8 bytes

NTLM TYPE 3 MESSAGE • Final step in authentication. • Constructed using information from the type 2 server response message. 0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000) 8 NTLM Message Type - long (0x03000000) 12 LM/LMv2 Response - security buffer 20 NTLM/NTLMv2 Response - security buffer 28 Target Name - security buffer 36 User Name - security buffer 44 Workstation Name - security buffer (52) Session Key (optional) - security buffer (60) Flags (optional) - long (64) OS Version Structure (optional) - 8 bytes 52 (64) (72) Start of data block

WORKING Implementation Challenges • Storage of password on mobile device is prohibited, but is required in the authentication process. • Persistent connection not available. • Latency issues – 3 requests for every web resource. Solution • Ported from Apache Java implementation to Node.js. • Hashed username / password pair stored on device, transmitted to server for authentication rather than raw password. • hmac_md5(username, md4(password)) • NTLM message calculation split between client app and proxy server. • Defaults used and optional parameters omitted – simplified messages. • Observed desktop browsers wait for a 401 before beginning the authentication process. Pre-emptively sending the username / password hash eliminates the initial 401 response. Process is reduced from 3 direct requests to a single client request, mapped to 2 proxy requests.

GITHUB.COM/SPUMKO/FLO D flod -n 2000 -t 1500 -c 100..1000 -v http://target-place

FLOD OUTPUT ## 6k page results ec2-user@ip-10-199-51-233 node-hapi]$ flod -n 2000 -t 1500 -c 100..1000 -v http://localhost/loremipsum-6k-ish.html This is Flod, version 0.2.2 Copyright 2013 Walmart, http://github.com/spumko/flod Benchmarking (hold on)... Server Requests/sec Latency (ms) --------------------------------------- ------------ --------------- http://localhost/loremipsum-6k-ish.html 100 96.48 ± 18.54 http://localhost/loremipsum-6k-ish.html 200 164.24 ± 17.03 http://localhost/loremipsum-6k-ish.html 300 263.80 ± 62.44 http://localhost/loremipsum-6k-ish.html 400 359.61 ± 49.20 http://localhost/loremipsum-6k-ish.html 500 437.66 ± 58.69 http://localhost/loremipsum-6k-ish.html 600 481.29 ± 120.04 http://localhost/loremipsum-6k-ish.html 700 606.74 ± 114.45 http://localhost/loremipsum-6k-ish.html 800 555.08 ± 133.74 http://localhost/loremipsum-6k-ish.html 900 674.08 ± 190.91 http://localhost/loremipsum-6k-ish.html 1000 763.27 ± 69.25 ## running with high timeout - doubling responses times vs nginx direct [ec2-user@ip-10-199-51-233 node-hapi]$ ../node_modules/flod/bin/flod -n 2000 -t 4500 -c 100..1000 -v http://localhost:8000 This is Flod, version 0.2.2 Copyright 2013 Walmart, http://github.com/spumko/flod Benchmarking (hold on)... Server Requests/sec Latency (ms) --------------------- ------------ ---------------- http://localhost:8000 100 200.55 ± 39.40 http://localhost:8000 200 389.54 ± 67.39 http://localhost:8000 300 558.14 ± 112.57 http://localhost:8000 400 777.09 ± 160.01 http://localhost:8000 500 970.61 ± 305.76 http://localhost:8000 600 1032.37 ± 274.44 http://localhost:8000 700 1216.49 ± 249.94 http://localhost:8000 800 1483.31 ± 690.64 http://localhost:8000 900 1559.54 ± 805.31 http://localhost:8000 1000 1909.23 ± 845.81

MODIFYING FLOD • modified server to pull our decorated response timing information • modified reporting/logging to include this information • hope to contribute back to mainline

TESTING • Test Environment • Understanding the Results • Graphing the Results

SCENARIOS • Closed network, direct connection, Mac to Mac • Client server on a redhat VM, loopback. Redhat VM • Redhat client to Windows Server via network, Redhat to Windows • via Mobile network/wifi could only support 100 transactions/s because of latency Req/s Response (ms) Mac to Mac 1000 2000 Redhat VM 1000 8500 RD to Windows 1000 30, 000 External 100 17, 000

RESULTS

EXCELLENT

GITHUB.COM/ES- ANALYSIS/PLATOjavascript visualization and analysis tool. Plato can be used to estimate how maintainable code in project is. From the data it collects it generates easy to understand ,minimalist , interactive webpages.

PLATO Plato can also be used to estimate how many errors a project may contain. We can also use Plato to look more closely for potential problems in individual pieces of code.

• Plato is good for spotting area such as large nests of code which could be hard to read ,maintain and may be error prone. • It’s relying on heuristics that may not always be right, and it wont spot every bug.

More Plato Plato is good for spotting area such as large nests of code which could be hard to read ,maintain and may be error prone. It’s relying on heuristics that may not always be right, and it wont spot every bug. Plato is very easy to install: $ npm install -g plato And almost as easy to run: $ plato -r -d report src

JEST.JS Jest allows us to call up Javascript functions from other files so we can quickly pass them data and compare it to what should be returned. Jest minimizes the amount of code we have to write for tests and is setup so we can neatly bundle and keep our tests separate from our project code.

SCALABILITY PACKETS • Pile of VMs to auto-scale • Need elastic environment with a smart load balancer and configuration management

QUESTIONS? COMMENTS?

THANKS!

Add a comment

Related presentations

mPortal designs, develops and hosts mobile apps and services for cable, telecom an...

Vorstellung des 7. App Day in München mit Übersicht über den Show Your App Award u...

Доклад Галины Диваковой на конференции Appsconference на тему ". 1 НОЯБРЯ, 2014 ...

Vortrag von Anna-Maria Zahn und Stefan Hauck auf der AllFacebook Marketing Confere...

Мобио - кейсы по продвижению мобильных приложени

Related pages

Running a Reverse Proxy in Apache - AskApache - Crazy ...

Running a Reverse Proxy in Apache - ... replacingthe old mod_jk (itself a special-purpose reverse proxy module). Proxying with Apache ...
Read more

Reverse proxy - Wikipedia, the free encyclopedia

... a reverse proxy is a type of proxy server that ... In the case of reverse proxying in the ... It is a technique typically accepted as being bad ...
Read more

Reverse Proxy - F5 Networks Inc.

A reverse proxy is a device or service placed between a client ... Reverse proxies can also be deployed to offload services from applications as a ...
Read more

Running a Reverse Proxy with Apache:

... reverse proxying has been the preferred method of ... purpose reverse proxy ... requests will appear as though they are being fulfilled ...
Read more

javascript - More elegant way of creating reverse proxy ...

I'm using hapi.js for serving html content in an ... More elegant way of creating reverse proxy with ... Nginx Reverse Proxying to Node.js with ...
Read more

Understanding Proxying and Redirection: Exchange 2010 Help

Understanding Proxying and Redirection. Understanding Client Throttling Policies. ... This will result in the user being prompted for ...
Read more

Setting up a Reverse Proxy for SharePoint with TMG Server ...

Setting up a Reverse Proxy for SharePoint with ... idea to have general purpose SharePoint farm ... with reverse-proxying SharePoint 2013 ...
Read more

The art of proxying - Andrea Tino’s Blog - Site Home ...

The art of proxying. ... this will determine the type of proxying strategy being used. Reverse proxy. ... The purpose of such an architecture is having ...
Read more