.. _http_server:

***********
HTTP Server
***********

TLS
===

App Suite Proxy can be used for TLS termination of HTTP requests. The server can be configured to use one certificate for all incoming requests, or to utilize Server Name Indication (SNI) to choose a different certificate from the configured keystore for each host. Each certificate has to provide the hostname in its Subject Alternative Name extension. If only one certificate is present in the keystore, this certificate is used without any hostname matching. Wildcard certificates are also supported from the first subdomain level, like ``*.appsuite.com`` or ``*.customer.appsuite.com``.

Configuration
-------------

Configuration takes place via properties in ``application.properties``.

:zuul.ssl.openssl.allow:
    **Optional:** Offloads TLS termination to OpenSSL via Java JNI. See https://netty.io/wiki/forked-tomcat-native.html for details. App Suite Proxy links and ships the ``io.netty:netty-tcnative-boringssl-static`` library for that purpose. This also affects outbound connections (:ref:`Backend Pools::TLS`)!
    Default: ``false``

    Reloadable: ``true``

:proxy.tls.enabled:
    **Optional:** Enables TLS.

    Default: ``false``

    Reloadable: ``false``

    EnvVar: ``PROXY_TLS_ENABLED``

:proxy.tls.port:
    **Mandatory for TLS:** TLS port.

    Default: ``8443``

    Reloadable: ``false``

    EnvVar: ``PROXY_TLS_PORT``

:proxy.tls.keystore.type:
    **Mandatory for TLS:** Keystore type.

    Default: ``PKCS12``

    Reloadable: ``false``

    EnvVar: ``PROXY_TLS_KEYSTORE_TYPE``

:proxy.tls.keystore:
    **Mandatory for TLS:** Path to the keystore file.

    Default: (empty)

    Reloadable: ``false``

    EnvVar: ``PROXY_TLS_KEYSTORE``

:proxy.tls.keystore.pass:
    **Mandatory for TLS:** Password to open the keystore.

    Default: (empty)

    Reloadable: ``false``

    EnvVar: ``PROXY_TLS_KEYSTORE_PASS``

:proxy.tls.ciphers:
    **Optional:** Set the cipher suites that should be supported.

    Default::

        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_AES_128_GCM_SHA256,
        TLS_AES_256_GCM_SHA384

    EnvVar: ``PROXY_TLS_CIPHERS``

:proxy.tls.protocols:
    **Optional:** Set the protocol versions that should be supported.

    Default: ``TLSv1.3, TLSv1.2, TLSv1.1, TLSv1``

    Reloadable: ``false``

    EnvVar: ``PROXY_TLS_PROTOCOLS``

Server Name Indication
``````````````````````

Since SNI is enabled whenever TLS is enabled, this feature can be used by simply adding new certificates to the keystore and ensuring that the hostname is provided in each certificate's Subject Alternative Name extension.

.. note:: So far, OpenSSL is not supported in cooperation with the SNI feature. If OpenSSL is desired, one single certificate should be present in the keystore.
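The protocol default above still lists TLSv1.1 and TLSv1, and several of the default cipher suites are CBC rather than AEAD suites, so it is worth linting ``application.properties`` before rollout. The following checker is an added example, not part of App Suite Proxy: it reads a ``.properties`` file, verifies that the properties documented as mandatory for TLS are set, and flags legacy protocol versions (deprecated by RFC 8996), CBC suites, and the OpenSSL/SNI combination the note above warns about. The sample file contents, the keystore path and the severity levels are constructed for the example.

```python
import re

# TLS versions deprecated by RFC 8996. The documented default for
# proxy.tls.protocols still lists both of them.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Documented default for proxy.tls.protocols, applied when the key is absent.
DEFAULT_PROTOCOLS = "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1"

# Properties documented as mandatory once proxy.tls.enabled is true.
REQUIRED_WHEN_ENABLED = (
    "proxy.tls.port",
    "proxy.tls.keystore.type",
    "proxy.tls.keystore",
    "proxy.tls.keystore.pass",
)

# Constructed sample file; the keystore path is a placeholder, not a shipped default.
SAMPLE_PROPERTIES = """\
# constructed sample application.properties
proxy.tls.enabled=true
proxy.tls.port=8443
proxy.tls.keystore.type=PKCS12
proxy.tls.keystore=/path/to/keystore.p12
proxy.tls.keystore.pass=
proxy.tls.protocols=TLSv1.3, TLSv1.2, TLSv1.1
proxy.tls.ciphers=TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value'; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def split_list(value):
    """Split a comma-separated property value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_tls_config(props):
    """Return a list of (severity, message) findings; an empty list means no findings."""
    findings = []
    if props.get("proxy.tls.enabled", "false").strip().lower() != "true":
        findings.append(("info", "proxy.tls.enabled is false: the proxy serves plaintext HTTP only"))
        return findings
    for key in REQUIRED_WHEN_ENABLED:
        if not props.get(key):
            findings.append(("error", f"{key} is mandatory for TLS but empty or missing"))
    for proto in split_list(props.get("proxy.tls.protocols", DEFAULT_PROTOCOLS)):
        if proto in LEGACY_PROTOCOLS:
            findings.append(("warning", f"{proto} is deprecated by RFC 8996; drop it from proxy.tls.protocols"))
    for suite in split_list(props.get("proxy.tls.ciphers", "")):
        if "_CBC_" in suite:
            findings.append(("warning", f"{suite} is a CBC suite; prefer the AEAD (GCM) suites"))
    if props.get("zuul.ssl.openssl.allow", "false").strip().lower() == "true":
        findings.append(("warning", "zuul.ssl.openssl.allow is true: SNI is not supported with "
                                    "OpenSSL, keep a single certificate in the keystore"))
    return findings


if __name__ == "__main__":
    for severity, message in check_tls_config(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{severity:8} {message}")
```

Run against the constructed sample, the checker reports the empty keystore password as an error and the TLSv1.1 entry and the CBC suite as warnings; a file that omits ``proxy.tls.protocols`` entirely inherits the documented default and is warned about both TLSv1.1 and TLSv1.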
.. _compression:

Compression
===========

GZip compression of the HTTP response payload is supported and enabled by default. Response payloads are compressed if the content type is known to be compressible and the HTTP request contained ``gzip`` in its ``Accept-Encoding`` header. In addition, the content must exceed a certain size to be compressed. Origin responses that are already compressed are streamed through as is and not re-compressed.

Configuration
-------------

Configuration takes place via properties in ``application.properties``.

:zuul.response.gzip.filter.enabled:
    **Optional:** Enable/disable GZip compression.

    Default: ``true``

    Reloadable: ``true``

:zuul.min.gzip.body.size:
    **Optional:** Minimum response body size in bytes to apply compression.

    Default: ``860``

    Reloadable: ``true``

:zuul.gzip.contenttypes:
    **Optional:** Comma-separated list of content types that qualify for compression.

    Default::

        text/html, application/x-javascript, text/css, application/javascript,
        text/javascript, text/plain, text/xml, application/json,
        application/vnd.ms-fontobject, application/x-font-opentype,
        application/x-font-truetype, application/x-font-ttf, application/xml,
        font/eot, font/opentype, font/otf, image/svg+xml, image/vnd.microsoft.icon

    Reloadable: ``true``

.. _proxy_protocol:

PROXY Protocol
==============

The PROXY protocol provides a convenient way to safely transport connection information such as a client's address, client port and protocol across multiple layers of NAT or TCP proxies.

.. _protocol_config:

Configuration
-------------

The following settings are applicable to ``application.properties``.

:proxy.proxyprotocol.expected:
    **Optional:** A boolean value to enable/disable PROXY protocol support.
    If enabled and a request was sent using the PROXY protocol:

    - the original client IP and port are used as input for :ref:`X-Forwarded headers`
    - the original client IP is checked against any client :ref:`IP restriction`

    Default: ``false``

    Reloadable: ``false``

    EnvVar: ``PROXY_PROTOCOL_EXPECTED``

Example Setup
-------------

Find below an example configuration for an HAProxy Docker container that has the PROXY protocol enabled.

.. literalinclude:: config-examples/haproxy_setup_example.yml
   :language: yaml

Enable the PROXY protocol in the config file with **send-proxy** or **send-proxy-v2**; disable it by deleting the keywords. For a local setup, replace the container and appsuite-proxy IPs with localhost. Finally, start HAProxy with **haproxy -f cfgfile**.

.. _websockets:

WebSockets
==========

App Suite Proxy provides a way to handle WebSockets to support bidirectional real-time communication between client and server. Therefore the proxy runtime can establish a tunnel between a client and a backend server. The client simply needs to send a valid WebSocket handshake request, and if the backend server accepts the handshake, the tunnel is opened.

.. _ws_configuration:

Configuration
-------------

The settings to set up WebSockets need to be made in ``application.properties`` and ``routing.yml``.

**application.properties:**

:proxy.websockets.enabled:
    **Mandatory for WebSockets:** Enable WebSockets.

    Default: ``false``

    Reloadable: ``false``

    EnvVar: ``PROXY_WEBSOCKETS_ENABLED``

:proxy.websockets.port.offset:
    **Optional:** If WebSockets are enabled, the given value can be used to start the proxy with a dedicated port on which WebSockets are supported. The concrete port depends on the settings for ``zuul.server.port.main`` and ``proxy.tls.port``. E.g. if ``proxy.tls.port`` is ``8443`` and ``proxy.websockets.port.offset`` is ``10``, the WebSocket port will be ``8453``.
    This allows a dedicated management where requests on port ``8453`` allow HTTPS as well as WebSockets, but requests on ``8443`` only allow plain HTTPS.

    Default: ``0``

    Reloadable: ``false``

    EnvVar: ``PROXY_WEBSOCKETS_PORT_OFFSET``

:proxy.websockets.port.offset:
    **Optional:** If WebSockets are enabled, the given value can be used to override the settings in the routing and backend configuration and set the timeout for all WebSocket connections. If set to ``0``, the proxy never closes a connection, no matter how long there was no read or write operation on the opened connection. If set to ``-1``, this property is disabled and the configuration in routing / backend is used.

    Default: ``-1``

    Reloadable: ``true``

    EnvVar: ``PROXY_WEBSOCKETS_GLOBAL_TIMEOUT``

**routing.yml:**

WebSockets need a specific action type. This enables the proxy to deal with incoming handshake requests. See section WebSocket tunnel in :ref:`Routing Action`.
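To make the PROXY Protocol section above concrete, here is an added example (not App Suite Proxy code) of what a receiver does with a PROXY protocol v1 header once ``proxy.proxyprotocol.expected`` is enabled: parse the line that precedes the HTTP request, recover the original client address and port, feed them to the forwarded headers, and apply a client IP restriction to the original address rather than to the load balancer's. The byte stream and the allowlist are constructed; the ``X-Forwarded-For`` / ``X-Forwarded-Port`` names are the common ones and an assumption here, not the proxy's documented header set. Because the header is plain, unauthenticated text, a receiver should only expect it on listeners that are reachable solely from the upstream proxy that sends it.

```python
import ipaddress
from dataclasses import dataclass

# Longest legal v1 header line including CRLF, from the PROXY protocol specification.
MAX_V1_HEADER = 107
# Binary signature that opens a PROXY protocol v2 header (send-proxy-v2 in HAProxy).
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# Constructed sample: a v1 header in front of an HTTP request, and a client allowlist.
SAMPLE_STREAM = (b"PROXY TCP4 198.51.100.7 203.0.113.5 56324 443\r\n"
                 b"GET /appsuite/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n")
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class ProxyInfo:
    src_ip: object      # IPv4Address / IPv6Address, or None for "PROXY UNKNOWN"
    src_port: int
    dst_ip: object
    dst_port: int
    rest: bytes         # bytes following the header, i.e. the start of the HTTP request


def parse_proxy_v1(data: bytes) -> ProxyInfo:
    """Parse a PROXY v1 header at the very start of a connection's byte stream."""
    if data.startswith(V2_SIGNATURE):
        raise ValueError("PROXY v2 (binary) header is not handled by this example")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0 or not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header line at start of stream")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # The sender could not determine the client; fall back to the socket's own peer address.
        return ProxyInfo(None, 0, None, 0, rest)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src_ip, dst_ip = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    expected_version = 4 if fields[1] == "TCP4" else 6
    if src_ip.version != expected_version or dst_ip.version != expected_version:
        raise ValueError("address family does not match the protocol field")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(src_ip, src_port, dst_ip, dst_port, rest)


def forwarded_headers(info: ProxyInfo) -> dict:
    """Values a proxy would feed into its X-Forwarded-* headers (header names assumed)."""
    if info.src_ip is None:
        return {}
    return {"X-Forwarded-For": str(info.src_ip), "X-Forwarded-Port": str(info.src_port)}


def is_allowed(src_ip, allowed_networks) -> bool:
    """Apply a client IP restriction to the address transported by the PROXY header."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed_networks)


if __name__ == "__main__":
    info = parse_proxy_v1(SAMPLE_STREAM)
    print(forwarded_headers(info), "allowed:", is_allowed(info.src_ip, ALLOWED_CLIENTS))
```

The parser rejects a v2 header rather than silently treating its binary signature as request bytes, accepts ``PROXY UNKNOWN`` as the specification requires, and cross-checks the address family against the ``TCP4``/``TCP6`` field so that a mismatched line is refused instead of being partially trusted.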
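The WebSockets section says the client must send a valid handshake request and the tunnel opens once the backend accepts it. The following added example (not App Suite Proxy code) shows both halves of that exchange as a proxy would check them: it validates the client's upgrade request per RFC 6455 (GET over HTTP/1.1, ``Upgrade: websocket``, ``Connection: Upgrade``, version 13, a 16-byte base64 key), derives the ``Sec-WebSocket-Accept`` value the backend must return, and verifies the backend's ``101`` reply against it before any bytes are relayed. The request and reply bytes are constructed; the key/accept pair is the worked example from RFC 6455.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept from the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed client handshake and backend reply (key/accept pair taken from RFC 6455).
CLIENT_HANDSHAKE = (b"GET /chat HTTP/1.1\r\nHost: mail.example.test\r\nUpgrade: websocket\r\n"
                    b"Connection: keep-alive, Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                    b"Sec-WebSocket-Version: 13\r\nOrigin: https://mail.example.test\r\n\r\n")
BACKEND_REPLY = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                 b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")


def parse_head(raw: bytes):
    """Split an HTTP/1.1 request or response head into (start_line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def has_token(header_value: str, token: str) -> bool:
    """Match one token of a comma-separated header such as 'keep-alive, Upgrade'."""
    return token in [t.strip().lower() for t in header_value.split(",")]


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), as specified in RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_handshake(raw: bytes):
    """Return (True, expected_accept) for a valid client handshake, else (False, reason)."""
    start, h = parse_head(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        return False, "handshake must be a GET request over HTTP/1.1"
    if not has_token(h.get("upgrade", ""), "websocket"):
        return False, "missing 'Upgrade: websocket'"
    if not has_token(h.get("connection", ""), "upgrade"):
        return False, "missing 'Connection: Upgrade'"
    if h.get("sec-websocket-version") != "13":
        return False, "unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        nonce = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "Sec-WebSocket-Key is not valid base64"
    if len(nonce) != 16:
        return False, "Sec-WebSocket-Key must encode exactly 16 bytes"
    return True, accept_key(key)


def backend_accepted(raw_response: bytes, expected_accept: str) -> bool:
    """True when the backend replied 101 with the Sec-WebSocket-Accept matching the client key."""
    start, h = parse_head(raw_response)
    return start.startswith("HTTP/1.1 101") and h.get("sec-websocket-accept") == expected_accept


if __name__ == "__main__":
    ok, accept = validate_handshake(CLIENT_HANDSHAKE)
    print("client handshake valid:", ok, "expected accept:", accept)
    print("backend accepted:", backend_accepted(BACKEND_REPLY, accept))
```

Checking the backend's accept value against the key the client actually sent is what prevents a tunnel from being opened on a reply that merely says ``101``; the ``Origin`` header is carried through unchanged here, since which origins are acceptable is a policy of the application behind the proxy.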