HTTP Server
TLS
App Suite Proxy can be used for TLS termination of HTTP requests. The server can be configured to use one certificate for all incoming requests or to use Server Name Indication (SNI) to choose a different certificate from the configured keystore for each host. Each certificate has to provide the hostname in its Subject Alternative Name extension. If only one certificate is present in the keystore, this certificate is used without any hostname matching. Wildcard certificates are also supported from the first subdomain level, e.g. *.appsuite.com or *.customer.appsuite.com.
Configuration
Configuration takes place via properties in application.properties.
- zuul.ssl.openssl.allow
  Optional: Offloads TLS termination to OpenSSL via Java JNI. See https://netty.io/wiki/forked-tomcat-native.html for details. App Suite Proxy links and ships the io.netty:netty-tcnative-boringssl-static library for that purpose. This also affects outbound connections (see Backend Pools::TLS)!
  Default: false
  Reloadable: true
- proxy.tls.enabled
  Optional: Enables TLS
  Default: false
  Reloadable: false
  EnvVar: PROXY_TLS_ENABLED
- proxy.tls.port
  Mandatory for TLS: TLS port
  Default: 8443
  Reloadable: false
  EnvVar: PROXY_TLS_PORT
- proxy.tls.keystore.type
  Mandatory for TLS: Keystore type
  Default: PKCS12
  Reloadable: false
  EnvVar: PROXY_TLS_KEYSTORE_TYPE
- proxy.tls.keystore
  Mandatory for TLS: Path to keystore file
  Default: <empty>
  Reloadable: false
  EnvVar: PROXY_TLS_KEYSTORE
- proxy.tls.keystore.pass
  Mandatory for TLS: Password to open keystore
  Default: <empty>
  Reloadable: false
  EnvVar: PROXY_TLS_KEYSTORE_PASS
- proxy.tls.ciphers
  Optional: Set the cipher suites that should be supported
  Default: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
  EnvVar: PROXY_TLS_CIPHERS
- proxy.tls.protocols
  Optional: Set the protocols that should be supported
  Default: TLSv1.3, TLSv1.2, TLSv1.1, TLSv1
  Reloadable: false
  EnvVar: PROXY_TLS_PROTOCOLS
Server Name Indication
Since SNI is enabled whenever TLS is enabled, this feature can be used by simply adding new certificates to the keystore and ensuring that the hostname is provided in the certificate's Subject Alternative Name extension.
Note
So far, OpenSSL is not supported in combination with the SNI feature. If OpenSSL is desired, only one single certificate should be present in the keystore.
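The certificate selection rules from the TLS and SNI sections above (single-entry keystore used without matching, hostname taken from the Subject Alternative Name, wildcards only from the first subdomain level) can be modelled in a few lines. The following is an added example, not App Suite Proxy code: the keystore is represented as a constructed list of (alias, SAN hostnames) pairs rather than a real PKCS12 file, and the aliases and hostnames are made up. It is useful as a pre-deployment check that every hostname you intend to serve is covered by some certificate, so a gap shows up before a client sees a handshake failure.

```python
"""Added example (not App Suite Proxy code): model the documented
certificate selection.  A keystore is a constructed list of
(alias, [SAN hostnames]); the real proxy reads a PKCS12 keystore."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match an SNI hostname against one SAN entry.

    A wildcard is honoured only in the leftmost label and matches exactly
    one label, so *.appsuite.com covers mail.appsuite.com but neither
    appsuite.com nor a.b.appsuite.com.  Matching is case-insensitive and
    ignores a trailing dot.  A wildcard directly above a public suffix
    (*.com) is refused; that is a hardening choice made in this example."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def select_certificate(keystore, sni_hostname):
    """Return the alias of the certificate to present for sni_hostname.

    Documented rules: a single-entry keystore is used without any hostname
    matching; otherwise an exact SAN match is preferred over a wildcard
    match.  None means nothing matched, so the caller can fail the
    handshake explicitly instead of presenting a wrong certificate."""
    if len(keystore) == 1:
        return keystore[0][0]
    if not sni_hostname:
        return None
    wildcard_hit = None
    for alias, sans in keystore:
        for san in sans:
            if not san.startswith("*.") and hostname_matches(san, sni_hostname):
                return alias
            if san.startswith("*.") and wildcard_hit is None \
                    and hostname_matches(san, sni_hostname):
                wildcard_hit = alias
    return wildcard_hit


def keystore_coverage(keystore, expected_hostnames):
    """Pre-deployment check: hostnames that no certificate would serve."""
    return [h for h in expected_hostnames if select_certificate(keystore, h) is None]


# Constructed sample keystore contents (aliases and hostnames are made up).
SAMPLE_KEYSTORE = [
    ("appsuite-wildcard", ["*.appsuite.com"]),
    ("customer-wildcard", ["*.customer.appsuite.com"]),
    ("mail-exact", ["mail.appsuite.com", "webmail.appsuite.com"]),
]

if __name__ == "__main__":
    wanted = ["mail.appsuite.com", "calendar.appsuite.com",
              "a.customer.appsuite.com", "appsuite.com", "x.y.appsuite.com"]
    for host in wanted:
        print(f"{host:28} -> {select_certificate(SAMPLE_KEYSTORE, host)}")
    print("uncovered:", keystore_coverage(SAMPLE_KEYSTORE, wanted))
```

Note that the bare apex name appsuite.com is not covered by *.appsuite.com, and a.customer.appsuite.com is served only by the deeper wildcard; both are the cases that are easy to overlook when a keystore is assembled by hand.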
Compression
GZip compression of HTTP response payloads is supported and enabled by default. A response payload is compressed if its content type is known to be compressible, the HTTP request contained gzip as part of an Accept-Encoding header, and the content exceeds a certain size.
Origin responses that are already compressed are streamed through as is and not re-compressed.
Configuration
Configuration takes place via properties in application.properties.
- zuul.response.gzip.filter.enabled
  Optional: En-/disable GZip compression
  Default: true
  Reloadable: true
- zuul.min.gzip.body.size
  Optional: Minimum response body size to apply compression in bytes
  Default: 860
  Reloadable: true
- zuul.gzip.contenttypes
  Optional: Comma-separated list of content types that apply for compression
  Default: text/html, application/x-javascript, text/css, application/javascript, text/javascript, text/plain, text/xml, application/json, application/vnd.ms-fontobject, application/x-font-opentype, application/x-font-truetype, application/x-font-ttf, application/xml, font/eot, font/opentype, font/otf, image/svg+xml, image/vnd.microsoft.icon
  Reloadable: true
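The four conditions described above (filter enabled, client offered gzip, compressible content type, body at least the minimum size, plus the pass-through of already encoded origin responses) are easy to get subtly wrong, for instance by ignoring a `gzip;q=0` refusal or by forgetting to drop a stale Content-Length. The block below is an added example, not App Suite Proxy code: it applies the documented defaults to constructed request and response dicts. Whether a body of exactly 860 bytes is compressed (>= versus >) is an assumption of this example, and the Vary header it adds is standard HTTP practice rather than something the page states.

```python
"""Added example (not App Suite Proxy code): the documented compression
decision applied to constructed sample requests/responses."""
import gzip

# Defaults copied from zuul.gzip.contenttypes and zuul.min.gzip.body.size.
GZIP_CONTENT_TYPES = {
    "text/html", "application/x-javascript", "text/css", "application/javascript",
    "text/javascript", "text/plain", "text/xml", "application/json",
    "application/vnd.ms-fontobject", "application/x-font-opentype",
    "application/x-font-truetype", "application/x-font-ttf", "application/xml",
    "font/eot", "font/opentype", "font/otf", "image/svg+xml",
    "image/vnd.microsoft.icon",
}
MIN_GZIP_BODY_SIZE = 860


def accepts_gzip(request_headers: dict) -> bool:
    """True if Accept-Encoding lists gzip with a non-zero q value.
    Header names in the dicts are assumed to be lower-cased already."""
    value = request_headers.get("accept-encoding", "")
    for token in value.split(","):
        name, _, params = token.strip().partition(";")
        if name.strip().lower() != "gzip":
            continue
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k.strip().lower() == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0
        return q > 0
    return False


def should_gzip(request_headers, response_headers, body: bytes, enabled=True):
    """Apply the documented rules in order; returns (decision, reason)."""
    if not enabled:
        return False, "zuul.response.gzip.filter.enabled is false"
    if "content-encoding" in response_headers:
        return False, "origin response already encoded; streamed through as is"
    if not accepts_gzip(request_headers):
        return False, "client did not offer gzip"
    ctype = response_headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in GZIP_CONTENT_TYPES:
        return False, f"content type {ctype!r} not configured as compressible"
    if len(body) < MIN_GZIP_BODY_SIZE:  # boundary (>=) is this example's assumption
        return False, f"body of {len(body)} bytes is below {MIN_GZIP_BODY_SIZE}"
    return True, "compress"


def compress_response(request_headers, response_headers, body: bytes):
    """Return (headers, body, reason) after applying the decision."""
    do_it, reason = should_gzip(request_headers, response_headers, body)
    out = dict(response_headers)
    if not do_it:
        return out, body, reason
    out["content-encoding"] = "gzip"
    out["vary"] = "Accept-Encoding"      # keep shared caches correct
    out.pop("content-length", None)      # the old length is now wrong
    return out, gzip.compress(body), reason


def decode_body(response_headers, body: bytes) -> bytes:
    """Client-side helper: undo gzip if the response says it applied it."""
    if response_headers.get("content-encoding") == "gzip":
        return gzip.decompress(body)
    return body


if __name__ == "__main__":
    req = {"accept-encoding": "gzip, deflate"}
    resp = {"content-type": "application/json; charset=utf-8", "content-length": "2008"}
    big = b'{"k":"' + b"a" * 2000 + b'"}'
    hdrs, out, why = compress_response(req, resp, big)
    print(why, len(big), "->", len(out), hdrs)
    print(should_gzip({"accept-encoding": "gzip;q=0"}, resp, big))
```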
PROXY Protocol
The PROXY protocol provides a convenient way to safely transport connection information such as a client’s address, client port and protocol across multiple layers of NAT or TCP proxies.
Configuration
The following settings are applicable to application.properties.
- proxy.proxyprotocol.expected
  Optional: A boolean value to enable/disable PROXY protocol support. If enabled and a request was sent using the PROXY protocol:
  - the original client IP and port are used as input for X-Forwarded headers
  - the original client IP is checked against any client IP restriction
  Default: false
  Reloadable: false
  EnvVar: PROXY_PROTOCOL_EXPECTED
Example Setup
Find below an example configuration for an HAProxy Docker container that has the PROXY protocol enabled.
## Docker Compose
    version: '3'
    services:
      haproxy:
        image: haproxy:1.9.6
        volumes:
          - ./haproxy.config:/usr/local/etc/haproxy/haproxy.cfg:ro
        ports:
          - 80:80
        expose:
          - "80"
        container_name: 'haproxy'
## Haproxy Config
    global
        maxconn 50
        debug
    defaults
        mode tcp
        timeout connect 5s
        timeout client 25s
        timeout server 25s
        timeout queue 10s
    frontend local.ox
        bind 172.18.0.2:80
        default_backend proxy
    backend proxy
        balance roundrobin
        server server1 host.docker.internal:8080 send-proxy
## IP's and Ports
    172.18.0.2:80 -> Container IP : Port
    host.docker.internal:8080 -> appsuite-proxy IP : Port
Enable the PROXY protocol in the config file with send-proxy or send-proxy-v2. Disable it by deleting the keyword.
For a local setup replace the container and appsuite-proxy IPs with localhost. Finally start HAProxy with haproxy -f cfgfile.
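With send-proxy, HAProxy prefixes every backend connection with a PROXY protocol v1 line such as `PROXY TCP4 203.0.113.7 172.18.0.2 51234 80\r\n`, and the receiver then uses the first address as the original client for the X-Forwarded headers and the client IP restriction described under proxy.proxyprotocol.expected. The block below is an added example, not App Suite Proxy code: it parses a constructed v1 header strictly (a receiver that expects the protocol must reject connections without a valid header, otherwise a directly connected client could forge its address), derives the forwarded values and runs an allowlist check. The header names X-Forwarded-For and X-Forwarded-Port and the allowlist format are assumptions of this example; the page only says "X-Forwarded headers".

```python
"""Added example (not App Suite Proxy code): strict PROXY protocol v1
parsing plus the two uses the page describes for the recovered client
address.  Sample bytes and networks are constructed for the example."""
import ipaddress

MAX_V1_HEADER = 107                       # longest legal v1 line incl. CRLF
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # binary v2 header starts with this


def parse_proxy_v1(data: bytes):
    """Return (header, remaining_bytes) or raise ValueError.

    header keys: proto, src_ip, dst_ip, src_port, dst_port.  For
    'PROXY UNKNOWN' the address fields are None and the caller must not
    trust anything beyond the fact that a proxy sat in front."""
    if data.startswith(V2_SIGNATURE):
        raise ValueError("PROXY protocol v2 (send-proxy-v2) not handled here")
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY header; reject when the protocol is expected")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("PROXY line not terminated within 107 bytes")
    line = data[:end].decode("ascii")     # non-ASCII raises ValueError too
    fields = line.split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return {"proto": "UNKNOWN", "src_ip": None, "dst_ip": None,
                "src_port": None, "dst_port": None}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {line!r}")
    family = 4 if fields[1] == "TCP4" else 6
    src_ip = ipaddress.ip_address(fields[2])   # ValueError on garbage
    dst_ip = ipaddress.ip_address(fields[3])
    if src_ip.version != family or dst_ip.version != family:
        raise ValueError("address family does not match TCP4/TCP6")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return {"proto": fields[1], "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port}, rest


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper: True if the header would be refused."""
    try:
        parse_proxy_v1(data)
    except ValueError:
        return False or True
    return False


def forwarded_headers(header) -> dict:
    """Values fed into the X-Forwarded headers (names assumed here)."""
    return {"X-Forwarded-For": str(header["src_ip"]),
            "X-Forwarded-Port": str(header["src_port"])}


def client_allowed(header, allowed_networks) -> bool:
    """Client IP restriction applied to the original client, not the proxy."""
    ip = header["src_ip"]
    if ip is None:
        return False
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


# Constructed sample: a v1 line as HAProxy would send it, then request bytes.
SAMPLE = b"PROXY TCP4 203.0.113.7 172.18.0.2 51234 80\r\nGET / HTTP/1.1\r\n"

if __name__ == "__main__":
    hdr, rest = parse_proxy_v1(SAMPLE)
    print(hdr, forwarded_headers(hdr), client_allowed(hdr, ["203.0.113.0/24"]))
    print("rest:", rest)
```

HAProxy's `send-proxy-v2` produces the binary v2 form instead, which this example deliberately detects and refuses rather than silently misparsing.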
WebSockets
App Suite Proxy provides a way to handle WebSockets to support bidirectional real-time communication between client and server. Therefore the proxy runtime can establish a tunnel between a client and a backend server. The client simply needs to send a valid WebSocket handshake request, and if the backend server accepts the handshake the tunnel will be opened.
Configuration
The settings to set up WebSockets need to be made in application.properties and routing.yml.
application.properties:
- proxy.websockets.enabled
  Mandatory for WebSockets: Enable WebSockets
  Default: false
  Reloadable: false
  EnvVar: PROXY_WEBSOCKETS_ENABLED
- proxy.websockets.port.offset
  Optional: If WebSockets are enabled the given value can be used to start the proxy with a dedicated port on which WebSockets are supported. The concrete port depends on the settings for zuul.server.port.main and proxy.tls.port. E.g. if proxy.tls.port is 8443 and proxy.websockets.port.offset is 10, the WebSocket port will be 8453. This allows a dedicated management where requests on port 8453 allow HTTPS as well as WebSockets but requests on 8443 only allow plain HTTPS.
  Default: 0
  Reloadable: false
  EnvVar: PROXY_WEBSOCKETS_PORT_OFFSET
- proxy.websockets.port.offset
  Optional: If WebSockets are enabled the given value can be used to override the settings in the routing and backend configuration and set the timeout for all WebSocket connections. If set to 0 the proxy will never close a connection, no matter how long there was no read or write operation on the opened connection. If set to -1 this property is disabled and the configuration in routing / backend will be used.
  Default: -1
  Reloadable: true
  EnvVar: PROXY_WEBSOCKETS_GLOBAL_TIMEOUT
routing.yml:
WebSockets need a specific action type, which enables the proxy to deal with incoming handshake requests. See section WebSocket tunnel in Routing Action.
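The tunnel described above is opened only for a valid WebSocket handshake that the backend accepts, so a proxy in the middle has two things to verify: that the client's request meets the RFC 6455 opening-handshake requirements, and that the backend's 101 reply carries the Sec-WebSocket-Accept value derived from the client's key. The block below is an added example, not App Suite Proxy code; the request bytes, hostname and backend reply are constructed for it, and the RFC's own sample key is used so the expected accept value is a known constant.

```python
"""Added example (not App Suite Proxy code): validate a WebSocket opening
handshake (RFC 6455) and check the backend's acceptance before tunnelling.
The request and reply below are constructed sample data."""
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455


def parse_request(raw: bytes):
    """Split the head of an HTTP/1.1 request into (method, target, version,
    headers) with lower-cased header names.  Raises ValueError if malformed."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def token_list(value: str) -> set:
    """Comma-separated header value as a set of lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def validate_handshake(raw: bytes):
    """Return (ok, reason) for the client side of the handshake."""
    try:
        method, target, version, h = parse_request(raw)
    except ValueError:
        return False, "malformed request"
    if method != "GET" or version != "HTTP/1.1" or not target.startswith("/"):
        return False, "must be GET <path> HTTP/1.1"
    if "host" not in h:
        return False, "Host header missing"
    if "websocket" not in token_list(h.get("upgrade", "")):
        return False, "Upgrade: websocket missing"
    if "upgrade" not in token_list(h.get("connection", "")):
        return False, "Connection: Upgrade missing"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return False, "Sec-WebSocket-Key must decode to 16 bytes"
    except ValueError:                    # binascii.Error is a ValueError
        return False, "Sec-WebSocket-Key is not valid base64"
    if h.get("sec-websocket-version") != "13":
        return False, "Sec-WebSocket-Version must be 13"
    return True, "ok"


def accept_value(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def backend_accepted(status_code: int, response_headers: dict, client_key: str) -> bool:
    """Open the tunnel only on a 101 whose accept value matches the key;
    any other reply is relayed to the client as a normal HTTP response."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    return (status_code == 101
            and "websocket" in token_list(hdrs.get("upgrade", ""))
            and hdrs.get("sec-websocket-accept") == accept_value(client_key))


# Constructed sample handshake; the key is the one from RFC 6455 section 1.3.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_REQUEST = (b"GET /socket.io/ HTTP/1.1\r\n"
                  b"Host: mail.example.test\r\n"
                  b"Upgrade: websocket\r\n"
                  b"Connection: keep-alive, Upgrade\r\n"
                  b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                  b"Sec-WebSocket-Version: 13\r\n\r\n")

if __name__ == "__main__":
    print(validate_handshake(SAMPLE_REQUEST))
    print("expected accept:", accept_value(SAMPLE_KEY))
    print(backend_accepted(101, {"Upgrade": "websocket",
                                 "Sec-WebSocket-Accept": accept_value(SAMPLE_KEY)},
                           SAMPLE_KEY))
```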