HTTP Server

TLS

App Suite Proxy can be used for TLS termination of HTTP requests. The server can be configured to use one certificate for all incoming requests, or to use Server Name Indication (SNI) to choose a different certificate from the configured keystore per host. Each certificate has to provide the hostname in its Subject Alternative Name extension. If only one certificate is present in the keystore, this certificate is used without any hostname matching. Wildcard certificates are also supported from the first subdomain level, e.g. *.appsuite.com or *.customer.appsuite.com.

Configuration

Configuration takes place via properties in application.properties.

zuul.ssl.openssl.allow

Optional: Offloads TLS termination to OpenSSL via Java JNI. See https://netty.io/wiki/forked-tomcat-native.html for details. App Suite Proxy links and ships the io.netty:netty-tcnative-boringssl-static library for that purpose.

This will also affect outbound connections (Backend Pools::TLS)!

Default: false

Reloadable: true

proxy.tls.enabled

Optional: Enables TLS

Default: false

Reloadable: false

EnvVar: PROXY_TLS_ENABLED

proxy.tls.port

Mandatory for TLS: TLS port

Default: 8443

Reloadable: false

EnvVar: PROXY_TLS_PORT

proxy.tls.keystore.type

Mandatory for TLS: Keystore type

Default: PKCS12

Reloadable: false

EnvVar: PROXY_TLS_KEYSTORE_TYPE

proxy.tls.keystore

Mandatory for TLS: Path to keystore file

Default: <empty>

Reloadable: false

EnvVar: PROXY_TLS_KEYSTORE

proxy.tls.keystore.pass

Mandatory for TLS: Password to open keystore

Default: <empty>

Reloadable: false

EnvVar: PROXY_TLS_KEYSTORE_PASS

proxy.tls.ciphers

Optional: Set the cipher suites that should be supported

Default:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384

EnvVar: PROXY_TLS_CIPHERS

proxy.tls.protocols

Optional: Set the protocols that should be supported

Default: TLSv1.3, TLSv1.2, TLSv1.1, TLSv1

Reloadable: false

EnvVar: PROXY_TLS_PROTOCOLS

Server Name Indication

Since SNI is enabled whenever TLS is enabled, this feature can be used by simply adding new certificates to the keystore and ensuring that the hostname is provided in each certificate's Subject Alternative Name extension.

Note

So far, OpenSSL is not supported in combination with the SNI feature. If OpenSSL is desired, only one single certificate should be present in the keystore.
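As an added illustration (not App Suite Proxy's own code), the following Python models the certificate selection rules stated above: a single-entry keystore skips matching, otherwise the SNI name must be covered by a SAN entry, and a wildcard stands for exactly one leftmost label. That the first matching entry wins and that a missing SNI name yields no match are assumptions of this model, as is the constructed sample keystore.

```python
"""Model of the SNI certificate selection rules described above.
Added illustration only; App Suite Proxy's own selection code is not shown here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEntry:
    alias: str
    sans: tuple = ()   # DNS names from the Subject Alternative Name extension


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that stands for exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                        # "*.appsuite.com" -> ".appsuite.com"
    if "." not in suffix[1:]:                   # reject "*.com" style patterns
        return False
    head, sep, rest = hostname.partition(".")
    # the wildcard covers a single non-empty label: "a.b.appsuite.com" does not match
    return sep == "." and head != "" and "." + rest == suffix


def select_certificate(sni_hostname, keystore):
    """Return the CertEntry the proxy would present for the SNI hostname.

    A single-entry keystore is used for every request without any matching;
    otherwise the first entry (assumption) whose SAN covers the name is chosen,
    and None signals that no certificate covers the requested name."""
    if len(keystore) == 1:
        return keystore[0]
    if not sni_hostname:           # assumption: no SNI name means no match
        return None
    for entry in keystore:
        if any(_name_matches(san, sni_hostname) for san in entry.sans):
            return entry
    return None


# constructed sample keystore content, not real certificates
KEYSTORE = (
    CertEntry("mail", ("mail.appsuite.com",)),
    CertEntry("customers", ("*.customer.appsuite.com",)),
)
```

Running select_certificate over the names you intend to serve before deploying a multi-certificate keystore shows which hostnames would end up without a matching certificate.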

Compression

GZip compression of HTTP response payloads is supported and enabled by default. Response payloads are compressed if the content type is known to be compressible and the HTTP request contained gzip as part of an Accept-Encoding header. In addition, the content must exceed a certain size to be compressed.

Origin responses that are already compressed are streamed through as is and not re-compressed.

Configuration

Configuration takes place via properties in application.properties.

zuul.response.gzip.filter.enabled

Optional: Enable or disable GZip compression

Default: true

Reloadable: true

zuul.min.gzip.body.size

Optional: Minimum response body size, in bytes, for compression to be applied

Default: 860

Reloadable: true

zuul.gzip.contenttypes

Optional: Comma-separated list of content types that are eligible for compression

Default:

text/html, application/x-javascript, text/css, application/javascript,
text/javascript, text/plain, text/xml, application/json,
application/vnd.ms-fontobject, application/x-font-opentype,
application/x-font-truetype, application/x-font-ttf,
application/xml, font/eot, font/opentype, font/otf, image/svg+xml,
image/vnd.microsoft.icon

Reloadable: true
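The following Python is an added model of the compression decision described in this section, using the page's default threshold and content-type list; it is not the proxy's filter code. Two details are assumptions of the model: the minimum body size is treated as inclusive, and a client sending gzip with q=0 is treated as not accepting gzip.

```python
"""Model of the response-compression decision described above.
Added illustration; threshold and content types are the page's defaults."""

ZUUL_MIN_GZIP_BODY_SIZE = 860
ZUUL_GZIP_CONTENTTYPES = {
    "text/html", "application/x-javascript", "text/css", "application/javascript",
    "text/javascript", "text/plain", "text/xml", "application/json",
    "application/vnd.ms-fontobject", "application/x-font-opentype",
    "application/x-font-truetype", "application/x-font-ttf",
    "application/xml", "font/eot", "font/opentype", "font/otf", "image/svg+xml",
    "image/vnd.microsoft.icon",
}


def _accepts_gzip(accept_encoding: str) -> bool:
    """True if gzip is listed in Accept-Encoding (assumption: q=0 disables it)."""
    for token in accept_encoding.split(","):
        coding, _, params = token.strip().partition(";")
        if coding.strip().lower() != "gzip":
            continue
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k.strip().lower() == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0
        return q > 0
    return False


def should_gzip(request_headers, response_headers, body: bytes,
                enabled: bool = True, min_size: int = ZUUL_MIN_GZIP_BODY_SIZE) -> bool:
    """Apply the rules in order: filter enabled, client accepts gzip, origin
    response not already compressed, compressible content type, body large enough."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    if not enabled or not _accepts_gzip(req.get("accept-encoding", "")):
        return False
    if resp.get("content-encoding", "identity").lower() != "identity":
        return False               # already compressed upstream: streamed through as is
    # strip parameters such as "; charset=utf-8" before the content-type lookup
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ZUUL_GZIP_CONTENTTYPES:
        return False
    return len(body) >= min_size   # assumption: the minimum size is inclusive
```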

PROXY Protocol

The PROXY protocol provides a convenient way to safely transport connection information such as a client’s address, client port and protocol across multiple layers of NAT or TCP proxies.

Configuration

The following settings are applicable to application.properties.

proxy.proxyprotocol.expected

Optional: A boolean value to enable/disable PROXY protocol support. If enabled and a request was sent using PROXY protocol:

Default: false

Reloadable: false

EnvVar: PROXY_PROTOCOL_EXPECTED

Example Setup

Below is an example configuration for an HAProxy Docker container with the PROXY protocol enabled.

## Docker Compose
version: '3'

services:
  haproxy:
    image: haproxy:1.9.6
    volumes:
      - ./haproxy.config:/usr/local/etc/haproxy/haproxy.cfg:ro
    ports:
      - 80:80
    expose:
      - "80"
    container_name: 'haproxy'

## Haproxy Config
global
    maxconn 50
    debug

defaults
    mode tcp
    timeout connect 5s
    timeout client 25s
    timeout server 25s
    timeout queue 10s

frontend local.ox
    bind 172.18.0.2:80
    default_backend proxy

backend proxy
    balance roundrobin
    server server1 host.docker.internal:8080 send-proxy


## IPs and Ports
172.18.0.2:80 -> container IP : port

host.docker.internal:8080 -> appsuite-proxy IP : port

Enable the PROXY protocol in the config file with send-proxy or send-proxy-v2; disable it by deleting the keyword.

For a local setup, replace the container IP and the appsuite-proxy IP with localhost. Finally, start HAProxy with haproxy -f cfgfile
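As an added illustration of what arrives at the proxy when proxy.proxyprotocol.expected is true and HAProxy is configured with send-proxy, the following Python parses the PROXY protocol v1 header line; it is not App Suite Proxy's implementation. The sample bytes are constructed from the addresses in the setup above.

```python
"""Parser for the PROXY protocol v1 header that HAProxy's send-proxy emits.
Added illustration of the bytes App Suite Proxy sees with
proxy.proxyprotocol.expected=true; not the proxy's own implementation."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyInfo:
    family: str        # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


def parse_proxy_v1(data: bytes):
    """Split the header off the connection's first bytes.
    Returns (ProxyInfo, remaining bytes); ValueError means drop the connection."""
    end = data.find(b"\r\n")
    if end < 0 or end > 105:          # spec: at most 107 bytes including CRLF
        raise ValueError("missing or oversized PROXY header")
    line, rest = data[:end].decode("ascii"), data[end + 2:]
    fields = line.split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":        # sender could not determine the addresses
        return ProxyInfo("UNKNOWN", "", 0, "", 0), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header: %r" % line)
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if {src.version, dst.version} != {int(fields[1][3])}:
        raise ValueError("address family does not match the addresses")
    sport, dport = int(fields[4]), int(fields[5])
    if not all(0 <= p <= 65535 for p in (sport, dport)):
        raise ValueError("port out of range")
    return ProxyInfo(fields[1], str(src), sport, str(dst), dport), rest


def is_valid_proxy_v1(data: bytes) -> bool:
    """True if the connection starts with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


# constructed sample: what the HAProxy setup above sends ahead of the request
SAMPLE = b"PROXY TCP4 172.18.0.1 172.18.0.2 51234 80\r\nGET / HTTP/1.1\r\n"
```

Because the proxy takes the client address from this header, the listener should only be reachable from the load balancer that adds it.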

WebSockets

App Suite Proxy provides a way to handle WebSockets to support bidirectional real-time communication between client and server. For this, the proxy runtime can establish a tunnel between a client and a backend server. The client simply needs to send a valid WebSocket handshake request, and if the backend server accepts the handshake, the tunnel is opened.

Configuration

WebSockets are configured in application.properties and routing.yml.

application.properties:

proxy.websockets.enabled

Mandatory for WebSockets: Enable WebSockets

Default: false

Reloadable: false

EnvVar: PROXY_WEBSOCKETS_ENABLED

proxy.websockets.port.offset

Optional: If WebSockets are enabled, the given value can be used to start the proxy with a dedicated port on which WebSockets are supported. The concrete port depends on the settings for zuul.server.port.main and proxy.tls.port. E.g. if proxy.tls.port is 8443 and proxy.websockets.port.offset is 10, the WebSocket port will be 8453. This allows a dedicated management where requests on port 8453 allow HTTPS as well as WebSockets, but requests on 8443 only allow plain HTTPS.

Default: 0

Reloadable: false

EnvVar: PROXY_WEBSOCKETS_PORT_OFFSET

proxy.websockets.port.offset

Optional: If WebSockets are enabled, the given value can be used to override the settings in the routing and backend configuration and set the timeout for all WebSocket connections. If set to 0, the proxy will never close a connection, no matter how long there has been no read or write operation on the open connection. If set to -1, this property is disabled and the configuration in routing / backend is used.

Default: -1

Reloadable: true

EnvVar: PROXY_WEBSOCKETS_GLOBAL_TIMEOUT

routing.yml:

WebSockets need a specific action type. This enables the proxy to deal with incoming handshake requests. See section WebSocket tunnel in Routing Action.