being hapi! reverse proxying on purpose

BEING HAPI!REVERSE PROXYING ON

PURPOSE

DUBLIN NODE COMMUNITY TALKMay 29 2014

Building a Reverse Proxy With Node Enterprise IT

Scalability Testing Lots of Clients

Tools

Happy Second Anniversary!

Chris Lawless | Kevin Yu Wei Xia |Fergal Carroll @phergalkarl| Ciarán Ó hUallacháin Aman Kohli @akohli

NODE IS MAINSTREAM

WHY NODE?

✔︎ Node• Everyone knows

Javascript, right?• Community • Expediency• It was Cool in 2012

- @adam_baldwin

“Walmart has had good success with HAPI and Node”

- @ eoinbrazil

“Node is good. I’ve heard good things about HAPI”

HOMOLOGATED

It’s approved for internal usage

Less Yak Shaving than other solutions

• different at least

• good internal community beware of dog, staff only

IT AIN’T EASYbut we gotta try

ENTERPRISES• Plurality of systems,

services • web resources• web sites

• Connectivity challenges• direct• mediated

• Security• AuthN• AuthZ• Data Encryption at rest

ENTERPRISES - DETAILAccessing internal web resources

Accessing internal web sites

Lots of hoops

connectivity, security

Connectivity options

Direct via opening firewall

via gateway devie

via meidated proxy

HOW WE DID IT

PROXYING IS EASY

WHAT IS INVOLVED

NOTES ON PREVIOUS SLIDE

Node Component

Security

Who Identity (Authentication)

What Permissions ing (Authorisation)

Prevent Data Leakage

Controls (cut and paste)

Secure Sandbox

Activation/Deactivation

Connectivity + AuthN/Z

Connectivity

Gateway Appliance (~50ms overhead)

Systems

Dev SIT UAT Prod

Not Production, Pre Production, and Mine

WHAT WE HAVE• Dual CPU Xeon 2.6GHz RHEL 6.3

• HTTP 1.1 no Keep-Alive, request payload is json

• Client iOS ObjectiveC, Node + Hapi (with Some Good Monitoring)

• Great Details on Best practice

• https://gist.github.com/hueniverse/7686452

DETAILS

THE FLOW

• The Protocol

• Security - Gateway Access

• Federated Identity, my foot• NTLM I hardly knew ye

PROTOCOL

Request

json body

target

headers

body/post-data

loginfo

request = { URL = "http://www.citigroup.net/",

method = "GET", timeout = 19500, clientInfo = { identifier = “…E”, model = "iPad Simulator", systemName = "iPhone OS", systemVersion = "7.1", }, headers = { Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", Cookie = "CGPLNG=ENG; JSESSIONID_CGNR3=..”, "User-Agent" = "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D167" }, logEntries = [ { URL = “https://cinternal.site/target/fooa”, downstreamDuration = 656, httpMethod = "GET", roundtripDuration = 3461, statusCode = 200 } ] }

RESPONSE

body = “<base64>", code = 200, duration = 31, headers = { "Accept-Ranges" = [ "bytes" ], "Content-Length" = [ 225 ], "Content-Type" = [ "text/html" ], Date = [ "Thu, 29 May 2014 15:28:29 GMT" ], Etag = [ "\"e1-4e50c74f\"" ], "Last-Modified" = [ "Sun, 21 Aug 2011 08:52:31 GMT" ] }, message = "OK"}

NTLM

Ouch

NTLM AUTHENTICATIONEnterprise authentication protocol (Microsoft).

NTLM requires all phases to take place across a single HTTP connection.

NTLM messages are sent and received as request headers.

The server’s response from the NTLM type 3 message is the requested content.

This authentication process must be completed for every requested resource, unless an open connection is maintained.

NTLM TYPE 1 MESSAGE• Sent from the client to initiate the NTLM authentication process.• Includes flags and OS information (indicating version, build and

revision). • May or may not include hostname and domain information.

0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP“ (0x4e544c4d53535000)8 NTLM Message Type - long (0x01000000)12 Flags - long(16) Supplied Domain (optional) - security buffer(24) Supplied Workstation (optional) - security buffer(32) OS Version Structure (optional) - 8 bytes(32) (40)  Start of data block (if required)

NTLM TYPE 2 MESSAGE• Server responds to the client’s type 1 message.• Includes the challenge, flags, target name and target information.• Each of these will is used to construct message the type 3

message.

0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)8 NTLM Message Type - long (0x02000000)12 Target Name - security buffer20 Flags - long24 Challenge - 8 bytes(32) Context (optional) - 8 bytes (two consecutive longs)(40) Target Information (optional) - security buffer(48) OS Version Structure (optional) - 8 bytes

NTLM TYPE 3 MESSAGE• Final step in authentication.• Constructed using information from the type 2 server response

message.

0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)8 NTLM Message Type - long (0x03000000)12 LM/LMv2 Response - security buffer20 NTLM/NTLMv2 Response - security buffer28 Target Name - security buffer36 User Name - security buffer44 Workstation Name - security buffer(52) Session Key (optional) - security buffer(60) Flags (optional) - long(64) OS Version Structure (optional) - 8 bytes52 (64) (72) Start of data block

WORKING

Implementation Challenges

• Storage of password on mobile device is prohibited, but is required in the authentication process.

• Persistent connection not available.

• Latency issues – 3 requests for every web resource.

Solution• Ported from Apache Java implementation to

Node.js.

• Hashed username / password pair stored on device, transmitted to server for authentication rather than raw password.

• hmac_md5(username, md4(password))

• NTLM message calculation split between client app and proxy server.

• Defaults used and optional parameters omitted – simplified messages.

• Observed desktop browsers wait for a 401 before beginning the authentication process. Pre-emptively sending the username / password hash eliminates the initial 401 response.

Process is reduced from 3 direct requests to a single client request, mapped to 2 proxy requests.

GITHUB.COM/SPUMKO/FLOD

flod -n 2000 -t 1500 -c 100..1000 -v http://target-place

FLOD OUTPUT## 6k page resultsec2-user@ip-10-199-51-233 node-hapi]$ flod -n 2000 -t 1500 -c 100..1000 -v http://localhost/loremipsum-6k-ish.htmlThis is Flod, version 0.2.2Copyright 2013 Walmart, http://github.com/spumko/flod

Benchmarking (hold on)...

Server Requests/sec Latency (ms) --------------------------------------- ------------ ---------------http://localhost/loremipsum-6k-ish.html 100 96.48 ± 18.54 http://localhost/loremipsum-6k-ish.html 200 164.24 ± 17.03 http://localhost/loremipsum-6k-ish.html 300 263.80 ± 62.44 http://localhost/loremipsum-6k-ish.html 400 359.61 ± 49.20 http://localhost/loremipsum-6k-ish.html 500 437.66 ± 58.69 http://localhost/loremipsum-6k-ish.html 600 481.29 ± 120.04http://localhost/loremipsum-6k-ish.html 700 606.74 ± 114.45http://localhost/loremipsum-6k-ish.html 800 555.08 ± 133.74http://localhost/loremipsum-6k-ish.html 900 674.08 ± 190.91http://localhost/loremipsum-6k-ish.html 1000 763.27 ± 69.25

## running with high timeout - doubling responses times vs nginx direct [ec2-user@ip-10-199-51-233 node-hapi]$ ../node_modules/flod/bin/flod -n 2000 -t 4500 -c 100..1000 -v http://localhost:8000This is Flod, version 0.2.2Copyright 2013 Walmart, http://github.com/spumko/flod

Benchmarking (hold on)...

Server Requests/sec Latency (ms) --------------------- ------------ ----------------http://localhost:8000 100 200.55 ± 39.40 http://localhost:8000 200 389.54 ± 67.39 http://localhost:8000 300 558.14 ± 112.57 http://localhost:8000 400 777.09 ± 160.01 http://localhost:8000 500 970.61 ± 305.76 http://localhost:8000 600 1032.37 ± 274.44http://localhost:8000 700 1216.49 ± 249.94http://localhost:8000 800 1483.31 ± 690.64http://localhost:8000 900 1559.54 ± 805.31http://localhost:8000 1000 1909.23 ± 845.81

MODIFYING FLOD

• modified server to pull our decorated response timing information

• modified reporting/logging to include this information

• hope to contribute back to mainline

TESTING

• Test Environment

• Understanding the Results

• Graphing the Results

SCENARIOS• Closed network, direct

connection, Mac to Mac

• Client server on a redhat VM, loopback. Redhat VM

• Redhat client to Windows Server via network, Redhat to Windows

• via Mobile network/wifi could only support 100 transactions/s because of latency

Req/sResponse

(ms)

Mac to Mac

1000 2000

Redhat VM

1000 8500

RD to Windows

1000 30, 000

External 100 17, 000

RESULTS

EXCELLENT

GITHUB.COM/ES-ANALYSIS/PLATOjavascript visualization and analysis tool.

Plato can be used to estimate how maintainable code in project is.

From the data it collects it generates easy to understand ,minimalist , interactive webpages.

PLATOPlato can also be used to estimate how many errors a project may contain.

We can also use Plato to look more closely for potential problems in individual pieces of code.

• Plato is good for spotting area such as large nests of code which could be hard to read ,maintain and may be error prone.

• It’s relying on heuristics that may not always be right, and it wont spot every bug.

More Plato

Plato is good for spotting area such as large nests of code which could be hard to read ,maintain and may be error prone.

It’s relying on heuristics that may not always be right, and it wont spot every bug.

Plato is very easy to install: $ npm install -g plato

And almost as easy to run: $ plato -r -d report src

JEST.JSJest allows us to call up Javascript functions from other files so we can quickly pass them data and compare it to what should be returned.

Jest minimizes the amount of code we have to write for tests and is setup so we can neatly bundle and keep our tests separate from our project code.

SCALABILITY PACKETS

• Pile of VMs to auto-scale

• Need elastic environment with a smart load balancer and configuration management

QUESTIONS? COMMENTS?

THANKS!