Being HAPI! Reverse Proxying on Purpose

This presentation was given to the Dublin Node (JS) Community on May 29th 2014.

Presented by: Chris Lawless, Kevin Yu Wei Xia, Fergal Carroll @phergalkarl, Ciarán Ó hUallacháin, and Aman Kohli @akohli

Published in: Mobile

  1. BEING HAPI! REVERSE PROXYING ON PURPOSE
  2. DUBLIN NODE COMMUNITY TALK May 29 2014 Building a Reverse Proxy With Node Enterprise IT Scalability Testing Lots of Clients Tools Happy Second Anniversary! Chris Lawless | Kevin Yu Wei Xia | Fergal Carroll @phergalkarl | Ciarán Ó hUallacháin | Aman Kohli @akohli
  3. NODE IS MAINSTREAM
  4. WHY NODE? ✔︎ Node
     • Everyone knows Javascript, right?
     • Community
     • Expediency
     • It was Cool in 2012
  5. - @adam_baldwin “Walmart has had good success with HAPI and Node” - @eoinbrazil “Node is good. I’ve heard good things about HAPI”
  6. HOMOLOGATED It’s approved for internal usage. Less Yak Shaving than other solutions
     • different at least
     • good internal community
     • beware of dog, staff only
  7. IT AIN’T EASY but we gotta try
  8. ENTERPRISES
     • Plurality of systems, services: web resources, web sites
     • Connectivity challenges: direct, mediated
     • Security: AuthN, AuthZ, Data Encryption at rest
  9. ENTERPRISES - DETAIL Accessing internal web resources. Accessing internal web sites. Lots of hoops: connectivity, security. Connectivity options: direct via opening firewall, via gateway device, via mediated proxy
  10. HOW WE DID IT
  11. PROXYING IS EASY
  12. WHAT IS INVOLVED
  13. NOTES ON PREVIOUS SLIDE
      Node Component
      Security: Who - Identity (Authentication); What - Permissions (Authorisation); Prevent Data Leakage - Controls (cut and paste), Secure Sandbox, Activation/Deactivation
      Connectivity + AuthN/Z: Connectivity Gateway Appliance (~50ms overhead)
      Systems: Dev, SIT, UAT, Prod - Not Production, Pre Production, and Mine
  14. WHAT WE HAVE
      • Dual CPU Xeon 2.6GHz RHEL 6.3
      • HTTP 1.1 no Keep-Alive, request payload is json
      • Client iOS ObjectiveC, Node + Hapi (with Some Good Monitoring)
      • Great Details on Best practice: https://gist.github.com/hueniverse/7686452
  15. DETAILS
  16. THE FLOW
      • The Protocol
      • Security - Gateway Access
      • Federated Identity, my foot
      • NTLM I hardly knew ye
  17. PROTOCOL
      Request: json body carrying target, headers, body/post-data and loginfo
      request = {
        URL = "http://www.citigroup.net/",
        method = "GET",
        timeout = 19500,
        clientInfo = {
          identifier = "…E",
          model = "iPad Simulator",
          systemName = "iPhone OS",
          systemVersion = "7.1",
        },
        headers = {
          Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
          Cookie = "CGPLNG=ENG; JSESSIONID_CGNR3=..",
          "User-Agent" = "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D167"
        },
        logEntries = [
          {
            URL = "https://cinternal.site/target/fooa",
            downstreamDuration = 656,
            httpMethod = "GET",
            roundtripDuration = 3461,
            statusCode = 200
          }
        ]
      }
  18. RESPONSE
      {
        body = "<base64>",
        code = 200,
        duration = 31,
        headers = {
          "Accept-Ranges" = [ "bytes" ],
          "Content-Length" = [ 225 ],
          "Content-Type" = [ "text/html" ],
          Date = [ "Thu, 29 May 2014 15:28:29 GMT" ],
          Etag = [ ""e1-4e50c74f"" ],
          "Last-Modified" = [ "Sun, 21 Aug 2011 08:52:31 GMT" ]
        },
        message = "OK"
      }
  19. NTLM Ouch
  20. NTLM AUTHENTICATION Enterprise authentication protocol (Microsoft). NTLM requires all phases to take place across a single HTTP connection. NTLM messages are sent and received as request headers. The server’s response to the NTLM type 3 message is the requested content. This authentication process must be completed for every requested resource, unless an open connection is maintained.
  21. NTLM TYPE 1 MESSAGE
      • Sent from the client to initiate the NTLM authentication process.
      • Includes flags and OS information (indicating version, build and revision).
      • May or may not include hostname and domain information.
      Offset  Field
      0       NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
      8       NTLM Message Type - long (0x01000000)
      12      Flags - long
      (16)    Supplied Domain (optional) - security buffer
      (24)    Supplied Workstation (optional) - security buffer
      (32)    OS Version Structure (optional) - 8 bytes
      (32) (40)  Start of data block (if required)
  22. NTLM TYPE 2 MESSAGE
      • Server responds to the client’s type 1 message.
      • Includes the challenge, flags, target name and target information.
      • Each of these is used to construct the type 3 message.
      Offset  Field
      0       NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
      8       NTLM Message Type - long (0x02000000)
      12      Target Name - security buffer
      20      Flags - long
      24      Challenge - 8 bytes
      (32)    Context (optional) - 8 bytes (two consecutive longs)
      (40)    Target Information (optional) - security buffer
      (48)    OS Version Structure (optional) - 8 bytes
  23. NTLM TYPE 3 MESSAGE
      • Final step in authentication.
      • Constructed using information from the type 2 server response message.
      Offset  Field
      0       NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
      8       NTLM Message Type - long (0x03000000)
      12      LM/LMv2 Response - security buffer
      20      NTLM/NTLMv2 Response - security buffer
      28      Target Name - security buffer
      36      User Name - security buffer
      44      Workstation Name - security buffer
      (52)    Session Key (optional) - security buffer
      (60)    Flags (optional) - long
      (64)    OS Version Structure (optional) - 8 bytes
      52 (64) (72)  Start of data block
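As an added example (not code from the talk or its proxy), a Node.js Type 1 builder and Type 2 parser that follow the byte offsets on the slides; the sample Type 2 message, its target name "CORP", its flags value and its challenge bytes are constructed here and are assumptions, not values from the slides.

```javascript
// Added example, not from the talk: build an NTLM Type 1 message and parse a
// Type 2 message using the byte offsets on the slides (Node.js Buffer only).
const SIGNATURE = Buffer.from('NTLMSSP\0', 'ascii'); // 0x4e544c4d53535000

// NTLM "security buffer": uint16 length, uint16 max length, uint32 offset, all little-endian.
// The bounds check matters: a malformed message must not make the parser read past the buffer.
function readSecurityBuffer(buf, at) {
  const length = buf.readUInt16LE(at);
  const offset = buf.readUInt32LE(at + 4);
  if (offset + length > buf.length) throw new Error('security buffer points outside message');
  return buf.subarray(offset, offset + length);
}

// Type 1 layout: signature(0), type 0x01(8), flags(12), domain(16), workstation(24), data block(32).
// Domain and workstation are optional on the slide; this minimal form sends both empty.
function buildType1(flags) {
  const msg = Buffer.alloc(32);
  SIGNATURE.copy(msg, 0);
  msg.writeUInt32LE(1, 8);
  msg.writeUInt32LE(flags, 12);
  msg.writeUInt32LE(32, 20); // empty domain buffer: length 0, offset = end of fixed part
  msg.writeUInt32LE(32, 28); // empty workstation buffer
  return msg;
}

// Type 2 layout: signature(0), type 0x02(8), target name(12), flags(20), challenge(24).
function parseType2(buf) {
  if (buf.length < 32 || !buf.subarray(0, 8).equals(SIGNATURE)) throw new Error('not an NTLMSSP message');
  if (buf.readUInt32LE(8) !== 2) throw new Error('expected a Type 2 message');
  return {
    targetName: readSecurityBuffer(buf, 12).toString('ucs2'), // UTF-16LE when the unicode flag is set
    flags: buf.readUInt32LE(20),
    challenge: buf.subarray(24, 32).toString('hex'),          // the 8-byte server challenge
  };
}

// Constructed sample Type 2 message (assumed values): target "CORP", challenge 01..08.
function sampleType2() {
  const target = Buffer.from('CORP', 'ucs2');
  const msg = Buffer.alloc(32 + target.length);
  SIGNATURE.copy(msg, 0);
  msg.writeUInt32LE(2, 8);
  msg.writeUInt16LE(target.length, 12); // target name length
  msg.writeUInt16LE(target.length, 14); // target name max length
  msg.writeUInt32LE(32, 16);            // target name offset: right after the fixed part
  msg.writeUInt32LE(0x00000001, 20);    // flags: NTLMSSP_NEGOTIATE_UNICODE
  Buffer.from('0102030405060708', 'hex').copy(msg, 24);
  target.copy(msg, 32);
  return msg;
}
```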
  24. WORKING
      Implementation Challenges
      • Storage of password on mobile device is prohibited, but is required in the authentication process.
      • Persistent connection not available.
      • Latency issues – 3 requests for every web resource.
      Solution
      • Ported from Apache Java implementation to Node.js.
      • Hashed username / password pair stored on device, transmitted to server for authentication rather than raw password.
      • hmac_md5(username, md4(password))
      • NTLM message calculation split between client app and proxy server.
      • Defaults used and optional parameters omitted – simplified messages.
      • Observed desktop browsers wait for a 401 before beginning the authentication process. Pre-emptively sending the username / password hash eliminates the initial 401 response. Process is reduced from 3 direct requests to a single client request, mapped to 2 proxy requests.
  25. GITHUB.COM/SPUMKO/FLOD
      flod -n 2000 -t 1500 -c 100..1000 -v http://target-place
  26. FLOD OUTPUT
      ## 6k page results
      ec2-user@ip-10-199-51-233 node-hapi]$ flod -n 2000 -t 1500 -c 100..1000 -v http://localhost/loremipsum-6k-ish.html
      This is Flod, version 0.2.2
      Copyright 2013 Walmart, http://github.com/spumko/flod
      Benchmarking (hold on)...
      Server                                   Requests/sec   Latency (ms)
      ---------------------------------------  ------------   ---------------
      http://localhost/loremipsum-6k-ish.html  100            96.48 ± 18.54
      http://localhost/loremipsum-6k-ish.html  200            164.24 ± 17.03
      http://localhost/loremipsum-6k-ish.html  300            263.80 ± 62.44
      http://localhost/loremipsum-6k-ish.html  400            359.61 ± 49.20
      http://localhost/loremipsum-6k-ish.html  500            437.66 ± 58.69
      http://localhost/loremipsum-6k-ish.html  600            481.29 ± 120.04
      http://localhost/loremipsum-6k-ish.html  700            606.74 ± 114.45
      http://localhost/loremipsum-6k-ish.html  800            555.08 ± 133.74
      http://localhost/loremipsum-6k-ish.html  900            674.08 ± 190.91
      http://localhost/loremipsum-6k-ish.html  1000           763.27 ± 69.25
      ## running with high timeout - doubling responses times vs nginx direct
      [ec2-user@ip-10-199-51-233 node-hapi]$ ../node_modules/flod/bin/flod -n 2000 -t 4500 -c 100..1000 -v http://localhost:8000
      This is Flod, version 0.2.2
      Copyright 2013 Walmart, http://github.com/spumko/flod
      Benchmarking (hold on)...
      Server                 Requests/sec   Latency (ms)
      ---------------------  ------------   ----------------
      http://localhost:8000  100            200.55 ± 39.40
      http://localhost:8000  200            389.54 ± 67.39
      http://localhost:8000  300            558.14 ± 112.57
      http://localhost:8000  400            777.09 ± 160.01
      http://localhost:8000  500            970.61 ± 305.76
      http://localhost:8000  600            1032.37 ± 274.44
      http://localhost:8000  700            1216.49 ± 249.94
      http://localhost:8000  800            1483.31 ± 690.64
      http://localhost:8000  900            1559.54 ± 805.31
      http://localhost:8000  1000           1909.23 ± 845.81
  27. MODIFYING FLOD
      • modified server to pull our decorated response timing information
      • modified reporting/logging to include this information
      • hope to contribute back to mainline
  28. TESTING
      • Test Environment
      • Understanding the Results
      • Graphing the Results
  29. SCENARIOS
      • Closed network, direct connection, Mac to Mac
      • Client server on a redhat VM, loopback. Redhat VM
      • Redhat client to Windows Server via network, Redhat to Windows
      • via Mobile network/wifi could only support 100 transactions/s because of latency
      Scenario        Req/s   Response (ms)
      Mac to Mac      1000    2000
      Redhat VM       1000    8500
      RD to Windows   1000    30,000
      External        100     17,000
  30. RESULTS
  31. EXCELLENT
  32. GITHUB.COM/ES-ANALYSIS/PLATO JavaScript visualization and analysis tool. Plato can be used to estimate how maintainable the code in a project is. From the data it collects it generates easy to understand, minimalist, interactive webpages.
  33. PLATO Plato can also be used to estimate how many errors a project may contain. We can also use Plato to look more closely for potential problems in individual pieces of code.
  34. • Plato is good for spotting areas such as large nests of code which could be hard to read, maintain and may be error prone.
      • It’s relying on heuristics that may not always be right, and it won’t spot every bug.
  35. More Plato Plato is good for spotting areas such as large nests of code which could be hard to read, maintain and may be error prone. It’s relying on heuristics that may not always be right, and it won’t spot every bug.
      Plato is very easy to install:
      $ npm install -g plato
      And almost as easy to run:
      $ plato -r -d report src
  36. JEST.JS Jest allows us to call up Javascript functions from other files so we can quickly pass them data and compare it to what should be returned. Jest minimizes the amount of code we have to write for tests and is set up so we can neatly bundle and keep our tests separate from our project code.
  37. SCALABILITY PACKETS
      • Pile of VMs to auto-scale
      • Need elastic environment with a smart load balancer and configuration management
  38. QUESTIONS? COMMENTS?
  39. THANKS!
