Node is used to build a reverse proxy that gives mobile clients secure access to internal web resources and sites within a large enterprise. The proxy completes NTLM authentication on the client's behalf, with a hash of the username / password pair stored on the device instead of the raw password. Load tests on closed networks reached 1000 requests per second; over a mobile network, latency limited throughput to about 100 transactions per second. Code quality analysis tools like Plato and testing frameworks like Jest are useful for maintaining high quality code. Scalability is achieved through auto-scaling virtual machine instances behind a load balancer, with configuration management.
2. DUBLIN NODE COMMUNITY TALK
May 29 2014
Building a Reverse Proxy With Node
Enterprise IT
Scalability Testing
Lots of Clients
Tools
Happy Second Anniversary!
Chris Lawless | Kevin Yu Wei Xia | Fergal Carroll @phergalkarl | Ciarán Ó hUallacháin | Aman Kohli @akohli
4. WHY NODE?
✔︎ Node
• Everyone knows
Javascript, right?
• Community
• Expediency
• It was Cool in 2012
5. - @adam_baldwin
“Walmart has had good success with HAPI and
Node”
- @eoinbrazil
“Node is good. I’ve heard good things about
HAPI”
6. HOMOLOGATED
It’s approved for internal
usage
Less Yak Shaving than other solutions
• different at least
• good internal community
8. ENTERPRISES
• Plurality of systems, services
• web resources
• web sites
• Connectivity challenges
• direct
• mediated
• Security
• AuthN
• AuthZ
• Data Encryption at rest
9. ENTERPRISES - DETAIL
Accessing internal web resources
Accessing internal web sites
Lots of hoops
connectivity, security
Connectivity options
Direct via opening firewall
via gateway device
via mediated proxy
13. NOTES ON PREVIOUS
SLIDE
Node Component
Security
• Who: Identity (Authentication)
• What: Permissions (Authorisation)
• Prevent Data Leakage
• Controls (cut and paste)
• Secure Sandbox
• Activation/Deactivation
Connectivity + AuthN/Z
Connectivity
• Gateway Appliance (~50ms overhead)
Systems
• Dev, SIT, UAT, Prod
• Not Production, Pre Production, and Mine
14. WHAT WE HAVE
• Dual CPU Xeon 2.6GHz RHEL 6.3
• HTTP 1.1 no Keep-Alive, request payload is json
• Client iOS ObjectiveC, Node + Hapi (with Some
Good Monitoring)
• Great Details on Best practice
• https://gist.github.com/hueniverse/7686452
20. NTLM AUTHENTICATION
Enterprise authentication protocol (Microsoft).
NTLM is connection-oriented: all phases must take place across a single HTTP connection.
NTLM messages are carried base64-encoded in HTTP headers: the client's in Authorization, the server's challenge in WWW-Authenticate on a 401.
The server's response to the type 3 message is the requested content.
This authentication process must be completed for every requested resource, unless an open connection is maintained.
21. NTLM TYPE 1 MESSAGE
• Sent from the client to initiate the NTLM authentication process.
• Includes flags and OS information (indicating version, build and revision).
• May or may not include hostname and domain information.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x01000000)
12 Flags - long
(16) Supplied Domain (optional) - security buffer
(24) Supplied Workstation (optional) - security buffer
(32) OS Version Structure (optional) - 8 bytes
(32) (40) Start of data block (if required)
22. NTLM TYPE 2 MESSAGE
• Server responds to the client's type 1 message.
• Includes the challenge, flags, target name and target information.
• Each of these is used to construct the type 3 message.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x02000000)
12 Target Name - security buffer
20 Flags - long
24 Challenge - 8 bytes
(32) Context (optional) - 8 bytes (two consecutive longs)
(40) Target Information (optional) - security buffer
(48) OS Version Structure (optional) - 8 bytes
23. NTLM TYPE 3 MESSAGE
• Final step in authentication.
• Constructed using information from the type 2 server response message.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x03000000)
12 LM/LMv2 Response - security buffer
20 NTLM/NTLMv2 Response - security buffer
28 Target Name - security buffer
36 User Name - security buffer
44 Workstation Name - security buffer
(52) Session Key (optional) - security buffer
(60) Flags (optional) - long
(64) OS Version Structure (optional) - 8 bytes
52 (64) (72) Start of data block
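An added example (not the talk's code) that puts the three layouts above to work in Node: it builds a Type 1 message, parses a Type 2 message by walking its security buffers, and wraps both in the HTTP headers NTLM uses. The flag values are the standard MS-NLMP negotiate flags; the sample Type 2 message and the domain/workstation strings are constructed here for illustration, not captured from a server.

```javascript
'use strict';
// NTLM Type 1 / Type 2 handling for a Node proxy, following the slide layouts.
// A security buffer is [length u16][allocated u16][offset u32], little-endian,
// and the offset is measured from the start of the message.

const SIGNATURE = Buffer.from('NTLMSSP\0', 'ascii'); // 0x4e544c4d53535000
const FLAGS = {                                       // MS-NLMP negotiate flags
  NEGOTIATE_UNICODE: 0x00000001,
  NEGOTIATE_OEM: 0x00000002,
  REQUEST_TARGET: 0x00000004,
  NEGOTIATE_NTLM: 0x00000200,
  NEGOTIATE_ALWAYS_SIGN: 0x00008000,
  NEGOTIATE_EXTENDED_SESSIONSECURITY: 0x00080000,
};

// Write the descriptor at `at`, copy `payload` to `dataOffset`, return next free offset.
function putSecBuf(msg, at, payload, dataOffset) {
  msg.writeUInt16LE(payload.length, at);
  msg.writeUInt16LE(payload.length, at + 2);
  msg.writeUInt32LE(dataOffset, at + 4);
  payload.copy(msg, dataOffset);
  return dataOffset + payload.length;
}

// Read a security buffer, refusing offsets that point outside the message.
function getSecBuf(msg, at) {
  const len = msg.readUInt16LE(at);
  const off = msg.readUInt32LE(at + 4);
  if (off + len > msg.length) throw new Error('security buffer out of bounds');
  return msg.subarray(off, off + len);
}

// Type 1: 32-byte header (signature, type, flags, domain, workstation) followed by
// the OEM-encoded domain and workstation; the OS version structure is omitted.
function buildType1(flags, domain = '', workstation = '') {
  const dom = Buffer.from(domain.toUpperCase(), 'ascii');
  const ws = Buffer.from(workstation.toUpperCase(), 'ascii');
  const msg = Buffer.alloc(32 + dom.length + ws.length);
  SIGNATURE.copy(msg, 0);
  msg.writeUInt32LE(1, 8);
  msg.writeUInt32LE(flags >>> 0, 12);
  const next = putSecBuf(msg, 16, dom, 32);
  putSecBuf(msg, 24, ws, next);
  return msg;
}

// Type 2: target name at 12, flags at 20, 8-byte challenge at 24, target info at 40.
function parseType2(msg) {
  if (msg.length < 32 || !msg.subarray(0, 8).equals(SIGNATURE)) throw new Error('not an NTLMSSP message');
  if (msg.readUInt32LE(8) !== 2) throw new Error('not a Type 2 message');
  const flags = msg.readUInt32LE(20);
  const unicode = (flags & FLAGS.NEGOTIATE_UNICODE) !== 0;
  const targetName = getSecBuf(msg, 12).toString(unicode ? 'utf16le' : 'ascii');
  const challenge = msg.subarray(24, 32);
  const targetInfo = msg.length >= 48 ? getSecBuf(msg, 40) : Buffer.alloc(0);
  return { flags, targetName, challenge, targetInfo };
}

// HTTP framing: "NTLM <base64>" in Authorization (client) or WWW-Authenticate (server).
function authorizationHeader(msg) { return 'NTLM ' + msg.toString('base64'); }
function decodeNtlmHeader(value) {
  const m = /^NTLM\s+([A-Za-z0-9+/=]+)$/.exec(value.trim());
  if (!m) throw new Error('not an NTLM header');
  return Buffer.from(m[1], 'base64');
}

// Constructed sample Type 2 (illustration only): 48-byte header, Unicode target
// name "DOMAIN", a fixed challenge, empty target information.
function sampleType2() {
  const name = Buffer.from('DOMAIN', 'utf16le');
  const msg = Buffer.alloc(48 + name.length);
  SIGNATURE.copy(msg, 0);
  msg.writeUInt32LE(2, 8);
  putSecBuf(msg, 12, name, 48);
  msg.writeUInt32LE(FLAGS.NEGOTIATE_UNICODE | FLAGS.REQUEST_TARGET | FLAGS.NEGOTIATE_NTLM, 20);
  Buffer.from('0123456789abcdef', 'hex').copy(msg, 24);
  putSecBuf(msg, 40, Buffer.alloc(0), 48 + name.length);
  return msg;
}

const type1 = buildType1(FLAGS.NEGOTIATE_UNICODE | FLAGS.NEGOTIATE_OEM | FLAGS.REQUEST_TARGET | FLAGS.NEGOTIATE_NTLM);
console.log(authorizationHeader(type1));
const challenge = parseType2(decodeNtlmHeader('NTLM ' + sampleType2().toString('base64')));
console.log(challenge.targetName, challenge.challenge.toString('hex'));
```

The bounds check in getSecBuf is the part worth keeping in a proxy: security buffer offsets come from the peer, and a Type 2 message with an offset past the end of the buffer must be rejected rather than read.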
24. WORKING
Implementation Challenges
• Storing the password on the mobile device is prohibited, but the password is required in the authentication process.
• Persistent connections are not available.
• Latency: 3 requests for every web resource.
Solution
• Ported the Apache Java NTLM implementation to Node.js.
• A hash of the username / password pair is stored on the device and transmitted to the server for authentication rather than the raw password:
• hmac_md5(username, md4(password))
• NTLM message calculation is split between the client app and the proxy server.
• Defaults used and optional parameters omitted: simplified messages.
• Desktop browsers were observed to wait for a 401 before beginning the authentication process. Pre-emptively sending the username / password hash eliminates the initial 401 response.
The process is reduced from 3 direct requests to a single client request, mapped to 2 proxy requests.
27. MODIFYING FLOD
• modified the server to pull out our decorated response-timing information
• modified reporting/logging to include this information
• hope to contribute back to mainline
29. SCENARIOS
• Closed network, direct connection, Mac to Mac
• Client and server on one Redhat VM, loopback
• Redhat client to Windows server via network
• Via mobile network/wifi: could only support 100 transactions/s because of latency

Scenario             Req/s   Response (ms)
Mac to Mac           1000    2,000
Redhat VM            1000    8,500
Redhat to Windows    1000    30,000
External             100     17,000
33. PLATO
Plato can also be used to estimate how many errors a project may contain. We can also use Plato to look more closely for potential problems in individual pieces of code.
34. • Plato is good for spotting areas such as large nests of code which could be hard to read and maintain, and may be error prone.
• It relies on heuristics that may not always be right, and it won't spot every bug.
35. More Plato
Plato is very easy to install:
$ npm install -g plato
And almost as easy to run:
$ plato -r -d report src
36. JEST.JS
Jest allows us to call JavaScript functions from other files so we can quickly pass them data and compare the result to what should be returned.
Jest minimises the amount of code we have to write for tests and is set up so we can neatly bundle our tests and keep them separate from our project code.
37. SCALABILITY PACKETS
• Pile of VMs to auto-scale
• Need elastic environment with a smart load
balancer and configuration management
Connectivity Diagrams: a couple of slides on options
• Direct firewall opening
• Via external NOC