Integration Points: Gateways, Tunnels, and Relays
Gateways
An application can ask (through HTTP or some other defined interface) a gateway to handle the request, and the gateway can provide a response. The gateway can speak the query language to the database or generate the dynamic content, acting like a portal: a request goes in, and a response comes out.
Client-Side and Server-Side Gateways
- Server-side gateways speak HTTP with clients and a foreign protocol with servers (HTTP/*).
- Client-side gateways speak foreign protocols with clients and HTTP with servers (*/HTTP).
Protocol Gateways
HTTP/*: Server-Side Web Gateways
An HTTP/FTP gateway, for example, does the following:
- Sends the USER and PASS commands to log in to the server
- Issues the CWD command to change to the proper directory on the server
- Sets the download type to ASCII
- Fetches the document's last modification time with MDTM
- Tells the server to expect a passive data retrieval request using PASV
- Requests the object retrieval using RETR
- Opens a data connection to the FTP server on a port returned on the control channel; as soon as the data channel is opened, the object content flows back to the gateway
HTTP/HTTPS: Server-Side Security Gateways
HTTPS/HTTP: Client-Side Security Accelerator Gateways
Recently, HTTPS/HTTP gateways have become popular as security accelerators.
These gateways often include special decryption hardware to decrypt secure traffic much more efficiently than the origin server, removing load from the origin server. Because these gateways send unencrypted traffic between the gateway and origin server, you need to use caution to make sure the network between the gateway and origin server is secure.
Resource Gateways
The first popular API for application gateways was the Common Gateway Interface (CGI). CGI is a standardized set of interfaces that web servers use to launch programs in response to HTTP requests for special URLs, collect the program output, and send it back in HTTP responses. Over the past several years, commercial web servers have provided more sophisticated interfaces for connecting web servers to applications.
Common Gateway Interface (CGI)
Fast CGI
Server Extension APIs
Application Interfaces and Web Services
Tunnels
Establishing HTTP Tunnels with CONNECT
- In Figure 8-10a, the client sends a CONNECT request to the tunnel gateway. The client’s CONNECT method asks the tunnel gateway to open a TCP connection (here, to the host named orders.joes-hardware.com on port 443, the normal SSL port).
- The TCP connection is created in Figure 8-10b and Figure 8-10c.
- Once the TCP connection is established, the gateway notifies the client (Figure 8-10d) by sending an HTTP 200 Connection Established response.
- At this point, the tunnel is set up. Any data sent by the client over the HTTP tunnel will be relayed directly to the outgoing TCP connection, and any data sent by the server will be relayed to the client over the HTTP tunnel.
CONNECT requests
CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/4.0
CONNECT responses
HTTP/1.0 200 Connection Established
Proxy-agent: Netscape-Proxy/1.1
Data Tunneling, Timing, and Connection Management
SSL Tunneling
Web tunnels were first developed to carry encrypted SSL traffic through firewalls.
SSL Tunneling Versus HTTP/HTTPS Gateways
Tunnel Authentication
HTTP's proxy authentication support can also be used with tunnels, to authenticate a client's right to use a tunnel.
Tunnel Security Considerations
To minimize abuse of tunnels, the gateway should open tunnels only for particular well-known ports, such as 443 for HTTPS.
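An added example (not from the book or these notes) of the gateway-side handling described above: parse the CONNECT request line, apply the well-known-port rule before opening any outbound connection, and pick the status line to send back. The 400 and 403 refusal codes and the extra allowed port 8443 are this example's assumptions, not something the notes specify.

```python
import re

# Policy: open tunnels only to well-known TLS ports. 443 is from the notes;
# 8443 is an assumed extra entry for illustration.
ALLOWED_PORTS = {443, 8443}

# Request line shape: "CONNECT host:port HTTP/1.x"
_REQ_LINE = re.compile(r"^CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$")


def parse_connect(raw: str):
    """Parse a raw CONNECT request (header block ends at a blank line).

    Returns (host, port, headers); raises ValueError if the request line is
    not a syntactically valid CONNECT or the port is out of range.
    """
    lines = raw.split("\r\n")
    m = _REQ_LINE.match(lines[0])
    if not m:
        raise ValueError(f"not a CONNECT request: {lines[0]!r}")
    host, port = m.group(1), int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line terminates the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return host, port, headers


def decide(raw: str) -> str:
    """Return the status line the gateway should answer with.

    Requests to ports outside ALLOWED_PORTS are refused before any TCP
    connection is attempted (403 is this example's choice of status).
    """
    try:
        host, port, _ = parse_connect(raw)
    except ValueError:
        return "HTTP/1.0 400 Bad Request"
    if port not in ALLOWED_PORTS:
        return "HTTP/1.0 403 Forbidden"
    # A real gateway would now open the TCP connection to host:port and send
    # 200 only once it is established, then relay bytes in both directions.
    return "HTTP/1.0 200 Connection Established"


# Constructed sample requests modelled on the one shown in the notes.
GOOD = "CONNECT home.netscape.com:443 HTTP/1.0\r\nUser-agent: Mozilla/4.0\r\n\r\n"
OTHER_PORT = "CONNECT mail.example.com:25 HTTP/1.0\r\n\r\n"
NOT_CONNECT = "GET / HTTP/1.0\r\n\r\n"
```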
Relays
HTTP relays are simple HTTP proxies that do not fully adhere to the HTTP specifications. Relays process enough HTTP to establish connections, then blindly forward bytes.