Tip
This is the documentation for the 19.12 version.
HTTP Server
TNSR includes an HTTP server, currently powered by nginx. This HTTP server provides clients with access to the RESTCONF API, and there are plans to extend it to provide other services in the future.
HTTP Server Configuration
The server is configured using the http server command to enter http mode:
tnsr# configure
tnsr(config)# http server
tnsr(config-http)#
The server can be disabled with the following command:
tnsr(config)# no http server
Managing the HTTP Server Process
The HTTP server process can be managed using the service command:
tnsr# configure
tnsr(config)# service http <command>
Where <command> can be any of:
- start: Start the HTTP server
- stop: Stop the HTTP server
- restart: Restart (stop and then start) the HTTP server
- status: Print the status of the HTTP server process
HTTPS Encryption
The HTTP server can optionally utilize TLS (HTTPS) to secure communications between the client and server.
Warning
Though HTTPS is optional, we strongly recommend its use for optimal security.
HTTPS requires a server certificate present on the TNSR device, and this server certificate must be configured in the HTTP server:
tnsr(config)# http server
tnsr(config-http)# server certificate <cert-name>
See also
For more information on managing certificates on TNSR, see Public Key Infrastructure.
Authentication
The HTTP server supports three types of client authentication to protect access to its resources: client certificate authentication, password authentication, and none (no authentication):
tnsr(config-http)# authentication type (client-certificate|password|none)
Client Certificate
The most secure means of protecting access to the HTTP server is via client certificates:
tnsr(config-http)# authentication type client-certificate
tnsr(config-http)# authentication client-certificate-ca <cert-name>
To verify client certificates, a Certificate Authority (CA) is configured in TNSR and all client certificates must be signed by this CA. The client certificate must be used by the client when attempting to connect to the HTTP server. Clients without a certificate are rejected.
See also
For more information on managing certificates on TNSR, see Public Key Infrastructure.
When using client certificates, the Common Name (cn= parameter) of the client certificate is taken as the username. That username is then processed through NACM to determine group access privileges for the RESTCONF API.
Password
Password authentication for the HTTP server is handled via Pluggable Authentication Modules (PAM) support:
tnsr(config-http)# authentication type password
Users can be authenticated against any source supported by PAM modules in the operating system.
Once authenticated, the username is processed through NACM to determine group access privileges for the RESTCONF API.
None
The least secure option is to disable authentication entirely:
tnsr(config-http)# authentication type none
Warning
This option must only be used for testing and never in a production environment.
This removes all security protecting the RESTCONF API. Without authentication, any client can send requests or make changes using the API, which is extremely dangerous.
RESTCONF Server
The primary service provided by the HTTP server is the set of API endpoints, which use RESTCONF. This RESTCONF service can be enabled and disabled as needed within the HTTP server configuration.
To enable access to the RESTCONF API:
tnsr(config-http)# enable restconf
To disable access to the RESTCONF API:
tnsr(config-http)# disable restconf
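The HTTPS and authentication commands on this page can be checked mechanically before a configuration is applied. The following is an added example, not part of the TNSR documentation or product: a small Python audit that reads CLI lines in the form shown above and flags a missing server certificate, authentication type none, an unstated authentication type, or client-certificate authentication without a CA. The sample sessions, the certificate names restconf-cert and restconf-ca, and the finding codes are constructed for this example.

```python
import re

PROMPT = re.compile(r"^\s*tnsr(\([\w-]+\))?#\s*")  # e.g. "tnsr(config-http)# "
# Two-word commands from this page that take one argument, mapped to a setting name.
SETTINGS = {("server", "certificate"): "cert",
            ("authentication", "type"): "auth",
            ("authentication", "client-certificate-ca"): "ca"}

def audit_http_config(lines):
    """Return finding codes for a sequence of TNSR CLI lines (prompt optional)."""
    enabled, cfg = False, {}
    for raw in lines:
        words = PROMPT.sub("", raw).split()
        if words == ["http", "server"]:
            enabled = True
        elif words == ["no", "http", "server"]:
            enabled = False
        elif len(words) == 3 and tuple(words[:2]) in SETTINGS:
            cfg[SETTINGS[tuple(words[:2])]] = words[2]
    if not enabled:
        return []  # server disabled, nothing to assess
    found = []
    if "cert" not in cfg:
        found.append("NO_TLS")        # no server certificate, so no HTTPS
    auth = cfg.get("auth")
    if auth is None:
        found.append("AUTH_UNSET")    # authentication type never stated
    elif auth == "none":
        found.append("AUTH_NONE")     # API open to any client
    elif auth == "client-certificate" and "ca" not in cfg:
        found.append("NO_CLIENT_CA")  # nothing to verify client certs against
    return found

# Constructed sample sessions; "restconf-cert" and "restconf-ca" are placeholder names.
WEAK = ["tnsr(config)# http server",
        "tnsr(config-http)# authentication type none",
        "tnsr(config-http)# enable restconf"]
HARDENED = ["tnsr(config)# http server",
            "tnsr(config-http)# server certificate restconf-cert",
            "tnsr(config-http)# authentication type client-certificate",
            "tnsr(config-http)# authentication client-certificate-ca restconf-ca",
            "tnsr(config-http)# enable restconf"]

if __name__ == "__main__":
    for name, session in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_http_config(session) or "no findings")
```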