Tip
This is the documentation for the 20.10 version.
HTTP Server
TNSR includes an HTTP server, powered by nginx. This HTTP server provides clients with access to the RESTCONF API, and there are plans to extend it to provide other services in the future.
The HTTP server runs in the host namespace (Networking Namespaces) by default. The service can also run in the dataplane namespace, and may be active in both namespaces at the same time.
Warning
Though the HTTP service is capable of running in the dataplane namespace, the sensitive nature of its content means it should not be exposed to insecure networks. The best practice is to only run the HTTP service in the host namespace.
HTTP Server Configuration
The server is configured using the http server command to enter http mode:
tnsr# configure
tnsr(config)# http server
tnsr(config-http)#
The server configuration can be removed with the following command:
tnsr(config)# no http server
Enable or Disable the HTTP Service
The HTTP server for the host namespace (Networking Namespaces) is enabled and disabled by the http (disable|enable) command.
To enable the HTTP service for the host namespace:
tnsr(config)# http enable
To disable the HTTP service for the host namespace:
tnsr(config)# http disable
The HTTP service can also run in the dataplane namespace, and may be active in both namespaces at the same time. The dataplane namespace instance of HTTP is configured using the http dataplane (enable|disable) command.
To enable the HTTP service for the dataplane namespace:
tnsr(config)# http dataplane enable
To disable the HTTP service for the dataplane namespace:
tnsr(config)# http dataplane disable
Managing the HTTP Server Process
The HTTP server process can be managed using the service command:
tnsr# configure
tnsr(config)# service http (host|dataplane) <command>
Where <command> can be any of:
- start: Start the HTTP server
- stop: Stop the HTTP server
- restart: Restart (stop and then start) the HTTP server
- status: Print the status of the HTTP server process
HTTPS Encryption
The HTTP server can optionally utilize TLS (HTTPS) to secure communications between the client and server.
Warning
Though HTTPS is optional, we strongly recommend its use for optimal security.
HTTPS requires a server certificate present on the TNSR device, and this server certificate must be configured in the HTTP server:
tnsr(config)# http server
tnsr(config-http)# server certificate <cert-name>
See also
For more information on managing certificates on TNSR, see Public Key Infrastructure.
Authentication
The HTTP server supports three types of client authentication to protect access to its resources: client certificate authentication, password authentication, and none (no authentication):
tnsr(config-http)# authentication type (client-certificate|password|none)
Client Certificate
The most secure means of protecting access to the HTTP server is via client certificates:
tnsr(config-http)# authentication type client-certificate
tnsr(config-http)# authentication client-certificate-ca <cert-name>
To verify client certificates, a Certificate Authority (CA) is configured in TNSR and all client certificates must be signed by this CA. The client certificate must be used by the client when attempting to connect to the HTTP server. Clients without a certificate are rejected.
See also
For more information on managing certificates on TNSR, see Public Key Infrastructure.
When using client certificates, the Common Name (cn= parameter) of the client certificate is taken as the username. That username is then processed through NACM to determine group access privileges for the RESTCONF API.
Password
Password authentication for the HTTP server is handled via Pluggable Authentication Modules (PAM) support:
tnsr(config-http)# authentication type password
Users can be authenticated against any source supported by PAM modules in the operating system.
Once authenticated, the username is processed through NACM to determine group access privileges for the RESTCONF API.
None
The least secure option is to disable authentication entirely:
tnsr(config-http)# authentication type none
Warning
This option must only be used for testing and never in a production environment.
This removes all security protecting the RESTCONF API. Without authentication, any client can send requests or make changes using the API, which is extremely dangerous.
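As an added example (not part of the TNSR documentation or product), the following Python check replays a list of the commands shown on this page and reports the settings this page warns about: the dataplane namespace instance, a missing server certificate, authentication type none, and client-certificate authentication without a CA. The function name, finding strings and sample certificate names are assumptions made for the example, and commands not listed on this page are ignored.

```python
import re

PROMPT = re.compile(r"^tnsr(\([^)]*\))?#\s*")  # CLI prompt as printed on this page

def audit_http_config(lines):
    """Replay HTTP server commands in order; return findings for the end state."""
    s = {"host": False, "dataplane": False, "cert": None, "auth": None, "ca": None}
    for raw in lines:
        w = PROMPT.sub("", raw.strip()).split()
        if w in (["http", "enable"], ["http", "disable"]):
            s["host"] = w[1] == "enable"
        elif w in (["http", "dataplane", "enable"], ["http", "dataplane", "disable"]):
            s["dataplane"] = w[2] == "enable"
        elif len(w) == 3 and w[:2] == ["server", "certificate"]:
            s["cert"] = w[2]
        elif len(w) == 3 and w[:2] == ["authentication", "type"]:
            s["auth"] = w[2]
        elif len(w) == 3 and w[:2] == ["authentication", "client-certificate-ca"]:
            s["ca"] = w[2]
    if not (s["host"] or s["dataplane"]):
        return []  # service not enabled in either namespace, nothing exposed
    findings = []
    if s["dataplane"]:
        findings.append("namespace: HTTP service enabled in the dataplane namespace")
    if s["cert"] is None:
        findings.append("tls: no server certificate set, so HTTPS is not in use")
    if s["auth"] == "none":
        findings.append("auth: type none leaves the RESTCONF API unauthenticated")
    elif s["auth"] == "client-certificate" and s["ca"] is None:
        findings.append("auth: client-certificate set without client-certificate-ca")
    return findings

# Constructed sample inputs (certificate names are made up for illustration).
WEAK = [
    "tnsr(config)# http server",
    "tnsr(config-http)# authentication type none",
    "tnsr(config)# http enable",
    "tnsr(config)# http dataplane enable",
]
HARDENED = [
    "tnsr(config)# http server",
    "tnsr(config-http)# server certificate example-server",
    "tnsr(config-http)# authentication type client-certificate",
    "tnsr(config-http)# authentication client-certificate-ca example-ca",
    "tnsr(config)# http enable",
]

if __name__ == "__main__":
    print(audit_http_config(WEAK), audit_http_config(HARDENED))
```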
RESTCONF Server
The primary service provided by the HTTP server is the API which uses RESTCONF. This RESTCONF service can be enabled and disabled as needed within the HTTP server configuration.
To enable access to the RESTCONF API:
tnsr(config-http)# enable restconf
To disable access to the RESTCONF API:
tnsr(config-http)# disable restconf
See also
For a complete RESTCONF service configuration example, see RESTCONF Service Setup with Certificate-Based Authentication and NACM.