HTTP Server

TNSR includes an HTTP server, powered by nginx. This HTTP server provides clients with access to the RESTCONF API, and there are plans to extend it to provide other services in the future.

The HTTP server runs in the host namespace (see Networking Namespaces) by default. The service can also run in the dataplane namespace, and may be active in both namespaces at the same time.

Warning

Though the HTTP service is capable of running in the dataplane namespace, the sensitive nature of its content means it should not be exposed to insecure networks. The best practice is to only run the HTTP service in the host namespace.

HTTP Server Configuration

The server is configured using the http server command to enter http mode:

tnsr# configure
tnsr(config)# http server
tnsr(config-http)#

The server configuration can be removed with the following command:

tnsr(config)# no http server

Enable or Disable the HTTP Service

The HTTP server for the host namespace (see Networking Namespaces) is enabled and disabled by the http (disable|enable) command.

To enable the HTTP service for the host namespace:

tnsr(config)# http enable

To disable the HTTP service for the host namespace:

tnsr(config)# http disable

The HTTP service can also run in the dataplane namespace, and may be active in both namespaces at the same time. The dataplane namespace instance of HTTP is configured using the http dataplane (enable|disable) command.

To enable the HTTP service for the dataplane namespace:

tnsr(config)# http dataplane enable

To disable the HTTP service for the dataplane namespace:

tnsr(config)# http dataplane disable

Managing the HTTP Server Process

The HTTP server process can be managed using the service command:

tnsr# configure
tnsr(config)# service http (host|dataplane) <command>

Where <command> can be any of:

start: Start the HTTP server

stop: Stop the HTTP server

restart: Restart (stop and then start) the HTTP server

status: Print the status of the HTTP server process

HTTPS Encryption

The HTTP server can optionally utilize TLS (HTTPS) to secure communications between the client and server.

Warning

Though HTTPS is optional, we strongly recommend its use for optimal security.

HTTPS requires a server certificate present on the TNSR device, and this server certificate must be configured in the HTTP server:

tnsr(config)# http server
tnsr(config-http)# server certificate <cert-name>

See also

For more information on managing certificates on TNSR, see Public Key Infrastructure.

Authentication

The HTTP server supports three types of client authentication to protect access to its resources: client certificate authentication, password authentication, and none (no authentication). The type is selected with the following command:

tnsr(config-http)# authentication type (client-certificate|password|none)

Client Certificate

The most secure means of protecting access to the HTTP server is via client certificates:

tnsr(config-http)# authentication type client-certificate
tnsr(config-http)# authentication client-certificate-ca <cert-name>

To verify client certificates, a Certificate Authority (CA) is configured in TNSR and all client certificates must be signed by this CA. The client certificate must be used by the client when attempting to connect to the HTTP server. Clients without a certificate are rejected.

See also

For more information on managing certificates on TNSR, see Public Key Infrastructure.

When using client certificates the Common Name (cn= parameter) of the client certificate is taken as the username. That username is then processed through NACM to determine group access privileges for the RESTCONF API.

Password

Password authentication for the HTTP server is handled via Pluggable Authentication Modules (PAM) support:

tnsr(config-http)# authentication type password

Users can be authenticated against any source supported by PAM modules in the operating system.

Once authenticated, the username is processed through NACM to determine group access privileges for the RESTCONF API.

None

The least secure option is to disable authentication entirely:

tnsr(config-http)# authentication type none

Warning

This option must only be used for testing and never in a production environment.

This removes all security protecting the RESTCONF API. Without authentication, any client can send requests or make changes using the API, which is extremely dangerous.
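The warnings on this page (authentication type none, no server certificate, HTTP service in the dataplane namespace) can be checked mechanically before a change is committed. The following is an added example, not part of the TNSR documentation or product: it audits a list of the CLI commands shown on this page, and the severity labels, certificate names and sample command lists are assumptions made for illustration.

```python
import re

# Strips the CLI prompt as printed on this page, e.g. "tnsr(config-http)# ".
PROMPT = re.compile(r"^\s*tnsr(\([\w-]+\))?#\s*")

def audit_http_config(lines):
    """Return (severity, finding) tuples for a list of TNSR HTTP server commands."""
    auth = server_cert = client_ca = None
    dataplane = False
    for line in lines:
        words = PROMPT.sub("", line).split()
        if len(words) == 3 and words[:2] == ["authentication", "type"]:
            auth = words[2]
        elif len(words) == 3 and words[:2] == ["authentication", "client-certificate-ca"]:
            client_ca = words[2]
        elif len(words) == 3 and words[:2] == ["server", "certificate"]:
            server_cert = words[2]
        elif len(words) == 3 and words[:2] == ["http", "dataplane"]:
            dataplane = words[2] == "enable"  # the last command seen wins
    findings = []  # severity labels are this example's own, not TNSR's
    if auth == "none":
        findings.append(("HIGH", "authentication disabled"))
    elif auth is None:
        findings.append(("MEDIUM", "authentication type not set explicitly"))
    elif auth == "client-certificate" and client_ca is None:
        findings.append(("HIGH", "client-certificate auth without a CA"))
    if server_cert is None:
        findings.append(("HIGH", "no server certificate, HTTPS not configured"))
    if dataplane:
        findings.append(("MEDIUM", "HTTP service enabled in dataplane namespace"))
    return findings

# Constructed sample input, not output captured from a TNSR device.
WEAK = [
    "tnsr(config)# http enable",
    "tnsr(config)# http dataplane enable",
    "tnsr(config)# http server",
    "tnsr(config-http)# authentication type none",
    "tnsr(config-http)# enable restconf",
]
HARDENED = [
    "tnsr(config)# http enable",
    "tnsr(config)# http server",
    "tnsr(config-http)# server certificate restconf-server",  # placeholder name
    "tnsr(config-http)# authentication type client-certificate",
    "tnsr(config-http)# authentication client-certificate-ca restconf-ca",  # placeholder
    "tnsr(config-http)# enable restconf",
]

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_http_config(cfg) or "no findings")
```

The checker only sees the commands it is given; it does not know TNSR's defaults, so an absent authentication type is reported for manual confirmation rather than assumed safe.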

RESTCONF Server

The primary service provided by the HTTP server is the API which uses RESTCONF. This RESTCONF service can be enabled and disabled as needed within the HTTP server configuration.

To enable access to the RESTCONF API:

tnsr(config-http)# enable restconf

To disable access to the RESTCONF API:

tnsr(config-http)# disable restconf

See also

For a complete RESTCONF service configuration example, see RESTCONF Service Setup with Certificate-Based Authentication and NACM.