HTTP Server

TNSR includes an HTTP server, currently powered by nginx. This HTTP server provides clients with access to the RESTCONF API, and there are plans to extend it to provide other services in the future.

HTTP Server Configuration

The server is configured using the http server command to enter http mode:

tnsr# configure
tnsr(config)# http server
tnsr(config-http)#

The server can be disabled with the following command:

tnsr(config)# no http server

Managing the HTTP Server Process

The HTTP server process can be managed using the service command:

tnsr# configure
tnsr(config)# service http <command>

Where <command> can be any of:

start: Start the HTTP server
stop: Stop the HTTP server
restart: Restart (stop and then start) the HTTP server
status: Print the status of the HTTP server process

HTTPS Encryption

The HTTP server can optionally utilize TLS (HTTPS) to secure communications between the client and server.

Warning

Though HTTPS is optional, we strongly recommend its use for optimal security.

HTTPS requires a server certificate present on the TNSR device, and this server certificate must be configured in the HTTP server:

tnsr(config)# http server
tnsr(config-http)# server certificate <cert-name>

See also

For more information on managing certificates on TNSR, see Public Key Infrastructure.

Authentication

The HTTP server supports three types of client authentication to protect access to its resources: client certificate authentication, password authentication, and none (no authentication). The type is selected in http mode:

tnsr(config-http)# authentication type (client-certificate|password|none)

Client Certificate

The most secure means of protecting access to the HTTP server is via client certificates:

tnsr(config-http)# authentication type client-certificate
tnsr(config-http)# authentication client-certificate-ca <cert-name>

To verify client certificates, a Certificate Authority (CA) is configured in TNSR and all client certificates must be signed by this CA. The client certificate must be used by the client when attempting to connect to the HTTP server. Clients without a certificate are rejected.

See also

For more information on managing certificates on TNSR, see Public Key Infrastructure.

When using client certificates, the Common Name (cn= parameter) of the client certificate is taken as the username. That username is then processed through NACM to determine group access privileges for the RESTCONF API.

Password

Password authentication for the HTTP server is handled via Pluggable Authentication Modules (PAM) support:

tnsr(config-http)# authentication type password

Users can be authenticated against any source supported by PAM modules in the operating system.

Once authenticated, the username is processed through NACM to determine group access privileges for the RESTCONF API.

None

The least secure option is to disable authentication entirely:

tnsr(config-http)# authentication type none

Warning

This option must only be used for testing and never in a production environment.

This removes all security protecting the RESTCONF API. Without authentication, any client can send requests or make changes using the API, which is extremely dangerous.
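The settings described above can be checked mechanically before a change is committed. The following Python sketch is an added example, not part of TNSR or its documentation: it reads the http mode commands as they would be typed and reports the weak combinations this page warns about. The finding codes, the function name and the certificate names are assumptions made for illustration, and the sample sessions are constructed.

```python
import re

# Finding codes and messages are this example's own naming, not TNSR output.
MESSAGES = {
    "AUTH_NONE": "authentication type none: any client can send requests or make changes",
    "AUTH_UNSET": "authentication type not set explicitly; confirm the effective setting",
    "NO_TLS": "no server certificate configured, so HTTPS is not in use",
    "NO_CLIENT_CA": "client-certificate authentication without a client-certificate-ca",
    "PASSWORD_NO_TLS": "password authentication without HTTPS exposes credentials in transit",
}
PATTERNS = {
    "auth": r"authentication type (\S+)",
    "cert": r"server certificate (\S+)",
    "ca": r"authentication client-certificate-ca (\S+)",
}

def audit_http_config(lines):
    """Return finding codes for the commands of one 'http server' block."""
    state = {"auth": None, "cert": None, "ca": None}
    for raw in lines:
        # Drop a leading CLI prompt such as 'tnsr(config-http)# ' when present.
        cmd = re.sub(r"^\S+#\s*", "", raw.strip())
        for key, pattern in PATTERNS.items():
            match = re.fullmatch(pattern, cmd)
            if match:
                state[key] = match.group(1)  # a later command overrides an earlier one
    findings = []
    if state["auth"] is None:
        findings.append("AUTH_UNSET")
    elif state["auth"] == "none":
        findings.append("AUTH_NONE")
    if state["cert"] is None:
        findings.append("NO_TLS")
        if state["auth"] == "password":
            findings.append("PASSWORD_NO_TLS")
    if state["auth"] == "client-certificate" and state["ca"] is None:
        findings.append("NO_CLIENT_CA")
    return findings

# Constructed sample sessions; certificate names are placeholders.
WEAK = ["tnsr(config)# http server",
        "tnsr(config-http)# authentication type none"]
HARDENED = ["tnsr(config)# http server",
            "tnsr(config-http)# server certificate example-server-cert",
            "tnsr(config-http)# authentication type client-certificate",
            "tnsr(config-http)# authentication client-certificate-ca example-ca"]

if __name__ == "__main__":
    for name, session in (("weak", WEAK), ("hardened", HARDENED)):
        for code in audit_http_config(session) or ["OK"]:
            print(f"{name}: {code} {MESSAGES.get(code, '')}")
```
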

RESTCONF Server

The primary service provided by the HTTP server is the RESTCONF API. This service can be enabled and disabled as needed within the HTTP server configuration.

To enable access to the RESTCONF API:

tnsr(config-http)# enable restconf

To disable access to the RESTCONF API:

tnsr(config-http)# disable restconf