This section covers features in a pre-release product. Please consult your Advenica representative for production details.
HTTP
The HTTP service is made up of two components, an HTTP server running on the Upstream side of the Data Diode and an HTTP client running on the Downstream side. The service forwards HTTP POST requests from clients in the source network to a pre-configured server in the destination network.
The Upstream service waits for an incoming connection from any remote host in the source network. When a connection has been established, incoming requests are received and then directly forwarded to the Downstream service. The Upstream service can handle incoming requests from multiple sources concurrently.
When the Upstream service has successfully forwarded a request, it will return a success response to the client. If for some reason the Upstream service fails to receive or forward a request, a suitable error response will be returned to the client.
When the Downstream service receives a request from the Upstream service it will establish a connection to the pre-configured host in the destination network, and forward the request to it.
HTTP support
Version
The service supports HTTP protocol versions 1.0 and 1.1.
Method
The service only forwards POST requests, i.e. requests containing the method POST.
If a request is sent to the Upstream service containing a request method other than POST, a "405 Method Not Allowed" response will be returned.
URL
The path and query components of the URL are forwarded as is. The scheme and host components of the URL are modified in accordance with the service configuration so that the forwarded request correctly identifies the destination server.
For example, if a request is sent to the Upstream service using the following URL:
http://upstream.service:8080/path/to/resource?key1=value1&key2=value2
the URL might look like this when the request is forwarded to the destination server, given that the Downstream service has been configured to forward incoming requests to the address downstream.service at port 9090:
http://downstream.service:9090/path/to/resource?key1=value1&key2=value2
Headers
Headers are forwarded without being modified, with a few exceptions:
- The Host header is updated to contain the address of the destination server before the request is forwarded.
- 'Hop-by-hop' headers are meaningful only for a single transport-level connection, and must not be retransmitted by proxies or cached. These headers are therefore dropped by the Upstream service, and the Downstream service later adds the headers that are relevant for its own connection to the destination server.
Body
The service forwards all request bodies as is, regardless of content type.
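The forwarding rules described above (POST only, path and query kept, scheme and host rewritten, Host replaced, hop-by-hop headers dropped, body passed through unchanged) can be modelled in a few functions. The following is an added example written for this page in Python, not Advenica's implementation: the function names, the 200 success status, the Connection: close header and the Content-Length handling on the Downstream side are assumptions, and the sample request is constructed from the URL example given earlier.

```python
"""Model of the HTTP service's forwarding rules (added example, not Advenica code)."""
from urllib.parse import urlsplit, urlunsplit

# Hop-by-hop headers listed in RFC 7230 section 6.1; a proxy must not forward these.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def hop_by_hop_names(headers):
    """Return the lowercase names of all hop-by-hop headers in this request.

    Besides the fixed RFC list, any header named in the Connection header
    applies to this connection only and is treated the same way.
    """
    names = set(HOP_BY_HOP)
    for name, value in headers.items():
        if name.lower() == "connection":
            names.update(tok.strip().lower() for tok in value.split(",") if tok.strip())
    return names


def upstream_receive(request):
    """Upstream side: accept a request from the source network.

    Returns (status_for_client, request_for_downstream). Anything but POST is
    answered with 405 and nothing is forwarded; for POST the hop-by-hop headers
    are dropped before the request crosses the diode. 200 is an assumed value
    for the success response.
    """
    if request["method"] != "POST":
        return 405, None
    drop = hop_by_hop_names(request["headers"])
    kept = {n: v for n, v in request["headers"].items() if n.lower() not in drop}
    return 200, {"method": "POST", "url": request["url"],
                 "headers": kept, "body": request["body"]}


def downstream_prepare(request, address, port, use_tls=False):
    """Downstream side: rewrite the request for the configured destination.

    Path and query are kept as is; scheme and host come from configuration.
    Host is replaced, and headers this side needs for its own connection are
    added (assumed here: Connection: close, plus a Content-Length when the
    body length is not otherwise described, since Transfer-Encoding was dropped).
    """
    parts = urlsplit(request["url"])
    netloc = f"{address}:{port}"
    url = urlunsplit(("https" if use_tls else "http", netloc, parts.path, parts.query, ""))
    headers = {n: v for n, v in request["headers"].items() if n.lower() != "host"}
    headers["Host"] = netloc
    headers["Connection"] = "close"
    if not any(n.lower() == "content-length" for n in headers):
        headers["Content-Length"] = str(len(request["body"]))
    return {"method": "POST", "url": url, "headers": headers, "body": request["body"]}


def forward(request, address, port, use_tls=False):
    """Run a request through both halves of the service.

    Returns (status_for_client, request_sent_to_destination_or_None).
    """
    status, crossed = upstream_receive(request)
    if crossed is None:
        return status, None
    return status, downstream_prepare(crossed, address, port, use_tls)


# Constructed sample request, using the URL from the page's own example.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "http://upstream.service:8080/path/to/resource?key1=value1&key2=value2",
    "headers": {
        "Host": "upstream.service:8080",
        "Content-Type": "application/json",
        "Connection": "keep-alive, X-Trace-Id",   # makes X-Trace-Id hop-by-hop too
        "X-Trace-Id": "constructed-1234",
        "Transfer-Encoding": "chunked",
    },
    "body": b'{"reading": 42}',
}

if __name__ == "__main__":
    status, sent = forward(SAMPLE_REQUEST, "downstream.service", 9090)
    print(status, sent["url"])
    for name, value in sent["headers"].items():
        print(f"  {name}: {value}")
    print(forward(dict(SAMPLE_REQUEST, method="GET"), "downstream.service", 9090))
```

Running the module shows the rewritten URL with its original path and query, a Host header pointing at downstream.service:9090, the Content-Type header passed through untouched, and the Connection, X-Trace-Id and Transfer-Encoding headers gone; the GET variant yields a 405 with nothing forwarded.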
Configuration
In this section, the configuration parameters of the service are described in greater detail.
Upstream parameters
Connection
Parameter | Description | Format |
---|---|---|
Port | The TCP port at which the service will listen for incoming connection requests. | Integer within range 1-65535 |
TLS
Parameter | Description | Format |
---|---|---|
Mode | A selection of TLS modes is available. | Available options: Off and TLS With CA |
Server certificate | The X.509 server certificate (in PEM format) which will be used by clients to authenticate the server. | File |
Private key | The private key of the provided server certificate (in PEM format). | File |
Downstream parameters
Connection
Parameter | Description | Format |
---|---|---|
Address | Address of the destination server to which requests will be forwarded, either an IP address or a hostname. | Internet host name, see RFC 1123, section 2.1 |
Port | TCP port that the service will use to connect to the remote host. | Integer within range 1-65535 |
Request timeout | The number of seconds the service will wait for a response from the destination server before raising a timeout error. | Integer within range 1-300 |
TLS
Parameter | Description | Format |
---|---|---|
Mode | A selection of TLS modes is available. | Available options: Off and TLS With CA |
CA bundle | An X.509 certificate authority (CA) bundle which contains one or more certificates which will be used to authenticate the remote server. | File |
TLS
The service can be configured to use HTTPS (HTTP over TLS). TLS versions 1.2 and 1.3 are supported.
The use of TLS can be configured independently in the Upstream and Downstream components of the service. This means that you can have TLS enabled on one side but not the other (both sides can of course be configured to use TLS simultaneously).
For more information regarding PKI and certificate generation, visit the Certificates page. Note that for the HTTP service, you only need a CA certificate/bundle and a server certificate.