This article is to hold the design for enhancing the HTTP management interface configuration, this is in relation to the following issues: -
[WFLY-2635] HTTP Management Interface Configuration
[WFLY-3222] Add access logging to managment web server
[WFLY-3223] Configuration of individual contexts for http management interface.
[WFLY-3383] Enable user agent and address filters.
Contexts
/ - root
Redirects from / to /console
/error
Holds some images and error pages.
/console
Serves up the GWT based admin console
/management
Handles the management requests.
Configuration Items
access-log
Could be top level or could be context specific, logging of the HTTP requests.
CORS
We currently ban entirely, HTTP authentication mechanisms make this a bigger issue as would HTTP sessions. Option to relax config.
host filter
Filter which hosts are allowed / rejected.
http-upgrade-enabled
Applies on the root context to enable support for HTTP Upgrade.
redirect-to
On the '/console' context adds an option to redirect all requests elsewhere - this may be due to the console being delivered using an alternative mechanism.
request dumping
Most applicable for management request tracing and related authentication. Encouraging the use of SSL also makes it harder to use alternative approaches to trace requests.
security-constraints
Additional security constraints e.g. hash algorithms.
security-realm
The realm used to secure the '/management' context.
threads
Configure the thread pools as used by Undertow
transport-guarantee
Confidentiality or integrity requirements.
Note: By default we can use the 'Host' header from the request for the redirect but may need a configured address as could be listening on a different address.
user agent filter
Filter which user agents are allowed - or could be allowed/rejected
Existing Configuration
XML
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true"> <socket-binding http="management-http"/> </http-interface>
Management Model
"core-service" => {
"management" => {
"management-interface" => {
"http-interface" => {
"console-enabled" => true,
"http-upgrade-enabled" => true,
"interface" => undefined,
"port" => undefined,
"secure-port" => undefined,
"secure-socket-binding" => undefined,
"security-realm" => "ManagementRealm",
"socket-binding" => "management-http"
}
}
}
}
Proposed Configuration #1
XML
<http-interface > <socket interface="" port="" secure-port="" /> <socket-binding http="" https="" /> <access-log /> <xnio /> <contexts> <root http-upgrade-enabled="true" transport-guarantee="" /> <console redirect-to="" transport-guarantee="" /> <additional-console /> <error /> <management security-realm="" transport-guarantee="" user-agent-filter="" host-filter=""> <request-dumper /> </management> <management-new security-realm="" transport-guarantee="" user-agent-filter="" host-filter=""> <cors /> <request-dumper /> </management-new> </contexts> </http-interface>
Management
"core-service" => {
"management" => {
"management-interface" => {
"http-interface" => {
"interface" => undefined,
"port" => undefined,
"secure-port" => undefined,
"secure-socket-binding" => undefined,
"socket-binding" => "management-http"
"access-log" => {
}
"xnio" => { // Just a place holder for now.
}
"context" => {
"root" => {
"http-upgrade-enabled" => true
"transport-guarantee" => "NONE/CONFIDENTIAL/INTEGRITY"
}
"console" => {
"redirect-to" => "http://otherserver/console",
"transport-guarantee" => "NONE/CONFIDENTIAL/INTEGRITY" // Add an inherit option?
}
"additional-console" => {
// ???
}
"error" => { // If not defined nothing can redirect to it.
}
"management" => {
/*
* Legacy context, only secured using standard HTTP mechanisms,
* CORS permenantly disabled.
*/
"security-realm" => "ManagementRealm",
"transport-guarantee" => "NONE/CONFIDENTIAL/INTEGRITY"
"request-dumper" => {}
"user-agent-filter" => {}
"host-filter" => {}
}
"management-new" => {
"security-realm" => "ManagementRealm",
/*
* This may take additional security settings such as SSO config, also finer control of
* authentication supported.
*/
"transport-guarantee" => "NONE/CONFIDENTIAL/INTEGRITY"
"cors" => {
}
"request-dumper" => {}
"user-agent-filter" => {}
"host-filter" => {}
}
}
}
}
}
}
The following attributes are moved or removed: -
"console-enabled" => true, "http-upgrade-enabled" => true, "security-realm" => "ManagementRealm",
- console-enabled - Controlled by the presence of "context" => "console"
- http-upgrade-enabled - Moved to "context" => "root", also allows a transport guarantee at this level.
- security-realm - Applies to specific contexts instead of top level.
Security settings could need to be defined to multiple contexts, if applicable may have some form of higher level security-policy that is referenced instead of the realm. i.e. then we take into account realm capabilities plus policy. For ongoing security efforts the realm may be replaced with a domain containing a set of realms.
Comments