HTTP Tunnel

HTTP tunnel configurations.

Based on the protocol selected, the dependent fields in the Tunnel screen vary. The following image illustrates the settings that are specific to the HTTP protocol.

HTTP Tunnel settings

The options for the Inbound Transport Settings field in the Tunnel Details screen specific to the HTTP Protocol type are described in the following table.

Network Settings

1 Listening Interface: IP address through which sensitive data enters the DSG. The following Listening Interface options are available:

  • ethMNG: The management interface on which the DSG Web UI is accessible.
  • ethSRV0: The service interface for communicating with an untrusted service.
  • 127.0.0.1: The local loopback adapter.
  • 0.0.0.0: The wildcard (unspecified) address; the tunnel listens on all available network interfaces, including the management interface.
  • Other: Manually add a listening address based on your requirements.

2 Port: Port linked to the listening address.

TLS/SSL Security Settings

3 TLS Enabled: Select to enable TLS features.

4 Certificate: Certificate applicable for a tunnel.

5 Cipher Suites: Colon separated list of Ciphers.

6 TLS Mutual Authentication: CERT_NONE is selected by default, and no client certificate is requested. Use CERT_OPTIONAL to request a client certificate and validate it if one is provided, or CERT_REQUIRED to process a request only if a client certificate is provided. If TLS Mutual Authentication is set to CERT_OPTIONAL or CERT_REQUIRED, the CA Certificates field must be provided.

7 CA Certificates: A CA certificate chain used to validate client certificates. This field applies only if TLS Mutual Authentication is set to CERT_OPTIONAL (1) or CERT_REQUIRED (2). Client certificates can be requested at the tunnel level and at the RuleSet level for authentication. On the Tunnels screen, configure the ca_reqs parameter in the Inbound Transport Settings field to request the client certificate. On the Ruleset screen, toggle the Required Client Certificate checkbox to enable or disable the client certificate check. The server executes the transaction based on the combination of the tunnel and RuleSet options. If the certificate is incorrect or not provided, the server returns a 401 error response.

The following table explains the combinations for the client certificate at the tunnel and the RuleSet level.

TLS Mutual Authentication (Tunnel screen)   Required Client Certificate (Ruleset screen)   Result
CERT_NONE                                   Disabled                                       The transaction is executed.
CERT_NONE                                   Enabled                                        The server returns a 401 error response.
CERT_OPTIONAL                               Disabled                                       The transaction is executed.
CERT_OPTIONAL                               Enabled                                        If the client certificate is provided, the transaction is executed. If it is not provided, the server returns a 401 error response.
CERT_REQUIRED                               Disabled                                       The transaction is executed.
CERT_REQUIRED                               Enabled                                        The transaction is executed.

With CERT_REQUIRED, a client that presents no certificate is rejected during the TLS handshake, so its request never reaches a RuleSet. With CERT_OPTIONAL and the RuleSet checkbox disabled, a client without a certificate is accepted; enable the checkbox on every RuleSet that must be reachable only by authenticated clients.

8 DH Parameters: The name of the .pem file that contains the DH parameters. Upload the .pem file from the Certificate/Key Material screen. The Diffie-Hellman (DH) parameters define the group (prime and generator) that OpenSSL uses for the DH key exchange; generate them with at least 2048 bits, as in the procedure at the end of this page.

9 ECDH Curve Name: One of the supported curve names for the ECDH key exchange. The Elliptic-curve Diffie-Hellman (ECDH) protocol performs key agreement using elliptic-curve cryptography (ECC).

10 Certificate Revoke List: Path of the Certificate Revocation List (CRL) file, for example ca.crl.pem, which lists the certificates that have been revoked. The flags you set in the Verify Flags setting determine which CRL checks SSL performs: VERIFY_CRL_CHECK_LEAF checks only the client's own certificate against the CRL, and VERIFY_CRL_CHECK_CHAIN checks every certificate in the chain. For the error message that appears when a revoked certificate is presented, see the Certificate Revoked error below.

When you try to access the DSG through HTTPS using such a revoked certificate, the DSG returns the following error message.

Certificate Revoked error

11 Verify Flags: Set one or more of the following flags to control certificate verification:

  • VERIFY_DEFAULT
  • VERIFY_X509_TRUSTED_FIRST
  • VERIFY_CRL_CHECK_LEAF
  • VERIFY_CRL_CHECK_CHAIN

Only VERIFY_CRL_CHECK_LEAF and VERIFY_CRL_CHECK_CHAIN consult the CRL file. VERIFY_DEFAULT performs no revocation check, and VERIFY_X509_TRUSTED_FIRST only changes how the chain is built (certificates in the trust store are preferred over intermediates sent by the client). VERIFY_CRL_CHECK_CHAIN requires a CRL for every CA in the chain; if one is missing, verification fails. The certificates are checked against the CRL file only for the inbound connections to the DSG node.

12 SSL Options: Set the flags that define the TLS behavior at runtime, as a JSON list under "options". A single flag or multiple flags can be used. The DSG supports TLS v1.2. For example, the following JSON disables SSLv2, SSLv3, TLSv1 and TLSv1.1, so that only TLS v1.2 can be negotiated:
{
"options": ["OP_NO_SSLv2",
"OP_NO_SSLv3",
"OP_NO_TLSv1",
"OP_NO_TLSv1_1"]
}
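As an added example (not DSG code and not taken from this page), the following Python builds a server-side TLS context from the TLS/SSL Security Settings described above and encodes the tunnel/RuleSet client-certificate table. It assumes that the field values map onto the Python ssl module constants of the same names (CERT_*, VERIFY_*, OP_*); the page does not describe how the DSG applies them internally. The sample settings are constructed, and two of them are deliberately wrong so that the lint function has something to report.

```python
import ssl

# Constructed sample of an HTTP tunnel's TLS/SSL Security Settings, keyed by the field
# names of the Tunnel Details screen. Mapping those fields onto Python's ssl module
# (CERT_*, VERIFY_*, OP_* names) is an assumption made for this example. File paths are
# left unset so the example runs offline.
TUNNEL_TLS = {
    "tls_enabled": True,
    "certificate": None,                    # server certificate path, not needed here
    "cipher_suites": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
    "tls_mutual_authentication": "CERT_OPTIONAL",
    "ca_certificates": None,                # deliberately missing, see lint_tls_settings()
    "dh_parameters": None,
    "ecdh_curve_name": "prime256v1",
    "certificate_revoke_list": None,        # deliberately missing as well
    "verify_flags": ["VERIFY_CRL_CHECK_LEAF"],
    "ssl_options": {"options": ["OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_TLSv1", "OP_NO_TLSv1_1"]},
}


def lint_tls_settings(s):
    """Return the problems a reviewer would flag before saving the tunnel."""
    findings = []
    if s["tls_mutual_authentication"] != "CERT_NONE" and not s.get("ca_certificates"):
        findings.append("CA Certificates must be provided when TLS Mutual Authentication "
                        "is CERT_OPTIONAL or CERT_REQUIRED")
    crl_flags = {"VERIFY_CRL_CHECK_LEAF", "VERIFY_CRL_CHECK_CHAIN"}
    if crl_flags & set(s.get("verify_flags", [])) and not s.get("certificate_revoke_list"):
        findings.append("a CRL verify flag is set but no Certificate Revoke List file is configured")
    if not {"OP_NO_TLSv1", "OP_NO_TLSv1_1"} <= set(s["ssl_options"]["options"]):
        findings.append("TLSv1/TLSv1.1 are not disabled; add OP_NO_TLSv1 and OP_NO_TLSv1_1")
    return findings


def build_inbound_context(s):
    """Translate the settings into an ssl.SSLContext for the listening side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for name in s["ssl_options"]["options"]:
        ctx.options |= getattr(ssl, name)         # unknown flag name raises, i.e. fails closed
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # current-API equivalent of the OP_NO_* flags
    ctx.set_ciphers(s["cipher_suites"])           # colon-separated OpenSSL cipher list
    ctx.set_ecdh_curve(s["ecdh_curve_name"])
    ctx.verify_mode = getattr(ssl, s["tls_mutual_authentication"])
    flags = ssl.VERIFY_DEFAULT
    for name in s.get("verify_flags", []):
        flags |= getattr(ssl, name)
    ctx.verify_flags = flags
    if s.get("ca_certificates"):
        ctx.load_verify_locations(cafile=s["ca_certificates"])
    if s.get("certificate_revoke_list"):          # CRLs are loaded through the same call
        ctx.load_verify_locations(cafile=s["certificate_revoke_list"])
    if s.get("dh_parameters"):
        ctx.load_dh_params(s["dh_parameters"])
    return ctx


def summarize(ctx):
    """Plain values describing what the context will actually enforce."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "tls1_disabled": bool(ctx.options & ssl.OP_NO_TLSv1),
        "tls11_disabled": bool(ctx.options & ssl.OP_NO_TLSv1_1),
        "crl_leaf": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "minimum_version": ctx.minimum_version.name,
    }


def request_disposition(tunnel_mode, ruleset_requires_cert, client_cert_present):
    """Outcome of one request, following the tunnel/RuleSet combination table above."""
    if tunnel_mode == "CERT_REQUIRED" and not client_cert_present:
        return "handshake rejected"   # the request never reaches a RuleSet
    if not ruleset_requires_cert:
        return "executed"
    if tunnel_mode == "CERT_NONE":
        return "401"                  # the tunnel never asked the client for a certificate
    return "executed" if client_cert_present else "401"


if __name__ == "__main__":
    for problem in lint_tls_settings(TUNNEL_TLS):
        print("finding:", problem)
    print(summarize(build_inbound_context(TUNNEL_TLS)))
    print(request_disposition("CERT_OPTIONAL", True, False))
```

Run the lint before saving a tunnel: the two findings it reports for the sample are exactly the cases in which the UI settings look complete but no client certificate or revocation check can actually take place.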

13 Advanced Settings: Set additional advanced options for the tunnel configuration, if required, as JSON. In a scenario where an ESA and two DSG nodes are in a cluster, you can use the Selective Tunnel Loading functionality to load specific tunnel configurations on specific DSG nodes.

The options are described below, with the default value where one exists.

idle_connection_timeout: Timeout for an idle connection, in seconds. Default: 3600.

max_buffer_size: Maximum size of the incoming data buffer, in bytes. Default: 10240000.

max_write_buffer_size: Maximum size of the outgoing data buffer, in bytes. Default: 10240000. This parameter is applicable only with REST streaming.

no_keep_alive: If set to true, the connection closes after one request. Default: false.

decompress_request: Decompress a gzip-compressed request body. Default: false.

chunk_size: Number of bytes to read at one time from the underlying transport. Default: 16384.

max_header_size: Maximum size of the HTTP headers, in bytes. Default: 65536.

body_timeout: Maximum time to wait while reading the request body, in seconds. No default.

max_body_size: Maximum size of the HTTP request body, in bytes. Default: 4194304. Although the maximum request body size is configurable, the size of the response body that the gateway sends to the HTTP client differs and cannot be configured on the DSG. It depends on several factors, such as the complexity of the rule, the transform rule configured when you use regex replace, and the size of the response received from the destination. If the response body to be sent to the client is larger than the value configured in the DSG, the DSG returns 400 Bad Request and closes the connection. Earlier DSG versions closed the connection but sent 200 as the response code.

max_streaming_body_size: Maximum size of the HTTP request body, in bytes, when HTTP streaming with REST is enabled. Default: 52428800.

maximumBytes, maximumRequests, thresholdDelta: Not supported in the DSG 3.0.0.0 release; support is planned for a later DSG release.

write_cache_memory_size: For an HTTP blocking client that sends a REST streaming request, the DSG processes the request and tries to send the response back. Because the client is blocking, the DSG stores the response in memory until this limit is reached and then starts writing to disk; the size of the disk file is controlled by write_cache_disk_size. The value is in bytes.
  • Min - 10485760
  • Default - 52428800
  • Max - 104857600

write_cache_disk_size: Size of the file that holds the response after the write_cache_memory_size limit is reached while processing a REST streaming request from an HTTP blocking client. The data on disk is always stored in encrypted form, and the disk cache file is discarded after the response is sent. The value is in bytes.
  • Min - 52428800
  • Default - 104857600
  • Max - 314572800

additional_http_methods: Additional HTTP methods to accept, such as PURGE, LINK, LINE, UNLINK, and so on. No default.

cookie_attributes: Adds a cookie attribute to the list of attributes that the DSG accepts. Default: ["expires", "path", "domain", "secure", "httponly", "max-age", "version", "comment", "priority", "samesite"].

compress_response: Compresses the response sent to the client if the client supports gzip encoding, that is, sends Accept-Encoding: gzip. Default: false.
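To catch mistakes before a JSON document is pasted into the Advanced Settings field, the following added example (not DSG code) validates it against the types, defaults and limits listed above. The option names, defaults and the write-cache limits are the page's; the validator, its rule that an invalid value falls back to the documented default, and the sample document (which contains three errors on purpose) are assumptions made for this example.

```python
import json

# Constraints transcribed from the Advanced Settings list above: expected JSON type,
# documented default, and min/max where the page gives them.
OPTIONS = {
    "idle_connection_timeout": {"type": int, "default": 3600},
    "max_buffer_size": {"type": int, "default": 10240000},
    "max_write_buffer_size": {"type": int, "default": 10240000},
    "no_keep_alive": {"type": bool, "default": False},
    "decompress_request": {"type": bool, "default": False},
    "chunk_size": {"type": int, "default": 16384},
    "max_header_size": {"type": int, "default": 65536},
    "body_timeout": {"type": int, "default": None},
    "max_body_size": {"type": int, "default": 4194304},
    "max_streaming_body_size": {"type": int, "default": 52428800},
    "write_cache_memory_size": {"type": int, "default": 52428800, "min": 10485760, "max": 104857600},
    "write_cache_disk_size": {"type": int, "default": 104857600, "min": 52428800, "max": 314572800},
    "additional_http_methods": {"type": list, "default": None},
    "cookie_attributes": {"type": list, "default": ["expires", "path", "domain", "secure", "httponly",
                                                    "max-age", "version", "comment", "priority", "samesite"]},
    "compress_response": {"type": bool, "default": False},
}
NOT_IN_3_0_0_0 = {"maximumBytes", "maximumRequests", "thresholdDelta"}


def _has_type(value, expected):
    # bool is a subclass of int in Python, so a JSON true must not pass as an integer
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def validate_advanced_settings(raw):
    """Parse the Advanced Settings JSON and return (effective_settings, findings).
    Invalid or unknown entries are reported; the documented default is kept for them."""
    supplied = json.loads(raw)
    effective = {key: spec["default"] for key, spec in OPTIONS.items()}
    findings = []
    for key, value in supplied.items():
        if key in NOT_IN_3_0_0_0:
            findings.append(f"{key}: not supported in DSG 3.0.0.0, ignored")
            continue
        spec = OPTIONS.get(key)
        if spec is None:
            findings.append(f"{key}: unknown option, ignored")
            continue
        if not _has_type(value, spec["type"]):
            findings.append(f"{key}: expected {spec['type'].__name__}, got {json.dumps(value)}")
            continue
        if "min" in spec and not spec["min"] <= value <= spec["max"]:
            findings.append(f"{key}: {value} is outside [{spec['min']}, {spec['max']}], default kept")
            continue
        effective[key] = value
    return effective, findings


# Constructed sample with three common mistakes: a quoted boolean, a write-cache size
# below the documented minimum, and an option the 3.0.0.0 release does not support.
SAMPLE = """{
  "no_keep_alive": "TRUE",
  "max_body_size": 8388608,
  "write_cache_memory_size": 1048576,
  "additional_http_methods": ["PURGE"],
  "maximumBytes": 1000
}"""

if __name__ == "__main__":
    settings, problems = validate_advanced_settings(SAMPLE)
    for problem in problems:
        print("finding:", problem)
    print(json.dumps(settings, indent=2))
```

The type check is the part worth keeping even if you adapt nothing else: "TRUE" as a string and true as a JSON boolean look alike in the Web UI but are different values.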

Generating ECDSA certificate and key

The dh_params parameter (the DH Parameters field) points to a .pem file that contains the DH parameters required for the DH key exchange, which improves protection without an unreasonable computational cost at either end. The value accepted by this field is the file name with the .pem extension. The DSG supports both RSA certificates and Elliptic Curve Digital Signature Algorithm (ECDSA) certificates with the ECDHE key exchange. RSA certificates are available by default when the DSG is installed; to use ECDSA certificates, you must generate an ECDSA certificate and its key with OpenSSL. The following procedure generates the dhparam.pem file and DH key referenced by the DH Parameters field.

To generate the dhparam.pem file:

  1. Set the SSL options in the Inbound Transport Settings as given in the following example.

    • DH Parameters: /opt/protegrity/alliance/config/dhparam/dhparam.pem
    • ECDH Curve Name: prime256v1
    • SSL Options: OP_NO_COMPRESSION
  2. From the ESA CLI Manager, navigate to Administration > OS Console.

  3. Execute the following command to generate the dhparam.pem file.

    openssl dhparam -out /opt/protegrity/alliance/config/dhparam/dhparam.pem 2048


Note: Ensure that you create the dhparam directory in the given path. The path /opt/protegrity/alliance/config/dhparam is the location where the .pem file is saved and must match the value entered in the DH Parameters field. The value 2048 is the size of the DH prime in bits.

  4. Execute the following command to generate a DH key from the parameters. The command uses a relative path, so run it from the dhparam directory or give the full path to dhparam.pem.

    openssl genpkey -paramfile dhparam.pem -out dhkey.pem

The ecdh_curve_name parameter is the curve type that is required for the key exchange. The OpenSSL curves that are supported by DSG are listed in Supported OpenSSL Curve Names.
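The following added example (not part of the DSG documentation or product) drives the same OpenSSL command line from Python to produce both the ECDSA key and certificate that the heading refers to and the dhparam.pem file from the procedure above, then reads the results back to confirm the curve and the prime size. The file names, the certificate subject, the self-signed certificate (a CA-issued one is what you would deploy) and the 512-bit prime used by demo() to keep it fast are assumptions; for the DSG keep the 2048-bit size from the procedure.

```python
import os
import re
import shutil
import subprocess
import tempfile


def _openssl(*args, cwd):
    """Run one openssl command in cwd and return its stdout; fail loudly on error."""
    try:
        done = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                              capture_output=True, text=True)
    except subprocess.CalledProcessError as err:
        raise RuntimeError(f"openssl {args[0]} failed: {err.stderr.strip()}") from err
    return done.stdout


def generate_tunnel_material(outdir, curve="prime256v1", dh_bits=2048, common_name="dsg-tunnel"):
    """Create an ECDSA key, a self-signed ECDSA certificate and a DH parameter file in outdir.
    Returns a summary dict, or None when no openssl binary is on PATH."""
    if shutil.which("openssl") is None:
        return None
    os.makedirs(outdir, exist_ok=True)
    # ECDSA private key on the same curve that is entered as ECDH Curve Name
    _openssl("ecparam", "-name", curve, "-genkey", "-noout", "-out", "ecdsa-key.pem", cwd=outdir)
    # Self-signed certificate for the tunnel (assumed subject; use a CA-issued cert in production)
    _openssl("req", "-new", "-x509", "-key", "ecdsa-key.pem", "-days", "365",
             "-subj", f"/CN={common_name}", "-out", "ecdsa-cert.pem", cwd=outdir)
    # Same command as step 3 of the procedure, with the size as a parameter
    _openssl("dhparam", "-out", "dhparam.pem", str(dh_bits), cwd=outdir)
    # Read everything back so the caller can confirm what was produced
    cert_text = _openssl("x509", "-in", "ecdsa-cert.pem", "-noout", "-text", cwd=outdir)
    dh_text = _openssl("dhparam", "-in", "dhparam.pem", "-noout", "-text", cwd=outdir)
    bits = re.search(r"\((\d+) bit\)", dh_text)
    return {
        "cert_is_ecdsa": "id-ecPublicKey" in cert_text,
        "cert_curve": curve if curve in cert_text else None,
        "dh_bits": int(bits.group(1)) if bits else None,
        "files": sorted(os.listdir(outdir)),
    }


def demo(dh_bits=512):
    """Run the generation in a throwaway directory. 512-bit DH keeps the demo fast;
    the DSG procedure uses 2048 and that is the size to deploy."""
    with tempfile.TemporaryDirectory() as tmp:
        return generate_tunnel_material(tmp, dh_bits=dh_bits)


if __name__ == "__main__":
    print(demo())
```

Point the Certificate field at ecdsa-cert.pem (uploaded through the Certificate/Key Material screen together with its key), the DH Parameters field at dhparam.pem, and keep the ECDH Curve Name equal to the curve the key was generated on.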

You can configure additional inbound settings that apply to HTTP from the Global Settings page on the DSG Web UI.