Akamai protocol rewrite issue

Security, WWW 2 Minutes

I have been working on a API gateway project (Akamai + Nginx + Lua) for quite a few weeks. There are lots of things that I would like to write and share. This post is one of them.

The high level architecture looks like this:

akamai-nginx-upstream

Phases:

  1. Users send http(s) GET or POST requests to Akamai.
  2. Akamai forwards the requests to origin server which is Nginx server.
  3. Nginx sends the requests to upstream which is a Apache server.

For security reasons, we would like to encrypt all the 3 phases.

  • phase #1, #2: The plan is to let Akamai rewrite http to https if users send http requests, as for certain path (e.g /security) it contains sensitive information.
  • phase #3: the upstream only do https, so Nginx just need to forward the requests sent from Akamai as it is https already.

Sounds all right to you so far? or that’s too early to say that 🙂

According to the http code wiki page, 301/302 redirect does not support POST, so I have to use 307. Otherwise, Akamai will rewrite POST to GET and send it to Nginx. And my test proves it is correct.

307 Temporary Redirect (since HTTP/1.1)
The request should be repeated with another URI; however, future requests should still use the original URI. In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request. For example, a POST request should be repeated using another POST request

307.png

While testing it, we found GET method works fine everywhere. But POST method works in postman but does not work in Jmeter nor java codes. Finally, we found the answer in RFC2616

If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

Now what are the solutions?

  • phase #1: We force users to use https for certain paths. If it is http, it won’t work as it will be redirected to a custom page, e.g 404.html.

Selection_318.png

  • phase #2: We ask Akamai to change the metadata to force the forward protocol to be https. Currently, this feature is for Akamai internal only, that’s why it is greyed out as I don’t have permission to change it.

Selection_319.png

To be continued …

I will discuss the issue that is found in phase #3 in the next post.

Advertisement

Published by Jackie Chen

Published

One thought on “Akamai protocol rewrite issue

  1. Pingback: Nginx Upstream Key Exchange Issue – Jackie Chen's IT Workshop

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s