Configure how Liberator handles HTTP connections

Here’s how to configure Liberator’s HTTP connections.

Liberator’s built-in web pages are only intended for use in development environments. They aren’t secure enough to use in production systems.

Clients can connect to Liberator over HTTP as they would to any other web server. Liberator is supplied with a built-in HTTP Config blade that’s automatically activated when you install Liberator (see Built-in blades). Liberator also has a built-in web server that hosts pages that are useful when you’re developing your Caplin Platform installation; for example, a status page that displays the state of Liberator and its connections, and the Liberator Explorer diagnostic tool. These pages are accessed via HTTP. RTTP connections are also encapsulated in HTTP.

Configuring Liberator’s HTTP port and interface

When you install Liberator to run under the Caplin Platform Deployment Framework, it’s automatically configured to use HTTP through the built-in HTTP Config blade. The Liberator listens for HTTP connections on all available interfaces, on port 18080.

If you want to change the Liberator’s HTTP connection interface and/or HTTP port, set the following configuration items.

In a production installation, clients shouldn’t be allowed to connect to Liberator through HTTP, for security reasons. Use secure HTTP (HTTPS) connections instead - see Enabling HTTPS in Configure how Liberator handles HTTPS connections.

Configuring the HTTP port

To change the Liberator’s HTTP port, add the macro definition LIBERATOR${THIS_LEG}_HTTPPORT to the Deployment Framework file <Framework-root>/global_config/environment.conf. The macro sets the value of the configuration item http-port.

Do not set the value of http-port directly. Use the configuration macros provided by the Deployment Framework.

Insert the definition at the end of the section headed "Add updated configuration after this point".

#
# Add updated configuration after this point
#
...
#
# Set Liberator's HTTP port to the conventional default
#
define LIBERATOR${THIS_LEG}_HTTPPORT 80

Configuring the HTTP interface

To restrict Liberator to listen for HTTP connection requests on specific network interfaces, add the macro definition LIBERATOR${THIS_LEG}_HTTPINTERFACE to the Deployment Framework file <Framework-root>/global_config/environment.conf. The macro sets the value of the configuration item http-interface.

Do not set the value of http-interface directly. Use the configuration macros provided by the Deployment Framework.

The LIBERATOR${THIS_LEG}_HTTPINTERFACE macro supports IPv6 addresses from version 7 of Liberator. To listen for HTTP connections on both IP addresses on a dual-stack network interface, assign the interface’s IPv4 address and IPv6 address to the macro.

Insert the definition at the end of the section headed "Add updated configuration after this point".

#
# Add updated configuration after this point
#
...
#
# Restrict Liberator's HTTP interface to specific network interfaces
#
define LIBERATOR${THIS_LEG}_HTTPINTERFACE aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb
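
The following check is an added example, not part of Caplin's documentation or tooling. It reads the text of environment.conf and reports where the plain-HTTP listener is bound more widely than loopback, using the macro names and the default port 18080 given above. The function names are hypothetical, and it assumes that the last definition of a macro wins and that interface values are IP address literals.

```python
import ipaddress
import re

# The two macro definitions described on this page, as written in environment.conf.
DEFINE = re.compile(r"^\s*define\s+LIBERATOR\$\{THIS_LEG\}_(HTTPPORT|HTTPINTERFACE)\s+(.+?)\s*$")

def effective_http_settings(conf_text):
    """Return {'HTTPPORT': [...], 'HTTPINTERFACE': [...]}; assumes the last definition wins."""
    settings = {}
    for line in conf_text.splitlines():
        match = DEFINE.match(line)  # comment lines start with '#', so they never match
        if match:
            settings[match.group(1)] = match.group(2).split()
    return settings

def audit_http_listener(conf_text):
    """List reasons why the plain-HTTP listener is reachable more widely than loopback."""
    settings = effective_http_settings(conf_text)
    port = settings.get("HTTPPORT", ["18080"])[0]  # 18080: default stated on this page
    addresses = settings.get("HTTPINTERFACE")
    if not addresses:
        return [f"port {port}: no HTTPINTERFACE macro, listening on all interfaces"]
    findings = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Catches the page's aaa.aaa.aaa.aaa placeholder left unedited.
            findings.append(f"port {port}: '{addr}' is not an IP address literal")
            continue
        if ip.is_unspecified:
            findings.append(f"port {port}: {addr} is a wildcard, all interfaces")
        elif not ip.is_loopback:
            findings.append(f"port {port}: plain HTTP exposed on {addr}")
    return findings

# Constructed sample: the page's port example plus a loopback address, a
# documentation-range address and the page's unedited placeholder.
SAMPLE = """\
#
# Add updated configuration after this point
#
define LIBERATOR${THIS_LEG}_HTTPPORT 80
define LIBERATOR${THIS_LEG}_HTTPINTERFACE 127.0.0.1 192.0.2.10 aaa.aaa.aaa.aaa
"""

if __name__ == "__main__":
    for finding in audit_http_listener(SAMPLE):
        print(finding)
```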

Configuring HTTP keep-alive

HTTP keep-alive is enabled by default. To change the settings, specify new values for the following configuration items. Put the settings in the Deployment Framework file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf

  • http-keepalive-max: The maximum number of requests the Liberator will allow per persistent HTTP connection.

  • http-keepalive-timeout: The maximum time in seconds for which the Liberator will keep a persistent HTTP connection open.

Using cookies to aid HTTP connection

Liberator can use cookies to indicate which RTTP link type and MIME type were used to successfully connect, so that on subsequent attempts the client knows which connection type to try first. To enable this feature, set the configuration items http-connection-cookie-enable and http-connection-cookie-expires in the Deployment Framework file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf

http-connection-cookie-enable
http-connection-cookie-expires <number-of-days>

Setting up HTTP authenticated directories (authentication realms)

HTTP authentication realms allow you to control individual users' access to specific areas of the Liberator web site. Set this up by defining an add-authdir configuration item for each HTTP directory name that constitutes a realm. Add the items to the Deployment Framework file: <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf

Example:

Only allow the Liberator users admin, admin1 and admin2 to access the Liberator’s status page:

add-authdir
   name /status
   realm Liberator Admin
   username admin admin2 admin3
   password admin admin2 admin3
end-authdir
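
Because add-authdir keeps credentials in rttpd.conf, a review of that file can flag realms whose passwords are trivially guessable. The linter below is an added example, not Caplin code. It parses the block syntax shown above and reports passwords that equal their username and blocks whose username and password counts differ. It assumes the n-th password belongs to the n-th username; the function names and the second sample block are constructed for illustration.

```python
def parse_authdirs(conf_text):
    """Parse add-authdir ... end-authdir blocks into {option: [values]} dicts."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "add-authdir":
            current = {}
        elif line == "end-authdir":
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            # A realm may contain spaces ("Liberator Admin"): keep it as one value.
            single = parts[0] in ("name", "realm")
            current[parts[0]] = [rest] if single else rest.split()
    return blocks

def audit_authdirs(conf_text):
    """Return (directory, problem) pairs for weak or malformed realms.

    Assumption: the n-th password belongs to the n-th username."""
    findings = []
    for block in parse_authdirs(conf_text):
        name = block.get("name", ["<unnamed>"])[0]
        users = block.get("username", [])
        passwords = block.get("password", [])
        if len(users) != len(passwords):
            findings.append((name, "username and password counts differ"))
        for user, password in zip(users, passwords):
            if user.lower() == password.lower():
                findings.append((name, f"password for {user} equals the username"))
    return findings

# The page's own example, followed by a constructed block with a missing password.
SAMPLE = """\
add-authdir
   name /status
   realm Liberator Admin
   username admin admin2 admin3
   password admin admin2 admin3
end-authdir
add-authdir
   name /diagnostics
   realm Constructed Example
   username ops audit
   password Xk7-constructed-value
end-authdir
"""
```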

Customising Liberator’s response to HTTP errors

In development environments, you can write custom web pages that are returned to the client in response to certain HTTP errors, such as HTTP error 400 ("Bad Request") and HTTP error 404 ("Not Found").

Once you’ve customised an error page, specify its filename and location within Liberator’s web site, using the appropriate configuration item; one of:

Add the configuration item to the Deployment Framework file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf

Improving the security of HTTP connections

To resist attacks on your system, Liberator includes a number of configuration options that limit the allowed length of each part of an HTTP message. If Liberator receives a message longer than that configured, it’ll reject it rather than reading it continuously until memory runs out.

The following configuration items configure the various maximum lengths of messages and their elements.

The default settings for these items should be sufficient, but if you experience security problems, set them to lower values. Add the items to the Deployment Framework file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf

