Feature Wiki

Information about planned and released features


SOAP: Improve HTTP Communication and Performance in Reverse Proxy Scenarios

1 Initial Problem

The implicit use of SOAP in ILIAS for many processes (especially in scenarios where huge repository structures are copied/cloned regularly) leads to performance losses and configuration hurdles depending on the ILIAS infrastructure.

Specifically, the problems exist in all use cases where a reverse proxy is used in front of an ILIAS system or an entire ILIAS cluster, or where an NginX "load balancer" distributes requests to multiple PHP workers on other VMs.

In reality, the SOAP URL is always implicitly derived from the ILIAS URL or from the "server_name" of the web server (NuSOAP library), which nowadays is also always operated with TLS over HTTPS.

In "multi-tier" environments (PHP to web server or reverse proxy), however, this means that communication problems have to be overcome, and/or problems with correct SSL certificates (Common Name) or with web servers behind a reverse proxy that do not need to serve HTTPS. Often the local DNS resolution has to be "overridden" and valid SSL certificates have to be kept synchronized on several VMs. In this case, communication inefficiently always goes via the reverse proxy, even though the much closer or even local web server could process it faster. Depending on the infrastructure, firewall adjustments may also be needed so that the instances executing PHP can reach the reverse proxy.

2 Conceptual Summary

To address this, we suggest adding the following configuration options for these use cases:

  1. Free configuration of the SOAP URL and SOAP Port when executing the ILIAS setup (already possible, but the SOAP library requires some patches to apply the correct SOAP URL when calling the WSDL via the ILIAS URL)
  2. Configurable options (when executing the ILIAS setup) to prevent the certificate check for expiration date and also matching Common-Name or Subject-Alt-Name in the SOAP connections executed via PHP-CURL, which is possible with corresponding connection options in PHP.

We propose the following setup settings, named according to the PHP stream context options: https://www.php.net/manual/en/context.ssl.php

  • soap_internal_wsdl_path: The path for internal SOAP requests
  • soap_internal_wsdl_verify_peer: Require verification of SSL certificate used.
  • soap_internal_wsdl_verify_peer_name: Require verification of peer name.
  • soap_internal_wsdl_allow_self_signed: Allow self-signed certificates. Requires verify_peer.

    {
      "..."
      "webservices": {
        "..."
        "soap_internal_wsdl_path": "https://foo",
        "soap_internal_wsdl_verify_peer": true,
        "soap_internal_wsdl_verify_peer_name": true,
        "soap_internal_wsdl_allow_self_signed": false
      }
    }

With these settings, SOAP "loopback" connections could take a shorter route via the local web server or even "localhost" instead of via the reverse proxy, avoiding network connections, routers and firewalls; this locally handled communication does not necessarily require HTTPS connections and valid certificates.

2.1 Thoughts and Alternatives

When considering the entirety of the processes in which ILIAS, in a client function, contacts itself as a SOAP server, it becomes apparent that these are all long-running and resource-intensive processes.
Of course, we recognize that it might be more appropriate to handle these tasks using "Message Queues" or similar approaches.

Examples can be found here:

Therefore, the proposed solution outlined above is only a mid-term solution. In the long term, one would naturally prefer to have such mechanisms in ILIAS. But: at the moment there are no such mechanisms in ILIAS, and implementing them would be a resource-intensive process (either by re-inventing the wheel, or by using/adapting one of the apps above, or others).

3 User Interface Modifications

3.1 List of Affected Views

None

3.2 User Interface Details

Not applicable

3.3 New User Interface Concepts

None

3.4 Accessibility Implications

None

4 Technical Information

See: Security

You can find an implementation for ILIAS 9.x here: https://github.com/mjansenDatabay/ILIAS/commit/2a5c400442884af1f8f3fc1996e94a130ee4bf34

5 Privacy

Not applicable

6 Security

When using the PHP `SoapClient`, it's important to consider the security implications of the `verify_peer`, `verify_peer_name`, and `allow_self_signed` parameters. These parameters are part of the `stream_context` option and are used to control the verification of SSL certificates.

The `verify_peer` parameter, when set to `true`, enables the verification of the SSL certificate of the server. The `verify_peer_name` parameter, when set to `true`, ensures that the common name in the SSL certificate matches the hostname of the server. These two parameters are typically set to `true` to prevent Man-in-the-Middle attacks.

The `allow_self_signed` parameter, when set to `true`, allows connections to servers with self-signed certificates. While this can be useful in a development environment, it's generally not recommended in a production environment as it can make the client vulnerable to certain types of attacks.

In a production environment, it's usually recommended to always use valid, trusted certificates and to enable peer and peer name verification.

But there are scenarios where one could forego trusted certificates and peer verification. One such scenario could be a development environment where you have control over both endpoints of the connection and therefore the risk of a Man-in-the-Middle attack is minimal.

Another (more relevant) scenario could be a network where all machines are considered trustworthy. In such cases, it might be acceptable to disable peer verification and use self-signed certificates.

However, it's important to note that these are exceptions. In most cases, especially in production environments and whenever sensitive data is being transmitted, you should always use trusted certificates and enable peer verification to ensure the security of the connection.
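As an added example (not code from the ILIAS PR), the following shows how the proposed "webservices" settings from section 2 map onto the PHP `SoapClient` stream context discussed here. The key names are the ones proposed on this page; the function names, the loopback check and the logging are assumptions for illustration.

```php
<?php
// Build the SSL stream-context options for internal SOAP calls from the
// "webservices" settings block. $ws is the decoded "webservices" array.
function buildSoapSslContext(array $ws): array
{
    $verifyPeer      = (bool)($ws['soap_internal_wsdl_verify_peer'] ?? true);
    $verifyPeerName  = (bool)($ws['soap_internal_wsdl_verify_peer_name'] ?? true);
    $allowSelfSigned = (bool)($ws['soap_internal_wsdl_allow_self_signed'] ?? false);

    // allow_self_signed only has an effect when verify_peer is enabled
    // (PHP stream context documentation); reject the contradictory setting.
    if ($allowSelfSigned && !$verifyPeer) {
        throw new InvalidArgumentException(
            'soap_internal_wsdl_allow_self_signed requires soap_internal_wsdl_verify_peer'
        );
    }

    $host = parse_url((string)($ws['soap_internal_wsdl_path'] ?? ''), PHP_URL_HOST) ?: '';
    $isLoopback = in_array($host, ['localhost', '127.0.0.1', '::1'], true);

    // Relaxed verification is defensible for the loopback scenario from section 2.
    // For any other host, leave a trace so operators can see where the
    // Man-in-the-Middle protection has been switched off (assumed logging).
    if ((!$verifyPeer || !$verifyPeerName) && !$isLoopback) {
        error_log("SOAP TLS verification disabled for non-loopback host '$host'");
    }

    return [
        'verify_peer'       => $verifyPeer,
        'verify_peer_name'  => $verifyPeerName,
        'allow_self_signed' => $allowSelfSigned,
    ];
}

// Create the internal SoapClient; the WSDL location is taken from the
// explicitly configured path instead of being derived from the public
// ILIAS URL or the web server's server_name.
function createInternalSoapClient(array $ws): SoapClient
{
    $context = stream_context_create(['ssl' => buildSoapSslContext($ws)]);

    return new SoapClient($ws['soap_internal_wsdl_path'], [
        'stream_context' => $context,
        'exceptions'     => true,
    ]);
}
```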

7 Contact

8 Funding

If you are interested in funding this feature, please add your name and institution to this list.

  • Databay AG has provided a PR for this feature: https://github.com/ILIAS-eLearning/ILIAS/pull/8226

9 Discussion

Abijuru, Jephte [Jephte], 10 October 2024: While I have similar remarks regarding the security aspect, I can confirm that this feature is beneficial to webservices, therefore we commit to its implementation! 

JourFixe, ILIAS [jourfixe], 14 OCT 2024: We highly appreciate this suggestion and schedule the feature for ILIAS 10. Please provide some additional information on why you go this way (and not reducing the amount of SOAP usages in ILIAS). A list of all added options would be helpful, too.

10 Implementation

Implemented as described above. The setup now supports some new options in the JSON configuration to set the SOAP-based HTTP parameters. This is part of the README file of the setup component.

Test Cases

Testcases: None.

Privacy

Information in privacy.md of component: Not applicable

Approval

Approved at 2024-10-24 by Abijuru, Jephte [Jephte] (implicitly by approving/merging PR 8226).

Last edited: 24. Oct 2024, 14:04, Jansen, Michael [mjansen]