{"id":2919,"date":"2017-04-18T16:35:15","date_gmt":"2017-04-18T16:35:15","guid":{"rendered":"https:\/\/www.microsoft.com\/reallifecode\/?p=2919"},"modified":"2020-03-23T16:27:11","modified_gmt":"2020-03-23T23:27:11","slug":"using-a-layer-7-proxy-for-ethereum-blockchain","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/ise\/using-a-layer-7-proxy-for-ethereum-blockchain\/","title":{"rendered":"Using a Layer 7 Proxy for Ethereum Blockchain Client’s JSON-RPC Endpoint"},"content":{"rendered":"

Webjet<\/a> is a leading online international travel provider based in Melbourne, Australia. Over the past year, Webjet embarked on exploring and proving how to make their wholesale hotel booking processes more efficient using Blockchain with Ethereum and Smart Contracts. You can read more about the Webjet story here: Webjet and Microsoft build first-of-a-kind travel industry blockchain solution – Microsoft News Centre Australia<\/a><\/em>.<\/p>\n

This walk-through shows how, we validated API Management as a Layer 7 proxy<\/a> in front of an Ethereum client using the Ethereum JSON-RPC JavaScript library web3.js<\/a>\u00a0for this project. In this scenario, utilizing Microsoft Azure API Management<\/a> is necessary to ensure that only internal traffic from an Azure tenant via Virtual Networks (VNET) can access the Ethereum client’s JSON-RPC listening endpoint. In this example, the Ethereum client is Go Ethereum<\/a>. Utilizing API Management provides additional risk mitigation features; however, this extra security also creates a blocker for the Geth JSON-RPC client libraries making calls that require custom HTTP Headers, such as the Ethereum JavaScript API<\/a>. For addressing this blocker, a JavaScript library<\/a> and NPM package<\/a> was created. This library overrides the behavior of the web3.js HttpProvider<\/a>, and permits injection of HTTP Headers that API Management can use for authorization and authentication of callers.<\/p>\n

Typically, an Ethereum client’s JSON-RPC endpoint is unprotected and uses only HTTP with no option to validate callers of the endpoint\u00a0or to use HTTPS (TLS). This approach represents a possible attack vector for abuse such as a denial-of-service (DoS), snooping, or worse. Some guidance exists from other Blockchain platforms, such as Bitcoin, to never use their version of JSON-RPC on the internet<\/a>. The guidance from Ethereum is to ensure that the port is blocked from any internet usage<\/a>. If there is a desire to present this endpoint either internally or externally, Azure API Management can assist in managing the service for security purposes, while adding other features such as analytics and tracking. Whether internal or external, this open port is an attack vector that needs to be part of a secure infrastructure design.<\/p>\n

Azure API Management provides HTTPS for a secure channel; request authorization can leverage API Keys or OAuth tokens issued by Azure Active Directory. Azure API Management provides request throttling, traffic analysis, tracking, and other features that provide better insight into how the Ethereum JSON-RPC endpoint is being used and by whom. For runtime and developer diagnostics, Azure API Management has a trace option that helps identify transport issues between Azure API Management and the JSON-RPC endpoint. The goal of this solution is to ensure that only known callers are permitted to pass.<\/p>\n

As part of this solution for diagnosing requests when calling the JSON-RPC endpoint, the NPM library discussed below adds additional logging capabilities to view the JSON-formatted Requests and Responses that are part of the Ethereum JSON-RPC API specification.<\/p>\n

Blockchain in the Enterprise and Consortiums<\/h2>\n

Many organizations are testing and piloting Distributed Apps (DAPP<\/a>) backed by Smart Contracts<\/a> and Blockchain. Ethereum is one of the leading Smart Contract and Blockchain implementations available for Public, Consortium, and Private usage. While the Ethereum Organization<\/a> provides several open source implementations, there are third-party options as well, such as Parity<\/a> and BlockApps<\/a>. Ethereum is utilized in Public usage as a permissionless blockchain, as well as within Consortiums as both a permissionless and permission-based one.<\/p>\n

Blockchain is Growing and Disruptive<\/h2>\n

Blockchain has had a growth rate of 60+%<\/a> and Bitcoin is the most well-known blockchain public platform. As the technology backing Bitcoin, blockchain is also the heart of the technology that is projected to disrupt areas including\u00a0government records, banking, capital markets, renewable energy, and even digital identity and reputation.<\/p>\n

Solution<\/h2>\n

The solution presented here is broken into two different parts. First is the Azure API Management configuration steps, and key configuration choices. Second is how to extend the web3.js JavaScript library in a manner that easily permits consumers to inject HTTP Headers that Azure API Management can use to identify callers.<\/p>\n

Typical Deployment<\/h2>\n

Blockchain is a distributed ledger backed by technology that ensures integrity and non-repudiation through cryptographically ensured immutability of history. For blockchain to be viable, the nodes (in Ethereum they are called Ethereum Clients), are distributed among numerous entities throughout the world. The more independent entities running nodes, the greater the assurance that no single entity or group can control the blockchain and potentially rewrite history. Each node achieves consensus by interacting with peers in this mesh network. The process of validation involves ensuring that new transactions within blocks are correct both from a cryptographic perspective and from a state perspective, which can be affected by the execution of the logic contained within a Smart Contract that is part of a transaction.<\/p>\n

Project Bletchley<\/h3>\n

Microsoft\u2019s Project Bletchley provides templates that can deploy a multi-node, multiparty Ethereum cluster using the Ethereum Geth client into Azure. A view of what that might look like is below:<\/p>\n

\"Image<\/p>\n

For a brief explanation of the annotations on the drawing, the \u201cTN Subnet\u201d (Transaction Subnet) are Geth client nodes that are NOT<\/strong> mining and have the JSON-RPC endpoint enabled to allow applications to make API calls. The diagram also shows SA<\/code> which is an Azure Storage Account that backs the Virtual Machine. The other Subnet shown represents other \u201cconsortium\u201d members whose Geth client nodes are mining. Mining is what processes transactions submitted to the network. Miners compete to package transactions into blocks that are then appended to the blockchain, and verified by other members of the network so that they earn Ether (the currency in Ethereum). On Private and Consortium networks, Ether may or may not be used as the unit of value, but Ether is still required to have transactions processed by the network with the current Ethereum Proof of Work model<\/a>.<\/p>\n

Ethereum Templates<\/h3>\n

A team within Microsoft is working with partners to build upon and extend the Project Bletchley templates as needed and provide feedback to the product team. Two examples are a multi-region consortium template and another that provides a choice and a mix of Ethereum Clients<\/a> (for example, Geth and Parity).<\/p>\n

Part 1 – API Management<\/h2>\n

For Azure API Management, one goal is providing a smart Layer 7 proxy that validates callers through HTTP headers, in addition to providing protection from anonymous callers, throttling, limits, analysis, and other features. Roughly, it looks like the following diagram:<\/p>\n

\"Image<\/p>\n

API Management Authorization Features<\/h3>\n

Azure API Management can employ a simple token<\/strong> or API Key approach in addition to OAuth bearer tokens that can be granted by Azure Active Directory. These tokens are added to HTTP requests as the:\u00a0Authorization : Bearer <token> <\/code><\/strong>header.<\/strong><\/p>\n

Azure API Management can also throttle based on various policies, as well as authorize only certain calls to specific clients, all through a configuration-oriented approach.<\/p>\n

API Management Configuration<\/h3>\n

For this partner, Azure API Management is set to permit access to internal resources only. This control is done through the Virtual Network settings on the configuration blade. In the diagram below, if the Virtual Network is set to \u201cInternal,\u201d only clients from the same identified VNET and subnet, as shown in the drop-down, are permitted. From that VNET, any other traffic via gateways and VNET Peering is supported as well, given the proper configuration is in place.<\/p>\n

\"Image<\/p>\n

From a logical perspective, the diagram below illustrates how API Management is configured and placed in the appservices\/default<\/code> virtual network and subnet. Once configured, the endpoint for Azure API management receives an IP address that is part of the subnet range; in this example, it is assigned 10.9.0.5<\/code>. Note also that this IP address has no DNS name automatically created, so name resolution must be provided either through custom DNS or hosts files.<\/p>\n

\"Image<\/p>\n

API Management Internal vs. External Accessibility<\/h4>\n

API Management can be created so it becomes a peer to the local private Virtual Network, as shown in the following screen shot:<\/p>\n

\"Image<\/p>\n

<\/p>\n

API Management Endpoint Publication<\/h3>\n

The Ethereum JSON-RPC protocol uses only an HTTP POST verb, and the body contains JSON for requests and responses. The Geth client must be running internally with the --rpc --rpcaddr 0.0.0.0<\/code> command line switches, which enables the JSON-RPC endpoint. To create the configuration in Azure API Management, establish the API Settings as shown in the following section.<\/p>\n

API Settings for Geth RPC<\/h4>\n

\"Image<\/p>\n

POST Operation for Geth<\/h4>\n

The following is the ONLY<\/strong> operation required for a proxy of the Geth client JSON-RPC endpoint. It must be a POST<\/code> and the template is empty.<\/p>\n

\"Image<\/p>\n

API Management Analytics<\/h3>\n

\"Image<\/p>\n

Part 2 – Alternative web3.js HttpProvider<\/h2>\n

In order to complete this solution, it is necessary to inject HTTP headers into requests from applications. For this requirement, when using the web3.js<\/a> JavaScript library from Ethereum, an npm module<\/a> was created to extend that library. This module provides a type that is used in place of HttpProvider<\/code> from web3.js. Once in place, the constructor offers a headers<\/code> parameter that is a key\/value<\/code> object that should have any headers required for Azure API Management to authorize requests.<\/p>\n

Normally, the JSON-RPC<\/a> endpoint on an Ethereum client<\/a> provides no authentication or authorization boundary. All validation happens after the client receives the request and initially processes it. The only validation is if the transaction request is signed for sending requests. For local state calls, no verification is done whatsoever. These read-only requests are never blocked. With no protection at Layer 7<\/a>, this method represents a potential DoS risk vector.<\/p>\n

With this approach, by placing a Layer 7 proxy in front of an Ethereum client’s JSON-RPC endpoint, the ability to authorize and validate applications is possible. In addition, the proxy helps secure the channel with HTTPS.<\/p>\n

Using the module<\/h2>\n

First, you need to install the npm<\/code> package and then reference it from your project.<\/p>\n

\n
npm install --save httpheaderprovider<\/pre>\n<\/div>\n
Adding to your web3.js project<\/h3>\n
In your JavaScript project, instead of creating an instance of the web3.providers.HttpProvider<\/code>, create an instance of HttpHeaderProvider<\/code> with the same parameters. However, add another parameter that contains key\/value property object with the HTTP header name and value.<\/p>\n
\n
var Web3 = require(\u2018web3\u2019);\r\nvar web3 = new Web3();\r\nvar HttpHeaderProvider = require(\u2018httpheaderprovider\u2019);\r\nvar headers = {\r\n  \u201cOcp-Apim-Subscription-Key\u201d: \u201cmykeyfromtheapiportal\u201d\r\n}\r\nvar provider = new HttpHeaderProvider(\u2018https:\/\/scicoria.azure-api.net\u2019, headers);\r\nweb3.setProvider(provider);\r\nvar coinbase = web3.eth.coinbase;\r\nconsole.log(coinbase);\r\nvar balance = web3.eth.getBalance(coinbase);\r\nconsole.log(balance.toString(10));<\/pre>\n<\/div>\n
Debug Mode<\/h3>\n
The module supports emitting debug information by adding an environment variable before running:<\/p>\n
\n
# linux\/macOS\r\nexport DEBUG=ethereumex:httpheaderprovider\r\n# windows cmd\r\nSET DEBUG=ethereumex:httpheaderprovider\r\n# posh\r\n$env:DEBUG=\"ethereumex:httpheaderprovider\"\r\n<\/pre>\n<\/div>\n
Debug messages<\/h4>\n
Once debug is enabled, the console shows messages similar to the following that include the request\/response and the JSON-RPC message text.<\/p>\n
\n
talking to remote Geth on https:\/\/.azure-api.net\/geth\/\r\n  ethereumex:httpheaderprovider constructor:begin +0ms\r\n  ethereumex:httpheaderprovider constructor:end +2ms\r\n  ethereumex:httpheaderprovider Request: {\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"web3_clientVersion\",\"params\":[]} +1ms\r\n  ethereumex:httpheaderprovider prepareRequest:begin +1ms\r\n  ethereumex:httpheaderprovider setting headers +13ms\r\n  ethereumex:httpheaderprovider prepareRequest:end +0ms\r\n  ethereumex:httpheaderprovider Result:  {\"jsonrpc\":\"2.0\",\"id\":1,\"result\":\"Geth\/v1.5.4-stable-b70acf3c\/linux\/go1.7.3\"} +371ms\r\nethereum client info: Geth\/v1.5.4-stable-b70acf3c\/linux\/go1.7.3\r\n  ethereumex:httpheaderprovider Request: {\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"net_peerCount\",\"params\":[]} +1ms\r\n  ethereumex:httpheaderprovider prepareRequest:begin +0ms\r\n  ethereumex:httpheaderprovider setting headers +1ms\r\n  ethereumex:httpheaderprovider prepareRequest:end +0ms\r\n  ethereumex:httpheaderprovider Result:  {\"jsonrpc\":\"2.0\",\"id\":2,\"result\":\"0x19\"} +249ms\r\nPeer Count: 25\r\n  ethereumex:httpheaderprovider Request: {\"jsonrpc\":\"2.0\",\"id\":3,\"method\":\"eth_coinbase\",\"params\":[]} +3ms\r\n  ethereumex:httpheaderprovider prepareRequest:begin +0ms\r\n  ethereumex:httpheaderprovider setting headers +0ms\r\n  ethereumex:httpheaderprovider prepareRequest:end +0ms\r\n  ethereumex:httpheaderprovider Result:  {\"jsonrpc\":\"2.0\",\"id\":3,\"result\":\"0x13015840b5b4641f3ad441e36ec428d7a1c9934c\"} +431ms\r\nweb3.eth.coinbase: 0x13015840b5b4641f3ad441e36ec428d7a1c9934c\r\n  ethereumex:httpheaderprovider Request: {\"jsonrpc\":\"2.0\",\"id\":4,\"method\":\"eth_getBalance\",\"params\":[\"0x13015840b5b4641f3ad441e36ec428d7a1c9934c\",\"latest\"]} +2ms\r\n  ethereumex:httpheaderprovider prepareRequest:begin +0ms\r\n  ethereumex:httpheaderprovider setting headers +0ms\r\n  ethereumex:httpheaderprovider prepareRequest:end +1ms\r\n  ethereumex:httpheaderprovider Result:  {\"jsonrpc\":\"2.0\",\"id\":4,\"result\":\"0x8cf23f909c0fa000\"} +277ms\r\nweb3.eth.getBalance(coinbase) 10156250000000000000<\/pre>\n<\/div>\n
Approach<\/h2>\n
The module presented utilizes prototypical inheritance and creates a virtual function for HttpProvider.prepareRequest<\/code>. The approach in the library uses pre-es2015 JavaScript. However, to make it clear what is being done, here is how it might look using a JavaScript es2015 compatible module:<\/p>\n
\n
class HttpHeaderProvider extends Web3.providers.HttpProvider {\r\n  constructor(host, headers) {\r\n    debug('in prv constructor');\r\n    super(host);\r\n  }\r\n...\r\n  prepareRequest(async) {\r\n    debug('in prepare');\r\n    var request = super.prepareRequest(async);\r\n    if (this.headers){\r\n      debug('setting headers')\r\n      for (var header in this.headers){\r\n        request.setRequestHeader( header, this.headers[header]);\r\n      }\r\n    }\r\n    return request;\r\n  }\r\n}<\/pre>\n<\/div>\n
More Information<\/h2>\n