Tcl in the Middle
Michael Cleverly
Tcl has long been recognized as an excellent language to glue existing components together to create new applications. Tcl is just as useful when interjected into the middle of existing, functioning N-tier "enterprise" systems.
SockSpy is probably the best known example of a "man in the middle" Tcl application. What may not be as widely appreciated, however, is that Tcl's strong TCP sockets and event-driven I/O make construction of custom man in the middle solutions (that solve real business problems, often at a fraction of the cost of other potential solutions) quite straightforward (even more so with the new [chan] command in Tcl 8.5).
Summary
"Tcl in the Middle" draws from the author's experience implementing
TIP #287, from a half-dozen custom "man in the middle" applications
created for Intermountain Healthcare, and from the author's own OSS
projects. These applications include:
- icproxy
  - Restricts what traffic is allowed through to Avaya Meeting Exchange
  - Terminates the SSL connection, inspects the request, re-encrypts to the backend
  - Enforces HTTP protocol synchronization rules (to avoid HTTP Response Splitting attacks) and normalizes requests
  - ~750 lines of Tcl
- rebranded-org
  - AOLserver/NaviServer proxy that sits between Apache and ExpressRoom
  - Munges both requests and responses (including the response body of text/* requests) on-the-fly to correct corporate rebranding without having to touch legacy content
  - ~300 lines of Tcl
- portal-rproxy
  - AOLserver/NaviServer proxy that sits behind a webserver
  - Validates that the client's session cookies are current and valid against backend application server(s) before serving up static resources
  - Validation rules are highly configurable without code changes
  - ~600 lines of Tcl
- tcpsymlinks
  - Glues an incoming TCP request to an arbitrary destination (similar to Source NAT'ing)
  - Destination can be changed without terminating existing connections
  - New client connections get sent to the new destination instead of the old
  - Can be used to redirect traffic between a web server and an application server on the fly without making any configuration changes to either of those systems
  - ~150 lines of Tcl
- wlpr-proxy
  - Developed as an alternative to BEA's (buggy) WebLogic plugin for Apache
  - Deterministically load balances incoming requests to a pool of backend application servers
  - Provides detailed logging of client request and server response headers to assist developers in troubleshooting application problems
  - ~300 lines of Tcl
- centricity-proxy
  - Provides front-end SSL termination to Centricity radiology image viewer
  - ~25 lines of Tcl
- OTM
  - A web server that has a "One Track Mind"--it responds to all requests the same
  - Useful for putting up downtime notices
  - ~350 lines of Tcl
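As an added illustration (not the author's tcpsymlinks or any other code from the projects above), the following Tcl 8.5 script shows the socket and event-driven pattern behind a tcpsymlinks-style relay: each new client is glued to the destination current at connect time, and a small control port changes that destination for future connections without touching established ones. The listen port, control port and initial backend are assumptions.

```tcl
# Added example, not the author's tcpsymlinks: a minimal TCP "symlink".
# A client is glued to whatever ::target holds at connect time; changing
# ::target via the control port redirects only later connections.
package require Tcl 8.5

set ::listen_port  8080              ;# where clients connect (assumed)
set ::target       {127.0.0.1 8081}  ;# initial backend host port (assumed)
set ::control_port 9090              ;# accepts "host port" lines (assumed)
# Copy what is readable on $from to $to; tear down both on EOF or error.
proc relay {from to} {
    if {[catch {
        set data [chan read $from]
        if {$data ne ""} { chan puts -nonewline $to $data }
    }] || [chan eof $from]} {
        catch {chan close $from}
        catch {chan close $to}
    }
}

# New client: dial the *current* target and wire the two channels together.
proc accept {client addr port} {
    lassign $::target host bport
    if {[catch {socket $host $bport} backend]} {
        puts stderr "$addr:$port -> $host:$bport failed: $backend"
        chan close $client
        return
    }
    foreach ch [list $client $backend] {
        chan configure $ch -blocking 0 -buffering none -translation binary
    }
    chan event $client  readable [list relay $client $backend]
    chan event $backend readable [list relay $backend $client]
}
# Control connection: a line "host port" changes the destination for all
# future clients; connections already established are not affected.
proc control {client addr port} {
    chan configure $client -blocking 0 -buffering line
    chan event $client readable [list retarget $client]
}
proc retarget {client} {
    if {[chan gets $client line] >= 0 && [regexp {^(\S+)\s+(\d+)$} $line -> host bport]} {
        set ::target [list $host $bport]
        puts $client "new connections now go to $host:$bport"
    }
    if {[chan eof $client]} { chan close $client }
}

socket -server accept $::listen_port
socket -server control -myaddr 127.0.0.1 $::control_port
vwait forever
```

The control port is bound to the loopback address only, since anyone who can reach it can steer every new client connection to a backend of their choosing; a production version would need authentication or a local-only mechanism such as a Unix socket or a file watched for changes.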
Load balancing, SSL termination, source NAT'ing and content inspection are all features of hardware devices from major vendors whose costs and complexities far exceed the affordability and nimbleness of smartly deployed Tcl solutions.