-
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
CloudFlare is the obvious solution for most commercial web sites, although I find my link site checker app being blocked from some sites CF 'protects'. But this is an ICS web server, and developers have vastly more control over checking and blocking connections than sites using Apache, etc, that need extras to protect them. Although I get the usual general hackers, they are normally easy to block, anyone accessing the SSL site using an IP address immediately goes on the blocked list, or trying to access CGI script, etc. Angus -
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Thanks for the thoughts. The user agent strings are partly randomised, lots of different Chrome/xx versions, the Safari version seems to be the same, but is probably legitimate. The SSL HELO packet has some unknown EC groups, but Chrome often has test groups. The ALPN is always blank, and the requests use a URL without www, but blocking either of those would also hit legitimate API users. The server does not currently log any request headers, not sure if VPNs would add anything to identify themselves, as proxies normally do. One possible solution would be counting IP accesses within a /24 or larger block, although that might include some corporates with outgoing blocks, I'd need to update my white lists as well. Don't want to spend too much time on a rare problem... Angus -
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
My Chinese hackers have changed strategy to get around my IP address blocks and access my web site database, that restricts free access to 50 requests a day, paying for unlimited access seems beyond them. So now they are using VPNs, making two requests at a time from thousands of different IP addresses around the world, 3,500 over the last 48 hours, with requests now repeating after 24 hours, previously I cleared the block list after six hours of no repeat access. I've not yet managed to define an automated strategy to block relatively random IPs, a CAPTCHA would work, but don't want to annoy my users, likewise giving them a free login. Has anyone got a better strategy for blocking unwanted access by IP? Meanwhile, I'll add /24 level IP blocks manually for a few dozen VPN ranges, which means the server will immediately close any connections from those ranges. Last time I did this to block TOR nodes, I accidentally blocked some large corporates resulting in some interesting telephone calls. Angus -
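The /24 counting idea raised in the two "Blocking hackers" posts above, as an added example written in Python; it is not code from the posts or from ICS. The class and function names, the 24-hour window, the 48-hour block lifetime, applying the 50-request allowance per /24, and the allowlisted range are all assumptions, and the sample requests are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Every value here is an assumption for illustration, not an ICS setting.
WINDOW = 24 * 3600       # look-back; the post says requests repeat after 24 hours
BLOCK_TTL = 48 * 3600    # keep a block longer than the repeat interval
MAX_PER_PREFIX = 50      # the free daily allowance, applied to a whole /24
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]  # constructed corporate range

class PrefixLimiter:
    def __init__(self, prefix_len=24):
        self.prefix_len = prefix_len
        self.hits = defaultdict(deque)  # network -> request times inside WINDOW
        self.blocked = {}               # network -> time the block expires

    def prefix_of(self, addr):
        # IPv4 is grouped by /24 (default); IPv6 by /64, the usual per-site prefix.
        plen = self.prefix_len if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

    def allow(self, ip, now):
        addr = ipaddress.ip_address(ip)
        # Allowlist is checked first so known corporate ranges are never dropped.
        if any(addr in net for net in ALLOWLIST):
            return True
        net = self.prefix_of(addr)
        if self.blocked.get(net, 0) > now:
            return False
        q = self.hits[net]
        q.append(now)
        while q and q[0] <= now - WINDOW:   # forget requests older than WINDOW
            q.popleft()
        if len(q) > MAX_PER_PREFIX:
            self.blocked[net] = now + BLOCK_TTL
            return False
        return True

def replay(events):
    """events: (unix_time, ip) pairs. Returns the limiter and the denied pairs."""
    lim = PrefixLimiter()
    denied = [(t, ip) for t, ip in sorted(events) if not lim.allow(ip, t)]
    return lim, denied

# Constructed sample: 30 addresses in one /24 making two requests each,
# a busy allowlisted client, and one ordinary visitor.
SAMPLE = [(i * 60, f"203.0.113.{i // 2 + 1}") for i in range(60)]
SAMPLE += [(i, "198.51.100.7") for i in range(100)]
SAMPLE += [(10, "192.0.2.9"), (11, "192.0.2.9")]

if __name__ == "__main__":
    print(replay(SAMPLE)[1])
```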
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
That sort of error usually happens if you don't open the form in the IDE, and the new properties are not saved to the DFM, so fail to be read when executed. That property was added six months ago, and no-one else has reported a problem in that time. Angus -
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Sorry, not sure what point you are making here. The SslCipherList13 property was added in V9.3 and defaults to sslCipherSuitesTLS13, they both exist in V9.4. Angus -
Connection refused issue
Angus Robertson replied to Eric Bonilha's topic in ICS - Internet Component Suite
Is the server dead once the problem arises, or does it start accepting connections again at some point? The backlog of 15 suggests the default is not being changed, but it is set immediately before Listen so can not be skipped. There is a fix in V9.4 relating to the wrong connection state when connections open very quickly, usually localhost, that could stall WSocket, not sure if it applies to your situation. Angus -
Access violations in OverbyteIcsHttpRestTst
Angus Robertson replied to omnibrain's topic in ICS - Internet Component Suite
Bug now fixed, it was a late change in V9.4 flushing the log file to disk in case the request failed, but not actually checking the log was opened. You can fix it by removing the lines marked with V9.4. Angus -
Access violations in OverbyteIcsHttpRestTst
Angus Robertson replied to omnibrain's topic in ICS - Internet Component Suite
How do you propose I reproduce that problem? It is most likely something specific to your installation. That URL works fine here:
Built With Delphi 11.3 Win64
12:36:51 Opened log file: D:\weblogs\ics\https-rest\ics-httprest-2025-02-25.log
12:36:51 25/02/2025 12:36:51 Starting REST request for URL: https://jsonplaceholder.typicode.com/users
12:36:51 GET https://jsonplaceholder.typicode.com/users
12:36:51 https://jsonplaceholder.typicode.com/users, Getting headers
12:36:51 Async REST request started
12:36:52 Connected OK to: jsonplaceholder.typicode.com (104.21.48.1)
Edit: thinking back, it might be first time issue saving INI settings or something. Is it repeatable? Angus -
IcsMimeIsTextual doesn't work with content-type 'text'
Angus Robertson replied to omnibrain's topic in ICS - Internet Component Suite
Strangely, that function was on my screen, I've just added some more parameter encoding and decoding functions to that unit. I've removed the / after text, it's a pretty basic function to avoid trying to convert images and files into unicode. Not sure why V9.3 changed anything, that text/ check was previously in the TriggerRequestDone2 function. Angus -
Best Practices for Secure Authentication in Delphi REST Applications
Angus Robertson replied to nolanmaris's topic in Network, Cloud and Web
Treat API keys and tokens as if they are passwords, and encrypt them, as we have forever, at least in properly written applications. The type of encryption and how you protect the key really depends on your security threat level. Angus -
Refreshing the access token (expires within a day) using the refresh token (may not expire for a year or more) is a standard part of any proper OAUTH2 implementation. But getting that refresh token usually requires a browser login, either embedded Edge or separate browser. The ICS library has several examples for OAUTH2 with refresh tokens. Angus
-
TSslHttpRest and OnDocData
Angus Robertson replied to KBazX's topic in ICS - Internet Component Suite
Correct, provided you use the RestRequest method. The data received during the request is handled internally, and made available from various properties, ResponseRaw, ResponseStream, ResponseOctet and ResponseJson, depending on what you want to do with it, or might have been written to a file. Because TSslHttpRest descends from TSslHttpCli, it publishes all its properties and events, so you can use it without RestRequest if required. Angus -
SSL/TLS and Certificate Improvements
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
I understand some commercial certificate suppliers are now using the ACME system designed by Let's Encrypt to automatically issue certificates. Presumably adding an authentication step for payment, this might be something ICS should be supporting. Angus -
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
The issue here is how much time I can spend attempting to support long obsolete versions of Delphi, instead of concentrating on new features and stuff. My time is free and not unlimited. I have not yet removed support for these old Delphi versions from ICS, but those using them need to help investigate problems, not just report them. Angus -
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
The large change with V9.3 was consolidating many type definitions into the Types unit, with their original versions commented out with (* *). I then remove old code a release or two later. Comparing the prior unit with the latest, I see there are a couple of embedded (* *) pairs I did not disable, near lines 1428 and 1467, maybe D2010 has trouble there. Try removing all that code. Or indeed any code that is commented out, which I'll do for the next release anyway. As I said earlier, I can not test this since my D2010 license no longer works. Angus