KostasR 1 Posted December 28, 2020

Hello All,

I am currently trying to link MARS with an IO handler in order to be able to use HTTPS. Inspired by this post: stackoverflow indy-ssl-delphi-server

This is what my code looks like. HTTPS is ignored. HTTP requests go through.

Does anyone have MARS running with HTTPS?

    procedure TWEBService.ServiceCreate(Sender: TObject);
    var
      LScheduler: TIdSchedulerOfThreadPool;
    begin
      Name := TServerEngine.Default.Parameters.ByNameText('ServiceName', Name).AsString;
      DisplayName := TServerEngine.Default.Parameters.ByNameText('ServiceDisplayName', DisplayName).AsString;

      if WebRequestHandler <> nil then
        WebRequestHandler.WebModuleClass := WebModuleClass;

      FServer := TIdHTTPWebBrokerBridge.Create(nil);

      FIOHandler.SSLOptions.CertFile := 'certificate.crt';
      FIOHandler.SSLOptions.KeyFile := 'private.key';
      FIOHandler.SSLOptions.RootCertFile := 'SSLroot.crt';
      FIOHandler.SSLOptions.Method := sslvSSLv23;
      FIOHandler.OnVerifyPeer := IOHandlerVerifyPeer;

      FServer.IOHandler := FIOHandler;
      FServer.OnQuerySSLPort := OnQuerySSLPort;

      try
        FServer.DefaultPort := TServerEngine.Default.Port;
        LScheduler := TIdSchedulerOfThreadPool.Create(FServer);
        try
          LScheduler.PoolSize := TServerEngine.Default.ThreadPoolSize;
          FServer.Scheduler := LScheduler;
          FServer.MaxConnections := LScheduler.PoolSize;
          FServer.OnParseAuthentication := ParseAuthenticationHandler;
        except
          FServer.Scheduler.Free;
          FServer.Scheduler := nil;
          raise;
        end;
      except
        FIOHandler.Free;
        FServer.Free;
        raise;
      end;
    end;

Regards,
Kostas
Andrea Magni 75 Posted January 16, 2021

Hi,

sorry for the late reply, I've just pushed some new features about this in MARS.

Here's also a blog post about it: https://blog.andreamagni.eu/2021/01/mars-1000th-commit-added-support-to-indy-standalone-ssl/

Beware: I've also refactored many deployment options available to use TMARSHttpServerIndy and less WebBroker stuff. Let me know if you encounter any issue.

Sincerely,
Andrea
marcovaldo 1 Posted October 18, 2021

Hi Andrea, Hi All,

I am struggling with the same theme. In reference to the 1000th commit: this works very well when using ServerVCLApplication, but I ran into problems getting SSL AND SERVICE running.

I have stated in Server.Service.ServiceCreate() or Server.Service.ServiceStart():

    FServer.Engine.Port := 0;
    FServer.Engine.PortSSL := 8443;

The service terminates a few seconds after starting with:

"The xxxxxx service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other service or programs"

The Windows Events say: Failed to load root certificate.

Therefore I copied the 3 files from the bin folder (where they were as default and work for the ServerApplication) to an absolute path like C:\CERT\ and set this up as follows (I thought maybe the service is started in a different context), also in Server.Service.ServiceCreate(), just before setting FServer.Engine.PortSSL:

    FServer.SSLIOHandler.SSLOptions.RootCertFile := 'C:\CERT\localhost.pem';
    FServer.SSLIOHandler.SSLOptions.CertFile := 'C:\CERT\localhost.crt';
    FServer.SSLIOHandler.SSLOptions.KeyFile := 'C:\CERT\localhost.key';

Still not working...

(I am a complete newbie with services unfortunately; any suggestions very welcome)

Kind Regards,
ckranich
marcovaldo 1 Posted October 19, 2021

Additional info:

At first I thought it might have to do with the certificates (however, when the server is run as an app they work OK). Recreated some fresh ones using XCA: no change.

This definitely has to do with enabling SSL. As soon as an SSL port is assigned by FServer.Engine.PortSSL := the startup stalls in MARShttpServerIndy.Startup (never finished):

- SetupSSLIOHandler() exit OK
- SetupThreadPooling() exit OK with 100 threads

Any ideas?

I know that Andrea suggests a reverse proxy etc. for SSL (and doing only HTTP on the REST server), but in this project a standalone service app has been requested by the customer...

Kind Greetings,
ckranich
marcovaldo 1 Posted October 20, 2021

At first I supposed it might have to do with certificates somehow (or with user context versus local system context to access certificates).

But:

- the same certificates work if used from the MARS Server compiled as a VCL Application
- no change if the service is started using a local user instead of local system
- a DataSnap REST server works OK running as a service using the same (self-signed) certificates and the same OpenSSL DLLs

=> Indy seems to be able to use SSL from a Service Application (DataSnap uses Indy too)

=> will have to dig deeper (traced until inherited call)
marcovaldo 1 Posted October 21, 2021

Hi All,

Sysinternals ProcMon is your friend 🙂

Problem solved.

CERTIFICATE LOCATIONS FOR WINDOWS SERVICE DIFFERENT TO WINDOWS APPLICATION! (at least on Win10/Pro as I have):

The cert files (supposed to be in the bin/executable folder) MUST BE IN the C:\Windows\SysWOW64\ folder.

Also, a cert.pem is queried from C:\usr\local\ssl\cert (I copied the root cert to this name, however I am not sure if that is necessary).

So if sticking with the Indy default names, the files are:

    C:\Windows\SysWOW64\localhost.pem    root cert
    C:\Windows\SysWOW64\localhost.crt    cert
    C:\Windows\SysWOW64\localhost.key    key

Self-signed cert is OK (created using XCA).

For copying to this folder, of course Admin rights are necessary. If you are using a VMWare VM for Delphi 10.4.X, as I do, and the project files are in the shared VM drive outside the VM, you need a 2-step copy:

1) project/bin to local desktop
2) local desktop to SysWOW64

All the above is for the WIN32 Service target, as I did not try out X64 yet.

I am happy to be out of the swamp and back on the road (after fighting Windows and not Project).

I will duplicate this to a new Topic for better visibility. May it be helpful for others!

Kind Regards,
ckranich
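
The ProcMon finding above is consistent with a bare certificate file name being opened relative to the process's current directory, which for a service started by the Service Control Manager is the Windows system directory (seen as SysWOW64 by a 32-bit process) rather than the executable's folder. The following Delphi program is an added example, not code from MARS, Indy or any poster in this thread: it reports where each file name resolves both ways and whether a file exists there. `ResolveNextToExe` and `DescribeCertLookup` are hypothetical helper names, and the file names are the ones quoted in the thread.

```delphi
program CertPathCheck;

{$APPTYPE CONSOLE}

uses
  System.SysUtils, System.IOUtils;

const
  // File names quoted in the thread; adjust to your own deployment.
  CertFiles: array[0..2] of string =
    ('localhost.pem', 'localhost.crt', 'localhost.key');

// Hypothetical helper: anchor a relative name at the executable's folder so
// the result does not depend on the process's current directory.
function ResolveNextToExe(const AFileName: string): string;
begin
  if TPath.IsPathRooted(AFileName) then
    Result := AFileName
  else
    Result := TPath.Combine(ExtractFilePath(ParamStr(0)), AFileName);
end;

// Hypothetical helper: one log line per file showing both resolutions and
// whether a file exists there. In a TService, pass the result to LogMessage
// instead of Writeln, since a service has no console.
function DescribeCertLookup(const AFileName: string): string;
var
  LViaCwd, LViaExe: string;
begin
  LViaCwd := ExpandFileName(AFileName); // resolved against the current directory
  LViaExe := ResolveNextToExe(AFileName);
  Result := Format('%s: cwd=%s (exists=%s); exe=%s (exists=%s)',
    [AFileName,
     LViaCwd, BoolToStr(FileExists(LViaCwd), True),
     LViaExe, BoolToStr(FileExists(LViaExe), True)]);
end;

var
  LName: string;
begin
  Writeln('Current directory: ', GetCurrentDir);
  Writeln('Executable folder: ', ExtractFilePath(ParamStr(0)));
  for LName in CertFiles do
    Writeln(DescribeCertLookup(LName));
end.
```

Files copied into SysWOW64 inherit that folder's ACL, which by default grants read access to ordinary local users, so a private key placed there deserves an explicit ACL check.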