KostasR

MARSWebServer Service config for HTTPS

Hello All,

 

I am currently trying to link MARS with an IO handler in order to be able to use HTTPS.
Inspired by this post, stackoverflow indy-ssl-delphi-server

This is what my code looks like. HTTPS is ignored. HTTP requests go through.
Does anyone have MARS running with HTTPS?

 

 

procedure TWEBService.ServiceCreate(Sender: TObject);
var
  LScheduler: TIdSchedulerOfThreadPool;
begin
  Name := TServerEngine.Default.Parameters.ByNameText('ServiceName', Name).AsString;
  DisplayName := TServerEngine.Default.Parameters.ByNameText('ServiceDisplayName', DisplayName).AsString;

  if WebRequestHandler <> nil then
    WebRequestHandler.WebModuleClass := WebModuleClass;

  FServer := TIdHTTPWebBrokerBridge.Create(nil);

  FIOHandler.SSLOptions.CertFile := 'certificate.crt';
  FIOHandler.SSLOptions.KeyFile := 'private.key';
  FIOHandler.SSLOptions.RootCertFile := 'SSLroot.crt';
  FIOHandler.SSLOptions.Method := sslvSSLv23;
  FIOHandler.OnVerifyPeer := IOHandlerVerifyPeer;
  FServer.IOHandler := FIOHandler;
  FServer.OnQuerySSLPort := OnQuerySSLPort;


  try
    FServer.DefaultPort := TServerEngine.Default.Port;

    LScheduler := TIdSchedulerOfThreadPool.Create(FServer);
    try
      LScheduler.PoolSize := TServerEngine.Default.ThreadPoolSize;
      FServer.Scheduler := LScheduler;
      FServer.MaxConnections := LScheduler.PoolSize;
      FServer.OnParseAuthentication := ParseAuthenticationHandler;
    except
      FServer.Scheduler.Free;
      FServer.Scheduler := nil;
      raise;
    end;
  except
    FIOHandler.Free;
    FServer.Free;
    raise;
  end;
end;

 

Regards,

  Kostas


Hi, sorry for the late reply, I've just pushed some new features about this in MARS.

 

Here's also a blog post about it: https://blog.andreamagni.eu/2021/01/mars-1000th-commit-added-support-to-indy-standalone-ssl/

 

Beware: I've also refactored many deployment options available to use TMARSHttpServerIndy and less WebBroker stuff. Let me know if you encounter any issue.

 

Sincerely,

Andrea


Hi Andrea,
Hi All,

I am struggling with the same topic.
In reference to the 1000th commit: this works very well when using ServerVCLApplication, but I ran into problems getting SSL AND SERVICE running:

I have stated in Server.Service.ServiceCreate() or Server.Service.ServiceStart():
FServer.Engine.Port := 0;
FServer.Engine.PortSSL := 8443;

 

The service terminates a few seconds after starting with:

"The xxxxxx service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other service or programs"


The Windows Events say: Failed to load root certificate.

 

Therefore I copied the 3 files from the bin folder (where they were by default and work for the ServerApplication)
to an absolute path like C:\CERT\
and set this up by (I thought maybe the service is started in a different context):

(also in Server.Service.ServiceCreate() , just before setting FServer.Engine.PortSSL)

 FServer.SSLIOHandler.SSLOptions.RootCertFile := 'C:\CERT\localhost.pem';
 FServer.SSLIOHandler.SSLOptions.CertFile     := 'C:\CERT\localhost.crt';
 FServer.SSLIOHandler.SSLOptions.KeyFile      := 'C:\CERT\localhost.key';

still not working...

(I am a complete newbie with services, unfortunately; any suggestions very welcome)


Kind Regards,

     ckranich

 

 


Additional Info:

At first I thought it might have to do with the certificates (however, when the server is run as an app they work OK).
Recreated some fresh ones using XCA. No change.

This definitely has to do with enabling SSL.
As soon as an SSL port is assigned by
FServer.Engine.PortSSL :=

the startup stalls in MARShttpServerIndy.Startup (never finishes)
SetupSSLIOHandler() exits OK
SetupThreadPooling() exits OK with 100 threads

Any Ideas?

I know that Andrea suggests a reverse proxy etc. for SSL (and doing only HTTP on the REST server), but in this project a standalone service app has been requested by the customer ...

Kind Greetings,

     ckranich


 


At first I supposed it might have to do with the certificates somehow
(or with user context versus local system context to access certificates).
But
- the same certificates work if used from the MARS Server compiled as a VCL application
- no change if the service is started using a local user instead of local system
- a DataSnap REST server works OK running as a service using the same (self-signed) certificates and the same OpenSSL DLLs.

=> Indy seems to be able to use SSL from Service Application (DataSnap uses Indy too)
=> will have to dig deeper (traced until inherited call)

 


Hi All,

Sysinternals ProcMon is your friend 🙂

Problem solved.

CERTIFICATE LOCATIONS FOR WINDOWS SERVICE DIFFERENT TO WINDOWS APPLICATION!
(at least on Win10/Pro as I have) :

the cert files (supposed to be in the bin/executable folder) MUST BE IN the C:\Windows\SysWOW64\ folder
also a cert.pem is queried from C:\usr\local\ssl\cert     (I copied the root cert to this name, however not sure if necessary)

so if sticking with Indy default names, the files are:
C:\Windows\SysWOW64\localhost.pem        root cert
C:\Windows\SysWOW64\localhost.crt           cert
C:\Windows\SysWOW64\localhost.key          key
Self-signed cert OK (created using XCA)

For copying to this folder, of course Admin rights are necessary.
If you are using a VMWare VM for Delphi 10.4.X, as I do, and the project files are in the shared VM drive outside the VM,
you need a 2-step copy: 1) project/bin to local desktop  2) local desktop to SysWOW64

All the above is for the WIN32 Service target, as I did not try out X64 yet.
I am happy to be out of the swamp and back on the road (after fighting Windows and not the project)

I will duplicate this to a new topic for better visibility. May it be helpful for others!

Kind Regards,

     ckranich
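
An added example, not part of the original posts and not MARS code: a Windows service starts with %SystemRoot%\System32 as its current directory (which a 32-bit process sees as SysWOW64), and relative file names such as localhost.pem resolve against that directory. The sketch below reports where the thread's default file names resolve and switches the current directory to the executable's folder; the helper names MissingCertFiles and UseExeFolderAsCurrentDir are hypothetical, and it assumes the certificates are deployed next to the executable and looked up by relative name.

```delphi
program CertPathCheck;
{$APPTYPE CONSOLE}

uses
  System.SysUtils;

const
  // Default certificate file names quoted in the thread.
  CertFiles: array[0..2] of string =
    ('localhost.pem', 'localhost.crt', 'localhost.key');

// Returns the full paths at which the relative names above currently
// resolve but no file exists. Relative names resolve against the
// process's current directory, not the executable's folder.
function MissingCertFiles: TArray<string>;
var
  LName, LResolved: string;
begin
  Result := [];
  for LName in CertFiles do
  begin
    LResolved := ExpandFileName(LName);
    if not FileExists(LResolved) then
      Result := Result + [LResolved];
  end;
end;

// Assumption: the certificates are deployed next to the executable.
// Call this before the SSL port is assigned so that relative names
// resolve there instead of in the service's start-up directory.
procedure UseExeFolderAsCurrentDir;
begin
  if not SetCurrentDir(ExtractFilePath(ParamStr(0))) then
    RaiseLastOSError;
end;

var
  LPath: string;
begin
  Writeln('Current directory before: ', GetCurrentDir);
  UseExeFolderAsCurrentDir;
  Writeln('Current directory after:  ', GetCurrentDir);
  for LPath in MissingCertFiles do
    Writeln('Missing: ', LPath);
end.
```

In a service, the two routines would be called from ServiceCreate and the missing paths written to the event log instead of the console. Keeping the files beside the executable also keeps the private key out of a system directory, where its ACL can be restricted to the service account.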

 
