Author Topic: fpHTTPServer and SSL  (Read 4588 times)

fjabouley

  • Full Member
  • ***
  • Posts: 128
fpHTTPServer and SSL
« on: March 29, 2020, 05:29:17 pm »

Hello all !
I'd like to make push notifications, using firebase (and send notifications via the fcm API)... but it only works on localhost and with secured connections (and a reverse proxy).
Is there a way to make secured connections with fpHTTPServer ?
Many thanks !
Best regards
« Last Edit: March 29, 2020, 06:29:34 pm by fjabouley »

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2020
  • Former Delphi 1-7, 10.2 user
Re: fpHTTPServer and SSL
« Reply #1 on: March 30, 2020, 05:11:56 am »
See this thread for an example using fpHTTPServer and SSL which is multi-platform (Windows, FreeBSD, Linux, macOS tested). Note that you will need FPC 3.3.1 (trunk) for this to work.

fjabouley

  • Full Member
  • ***
  • Posts: 128
Re: fpHTTPServer and SSL
« Reply #2 on: March 30, 2020, 09:51:02 am »
Thanks for the answer, but isn't the thread talking about fphttpclient ?
Does FPC 3.2+ support SSL with fpHTTPServer ? Do I only have to create a certificate ? (via Let's Encrypt ?)
Thanks again !

Leledumbo

  • Hero Member
  • *****
  • Posts: 8746
  • Programming + Glam Metal + Tae Kwon Do = Me
Re: fpHTTPServer and SSL
« Reply #3 on: March 30, 2020, 07:21:09 pm »
According to svn log on fphttpserver.pp: nope. No SSL support has been implemented whatsoever there, so you better end up using a reverse proxy.

fjabouley

  • Full Member
  • ***
  • Posts: 128
Re: fpHTTPServer and SSL
« Reply #4 on: March 30, 2020, 11:13:57 pm »
Ok thanks. Did someone already try to use fphttpserver with ssl, is it even possible?
What else can be used then ? I wouldn't like to use reverse proxy if possible.
Does Indy or synapse manage http server with ssl?


trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2020
  • Former Delphi 1-7, 10.2 user
Re: fpHTTPServer and SSL
« Reply #5 on: March 31, 2020, 12:26:36 am »
> Thanks for the answer, but isn't the thread talking about fphttpclient ?

Oops, sorry, I misread server vs client.

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2020
  • Former Delphi 1-7, 10.2 user
Re: fpHTTPServer and SSL
« Reply #6 on: March 31, 2020, 12:53:09 am »
See this mailing list post which states that it is now possible to create a FPC HTTP Server that supports SSL.

As for fpHTTPclient, you'll need to use trunk for fpHTTPserver.

fjabouley

  • Full Member
  • ***
  • Posts: 128
Re: fpHTTPServer and SSL
« Reply #7 on: April 02, 2020, 02:58:49 pm »
Thanks very much for your answers.
Does anybody have an example that includes ssl with fpc HTTP server ?
I'll try to check the trunk and see how it works.
Thanks again

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2020
  • Former Delphi 1-7, 10.2 user
Re: fpHTTPServer and SSL
« Reply #8 on: April 03, 2020, 08:04:37 am »
See the example simpleserver in trunk's fpcsrc/fpc-3.3.1/packages/fcl-web/examples/simpleserver

Renat.Su

  • Full Member
  • ***
  • Posts: 230
    • Renat.Su
Re: fpHTTPServer and SSL
« Reply #9 on: April 05, 2020, 12:59:56 pm »
I offer a very simple solution for those who need a secure server with TFPHTTPServer and others:
https://www.cloudflare.com/ Free and very simple.

Warfley

  • Hero Member
  • *****
  • Posts: 1499
Re: fpHTTPServer and SSL
« Reply #10 on: April 05, 2020, 08:52:46 pm »
> What else can be used then ? I wouldn't like to use reverse proxy if possible.

May I ask you why you don't like using a reverse proxy? It has several advantages:
1. you can register multiple services on one domain for different paths. Most notably you need to provide a challenge for Let's Encrypt certificates. With an nginx reverse proxy this needs 3 lines in your nginx config, otherwise you need to implement this in your HTTPserver as a special module. This also then means that you just have to maintain code in your project simply for Let's Encrypt, which is more effort
1.1. you can also split your project up into multiple smaller projects rather than having one large server. This also means that one part of your server can not crash the whole service
1.2. you can integrate multiple programs, maybe even written in different languages, without having to do some weird switching in your pascal program

2. HTTP/2 support. fpHTTPServer does not (to my knowledge) support HTTP/2. HTTP/2 has a lot of improvements (most notably it's faster), and with using a reverse proxy like nginx you can have all the advantages when connecting to the user, while internally using HTTP/1.1 for your server (which doesn't matter as much, because this is much faster than any network connection)

3. Security. While the FCL web stuff is great, no doubt, I think nginx or apache are arguably much more tested and hardened. Having such a server as your "frontline" makes it much harder to abuse security vulnerabilities that might be in the FCL web components. While this of course does not fix any bugs in your code, malformed HTTP requests, for example, that might trigger a bug in an FCL web component can be filtered by the reverse proxy. Also everything that does not require any logic (like requesting images) can be fully handled by your proxy, meaning less work for you, as well as smaller attack vectors against your software.

4. Load balancing. The reverse proxy can perform load balancing, e.g. via a Kubernetes cluster. If you run your own fpHTTPServer, it's all one process, which basically means you have to implement all that stuff for yourself, and possibly (or probably) worse than it would be using existing technology.

5. Less work. I have multiple services running on my server, some of them written in Lazarus, some in Python, others are existing products (like gitlab). To run a new service on a new domain, I simply do the following: 1. Dockerize the app (which I'm currently working on automating via CI/CD), 2. start docker container on server, 3. run my nginx config script that automatically configures the reverse proxy and Let's Encrypt for me. At most 10 minutes. It does automatic logging, restarting of the services (using docker), registering Let's Encrypt, etc. And the best thing, not a single line of code needs to be inserted in my project for this to work.

I honestly see no reason why to not use a reverse proxy, it has only advantages
« Last Edit: April 05, 2020, 09:06:25 pm by Warfley »
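
The setup described in points 1 to 3 above, as an added nginx configuration sketch that is not part of the original post. It assumes the fpHTTPServer application listens for plain HTTP on 127.0.0.1:8080 only; example.com, the port and all file paths are placeholders.

```nginx
# Constructed example: example.com, port 8080 and every path are placeholders.
server {
    listen 80;
    server_name example.com;

    # Point 1: nginx answers the Let's Encrypt HTTP-01 challenge from a
    # directory the ACME client writes to; the Pascal code is not involved.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # Everything else on port 80 is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # Point 2: TLS and HTTP/2 are spoken towards the client only.
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Point 3: static files are served by nginx and never reach the backend.
    location /static/ {
        root /var/www/app;
    }

    location / {
        # Plain HTTP/1.1 to the fpHTTPServer process on the loopback interface.
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

The backend should bind to the loopback address rather than all interfaces, so the unencrypted port cannot be reached without passing through the proxy.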

fjabouley

  • Full Member
  • ***
  • Posts: 128
Re: fpHTTPServer and SSL
« Reply #11 on: April 06, 2020, 09:36:20 am »

@Renat.Su : Thank you !

@Warfley :

Many thanks for your answer.
I currently use a reverse proxy in order to use notifications. I was wondering if I could use directly fpHTTPServer with SSL, but in fact I think you're right for the many reasons you gave me.


 
