Http.sys questions
#1
Hi! I have started experimenting with converting some existing web applications to http.sys and have some questions. Before I state them I want to explain what I want to accomplish, in case I am looking in the wrong direction (maybe there is a totally different approach?) and/or asking the wrong questions.

We have 6 services accessible via https running on the same server. Three of them are IntraWeb standalone web applications, two are RemObjects servers (built with Delphi), and one is a .NET REST service. The five Delphi services share the same SSL certificate *.pem files and use Indy / OpenSSL 1.0.2. For the .NET service we have imported the same certificate (in pfx format) into Windows and it has a binding for it to the port it listens on. IIS is NOT used. All 6 services listen on different ports. Externally, however, the services are all accessed on the standard SSL port (443). This is accomplished by DNS records for different URLs (such as www.mydomain.com, m.mydomain.com, api.mydomain.com...) pointing to different (external) IP addresses on our site, and then a firewall redirecting the https traffic (on port 443) for these IPs to the different ports used internally on our server. While this works fine technically, we are wasting IP addresses with this approach, and now that we are expanding the server site with more servers and services we are running out of them.

So my idea was to try to use http.sys for at least the three IW applications so that they use the same port, but using e.g. mydomain.com/m/ rather than m.mydomain.com for our mobile friendly web application as an example. Another reason for looking at http.sys is that we are living on borrowed time with OpenSSL 1.0.2, and Indy support for newer OpenSSL versions still does not seem completed(?). So before answering my specific questions below, first please comment on whether you think my idea with http.sys is good or if you know of some completely different approach that would accomplish the same thing.
  
1. When searching I found https://doc.atozed.com/en/iw15/develop/c...-intraweb/ and https://blog.boxofbolts.com/ssl/windows/...d-windows/ (not IntraWeb-specific). Are there some other good resources to look at (e.g. specific info on using multiple IntraWeb http.sys services with SSL)?
2. Is it possible that the main web application can be used with an empty UrlBase (but where the other two web applications have different, non-empty BaseUrl values)? If so, how do you set that up?
3. When doing some initial tests (locally, without https) I successfully got two of the web applications running (with two different BaseUrl values) on the same port. When I shut down the applications I got loads of exceptions (access violations, invalid pointer operations) in the ServerController.OnDestroy handler (where we finalize various globally used resources), which I don't get when running with Indy. It worked slightly better when run as a service, but there was still an access violation when freeing a data module (and it was not possible to get a call stack). Can you say anything general about these shutdown issues when running with http.sys?
4. When using a non-empty BaseUrl, I noticed various issues with (static) logout and session timeout pages (both having an <a href="/">Click here to login again.</a> element). Before diving into details, is there anything in general I should know about when using a non-empty BaseUrl (in relation to static pages)?
5. Do you think it is possible to use http.sys (and the same port) for the three other (non-IntraWeb) services as well?

Note: We are currently using IW 15.1.5 in production. Unless there are major restructures to how you use http.sys in 15.2.X, I would like to keep migration to the latest IW versions as a separate project.

Best regards

Magnus Oskarsson
#2
Hi Magnus, I have used http.sys a lot. I'll try to respond to your questions:
1. OK.
2. Yes, it is. I have this: https://pixpdv.com.br/ is the main app without UrlBase, serving static html files. I have another 4 apps (using the same certificate on Windows) at these addresses:
   - https://pixpdv.com.br/api/ (static)
   - https://pixpdv.com.br/auxiliar/ (iw)
   - https://pixpdv.com.br/admin/index.html (iw)
   - https://pixpdv.com.br/cobranca/boleto/02FB249D.... (iw)
3. Alexandre did a lot of improvements in the http.sys version. The latest (15.2.47) is specific for Delphi 11 OnDestroy. I have full debug mode ON in http.sys and I send anything I find to them. This latest is a week to found.
4. No problem at all. Running like a charm. Alexandre changed send redirect to please web crawlers when serving static files.
5. If the 3 others use the http.sys technique, yes.
#3
Hi Magnus,

Everything that you intend to do is possible and, as mentioned by Jose Nilton above, already used by many customers.

Regarding the errors while shutting down, I'd like to see the call stack of those before saying anything. There is no reason for that except that you are relying on some specific destruction sequence in Indy (and this is not guaranteed to be exactly the same in Http.sys). Feel free to send them to me via email and I can have a look.

Cheers,
#4
Thanks for your replies, Jose and Alexandre! I have made some further tests and been able to share an SSL connection between two web applications, one with an empty BaseUrl and one with a non-empty BaseUrl, and the basics seem to work (I haven't really tested much functionality in the applications yet). Regarding shutdown issues I was unable to get a call stack (got exceptions also in the exception handling code), but I haven't looked into that further. Alexandre, is it correct that there have been changes that might affect this between 15.1.15 and the latest IW version? If so, it makes sense to migrate the web applications before going deeper into it. But as I said, I'd rather not do two things at once that potentially could introduce functionality issues; preferably migration and http.sys conversion could be two separate projects.

Another question regarding using SSL with Windows built-in support (I don't have as much experience with that as I have with OpenSSL): From what I understand, the TLS versions and ciphers supported depend on the Windows Server version (e.g. is it correct that TLS 1.3 is only supported in the newest Windows Server 2022?), at least out of the box? Or can you download and install enhanced SSL functionality in older Windows versions? I ask since we currently have servers out there with our web software running on different versions of Windows, ranging from 2008R2 to 2019.

Best regards

Magnus Oskarsson
#5
Hi again Alexandre! Just wanted to check again if you have any answer to the two questions above (http.sys changes in newer IW versions + TLS support in different windows versions)?

Also, I have another question now after doing some more successful tests. I have been able to share certificate/port for all 6 applications now in a test setup. If I can successfully make this production ready, I would need to support both old and new urls during a transition period. For example, I would like https://m.mydomain.com/ to be redirected to https://mydomain.com/m/ (or more generally stated: the old url should work in the same way as if I had entered the new url). I cannot easily do this with DNS http redirect records as it will cause certificate warnings when passing DNS servers. Instead, could I point the DNS record for m.mydomain.com to the same (shared) IP all my applications now are using, and redirect it from my main IntraWeb application to one of the other five applications based on the url used to access it? If so, what is the preferred way to do this? Any code examples? Can you make this work also when there are url parameters involved?

Furthermore, besides the two IW applications that now would use a non-empty BaseUrl, could I make this redirect work also for the non-IW applications (e.g. redirecting https://api.mydomain.com/ to https://mydomain.com/api/) in the same way? Or are some adjustments needed in those cases?

And finally of course, if you suggest a totally different approach for solving this issue, please say so!

Best regards

Magnus Oskarsson
#6
https://m.mydomain.com/ to be redirected to https://mydomain.com/m/

These are separate subdomains. You will need a domain level certificate for mydomain.com if you want HTTPS on both, but most certificates are for the domain so it would cover both.

You can use IW to redirect but it's a bit overkill and you want external redirects too.

The simplest way is to use a static website with one page to do the redirect, or use the redirect feature as a header in IIS etc. I'm not sure if http.sys can do this on its own, or if you would need IIS or a dummy ASP.NET HTTP.SYS app which is used just to enable HTTP.SYS to serve the static file to redirect (it can still be html, you don't need to write any ASP.NET code).
#7
Thanks Kudzu for your feedback! Yes, we do have wildcard SSL certificates for the cases I am looking at. I did some experiments on my own earlier and could successfully redirect from my main web application to a couple of other web applications, so for those I do not need any other solution as it looks like. This is my test code (hard-coded values will be replaced by values read from configuration if I complete this code):

Code:
// Runs for every request: compares the Host header against a list of old
// hostnames and answers with a 301 to the new path-based URL instead.
procedure TBaseClientServerController.IWServerControllerBaseExecuteRequest(const Url: string;
  Request: THttpRequest; aReply: THttpReply; var Handled: Boolean);

  // Note: ContainsText (System.StrUtils) is a case-insensitive substring test,
  // so any Host header that merely contains OldHost also matches.
  procedure CheckForOldHostToRedirect(const OldHost, RedirectBaseUrl: string);
  var
    RedirectUrl: string;
  begin
    if ContainsText(Request.Host, OldHost) then
    begin
      // Keep the original path and query string so deep links keep working
      RedirectUrl := RedirectBaseUrl + Request.PathInfo;
      if Request.Query <> EmptyStr then
        RedirectUrl := RedirectUrl + '?' + Request.Query;
      ReportInformation(SafeFormat('Host contains %s, redirecting to %s...', [OldHost, RedirectUrl]));
      aReply.SendRedirect(RedirectUrl, 301); // permanent redirect
      Handled := True; // stop IntraWeb from processing the request further
    end;
  end;

const
  HostCount = 2;
  OldHosts: array[1..HostCount] of string = ('m.mydomain.com', 'recipient.mydomain.com');
  RedirectBaseUrls: array[1..HostCount] of string = ('https://mydomain.com/m', 'https://mydomain.com/recipient');
var
  i: Integer;
begin
  for i := 1 to HostCount do
  begin
    CheckForOldHostToRedirect(OldHosts[i], RedirectBaseUrls[i]);
    if Handled then
      Break; // first matching host wins
  end;
end;

Please let me know if I should do this differently from within my IntraWeb application. We are investigating some other external solution for our non-intraweb applications, as it turns out that some existing clients for these services do not handle redirects properly.

Best regards

Magnus Oskarsson

PS. My other questions above remain.
#8
On a quick look the code looks decent, but I'll let Alexandre respond definitively.

What other questions remain specifically please?
#9
Questions from above:
1. Are there important changes for http.sys made between IW 15.1.15 and latest version (that e.g. could affect the shutdown issues I have seen)?
2. When using http.sys and Windows SSL functionality: is TLS version, available ciphers etc. strictly dependent on Windows OS version, or can you download specific update packages for older Windows versions? In particular, is the only way to get TLS 1.3 to use Windows Server 2022?
#10
Hi Magnus,

1- Yes, there are lots of changes. I suggest you install the latest IW in a VM using the same license. If you don't have a separate VM with Delphi installed, you can also install it in another folder (switching IW packages in the Delphi IDE is tricky though, but you can backup/restore the IDE packages if you don't feel like installing the old version again). Between IW 15.1.x and the latest 15.2.49 there is a sea of enhancements....

2- Regarding TLS 1.3: it can be enabled via registry settings in newer Windows Servers - the ones that didn't reach the End of support period - e.g. I'm positive that you can use TLS 1.3 in Windows Server 2016. However, it is not possible to use TLS 1.3 in Windows Server 2008R2.

But why do you need specifically TLS 1.3? TLS 1.2 is still considered safe and hasn't been deprecated for all that matters... It's perfectly acceptable to run anything on TLS 1.2.
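Added example for the Windows-side TLS question in this thread (not code from the thread, from IntraWeb or from Microsoft): a PowerShell check of the SChannel protocol settings that http.sys honours on a server, plus a helper that pins TLS 1.2 on explicitly. It assumes the standard SChannel registry layout; the function names are mine.

```powershell
# Added example: audit the server-side SChannel protocol settings that http.sys
# uses on this machine. Assumes the standard SChannel registry layout. A key for
# TLS 1.3 only takes effect on an OS whose SChannel implements TLS 1.3; creating
# the key does not add TLS 1.3 support to an older Windows version.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerProtocols {
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        $key   = Join-Path $base "$proto\Server"
        $state = 'OS default (no explicit setting)'
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            # Enabled=0 or DisabledByDefault=1 both keep the version out of
            # server-side negotiation for a default-configured listener.
            if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { $state = 'disabled' }
            elseif ($null -ne $p.Enabled)                       { $state = 'enabled' }
        }
        [pscustomobject]@{ Protocol = $proto; ServerState = $state }
    }
}

function Enable-SchannelServerProtocol {
    # Writes the two DWORDs SChannel reads; requires an elevated shell and a
    # reboot before the change is picked up.
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $base "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
}

# Report what the http.sys listeners on this box can currently negotiate.
Get-SchannelServerProtocols | Format-Table -AutoSize

# Pin TLS 1.2 on so the services do not depend on the per-OS default.
# Enable-SchannelServerProtocol -Protocol 'TLS 1.2'
```

Run the report on each server in the 2008R2 to 2019 range to see which versions are explicitly configured versus left at the OS default; the audit itself needs no elevation.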