#1 2015-08-26 06:05:36

wenli0202
Member
Registered: 2015-08-20
Posts: 3

Linux ssl

I would like to use an SSL REST server on Linux.
Is it possible to use the SecureBlackbox 3rd-party library?
How do I add SSL to TCrtSocket?

Offline

#2 2015-08-26 06:18:39

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,205
Website

Re: Linux ssl

I guess the easiest, especially on production, is to use a web proxy (e.g. nginx) which would serve the content using HTTPS.

BTW, NGINX would use IOCP, so would scale better than the thread-based server of mORMot for a high number of concurrent clients.

Offline

#3 2015-08-26 06:43:03

willo
Member
From: Cape Town, South Africa
Registered: 2014-11-15
Posts: 67
Website

Re: Linux ssl

Ab,

Is the FastCGI interface stable?

Offline

#4 2015-08-26 08:26:18

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,205
Website

Re: Linux ssl

Not yet. Any feedback is welcome.

I guess you would just use NGINX as a proxy, using the default mORMot socket server.
Performance may be a bit less than with FastCGI, but sockets are very fast locally under Linux.

Offline

#5 2015-08-26 15:21:28

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 330

Re: Linux ssl

I have used Apache for SSL/proxy for over a year. It's fast and stable.

Offline

#6 2015-08-27 03:44:38

wenli0202
Member
Registered: 2015-08-20
Posts: 3

Re: Linux ssl

ab,
thanks for your suggestion, I will try it.

Offline

#7 2016-11-15 14:54:17

edwinsn
Member
Registered: 2010-07-02
Posts: 1,215

Re: Linux ssl

@danielkuettner,

Can you provide some configuration snippets to show the big picture on using Apache/Nginx as a reverse proxy, to redirect http(s) requests to a mORMot-powered http server?

Thanks.


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.

Offline

#8 2016-11-15 15:07:03

edwinsn
Member
Registered: 2010-07-02
Posts: 1,215

Re: Linux ssl

OK, I found something useful: https://www.nginx.com/resources/admin-g … rse-proxy/

Just not sure if https requests can be redirected transparently to a mORMot-server that handles "http" only...

Last edited by edwinsn (2016-11-15 15:18:25)


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.

Offline

#9 2016-11-15 19:28:01

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,539
Website

Re: Linux ssl

Proxy pass in nginx passes everything transparently. You can even control this process if you need to.

Offline

#10 2016-11-16 21:56:20

Leslie7
Member
Registered: 2015-06-25
Posts: 248

Re: Linux ssl

edwinsn wrote:

OK, I found something useful: https://www.nginx.com/resources/admin-g … rse-proxy/

Just not sure if https requests can be redirected transparently to a mORMot-server that handles "http" only...

Incoming https can be forwarded to a mORMot server. But the connection has to be upgraded to http 1.1 to avoid performance issues.

This is an example with the required changes, which are the same for setting up both the http and https section.

Edit /etc/nginx/sites-enabled as root.

## Add upstream for keepalive
upstream http_backend {
    # ip:port for the backend servers
    server 127.0.0.1:8888;
    server 127.0.0.1:8889;
    # The number of inactive connections kept open. The oldest one is closed when the limit is reached.
    keepalive 100;
}

server {
    location /someurl {
        # Reference the upstream block by name, otherwise its keepalive pool is not used
        proxy_pass http://http_backend;
        # ....

        ## Add for keepalive START
        proxy_read_timeout     300;
        proxy_connect_timeout  300;

        # Default is HTTP/1.0, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;

        # Remove the Connection header if the client sends it,
        # it could be "close" to close a keepalive connection
        proxy_set_header Connection "";
        ## Add for keepalive END
    }
}

Last edited by Leslie7 (2016-11-16 22:00:08)

Offline

#11 2016-11-17 06:42:29

edwinsn
Member
Registered: 2010-07-02
Posts: 1,215

Re: Linux ssl

@Leslie7,

Very helpful! Clipped into evernote, thanks!


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.

Offline

#12 2016-11-17 09:43:13

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,539
Website

Re: Linux ssl

nginx configuration with load balancing (including sticky sessions required for mORMot authentication)

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    upstream mormotpool {
        ip_hash;  # sticky sessions!!! important for authentication to redirect user to the same server
        server 10.8.24.202:888; # mORMot server number 1
        server 10.8.24.203:888; # mORMot server number 2
    }

    server {
        listen       someIP:80;
        server_name  host.name;

        location / {
            proxy_pass http://mormotpool;
            proxy_set_header Host $http_host;
            # pass the real client IP address to the mORMot server. See http://synopse.info/forum/viewtopic.php?id=3644 for how to get it on the server side
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
        }
        location = /50x.html {
            root   html;
        }
    }
}

Last edited by mpv (2016-11-17 09:52:59)

Offline
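
The HTTPS side that the posts above describe, as an added example that is not part of any post in this thread and is not mORMot project configuration: nginx terminates TLS and forwards plain HTTP to a mORMot server over loopback. The host name api.example.com, the certificate paths, the upstream name mormot_backend and the backend port 8888 are placeholders chosen for illustration.

```nginx
# Added example. Placeholders (assumptions): api.example.com, the certificate
# paths, and a mORMot HTTP server listening on 127.0.0.1:8888 only.
# Place inside the http { } context, e.g. a file under sites-enabled.
upstream mormot_backend {
    server 127.0.0.1:8888;
    keepalive 32;                     # idle backend connections kept for reuse
}

# Plain HTTP: redirect only, so no request is proxied in clear text
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/ssl/certs/api.example.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/api.example.com.key;          # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1h;

    # Tell browsers to stay on HTTPS for this host
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass         http://mormot_backend;
        proxy_http_version 1.1;          # required for backend keepalive
        proxy_set_header   Connection "";

        proxy_set_header   Host              $host;
        # nginx is the edge here: overwrite instead of appending, so a
        # client-supplied X-Forwarded-For never reaches the backend
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

The backend can only trust X-Real-IP and X-Forwarded-Proto if nothing but nginx can reach it, so keep the mORMot port bound to loopback or firewalled from other hosts.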
