#1 2017-12-18 08:47:29

edwinsn
Member
Registered: 2010-07-02
Posts: 1,218

What would it take for mORMot to directly support HTTPS on Linux?

Today I came across this Go snippet, which directly supports HTTPS (via Let's Encrypt) on the server side. Quite interesting, so I thought I'd post it here as food for thought.

package main

import (
    "crypto/tls"
    "log"
    "net/http"

    "golang.org/x/crypto/acme/autocert"
)

func main() {
    // autocert obtains and renews certificates from Let's Encrypt automatically
    certManager := autocert.Manager{
        Prompt:     autocert.AcceptTOS,
        HostPolicy: autocert.HostWhitelist("example.com"), // your domain here
        Cache:      autocert.DirCache("certs"),            // folder for storing certificates
    }

    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte("Hello world"))
    })

    server := &http.Server{
        Addr: ":443",
        TLSConfig: &tls.Config{
            // certificate is selected (and fetched if needed) per TLS handshake
            GetCertificate: certManager.GetCertificate,
        },
    }

    // key and cert are coming from Let's Encrypt, so no files are passed here;
    // log.Fatal makes a failed listen visible instead of silently exiting
    log.Fatal(server.ListenAndServeTLS("", ""))
}

https://stackoverflow.com/a/40494806/133516

update 1: Synapse can do HTTPS on the server side: http://synapse.ararat.cz/doku.php/publi … ttpsserver

Last edited by edwinsn (2017-12-18 08:51:45)


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.


#2 2017-12-18 13:01:06

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,571

Re: What would it take for mORMot to directly support HTTPS on Linux?

IMHO exposing a mORMot on Linux directly to the Web is a bad idea. On Windows many of the attacks are prevented by the HTTP.SYS driver (every time I look at the http.sys logs on production I see thousands of attack attempts). For a Linux production environment I recommend using a reverse proxy in front of mORMot (nginx for example) and letting it do HTTPS termination + Let's Encrypt certificate renewal + handling statics + header rewriting + throttling + etc.


#3 2017-12-18 13:33:50

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,669

Re: What would it take for mORMot to directly support HTTPS on Linux?

Yes, we recommend (and use) an nginx front-end for HTTPS and certificate renewal.
Let's Encrypt setup is very easy - see e.g. this tutorial.

We used it even with an http.sys server, to be honest, since it is easier to have a single front-end proxy machine with its own Let's Encrypt domain name, in a DMZ, with URI redirection to the actual mORMot servers, in a safe/closed internal network.
Of course, if you expect a lot of traffic, serving the HTTPS content directly from http.sys could be set up, but it will need its own certificate.

Another advantage of using a single front-end proxy server, with a single domain name, is that you don't need to enable CORS for JavaScript clients, since everything will come from a single nginx front-end.
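As an added illustration of the setup described in this thread (not a configuration from the mORMot project or from any poster), here is an nginx front-end that terminates HTTPS with a Let's Encrypt certificate, serves static files itself, throttles per client IP and forwards only the REST URI prefix to a mORMot server on the internal side. The domain api.example.com, the certbot certificate paths, the backend address 127.0.0.1:8080, the model root "root" and the static directory are all assumptions.

```nginx
# Added example, not from the thread or mORMot: nginx terminates HTTPS in front of mORMot.
# Assumed: domain api.example.com, certbot certs under /etc/letsencrypt/live/api.example.com/,
# mORMot on 127.0.0.1:8080 with model root "root", static files in /var/www/static.

# one request-rate bucket per client IP: crude throttling of abusive clients
limit_req_zone $binary_remote_addr zone=mormot:10m rate=20r/s;

upstream mormot_backend {
    server 127.0.0.1:8080;   # mORMot itself is never reachable from outside
    keepalive 32;
}

server {
    listen 80;
    server_name api.example.com;

    # Let's Encrypt HTTP-01 challenge stays on plain HTTP (certbot webroot mode)
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }

    # everything else is redirected to HTTPS
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # static content is served by nginx, never by mORMot
    location /static/ { alias /var/www/static/; }

    # REST calls go to mORMot; same origin as the static files, so no CORS needed
    location /root/ {
        limit_req zone=mormot burst=40 nodelay;
        proxy_pass http://mormot_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout the mORMot process binds only to the loopback address, so the client IP it sees is nginx's and the real one has to be read from the X-Real-IP / X-Forwarded-For headers if the application needs it.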


#4 2017-12-18 14:44:58

edwinsn
Member
Registered: 2010-07-02
Posts: 1,218

Re: What would it take for mORMot to directly support HTTPS on Linux?

Thanks for your comments, very helpful!


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.

