#1 2022-07-09 10:28:41

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Native TLS Support for mORMot 2 REST or WebSockets Servers

TlsServer.png

Since the beginning, we delegated the TLS encryption support to a reverse proxy server, mainly Nginx. Under Windows, you could setup the http.sys HTTPS layer as usual, as a native - even a bit complicated - solution.

Nginx has several advantages, the first being a proven and efficient technology, with plenty of documentation and configuration tips. It interfaces nicely with Let's Encrypt, and is very good for any regular website, using static content and PHP. This very blog and the Synopse web site is hosted via Ngnix on a small Linux server.

But in mORMot 2, we introduced a new set of asynchronous web server classes. So stability and performance are not a problem any more. Some benchmarks even consider this server to be faster than nginx (the stability issue mentioned in this post has been fixed in-between).

We just introduced TLS support of our socket-based servers, both the blocking and asynchronous classes. It would use OpenSSL if available, or the SChannel API layer of Windows. Serving HTTPS or WSS with a self-signed certificate is just a matter of a single parameter now, and performance seems pretty good, especially with OpenSSL.


This is the discussion forum thread for the following blog article:
https://blog.synopse.info/?post/2022/07 … WebSockets

Offline

#2 2022-07-10 03:55:34

edwinsn
Member
Registered: 2010-07-02
Posts: 1,218

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

Great job and congratulations!


Delphi XE4 Pro on Windows 7 64bit.
Lazarus trunk built with fpcupdelux on Windows with cross-compile for Linux 64bit.

Offline

#3 2022-07-10 05:32:51

Leslie7
Member
Registered: 2015-06-25
Posts: 248

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

Another excellent step ahead! smile smile

Is the server side ready for Android, IOS?
(I know, who runs a server on mobile? But in some of my use cases it does make sense. smile  )

Last edited by Leslie7 (2022-07-10 07:49:45)

Offline

#4 2022-07-10 18:58:36

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 357

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

After updating mORMot2 (last version was from April or May) I get errors (10053) when using remote-logger under Win32/Delphi 10.4.
The remote-logger runs on the same Win2019 machine as the mORMot2 service.
Under linux/fpc I can't see this error.
Perhaps the remote-logger is closing the socket because of a wrong header. Let me know if I can test something. The remote-logger is compiled from the samples of mORMot1.

Offline

#5 2022-07-10 20:12:00

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

@Leslie7
It should work with Android with FPC, because at least it compiles with it - but I didn't test the result.

@daniel
Weird, can you debug a little more and see what may be wrong?
What is the exact header issue?
Are you sure the sent header supplied is in the write format? (try with trim and with trim + #13#10)

Offline

#6 2022-07-11 07:35:53

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 357

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

The header is always empty (='').

In mormot.net.sock line 3442 F.BufPtr has following value:

'HTTP/1.1 200 OK'#$D#$A'X-Powered-By: mORMot 1.18 synopse.info'#$D#$A'Server: mORMot (Windows)'#$D#$A'Content-Length: 0'#$D#$A'Content-Type: application/json; charset=UTF-8'#$D#$A'Accept-Encoding: synlz,gzip'#$D#$A'Connection: Keep-Alive'#$D#$A#$D#$A'0627055'

and size is 1024 (always).

In error case sock has following value:

($3A8, '127.0.0.1', '8091', '', '', $36EE460, nil, 30000, 91406, 134278, nil, 0, False, nlTcp, 'PUT /LogService/RemoteLog HTTP/1.1'#$D#$A'Host: 127.0.0.1:8091'#$D#$A'Accept: */*'#$D#$A'User-Agent: Mozilla/5.0 (Win; mORMot 2.0.3606 HCS)'#$D#$A'Keep-Alive: 20000'#$D#$A'Connection: Keep-Alive'#$D#$A'Content-Length: 24'#$D#$A'Content-Type: application/json; charset=UTF-8'#$D#$A#$D#$A'20220711 07315309  +    '#9'02.498.812'#$D#$A'20220711 07303732  -    02.498.840Answer Interface=200 out=15 B in 2.49s'#$D#$A'20220711 07303732 ret   '#9#9'mormot.rest.server.TRestServerRoutingRest(0a167520) {"result":[[]]}swer in=75 B'#$D#$A'20220711 07303501 call  '#9#9'uRestServerDB.TSOneRestServerDB(03028dd0) IIntranet.PollWebRTCAnswer{"Params":{"user":"daniel","accesskey":"fc4eb1e37cf603a315a40e13e533c3a6"}} ENetSock {Message:"THttpClientSocket.SockRecvLn error 10053 after 0 chars"} [TRemoteLog LogService] at 6ac915  '#$D#$A'20220711 07241519 srvr  '#9#9' 192.168.1.214 POST root/Intranet.PollWebRTCAnswer Interface=200 out=15 B in 23.03s'#$D#$A'20220711 07241519 ret   '#9#9'mormot.rest.server.TRestServerRoutingRest(0a167520) {"result":[[]]}'#$D#$A'20220711 07241519  -    '#9'23.037.594'#$D#$A'20220711 07241519  -    23.037.624cf603a315a40e13e533c3a6"}}'#$D#$A'20220711 06555037 srvr  '#9#9' 192.168.1.214 POST root/Intranet.PollWebRTCAnswer Interface=200 out=15 B in 4.81ms'#$D#$A'20220711 06555037 ret   '#9#9'mormot.rest.server.TRestServerRoutingRest(0a1670a0) {"result":[[]]}'#$D#$A'20220711 06555037  -    '#9'00.004.826'#$D#$A'20220711 06555037  -    00.004.851'#$D#$A'20220711 06562747 EXC   ENetSock {Message:"THttpClientSocket.SockRecvLn error 10053 after 0 chars"} [TRemoteLog LogService] at 6ac915  [TRemoteLog LogService] at 6ac915  0220711 06512160  -    '#9'00.654.069'#$D#$A'20220711 06512160  -    00.654.089'#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0#0

In such cases len = -1 (line 1858 mormot.net.sock)

Perhaps it has nothing to do with updates of mORMot2, but with the body of my request. But I don't know how to get it.

Last edited by danielkuettner (2022-07-11 08:59:08)

Offline

#7 2022-07-11 14:40:32

danielkuettner
Member
From: Germany
Registered: 2014-08-06
Posts: 357

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

Now I've debugged in LogViewer and first, procedure THttpServerResp.Execute was called periodically, but after I've added a log entry for it, it won't called for a while and the error 10053 is also away in that time window. After it will be called, error 10053 is coming up.

Last edited by danielkuettner (2022-07-11 16:06:12)

Offline

#8 2022-07-11 20:28:01

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

What is weird is clearly Content-Length: 0 with some content afterwards.

Offline

#9 2022-07-28 12:07:53

Geziel
Member
Registered: 2014-12-11
Posts: 7

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

This is wonderful, congratulations and thanks.

I have a server running over http.sys on windows, but I'm starting a move to linux and I intend to use mormot 2. It really looks like fantastic.

One problem I have with htttp.sys is not being able to use more than one certificate on the same IP/port. So I use lets encrypt to issue certs with multiple domains. This works, but my clients don't really like to share the certificate.

Is there any way to solve this with mormot 2?

Example:

     domain-A.com -> use cert 1 for [domain-A.com, blog.domain-A.com, api.domain-A.com]
api.domain-A.com -> use cert 1 for [domain-A.com, blog.domain-A.com, api.domain-A.com]

     domain-B.com -> use cert 2 for [domain-B.com]

Offline

#10 2022-07-28 12:36:22

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

Isn't it a http.sys routing and TLS issue?
I guess you should search the net about this, and I am sure you may find the solution.
Within mORMot, there is no such thing as a certificate for http.sys.

Or do you mean that you want a single mORMot 2 server on Linux publishing several domains?
In this case, I would use nginx as reverse proxy front-end, and communicate over Posix Sockets between nginx and mORMot.
Such a configuration is easy with nginx, including Let's Encrypt support.

Offline

#11 2022-07-28 12:54:14

Geziel
Member
Registered: 2014-12-11
Posts: 7

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

Yes, I want a single mormot server on linux. In that case I will use nginx as you suggested. I was just curious to know if it's possible, mainly due to mormot's excellent performance.

Offline

#12 2022-07-31 14:38:19

Geziel
Member
Registered: 2014-12-11
Posts: 7

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

ab wrote:

...
In this case, I would use nginx as reverse proxy front-end, and communicate over Posix Sockets between nginx and mORMot.
Such a configuration is easy with nginx, including Let's Encrypt support.

Ab, I'm following your advice and studying nginx...  Do you think FastCGI is a way to go?

Offline

#13 2022-07-31 15:10:46

tbo
Member
Registered: 2015-04-20
Posts: 353

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

Geziel wrote:

Ab, I'm following your advice and studying nginx...  Do you think FastCGI is a way to go?

Better use Caddy Server. Caddy is fast, secure and easy to configure. Write the following caddyfile:

yourdomain.com {
  reverse_proxy localhost:12345
}

Then run the mORMot server on this port. With these lines everything runs over https. Caddy automatically gets a certificate from Let's Encrypt and also manages (renews) it.

With best regards
Thomas

Offline

#14 2022-07-31 19:07:44

Geziel
Member
Registered: 2014-12-11
Posts: 7

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

tbo wrote:

...
Better use Caddy Server. Caddy is fast, secure and easy to configure. Write the following caddyfile:

yourdomain.com {
  reverse_proxy localhost:12345
}

Then run the mORMot server on this port. With these lines everything runs over https. Caddy automatically gets a certificate from Let's Encrypt and also manages (renews) it.

With best regards
Thomas


Thank you Thomas. I had never heard of it before but looks quite interesting! Is the performance comparable to nginx?

Offline

#15 2022-07-31 19:23:56

tbo
Member
Registered: 2015-04-20
Posts: 353

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

Geziel wrote:

Is the performance comparable to nginx?

I have not done my own tests on this and before Caddy I only had experience with Apache. I have read reports that Nginx was slightly ahead of Caddy. My own opinion is that Caddy is very fast and easy to administer. That is the most important thing for me.

With best regards
Thomas

Last edited by tbo (2022-07-31 19:24:24)

Offline

#16 2022-07-31 19:34:30

igors233
Member
Registered: 2012-09-10
Posts: 241

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

Interesting, especially for auto renewing from LetsEncrypt, does it work on Windows as well?

Offline

#17 2022-07-31 19:56:15

tbo
Member
Registered: 2015-04-20
Posts: 353

Re: Native TLS Support for mORMot 2 REST or WebSockets Servers

igors233 wrote:

Interesting, especially for auto renewing from LetsEncrypt, does it work on Windows as well?

I also have a server running Window Server 2019 and have not encountered any problems. Caddy manages certificates completely by itself. I have never had to worry about it. Before I had to do every single step myself. Caddy is brilliant.

With best regards
Thomas

Offline

Board footer

Powered by FluxBB