Hello,

I am a total newbie to SSL.

I would like to know if following scenario is possible with TIcsProxy.

I have a PostgreSQL 9.6.3 database server with SSL enabled.
There are certificate files available.
I would like to connect to the PostgreSQL server using TIcsProxy with SSL enabled.
I would like my regular database connection components to use that
connection as normal. However, communication will be encrypted.

Thanks & regards,
Ertan Küçükoğlu



-----Original Message-----
From: TWSocket [mailto:twsocket-boun...@lists.elists.org] On Behalf Of Angus
Robertson - Magenta Systems Ltd
Sent: Friday, July 7, 2017 5:52 PM
To: twsocket@lists.elists.org
Subject: [twsocket] New ICS Proxy Components

TIcsProxy is protocol agnostic and may be used to proxy any TCP protocol,
the sample includes SMTP, POP3, NNTP and telnet. It may be used to allow
non-SSL applications to access servers that require SSL such as
forums.embarcadero.com.

TIcsHttpProxy is a full forward and reverse HTTP/HTTPS proxy with header and
body parsing and processing host names and URLs to match the source and
destination. Could potentially be used as a caching proxy but needs more
events.  Can be used to monitor HTTP connections.
Reverse proxy targets may be selected according to partial paths, or using
an event for more complex selection such as load sharing to multiple
targets.  Or it can be used to add SSL support to non-SSL servers.  The HTTP
proxy will uncompress received pages and/or compress pages returned by the
proxy.

These components require USE_SSL to be set, there is no non-SSL version, but
SSL is optional for source and targets.  The components support multiple
sources and targets, with multiple ports and IP addresses.  To an extent,
data may be intercepted and changed by the proxy, provided the protocols are
not broken.  SSL server name identification is supported so multiple hosts
can share the same server address and port.

A forward proxy generally runs on a client or gateway server, and browsers
are configured to redirect all traffic to the proxy, which forwards it to
the remote target in the URL, typically logging or examining that target and
perhaps rejecting it.  The browser may specify authentication login and
password, which the proxy sends to the onHttpPxyAuth event.  For non-SSL
traffic, the proxy processes requests and responses which may be checked and
manipulated if necessary.  But the browser will send SSL traffic using the
CONNECT method which opens a direct connection to the remote server and the
proxy behaves as a transparent tunnel passing encrypted data back and
forward, so requests and responses can not be seen.

A reverse proxy generally runs in front of the remote web server, perhaps to
provide SSL access to a non-SSL server, for load sharing between multiple
servers, or to direct different URLs to different servers.  Potentially, the
proxy can cache static pages, but this is not implemented yet.

Proxy configuration is based on a concept of multiple sources and
targets:

Source - TSslWSocketServer listening for incoming source connections, part
of TIcsProxy, defined as a collection of IcsHosts.  Each source can listen
on two different IP addresses BindIpAddr and BindIpAddr2 (perhaps IPv4 and
IPv6) each with non-SSL BindNonPort and/or SSL BindSslPort.  Multiple source
clients can connect to each listening socket.  Each source needs a unique
HostTag alphabetic name, and one or more HostNames that match DNS and SSL
certificate names.
Each source should define Proto as HTTP or other, and ForwardProxy is true
if that behaviour is required otherwise reverse proxy is assumed.  If SSL is
used, an SSL certificate must also be specified that matches the HostNames,
see below.  Note IcsHosts is part of TSslWSocketServer and is used for other
server components such as the web server.

Target - TSslWSocket that connects to a remote target destination, part of
TProxyClient, at least one for each source client (unless ForwardProxy is
defined), defined as a collection of ProxyTargets, each with a HostTag
alphabetic name that must match a source in the IcsHosts collection, but for
HTTP the request path may be examined and there may be multiple
ProxyTargets.  Each target specifies TarHost, TarPort and TarSsl as the
remote target.  If the target is SSL, the remote SSL certificate chain may
be validated and reported according to the TCertVerMethod setting.  The
OnSetTarget event is called immediately before each remote target connection
is started and may be used for logging or TarHost, TarPort and TarSsl may be
changed to alter the target for this connection only.  If TarPort is zero,
the source port and SSL method are copied for the target.

Once source and target are connected, traffic from source is sent to target,
and vice versa.  The proxy receives data in a temporary TBytes buffer of
size RxBuffSize (default 64K).  For HTTP, entire request and response
headers are saved into a String for ease of processing and each line parsed
into THttpProxyClient RequestXX and ResponseXX
properties.  The event handlers onHttpReqHdr and onHttpRespHdr allow
the complete headers to be logged or changed, with care because changes may
break the proxy or protocol.

If the target specifies UpdateHttp, the proxy may modify the Location, Host
and Referrer headers from and to the source and target host names, ports and
http/https, so the HTTP protocol works correctly.

If UpdateHtml is specified, textual body content also has absolute URLs
modified similarly, with the header page length modified if the content
length changes.  To modify bodies, the proxy needs to read the entire body
first which requires local memory and also delays response to the source
that might cause a timeout, so body size is restricted by the HttpMaxBody
setting, defaulting to 10MB, the assumption being larger textual bodies will
not contain absolute server links.  If the onHttpRespBody event is set, it
will be called with the body, but note only for textual bodies smaller than
HttpMaxBody.

To support SSL sources, the SslCert property should ideally be set the SSL
certificate bundle file name in PEM, PFX or P12 format that also includes
the private key and any intermediate certificates required.
But SslCert also accepts a bundle as Base64 encoded ASCII. SslPassword
should be set to the private key password, if required.   If SslCert
only specifies a PEM, DER or PK7 certificate, SslKey and SslInter may be
used to specify the private key and intermediate bundle file names (or ASCII
versions).  SslSrvSecurity sets TSslSrvSecurity which may stop low security
protocols or certificates being used.

There is an ICS sample application OverbyteIcsProxySslServer that
illustrates the use of TIcsHttpProxy.  It reads all its settings from an
INI file, using three functions in the main ICS components,
IcsLoadIcsHostsFromIni in OverbyteIcsWSocketS.pas, and
IcsLoadProxyTargetsFromIni and IcsLoadTIcsHttpProxyFromIni in this proxy
unit.  The sample INI file is OverbyteIcsProxySslServer.ini with several
source and target sections. So the application just needs to open an INI
file and these three functions will read all necessary settings.  This is
all optional, the application could keep settings in XML or the registry and
set-up the proxy collection properties directly. But using the same INI
settings will ease adding future functionality to the proxy with minimal
application changes.

--
To unsubscribe or change your settings for TWSocket mailing list please goto
http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
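As an added example, not ICS code and not the real layout of OverbyteIcsProxySslServer.ini (the [SourceN]/[TargetN] section names are assumed here), a small Python check of the source/target rules described above: HostTags unique and alphabetic, each ProxyTarget naming an existing source, every reverse-proxy source having a target, and an SSL listener having an SslCert. The constructed sample models the PostgreSQL question as a non-SSL local listener relaying to an SSL target.

```python
import configparser

# Constructed sample with an assumed [SourceN]/[TargetN] layout (not the ICS INI).
SAMPLE_INI = """
[Source1]
HostTag=PGPROXY
HostNames=localhost
BindIpAddr=127.0.0.1
BindNonPort=5433
ForwardProxy=False
[Target1]
HostTag=PGPROXY
TarHost=db.example.test
TarPort=5432
TarSsl=True
[Source2]
HostTag=WEB
BindSslPort=443
ForwardProxy=False
SslCert=
"""

def check_config(text):
    """Return the list of rule violations; an empty list means consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    problems, sources, targeted = [], {}, set()
    for name in cp.sections():
        if not name.lower().startswith("source"):
            continue
        s = cp[name]
        tag = s.get("HostTag", "")
        if not tag.isalpha() or tag in sources:
            problems.append(f"{name}: HostTag must be unique and alphabetic")
        sources[tag] = s
        # An SSL listener needs a certificate bundle matching its HostNames.
        if s.getint("BindSslPort", 0) and not s.get("SslCert"):
            problems.append(f"{name}: BindSslPort set but no SslCert")
    for name in cp.sections():
        if not name.lower().startswith("target"):
            continue
        tag = cp[name].get("HostTag", "")
        if tag in sources:
            targeted.add(tag)
        else:
            problems.append(f"{name}: HostTag {tag} matches no source")
    for tag, s in sources.items():
        if not s.getboolean("ForwardProxy", False) and tag not in targeted:
            problems.append(f"source {tag}: reverse proxy needs a ProxyTarget")
    return problems
```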