Hello, I am a total newbie to SSL.
I would like to know if the following scenario is possible with TIcsProxy. I have a PostgreSQL 9.6.3 database server with SSL enabled. There are certificate files available. I would like to connect to the PostgreSQL server using TIcsProxy with SSL enabled. I would like my regular database connection components to use that connection as normal. However, communication will be encrypted.

Thanks & regards,
Ertan Küçükoğlu

-----Original Message-----
From: TWSocket [mailto:twsocket-boun...@lists.elists.org] On Behalf Of Angus Robertson - Magenta Systems Ltd
Sent: Friday, July 7, 2017 5:52 PM
To: email@example.com
Subject: [twsocket] New ICS Proxy Components

TIcsProxy is protocol agnostic and may be used to proxy any TCP protocol; the sample includes SMTP, POP3, NNTP and telnet. It may be used to allow non-SSL applications to access servers that require SSL such as forums.embarcadero.com.

TIcsHttpProxy is a full forward and reverse HTTP/HTTPS proxy with header and body parsing, processing host names and URLs to match the source and destination. It could potentially be used as a caching proxy but needs more events. It can be used to monitor HTTP connections. Reverse proxy targets may be selected according to partial paths, or using an event for more complex selection such as load sharing to multiple targets. Or it can be used to add SSL support to non-SSL servers. The HTTP proxy will uncompress received pages and/or compress pages returned by the proxy.

These components require USE_SSL to be set; there is no non-SSL version, but SSL is optional for sources and targets. The components support multiple sources and targets, with multiple ports and IP addresses. To an extent, data may be intercepted and changed by the proxy, provided the protocols are not broken. SSL server name identification is supported so multiple hosts can share the same server address and port.
A forward proxy generally runs on a client or gateway server, and browsers are configured to redirect all traffic to the proxy, which forwards it to the remote target in the URL, typically logging or examining that target and perhaps rejecting it. The browser may specify an authentication login and password, which the proxy sends to the onHttpPxyAuth event. For non-SSL traffic, the proxy processes requests and responses, which may be checked and manipulated if necessary. But the browser will send SSL traffic using the CONNECT method, which opens a direct connection to the remote server, and the proxy behaves as a transparent tunnel passing encrypted data back and forward, so requests and responses cannot be seen.

A reverse proxy generally runs in front of the remote web server, perhaps to provide SSL access to a non-SSL server, for load sharing between multiple servers, or to direct different URLs to different servers. Potentially, the proxy can cache static pages, but this is not implemented yet.

Proxy configuration is based on a concept of multiple sources and targets:

Source - TSslWSocketServer listening for incoming source connections, part of TIcsProxy, defined as a collection of IcsHosts. Each source can listen on two different IP addresses, BindIpAddr and BindIpAddr2 (perhaps IPv4 and IPv6), each with non-SSL BindNonPort and/or SSL BindSslPort. Multiple source clients can connect to each listening socket. Each source needs a unique HostTag alphabetic name, and one or more HostNames that match DNS and SSL certificate names. Each source should define Proto as HTTP or other, and ForwardProxy is true if that behaviour is required, otherwise reverse proxy is assumed. If SSL is used, an SSL certificate must also be specified that matches the HostNames, see below. Note IcsHosts is part of TSslWSocketServer and is used for other server components such as the web server.
Target - TSslWSocket that connects to a remote target destination, part of TProxyClient, at least one for each source client (unless ForwardProxy is defined), defined as a collection of ProxyTargets, each with a HostTag alphabetic name that must match a source in the IcsHosts collection, but for HTTP the request path may be examined and there may be multiple ProxyTargets. Each target specifies TarHost, TarPort and TarSsl as the remote target. If the target is SSL, the remote SSL certificate chain may be validated and reported according to the TCertVerMethod setting. The OnSetTarget event is called immediately before each remote target connection is started and may be used for logging, or TarHost, TarPort and TarSsl may be changed to alter the target for this connection only. If TarPort is zero, the source port and SSL method are copied for the target.

Once source and target are connected, traffic from source is sent to target, and vice versa. The proxy receives data in a temporary TBytes buffer of size RxBuffSize (default 64K). For HTTP, entire request and response headers are saved into a String for ease of processing and each line parsed into THttpProxyClient RequestXX and ResponseXX properties. The event handlers onHttpReqHdr and onHttpRespHdr allow the complete headers to be logged or changed, with care because changes may break the proxy or protocol. If the target specifies UpdateHttp, the proxy may modify the Location, Host and Referrer headers from and to the source and target host names, ports and http/https, so the HTTP protocol works correctly. If UpdateHtml is specified, textual body content also has absolute URLs modified similarly, with the header page length modified if the content length changes.
To modify bodies, the proxy needs to read the entire body first, which requires local memory and also delays the response to the source and might cause a timeout, so body size is restricted by the HttpMaxBody setting, defaulting to 10MB, the assumption being that larger textual bodies will not contain absolute server links. If the onHttpRespBody event is set, it will be called with the body, but note only for textual bodies smaller than HttpMaxBody.

To support SSL sources, the SslCert property should ideally be set to the SSL certificate bundle file name in PEM, PFX or P12 format that also includes the private key and any intermediate certificates required. But SslCert also accepts a bundle as Base64 encoded ASCII. SslPassword should be set to the private key password, if required. If SslCert only specifies a PEM, DER or PK7 certificate, SslKey and SslInter may be used to specify the private key and intermediate bundle file names (or ASCII versions). SslSrvSecurity sets TSslSrvSecurity, which may stop low security protocols or certificates being used.

There is an ICS sample application OverbyteIcsProxySslServer that illustrates the use of TIcsHttpProxy. It reads all its settings from an INI file, using three functions in the main ICS components: IcsLoadIcsHostsFromIni in OverbyteIcsWSocketS.pas, and IcsLoadProxyTargetsFromIni and IcsLoadTIcsHttpProxyFromIni in this proxy unit. The sample INI file is OverbyteIcsProxySslServer.ini with several source and target sections. So the application just needs to open an INI file and these three functions will read all necessary settings. This is all optional; the application could keep settings in XML or the registry and set up the proxy collection properties directly. But using the same INI settings will ease adding future functionality to the proxy with minimal application changes.
--
To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
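As an added example (not code from the ICS sample or from either poster), this configures the source/target pair the announcement describes for the "non-SSL client to SSL-only server" case, using the collection properties it names and binding the unencrypted leg to loopback only. It assumes the TIcsHost and TProxyTarget class names, the Add methods of the two collections, and the CertVerBundle value of TCertVerMethod; it also assumes the target speaks TLS from the first byte, which a plain TLS-wrapped port does but a protocol that negotiates TLS inside its own handshake (PostgreSQL's SSLRequest message, for instance) does not.

```pascal
{ Added example, not ICS sample code. Class names TIcsHost/TProxyTarget,
  the Add methods and the CertVerBundle enum value are assumed. }
uses
  SysUtils, OverbyteIcsWSocketS, OverbyteIcsProxy;

procedure ConfigureSslBridge(Proxy: TIcsProxy; const CaBundle: String);
var
  Host: TIcsHost;
  Target: TProxyTarget;
begin
  { Source: plain TCP listener on the loopback address only, so the
    unencrypted leg is never reachable from the network. }
  Host := Proxy.IcsHosts.Add;
  Host.HostTag := 'SSLBRIDGE';            // must match the target below
  Host.HostNames.Text := 'localhost';
  Host.BindIpAddr := '127.0.0.1';
  Host.BindNonPort := 18443;              // constructed local port
  Host.BindSslPort := 0;                  // no SSL on the source side
  Host.Proto := 'other';                  // protocol agnostic, not HTTP
  Host.ForwardProxy := False;             // reverse proxy: fixed target

  { Target: the SSL-only remote server. TarSsl makes the proxy perform the
    TLS handshake on the client's behalf. }
  Target := Proxy.ProxyTargets.Add;
  Target.HostTag := 'SSLBRIDGE';
  Target.TarHost := 'ssl.example.com';    // constructed target name
  Target.TarPort := 443;
  Target.TarSsl := True;

  { Validate the remote certificate chain against a trusted CA bundle rather
    than accepting any certificate; otherwise the proxy would silently bridge
    the local client to whoever answers at TarHost. Assumed to be a proxy-level
    setting, as the announcement only names the TCertVerMethod type. }
  Proxy.CertVerMethod := CertVerBundle;
  Proxy.RootCA := CaBundle;               // assumed property name
end;
```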