ServiceStack, Self Hosting and SSL


I’ve been exploring http://servicestack.net recently and redesigning our systems architecture around REST principles.  It’s looking good, but a lot to learn!

Additionally, the service that’s being developed will be self-hosted .NET (no IIS!) to help make testing and automated deployment easier.

Some gotchas I’ve found already:

When setting up the apphost, don’t forget the trailing slash: http://localhost:2013 won’t work, http://localhost:2013/ will!

If you want the service to listen on any host name, set the service up as http://*/ or, to include a port, http://*:2013/

If you want to do SSL then you need to read this article: http://blogs.msdn.com/b/jpsanders/archive/2009/09/29/walkthrough-using-httplistener-as-an-ssl-simple-server.aspx – I’m still working on it!


4 thoughts on “ServiceStack, Self Hosting and SSL”

    • Yes. The SSL tunnel is set up outside of the self-hosted app. A cert gets installed in the cert store, I then had a deployment script that set the tunnel up like this:

      netsh http add urlacl url=https://*:443/ user=XXX\XXXXXXX
      netsh http add urlacl url=http://*:80/ user=XXX\XXXXXXXX
      netsh http add sslcert ipport=0.0.0.0:443 certhash=XXXXXXXXXXXXXXXXXXXX appid={XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX}

      However, this only lasted so long. It worked well, but I have a pair of servers running and have a crud load balancer in front running HAProxy. The problem came when I wanted to look at the IP address of the requester, in particular deciding if it was internal or external. The only IP address that was coming through was that of the proxy server. We looked at adding headers and things, but because the contents were encrypted HAProxy couldn’t modify them.

      Therefore we took the step of putting an nginx-based server at the front; it handles the SSL tunnel. When a request is received it decrypts it, adds an X-Forwarded-For header containing the original IP address and passes the request back to the HAProxy for it to be given to one of the app servers. Sounds complicated but works a dream.

      • CrudMonkey

        Interesting 🙂 In no need of load balancing in my current scenario, and access will be restricted to clients configured in the firewall, so hopefully it will work with just the certificate setup.

        Thanks for the info!
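
The internal-or-external decision discussed in the comments above depends on reading X-Forwarded-For safely, since any client can send that header itself. The following is an added example, not code from the original post or its commenters; the proxy addresses, sample requests and the names `ClientIp`, `Resolve` and `IsInternal` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
static class ClientIp
{
    // Assumed addresses of the nginx and HAProxy hops (constructed values).
    static readonly HashSet<IPAddress> TrustedProxies = new HashSet<IPAddress>
        { IPAddress.Parse("10.0.0.10"), IPAddress.Parse("10.0.0.11") };
    // peer = address of the TCP connection; xff = raw X-Forwarded-For value, or null.
    // Returns null when the origin cannot be established.
    public static IPAddress Resolve(IPAddress peer, string xff)
    {
        // Anyone can send this header, so honour it only when our own proxy delivered it.
        if (!TrustedProxies.Contains(peer)) return peer;
        if (string.IsNullOrWhiteSpace(xff)) return null; // proxied, but origin not recorded
        // Each proxy appends the address it saw: walk right to left and stop at the
        // first hop that is not one of ours. Anything left of it is client-supplied.
        string[] hops = xff.Split(',');
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            IPAddress hop;
            if (!IPAddress.TryParse(hops[i].Trim(), out hop)) return null;
            if (!TrustedProxies.Contains(hop)) return hop;
        }
        return peer; // the chain contained only our proxies
    }

    public static bool IsInternal(IPAddress ip)
    {
        if (ip == null) return false; // unknown origin is treated as external
        if (IPAddress.IsLoopback(ip)) return true;
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        byte[] b = ip.GetAddressBytes(); // RFC 1918 private ranges
        return b[0] == 10 || (b[0] == 172 && b[1] >= 16 && b[1] <= 31) || (b[0] == 192 && b[1] == 168);
    }

    static void Main()
    {
        // Constructed samples: { TCP peer, X-Forwarded-For as received by the app }.
        var samples = new[] {
            new[] { "10.0.0.11", "203.0.113.7, 10.0.0.10" },            // normal path through both proxies
            new[] { "10.0.0.11", "10.0.5.20, 203.0.113.7, 10.0.0.10" }, // client sent its own header
            new[] { "198.51.100.9", "10.0.5.20" },                      // connection that bypassed the proxies
        };
        foreach (var s in samples)
            Console.WriteLine("{0} | {1} | internal={2}", s[0], s[1], IsInternal(Resolve(IPAddress.Parse(s[0]), s[1])));
    }
}
```

The right-to-left walk relies on the front proxy appending to an incoming X-Forwarded-For value or overwriting it, never passing a client-supplied value through unchanged.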
