/ISAPIGate

ISAPI routes HTTPS requests to http-only webserver(s)

Primary LanguagePascalMIT LicenseMIT

ISAPIGate - Http/Https gateway ISAPI

Description

tl;dr Delphi ISAPI http/https gateway to remote http server(s).

ISAPI is one of the first Microsoft specifications for IIS webserver applications. The script executable is a native DLL that implements standard functions, called by IIS. Since it is pre-compiled, ISAPI applications are efficient and safe.

ISAPIGate receives http requests ( uri + headers + post content), connects to the specified remote server using a plaintext socket and passes on the request. Contents returned by remote server are sent to the client (response headers + content). The remote server can be either on a different host or same host on a different port.

ISAPIGate is from 2002, an old style but time proven ISAPI application.
Originally it was ported from a C sample, hence the C style. It is from before VCL's ISAPI support, so it uses a custom ISAPI implementation.

Another attribute of ISAPI applications: the API doesn't change, so it is rarely broken :)

ISAPIGate uses

  • Route secure https requests to http-only web servers.
  • Run web applications on separate web servers while using the same IIS server as portal ( and sharing the SSL certificate )

Secure https protocol is preferred over plaintext http for downloads. Mobile operating systems recommend or require using https in apps. Connections with a server with certified name are more reliable and safer. But if you - like me - has a custom webserver that runs as a separate executable, chances are it does not support https transfers :(

Routing files

With ISAPIGate, the remote server is selected using a numeric ID inside the URI.

 usage example: 
 URL = https://www.myserver.com/scripts/ISAPIGate.dll/1/path?querystr
 In this example, server id='/1' translates to '127.0.0.1:8080'  ( localhost )
 So file http://127.0.0.1:8080/path?querystr is returned.

ISAPIGate can route requests to multiple remote servers.

For security, only registered remote servers can be connected. The remote server table is hard-coded inside ISAPIGate.dpr. To change the table, edit source and recompile ISAPIGate.dll. This makes if more difficult for someone to hack the routing table, I suppose. Note that changing ISAPIGate.dll requires stopping the server, so it is not for frequent changes.

Any kind of content can be routed: text, images, binary files.

In order to fetch a file, the 1st segment of the path is removed and the path?querystr is passed on to the remote host, along with http request headers. That includes cookies, authorization and other headers.

Connection to the remote server uses old style sockets (WinSock). Response is progressive, with bytes delivered as received.

Project is small: only 2 source files ISAPIGate.dpr and HttpGateUtils.pas

Current version was tested with Delphi 10.4.1, Windows Server 2016 and IIS 10.0 Compiled as a Win32 DLL ( must enable IIS Win32 ISAPIs )

ISAPIGate security

Note that ISAPIGate connects to the remote server(s) using an unencrypted socket. Security of the channel stops at this point.

  <Internet> <-------http/https------> | <ISAPIGate> <------http-------> <remote server>    
                                       ^ firewall

Security tips:

  • The remote server is supposed to be inside your network.
  • Don't gateway to servers over the internet.
  • Don't gateway to servers you don't control.

Configure the firewall to protect the channel from the jungle outside.

IIS Configuration

There are some steps to configure Windows IIS to run ISAPI scripts. Those depend on IIS version, so I will not go into details here. There are many tutorials on the internet, depending on IIS and Windows version.

Basically you have to:

1- If running the remote server(s) on the same host as IIS, but on a different port, remember to close that server port for outside access on the firewall. This way all outside access goes thru ISAPIGate.

2- Install IIS ISAPI support if not installed by default.

3- Create /scripts folder

  deploy c:\scripts_path\ISAPIGate.dll
  Open Internet Information Services Manager application:
  Select webserver main node, right-click >Add Application
  Set application properties:
    Virtual Path= /scripts
    Application pool= www.yourdomain.com
    Physical Path= c:\scripts_path\
    Preload Enabled= false
    Enabled protocols= http     (for http and https. If you want https only, set to https)

4- Enable 32-Bit ISAPI:

  On Internet Information Services Manager application:
  Select Applications Pools
  Select www.yourdomain.com
  right-click and select Advanced Settings
  set Enable 32-bit Application to True  

5- Create ISAPIGate restriction:

  On Internet Information Services Manager application:
  Select server >ISAPI and CGI Restrictions>  click Open Feature
  Add ISAPI extension
    Description= ISAPIGate
    Restriction= Allowed
    Path= c:\scripts_path\ISAPIGate.dll  

6- Set IIS application pool to be reset periodically (p.e. daily) to avoid application failure by heap fragmentation.