The SWI-Prolog infrastructure provides two main ways to launch an HTTPS server:
library(http/thread_httpd), the server is started in HTTPS mode by adding an option
ssl/1to http_server/2. The argument of
ssl/1is an option list that is passed as the third argument to ssl_context/3.
library(http/http_unix_daemon), an HTTPS server is started by using the command line argument
Two items are typically specified as, respectively, options or additional command line arguments:
- server certificate. This identifies the server and acts as a public key for the encryption.
- private key of the server, which must be kept secret. The key may
be protected by a password. If this is the case, the server must provide
the password by means of the
pem_password_hookcallback or, in case of the Unix daemon, via the
--passwordcommand line options.
Here is an example that uses the self-signed demo certificates distributed with the SSL package. As is typical for publicly accessible HTTPS servers, this version does not require a certificate from the client:
:- use_module(library(http/thread_httpd)). :- use_module(library(http/http_ssl_plugin)). https_server(Port, Options) :- http_server(reply, [ port(Port), ssl([ certificate_file('etc/server/server-cert.pem'), key_file('etc/server/server-key.pem'), password("apenoot1") ]) | Options ]).
There are two hooks that let you extend HTTPS servers with custom definitions:
http:ssl_server_create_hook(+SSL0, -SSL, +Options): This extensible predicate is called exactly once, after creating an HTTPS server with Options. If this predicate succeeds,
SSLis the context that is used for negotiating all new connections. Otherwise,
SSL0is used, which is the context that was created with the given options.
http:ssl_server_open_client_hook(+SSL0, -SSL, +Options): This predicate is called before each connection that the server negotiates with a client. If this predicate succeeds,
SSLis the context that is used for the new connection. Otherwise,
SSL0is used, which is the context that was created when launching the server.
Important use cases of these hooks are running dual-stack RSA/ECDSA servers, updating certificates while the server keeps running, and tweaking SSL parameters for connections. Use ssl_set_options/3 to create and configure copies of existing contexts in these hooks.
The example file
https.pl also provides a server that
does require the client to show its certificate. This provides an
additional level of security, often used to allow a selected set of
clients to perform sensitive tasks.
Note that a single Prolog program can call http_server/2
with different parameters to provide services at several security levels
as described below. These servers can either use their own dispatching
or commonly use http_dispatch/1
and check the
port property of the request to verify they
are called with the desired security level. If a service is approached
at a too low level of security, the handler can deny access or use HTTP
redirect to send the client to to appropriate interface.
- A plain HTTP server at port 80. This can either be used for non-sensitive information or for redirecting to a more secure service.
- An HTTPS server at port 443 for sensitive services to the general public.
- An HTTPS server that demands for a client key on a selected port for administrative tasks or sensitive machine-to-machine communication.