Securing Xojo Standalone Web Apps

This guild will focus on implementing SSL for your Xojo standalone Web Edition applications on CentOS 7. Some of the commands may operate on other Operating Systems, but those will not be covered here. This will, regardless of Linux flavor, give you a general idea of what you need to do in order to secure communications with your Xojo-built web application via HTTPS.

  • A Xojo Web Edition project to secure
  • Domain Name for your application
  • CentOS 7
  • A working Xojo standalone Web Edition application

Webmin is a very nice package for server management that will make many of the operations detailed below a lot simpler, such as setting up a startup service for your app and setting up the renewal cron job. Be advised, though, that it does have a decent sized memory footprint and won't do well on Virtual Private Servers will very little resources.

The key to making all of this work for your standalone application while debugging is in the build settings. We have to provide a few additional command-line parameters for Xojo. These parameters will tell the binary to listen on the SSL port, and use the certificate file we'll be generating later.

  • In the Xojo Project Navigator, select “Shared” under “Build Settings”
  • In the Inspector on the right, you will now see “Command Line Arguments” in the “Debug” section
  • In the “Command Line Arguments” field, enter –secureport=<HTTPSPORT> –maxsecuresockets=<#SOCKETS>, replacing <HTTPSPORT> and <#SOCKETS> with values appropriate for your server. Also note that, in the above, is actually two dashes.

Before continuing, make sure your application runs on the server and setup a startup service for your application.

Installing Certbot

First, we must add the EPEL-Release repository to YUM by executing the following command:

yum -y install epel-release

Next, we'll execute the command to install certbot:

yum -y install certbot

Getting a Certificate

To register and retrieve the certificate for our purposes, we use the standalone method:

certbot certonly --standalone -d <YOURDOMAIN> --email <YOUREMAIL> --agree-tos

Assuming this has completed successfully, the necessary certificate files will be placed in /etc/letsencrypt/live/<YOURDOMAIN>/

Building the CRT File

Xojo Web Edition applications require a specific setup for your certificate. Assuming, in your Xojo Build Settings for Linux, that you've set your Linux App Name to “myApp”, you'll be combining the fullchain.pem and privkey.pem files from your /etc/letsencrypt/live/<YOURDOMAIN>/ directory in to a single file named “myApp.crt”. You can do this manually and transfer the file via SSH or FTP, or you can use the Linux cat command. In this example, we'll assume you want to use the Linux cat command.

The following command will properly concatenate the two files, and place the result in your web application's directory as specified by <PATHTOAPP>:

cat /etc/letsencrypt/live/<YOURDOMAIN>/fullchain.pem /etc/letsencrypt/live/<YOURDOMAIN>/privkey.pem > /<PATHTOAPP>/<APPNAME>.crt

Now you can start your Xojo Web Edition application, and it should be running in HTTPS mode on the port previously specified with a valid LetsEncrypt certificate.

Renewals

Your spiffy new LetsEncrypt certificate will expire every three months, meaning every three months (at least) you need to renew it. This can be done manually by using the following SSH commands:

certbot renew
cat /etc/letsencrypt/live/<APPDOMAIN>/fullchain.pem /etc/letsencrypt/live/<APPDOMAIN>/privkey.pem > /<PATHTOAPP>/<APPNAME>.crt

Or you can automate it with a cron job, which is the recommended method. It's simple enough to find instructions for cron automation, so we'll just cover the commands that your job needs to execute:

systemctl stop <APPSERVICENAME>
certbot renew
cat /etc/letsencrypt/live/<APPDOMAIN>/fullchain.pem /etc/letsencrypt/live/<APPDOMAIN>/privkey.pem > /<PATHTOAPP>/<APPNAME>.crt
systemctl start <APPSERVICENAME>
  • Last modified: 7 months ago
  • by agcyphers