I have an ASP.net MVC app running on Azure App Service ... I've searched for the answer, but have not found it ... my app seems to always force HTTPS redirect, no matter what. All the docs say it should serve content via HTTP by default, but it does not. Most everyone has the opposite problem of needing to redirect HTTP to HTTPS.
I need Azure App Service to do the following:
1) Serve static Default.htm page via HTTP, without redirecting to HTTPS
My app has a custom domain and no SSL for the custom domain. I want the URL http://example.com/Default.htm to serve the static page, not redirect to HTTPS to serve the static page. I will use azurewebsites domain when I want users to be in HTTPS. I want to use my custom domain name to serve a static home page for users arriving at my site.
As far as I can determine, I do not have any app extensions installed (such s https redirect extension), or anything in web.config to force https, or any RequireHTTPS attributes ... can anyone explain why plain old regular boring HTTP doesn't work here?
Thanks
Related
I am using two application parts that deployed on: AWS Beanstalk and Netlify.
Java-based part is deployed on AWS and available on http protocol.
Angular based is deployed on Netlify and available on https protocol.
The error occurs when sending a request to AWS:
Mixed Content: The page at 'https://some-url.netlify.com/' was loaded over
HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://some-url.elasticbeanstalk.com/api/getAppSettings'. This request has
been blocked; the content must be served over HTTPS.
I need to do it working for learning purposes only, so try to make Netlify working under Http.
Is it possible to change the protocol to simple http on Netlify?
The adding SSL certificate to Elastic Beanstalk is complicated, unclear and takes too much time
AFAIK, netlify doesn't allow you to access website over HTTP, as they force redirect to HTTPS by default, as mentioned here. But its really easy to have HTTPS on AWS - your elastic beanstalk instances are served with HTTPS by default using an AWS owner certificate, and you can link your custom domain certificate if you have a custom domain, very easily from AWS Certificate Manager.
You can create a netlify.toml file and do some redirect tweaking, as mentioned here.
Creating and configuring a _redirects file in the root of your build folder(or in your public folder if using an SPA like React) might help with this. For your example, the _redirects file would look something like this:
/api/* http://some-url.elasticbeanstalk.com/api/:splat 200
Then rather than call endpoints like this:
fetch(`http://some-url.elasticbeanstalk.com/api/getAppSettings`)
You would need to make your API calls in this format:
fetch(`/api/getAppSettings`) // 'it reads /api/ because of how we configured our _redirects file'
You can read more on how to make netlify proxying here
I have a web api application that I am considering moving to HTTPS. The reason is really just for the initial login where I would like to hide the username and password.
Once logged in do all other calls from the pages also need to be HTTPS? For example do my calls to CSS and scripts need to travel over HTTPS? How about WebAPI calls?
When referencing HTTP content from HTTPS pages, some user agents will issue warnings about "mixed content" or "insecure content" to the user, others may block the content (older versions of IE do that). GitHub solved this issue using ngnix as reverse proxy, so it serves the static content as HTTPS.
If you are only worried about the authentication, and it is cookie based, you can do the authentication in HTTPS and then get back to HTTP. The cookie will be shared as long it is not marked as Secure. Remember that both the GET request acquiring the login FORM and the POST call sending the login form should be HTTPS to be secure.
You can use the page in HTTP and do the AJAX calls in HTTPS: Ajax using https on an http page. Again, this may be useless if the auth form is not secure as well.
If your static content is hosted in a CDN, probably the CDN is able of proxying the requests to your site and return HTTPS content if required.
Static content served as HTTP won't be cached for when you request the same content through HTTPS, neither viceversa, so it will basically downloaded twice.
Also relevant, please check these 7 myths about HTTPS, specially myth #1. If you are worried about security, maybe switch completely to HTTPS is the best decision.
I am a new to web deployment and I am deployed a website for testing on IIS, the website is non secure (http) site but one page should be secure (https).
Can anyone suggest me how I can achieve it and it should not warn the user while switching between 'http' and 'https'.
SSL or Secure Socket Layer would be bound to a website through bindings. That is, you can tell IIS to redirect the incoming request traffics to a website, when for example the requested URL would be like http://domain.com/ or https://doamin.com, or http://200.202.150.200:8080/ or stuff like that.
Therefore, it's not a matter of IIS to set HTTPS only for one page. It's rather how to manage your URLs while redirecting user. In other words, it's a navigational matter.
I havent used IIS but I did this recently with Apache.
I did the following:
Set up a redirect for the page that you wish to secure so it redirects to HTTPS.
Set up a redirect for every other page to redirect from HTTPS to HTTP
Ensured static files such as images css and js are not affected by the above rules (These files need to work on both HTTP and HTTPS
If you need this commercially, I would recommend to use Helicon tool to redirect that particular page to HTTPS.
Using Helicon tool you can redirect the HTTP request to HTTPS for any specific page or whole site by writing the Rules.
In IIS 7 there is way to define new rules in "URL Rewrite" section for a particular web site. By this you can define a regular expiration and based on that you can redirect any pages which matches the expression to the page which you want. Lets say you are going to redirect http:\x.com\sample.aspx to https:\x.com\sample.aspx. For this do the following steps:
select your website on IIS
click URL Rewrite
Add Rule(s)
Select Blank rule
Then define your pattern in this case : lets say ^sample(any page start with sample). you can define any expression as you like.
in Action section select Redirect in Action type dropdown
in Redirect URL put https:\x.com\sample.aspx
save it and restart your website
you can then add any other rules as you want o match your request
And also in some other complex scenarios you can write your own scripts here
I have a https site say with url www.example.com. On this server, I've an application which is decoupled in front-end and back-end. The front-end is a gwt application and the back-end is a REST interface.
To call the rest interface, the front-end uses https, say with a url like https://www.example.com/api
however, when I'm trying to call the front-end using http://www.example.com, it is not making the call to rest interface when i'm using https://www.example.com, it is ok. Can someone explain the reason of this problem??
https://www.example.com and http://www.example.com are different URIs and nothing requires that a web server serve up the same content for both. Presumably your server isn't configured to do so.
I have website hosted on azure, and I need to make the payment pages use https, but the rest of the pages as http. for local testing I created a self signed certificate and in web role properties > certificates , selected the certificate . then on the endpoints have made it https and associated the certificate. Now when I run the site it runs it as https. Can I run only a few pages in https and the rest on http?
swaraj
Chandermani is right. For details on how to set this all up, http://blog.smarx.com/posts/redirecting-to-https-in-windows-azure-two-methods will probably help.
Yes you can runs some pages on http and https. For this you need to
Create 2 endpoints one for each http and https
Associate the certificate with https endpoint
Now you can browse the site in both http and https. Now all links to these payment pages should refer to https urls.
Also you need to add a IIS url rewrite module to redirect user to https payment pages in case he directly types the http url of the payment pages.