IIS configurations issue - iis-7

We are setting up a website with secure and non-secure pages. These have been added for mapping in uriworker.properties. The domain names in the URLs are different. For example, the non-secure URL is x-y-z.a.b.org and our secure URL is x-y-secure-z.a.b.org. Both of these domains are part of our DNS entries. We do not have any redirect rules configured within the web server. But when we try to access the secure URL https://x-y-secure-z.a.b.org, the web server is sending the request as http://x-y-secure-z.a.b.org:443. Because the scheme is not https, the application does not identify this as a secure request and returns a 302 to the https URL. This redirection happens infinitely, and then an error appears which says that the page is not redirecting properly.

After a lot of analysis, we figured out that the application had a hardcoded check that the scheme and domain name be in a certain format, such as secure.xyz.

Related

Azure App Service won't serve via HTTP

I have an ASP.net MVC app running on Azure App Service ... I've searched for the answer, but have not found it ... my app seems to always force HTTPS redirect, no matter what. All the docs say it should serve content via HTTP by default, but it does not. Most everyone has the opposite problem of needing to redirect HTTP to HTTPS.
I need Azure App Service to do the following:
1) Serve static Default.htm page via HTTP, without redirecting to HTTPS
My app has a custom domain and no SSL for the custom domain. I want the URL http://example.com/Default.htm to serve the static page, not redirect to HTTPS to serve the static page. I will use azurewebsites domain when I want users to be in HTTPS. I want to use my custom domain name to serve a static home page for users arriving at my site.
As far as I can determine, I do not have any app extensions installed (such as an HTTPS redirect extension), or anything in web.config to force HTTPS, or any RequireHttps attributes ... can anyone explain why plain old regular boring HTTP doesn't work here?
Thanks

SSL Certificate issue to the end user

I have a web site developed in ASP.NET and it is hosted in the cloud. The site is running on the https protocol and the certificate is issued to the domain (e.g. example.com) and subdomain (*.example.com). It works well if the user types example.com or app.example.com. However, some users type the URL incorrectly. They type something like www.app.example.com. In this case the browser displays a warning about the certificate. It states something like this: "This server could not prove that it is www.app.example.com; its security certificate is from *.example.com. This may be caused by a misconfiguration or an attacker intercepting your connection."
This is perfectly fine, since the subject name (or "issued to") does not match because it involves two subdomains, i.e. the first subdomain is www and the other subdomain is app. Many users are scared by that and leave the web site. By googling I found that the problem can be fixed by regenerating the certificate with additional subject alt names such as *.example.com and ..example.com. But the IT staff do not want to regenerate the certificate for some reason. Is there any alternative to fix this problem without regenerating the certificate? The expectation is that no error message should be displayed and no extra action should be required from the end user.
I have tried redirect rules in IIS, but they are not working.
Platform details: ASP.NET MVC 5, IIS 7.5 and Windows Server 2008 R2 Datacenter.
Is there any alternative to fix this problem without regenerating the certificate?
No. The certificate must match the name. If the certificate does not match, the user gets an error. There is no way around it, and if there were one it would be considered a security risk, because without a proper name check man-in-the-middle attacks would be possible.
I have tried redirect rules in IIS, but they are not working.
Redirects are done at the HTTP level, which means that with https the SSL connection must first be established. If this fails because of the name mismatch, the redirect will never be reached.

Deploying web application: How to make just one page secure (https)

I am new to web deployment and I have deployed a website for testing on IIS. The website is a non-secure (http) site, but one page should be secure (https).
Can anyone suggest how I can achieve this? It should not warn the user while switching between 'http' and 'https'.
SSL, or Secure Sockets Layer, is bound to a website through bindings. That is, you can tell IIS to route incoming request traffic to a website when, for example, the requested URL is http://domain.com/ or https://domain.com, or http://200.202.150.200:8080/, or something like that.
Therefore, it's not a matter of IIS setting HTTPS for only one page. It's rather a matter of how to manage your URLs while redirecting the user. In other words, it's a navigational matter.
I haven't used IIS, but I did this recently with Apache.
I did the following:
Set up a redirect for the page that you wish to secure so it redirects to HTTPS.
Set up a redirect for every other page to redirect from HTTPS to HTTP.
Ensured static files such as images, CSS and JS are not affected by the above rules (these files need to work on both HTTP and HTTPS).
If you need this commercially, I would recommend using the Helicon tool to redirect that particular page to HTTPS.
Using the Helicon tool you can redirect HTTP requests to HTTPS for any specific page or the whole site by writing rules.
In IIS 7 there is a way to define new rules in the "URL Rewrite" section for a particular web site. With this you can define a regular expression and, based on that, redirect any page which matches the expression to the page you want. Let's say you are going to redirect http://x.com/sample.aspx to https://x.com/sample.aspx. To do this, follow these steps:
Select your website in IIS
Click URL Rewrite
Add Rule(s)
Select Blank rule
Then define your pattern, in this case let's say ^sample (any page starting with sample). You can define any expression you like.
In the Action section select Redirect in the Action type dropdown
In Redirect URL put https://x.com/sample.aspx
Save it and restart your website
You can then add any other rules you want to match your requests.
And in some more complex scenarios you can also write your own scripts here.

Can we enable https on a single page in windows azure?

I have a website hosted on Azure, and I need the payment pages to use https but the rest of the pages to use http. For local testing I created a self-signed certificate and, in web role properties > certificates, selected the certificate. Then on the endpoints I set https and associated the certificate. Now when I run the site it runs as https. Can I run only a few pages in https and the rest on http?
swaraj
Chandermani is right. For details on how to set this all up, http://blog.smarx.com/posts/redirecting-to-https-in-windows-azure-two-methods will probably help.
Yes, you can run some pages on http and others on https. For this you need to:
Create 2 endpoints, one each for http and https
Associate the certificate with the https endpoint
Now you can browse the site over both http and https. All links to the payment pages should refer to https URLs.
You also need to add an IIS URL Rewrite module rule to redirect the user to the https payment pages in case he directly types the http URL of a payment page.
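The URL Rewrite rule described in the step-by-step answer above (redirecting http://x.com/sample.aspx to https) and the "redirect the http payment URL to https" step in this Azure answer are the same rule, so here is one worked web.config for both. It is an added example, not code from any of the answers or from Microsoft: it assumes the IIS URL Rewrite module is installed, uses the host x.com and page sample.aspx from the earlier answer, and assumes a /payment/ folder for the Azure case. The {HTTPS} condition is the part the step-by-step answer leaves out; without it the rule also matches the request that arrives over https and redirects it again, which is exactly the infinite 302 loop the first question on this page describes.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: force HTTPS for the secure page(s) only.
             Paths are assumptions: sample.aspx from the answer, /payment/ for the Azure case.
             The {HTTPS} condition is the loop guard: the rule fires only when the
             request came in over plain HTTP. -->
        <rule name="SecurePagesToHttps" stopProcessing="true">
          <match url="^(sample\.aspx|payment/.*)$" ignoreCase="true" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>

        <!-- Rule 2 (optional, mirrors the Apache answer): send every other page back
             to HTTP, but leave static assets alone so they load on both schemes and
             the secure page does not trip mixed-content warnings. -->
        <rule name="OtherPagesToHttp" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
            <add input="{URL}" pattern="^/(sample\.aspx|payment/)" negate="true" ignoreCase="true" />
            <add input="{URL}" pattern="\.(css|js|png|jpg|gif|ico|svg|woff2?)$" negate="true" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="http://{HTTP_HOST}/{R:1}" redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two caveats. {HTTPS} reflects the hop into IIS itself, so behind a TLS-terminating proxy or load balancer it reads "off" for every request and the first rule loops again; in that deployment the condition has to test a forwarded header (for example {HTTP_X_FORWARDED_PROTO}) that you trust only from the proxy. And rule 2 deliberately creates the mixed http/https site that the last answer on this page warns about: a session cookie shared between the two schemes can be captured on the http half.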

Redirect to https login page

I have a site that has a mix of http and https pages. Under the root of the site, one folder has all the http pages and another has all the https pages. Login is over https and sends the user to the other pages. When a session expires, forms authentication redirects to the login page, but the browser uses http and the user gets a 403 error.
Is there any way to override the session timeout redirect to send it to https?
One way is to configure IIS to redirect http traffic to https:
http://support.microsoft.com/kb/839357
One thing to consider with mixed mode like that:
There is a common attack on SSL pages, which is making an http request (to an https resource) in order to obtain the unencrypted session cookie. This is why you want to configure your session cookie as secure only (it would not be sent over http). I am guessing that your http and https pages share a session, which means you can't set this setting, making your site vulnerable to this attack. But it's good to be aware of this.
http://anubhavg.wordpress.com/2008/02/05/how-to-mark-session-cookie-secure/
Another article you may find helpful:
http://www.west-wind.com/Weblog/posts/4057.aspx
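The two settings this answer talks around, an https login page for the forms-authentication timeout redirect and a Secure-only session cookie, are both web.config switches in ASP.NET. The fragment below is an added example, not code from the answer or the linked articles; the host www.example.com and the /secure/Login.aspx path are assumptions standing in for the asker's https folder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication. An absolute https loginUrl (assumed host and path) makes the
         redirect issued on ticket expiry land on the https login page instead of being
         resolved against whatever http URL the user was on, which is what produced the 403.
         requireSSL="true" sets the Secure flag on the .ASPXAUTH ticket cookie, so the browser
         never sends it over http; ASP.NET also refuses to issue the ticket on an http request. -->
    <authentication mode="Forms">
      <forms loginUrl="https://www.example.com/secure/Login.aspx"
             requireSSL="true"
             slidingExpiration="true"
             timeout="20"
             cookieless="UseCookies"
             protection="All" />
    </authentication>

    <!-- Secure + HttpOnly defaults for every cookie the application issues, including
         ASP.NET_SessionId. This is the "session cookie marked secure" setting from the answer;
         once it is on, the http pages no longer see the session, which is the trade-off
         the answer describes for a mixed http/https site. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  cookieName="ASP.NET_SessionId"
                  timeout="20" />
  </system.web>
</configuration>
```

With these two requireSSL flags set, the only way to keep the http folder working is for those pages to be truly anonymous and stateless; any page that needs the session or the login has to move under https.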