How can you determine the current request URL if using off-box SSL termination?
E.g.
1. Browser has URL httpS://yourserver/
2. SSL termination decrypts and sends on to http://yourserver
3. IIS/ASP.NET receives the request at http://yourserver
At (3), if you use Context.Request.Url, Page.Request.Url or Page.Request.RawUrl it shows a URL with an http protocol and not httpS.
How do you get the public httpS URL that was originally used at (1) in this case?
The convention used for Microsoft products is to add a header at the reverse proxy:
Front-End-Https : On
So you know the http url is really https.
You could also add in your own header containing the original URL if you did something like URL translation (e.g. something like "Original-Uri").
This page shows how to do this using IIS ARR as the reverse proxy, though in my testing I could only get headers to pass through if they are prefixed with HTTP_ (which is later stripped out).
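As an added illustration of the header convention described in this answer (this is example code, not the answer's own or anything from IIS/ARR), the function below rebuilds the public URL on the application side. It honours "Front-End-Https: On" and the more widely used "X-Forwarded-Proto" / "X-Forwarded-Host" headers, but only when the request came from a known proxy address, because a client that can reach the app server directly could otherwise inject these headers. The proxy address list, the host allow-list and the request object shape are assumptions for this example.

```javascript
// Added example (not the answer's code): rebuild the public URL of a request
// that reached the app over plain http from a TLS-terminating reverse proxy.
// It honours the "Front-End-Https: On" convention named above and the more
// common "X-Forwarded-Proto" / "X-Forwarded-Host" headers. The proxy address
// list, host allow-list and request shape are assumptions for this example.

// Forwarded headers are only believed when the TCP peer is one of our proxies.
// A client that can reach the app server directly could otherwise inject them
// and make the app emit links or redirects for a scheme/host of its choosing.
const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]);              // constructed
const ALLOWED_HOSTS = new Set(["yourserver", "www.yourserver.example"]); // constructed

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// req: { remoteAddress, host, path, headers } as seen by the app server.
function publicUrl(req) {
  const h = lowerCaseHeaders(req.headers);
  let scheme = "http";
  let host = req.host;
  if (TRUSTED_PROXIES.has(req.remoteAddress)) {
    const frontEndHttps = (h["front-end-https"] || "").trim().toLowerCase();
    // X-Forwarded-* may carry a comma-separated chain; the first entry is the
    // hop the client actually talked to.
    const forwardedProto = (h["x-forwarded-proto"] || "").split(",")[0].trim().toLowerCase();
    if (frontEndHttps === "on" || forwardedProto === "https") scheme = "https";
    const forwardedHost = (h["x-forwarded-host"] || "").split(",")[0].trim().toLowerCase();
    // Never reflect an arbitrary host back into absolute URLs: check the allow-list.
    if (forwardedHost && ALLOWED_HOSTS.has(forwardedHost)) host = forwardedHost;
  }
  return `${scheme}://${host}${req.path}`;
}

// Demo with the scenario from the question: browser used https, proxy forwarded http.
console.log(publicUrl({
  remoteAddress: "10.0.0.5", host: "yourserver", path: "/",
  headers: { "Front-End-Https": "On" },
}));
```

The same header from an address outside TRUSTED_PROXIES is ignored, so a direct connection to the app server cannot talk it into generating https links or a foreign host.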
Background
I was making a browser extension that sends a POST request to http://ip.v4.ad.dr/somephp.php which does some data handling based on the POSTed data. This extension is supposed to function on the site https://meet.google.com/.
Problem
My problem arises because I am sending from https to http, so my request is blocked and this error appears:
Mixed Content: The page at 'https://meet.google.com/mym-eets-url?authuser=x' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://ip.v4.ad.dr/somephp.php'. This request has been blocked; the content must be served over HTTPS.
Please note that those are fake URLs. They are just there to show what the URL looks like, not what it is. mym-eets-url is my Meet's URL, and ip.v4.ad.dr is an IPv4 address.
Attempts to solve
I have thought of:
1. Making/using some site that reflects the request to the target URL. I do not think this works since that mirror site may block the request, since it is https.
2. Making my localhost use https. I am pretty sure this will work, but I don't want to use https simply because the request won't send otherwise. I can try doing this if there isn't any other option.
Question
What is the best way to send a request from an https site to my own http://ip.v4.ad.dr/ server?
I have an application which is accessed via HTTPS, but is "reverse proxied" to the server using plain HTTP. It is set up on AWS as follows:
[BROWSER] --(https)--> [ELB] --(http)--> [SERVER]
Everything works fine except when a page is being accessed by an unauthenticated user: the server responds with an HTTP 302 redirect using the whole protocol://server/path string, like so:
Location: http://my.server.com/Account/Login?ReturnUrl=%2F
The problem is, it specifies HTTP as the protocol (presumably because it is being connected to by the ELB using HTTP). So the browser redirects the request using HTTP and an error occurs. Is there a way to customize the redirect such that it redirects using just the path, so regardless of protocol or hostname it is redirected properly? Like so:
Location: /Account/Login?ReturnUrl=%2F
If this is not advisable, what can be done?
(Note: I've checked other solutions posted on SO. All I've seen so far involve customizing the path, not removing the protocol://hostname.)
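The path-only Location the question asks for, as an added example (not code from the question, from ASP.NET or from the ELB): an outbound rewrite that strips the scheme and host from a redirect only when it points back at the application's own host, so external redirects keep their full URL. The host allow-list and the helper names are assumptions; the Location value is the one shown in the question.

```javascript
// Added example, not code from the question or from ASP.NET: rewrite an absolute
// Location header that points back at this application into a path-only one, so
// the browser keeps the scheme it used to reach the ELB. The host allow-list is
// an assumption; the sample Location value is the one from the question.

const OWN_HOSTS = new Set(["my.server.com"]); // assumption: this app's public host(s)

function relativizeLocation(location) {
  // Already path-only (but not protocol-relative "//host/..."): nothing to do.
  if (location.startsWith("/") && !location.startsWith("//")) return location;
  let target;
  try {
    target = new URL(location);
  } catch (e) {
    return location; // not an absolute URL we can parse; leave it untouched
  }
  // Only drop the origin for redirects that stay on our own host. An external
  // redirect must keep its full URL; rewriting it would change its destination.
  if (!OWN_HOSTS.has(target.hostname.toLowerCase())) return location;
  return target.pathname + target.search + target.hash;
}

// The step an outbound filter or middleware would perform on each response.
function rewriteResponseHeaders(headers) {
  const out = { ...headers };
  for (const name of Object.keys(out)) {
    if (name.toLowerCase() === "location") out[name] = relativizeLocation(out[name]);
  }
  return out;
}

// Demo with the redirect from the question.
console.log(rewriteResponseHeaders({ Location: "http://my.server.com/Account/Login?ReturnUrl=%2F" }));
```

Keeping the check against OWN_HOSTS matters: an unconditional strip would turn a legitimate redirect to another site into a path on this site, and would make any host-header confusion invisible rather than harmless.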
I'm using Nginx + flask-socketio + AWS ELB, and when the URL is loaded over https I get the following error message, which seems related to Nginx and the socket. Please help with this:
socket.io.min.js:2 Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost/socket.io/1/?t=1477375737508'. This request has been blocked; the content must be served over HTTPS.d.handshake # socket.io.min.js:2
socket.io.min.js:2 XMLHttpRequest cannot load http://localhost/socket.io/1/?t=1477375737508. Failed to start loading.
Take a look at your .js file and make sure that you are using the right ajax URL (//your_site.com/handler instead of http://your_site.com/handler), for instance:
$.ajax({
    // Protocol-relative URL: the browser reuses the page's scheme, so an https
    // page requests https://your_site.com/handler and avoids mixed content.
    url: '//your_site.com/handler',
    dataType: 'json',
    type: 'get',
    success: function (data) { /* handle the parsed JSON response */ },
    complete: function (xhr, textStatus) { /* runs after success or error */ }
});
Mixed Content is a security policy employed by current browsers, and its goal is to prevent leaking information fetched over "secure" HTTPS to non-secure contexts. Therefore, a site served with HTTPS must use HTTPS or other TLS-enabled protocols to fetch content.
The URI prefix for WebSockets over TLS is wss, and for plain WebSockets ws. At least Chromium and Firefox consider https+ws mixed content and deny such a setup; therefore wss should be used as the URI prefix in secure/HTTPS contexts instead of ws.
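To make the rule in the two answers above concrete (and the error in the browser-extension question earlier on this page), here is an added example, not code from either answer or from socket.io: a small classifier that resolves a requested URL against the page URL the way the browser does and reports whether it would be blocked as mixed content, and what the TLS-enabled equivalent would be. The sample URLs are the ones from the questions plus constructed ones.

```javascript
// Added example (not from the answers above): decide whether a request made
// from a page would be blocked as mixed content. It implements the rule the
// answers describe: an https page may only fetch https/wss, and a
// protocol-relative URL ("//host/path") inherits the page's scheme.
// Sample URLs come from the questions on this page or are constructed.

const SECURE_SCHEMES = new Set(["https:", "wss:"]);
const UPGRADABLE_SCHEMES = new Set(["http:", "ws:"]);

function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // Resolves "/path" and "//host/path" against the page, exactly as the browser does.
  const target = new URL(requestUrl, page);
  if (page.protocol !== "https:") {
    return { blocked: false, reason: "page is not a secure context", url: target.href };
  }
  if (SECURE_SCHEMES.has(target.protocol)) {
    return { blocked: false, reason: "secure scheme", url: target.href };
  }
  if (UPGRADABLE_SCHEMES.has(target.protocol)) {
    // The fix is the same endpoint over TLS (https/wss); the server must offer it.
    const fix = target.href.replace(/^http:/, "https:").replace(/^ws:/, "wss:");
    return { blocked: true, reason: `mixed content: ${target.protocol} request from an https page`, url: target.href, fix };
  }
  // data:, blob:, about: and similar are not network fetches over an insecure transport.
  return { blocked: false, reason: "non-network scheme", url: target.href };
}

// Demo with the two cases from this page.
console.log(classifyRequest("https://meet.google.com/mym-eets-url?authuser=x", "http://ip.v4.ad.dr/somephp.php"));
console.log(classifyRequest("https://localhost/", "//localhost/socket.io/1/?t=1477375737508"));
```

The second call shows why the protocol-relative form works: resolved against an https page it becomes an https URL, and on a plain-http page it stays http, so the same script serves both without hard-coding a scheme.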
I am using Request.UrlReferrer to get the previous link, but it is not working for my HTTPS site. I can't use the query string; is there any workaround for this?
You can't get the referrer URL if coming from an encrypted site (with SSL, for example). The referrer header is pretty insecure; one can simply hit your URL and pass up any referer they want.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
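An added worked example of the rule quoted above (not code from the answer or from ASP.NET): a function that computes the Referer a conforming browser sends when navigating or fetching from one URL to another. "no-referrer-when-downgrade" is the RFC 2616 §15.1.3 behaviour and explains the empty Request.UrlReferrer when an https page links to an http one; "strict-origin-when-cross-origin" is the policy current browsers apply by default. Policy names are the standard Referrer-Policy values; the sample URLs are constructed.

```javascript
// Added example, not part of the answer: what Referer a browser sends for a
// navigation or fetch from `fromUrl` to `toUrl` under a given Referrer-Policy.
// Sample URLs in the demo are constructed.

function stripForReferer(u) {
  // Referrers never carry credentials or the fragment.
  const copy = new URL(u.href);
  copy.username = "";
  copy.password = "";
  copy.hash = "";
  return copy.href;
}

function refererFor(fromUrl, toUrl, policy = "strict-origin-when-cross-origin") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  const sameOrigin = from.origin === to.origin;
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      // RFC 2616 §15.1.3: nothing at all when leaving a secure page for an insecure one.
      return downgrade ? null : stripForReferer(from);
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      // Cross-origin but not a downgrade: only the origin (serialized with a trailing slash).
      return sameOrigin ? stripForReferer(from) : from.origin + "/";
    default:
      throw new Error("unsupported policy: " + policy);
  }
}

// Demo: an https page linking to an http page sends no Referer under either policy.
console.log(refererFor("https://shop.example/cart?id=1", "http://partner.example/track", "no-referrer-when-downgrade"));
console.log(refererFor("https://shop.example/cart?id=1", "https://partner.example/track"));
```

The server-side consequence is the one the answer draws: the header is absent in legitimate cases and freely settable in illegitimate ones, so it is useful for analytics but not as an input to any access decision.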
As of now, are there still any methods to spoof the HTTP referer?
Yes.
The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed/forged. This includes HTTP_USER_AGENT.
If you wrote the web browser, you're setting and sending the HTTP Referrer and User-Agent headers on the GET, POST, etc.
You can also use middleware such as a web proxy to alter these. Fiddler lets you control these values.
If you want to redirect a visitor to another website and set their browser's referrer to any value you desire, you'll need to develop a web browser-plugin or some other type of application that runs on their computer. Otherwise, you cannot set the referrer on the visitor's browser. It will show the page from your site that linked to it.
What might be a valid solution in your case would be for you to load the third party page on the visitor's behalf, using whatever referrer is necessary, then display the page to the user from your server.
Yes, the HTTP referer header can be spoofed.
A common way to play with HTTP headers is to use a tool like cURL:
Sending headers using cURL:
How to send a header using a HTTP request through a curl call?
or
The cURL docs:
http://curl.haxx.se/docs/
Yes, of course. The browser can avoid sending it, and it can also be "spoofed". There's an addon for Firefox (I haven't tried it myself) and likely you can also use something like Privoxy (but it is harder to make it change dynamically). With other tools like wget, it is as easy as setting the proper option.
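Given that every answer above agrees the header is client-controlled, the server-side consequence is worth showing. The following is an added example (not code from any answer, cURL, or Privoxy) of how a server can still use Origin and Referer defensively: never to grant anything, only to reject state-changing requests whose source does not match an allow-list, which stops a cross-site request because the victim's browser, not the attacker, fills in those headers. The allow-list, helper names and sample requests are constructed for this example.

```javascript
// Added example (not from any answer above): a server-side check that treats
// Origin and Referer as untrusted input. Because a client can set them to
// anything, they are never used to grant access; they only serve to reject
// cross-site state-changing requests, where the header is set by the victim's
// browser rather than by the attacker. Allowed origins and requests are constructed.

const ALLOWED_ORIGINS = new Set(["https://app.example"]);   // constructed
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);   // no state change expected

function originOf(value) {
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

function checkRequestOrigin(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true, reason: "safe method" };
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  // Prefer Origin (browsers send it on cross-origin fetches and form POSTs);
  // fall back to Referer. An opaque "null" Origin is treated as absent.
  const source = h["origin"] && h["origin"] !== "null" ? h["origin"] : h["referer"];
  if (!source) return { ok: false, reason: "no Origin or Referer on a state-changing request" };
  const origin = originOf(source);
  if (origin && ALLOWED_ORIGINS.has(origin)) return { ok: true, reason: "origin allowed" };
  return { ok: false, reason: `origin ${origin || "unparseable"} not allowed` };
}

// Demo with constructed requests.
console.log(checkRequestOrigin("POST", { Origin: "https://app.example" }));
console.log(checkRequestOrigin("POST", { Referer: "https://other.example/page" }));
```

This header check complements, rather than replaces, a per-session CSRF token: the token covers the cases where a browser legitimately omits both headers, and the origin check catches requests that a token implementation forgot to cover.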