Images from cdn, and problems with SSL - asp.net

We have some images that are served up through a cdn (non ssl). During checkout process our site switches to ssl, and now we're getting warnings because the page contains unsecure elements.
Besides getting SSL on the CDN or moving all images to the secure domain, are there any workarounds for this?
Is it possible to do something like 'mirror' the images or something like download them and then serve them as they're requested?
Using ASP.net mvc

Best practice is to only load secure content in SSL.
Here are your options:
1. Get SSL on your CDN
2. Host your checkout-associated images somewhere with SSL (localhost or somewhere else)
3. Subvert your own SSL certificate
Option 3 is done by laundering the content from your CDN to the client using your webserver as an intermediary, using AJAX and a server-side script. Unfortunately there's no way to do that without adding a lot of HTTP requests and probably a forced delay on top of that (to make sure the images are stored before the client tries to load them).
That'll hurt your page load time pretty bad, and at that point you might as well just host the images on your webserver(s) since that's where they're being stored and loaded from at the end of your chain anyway.

Basically, there's no workaround. If any, it could be a severe security breach.
The best solution is to enable SSL on the CDN, ideally with a URL that is compatible with the site's certificate.
The other alternatives (copying files back, setting up a proxy script) would obviously void all the benefits of the CDN.
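Whichever option is chosen, it helps to know exactly which references on the checkout page still point at plain HTTP. The following is an added example, not code from the original posts: a small Python scanner that lists `http://` subresources in a page's HTML and separates active content (scripts, stylesheets, frames) from passive content (images, media) and insecure form targets. The sample markup and host names are constructed placeholders.

```python
from html.parser import HTMLParser

# Constructed sample of a checkout page served over HTTPS; hosts are placeholders.
SAMPLE_CHECKOUT_HTML = """
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/cart.js"></script>
<script src="http://cdn.example.com/track.js"></script>
<img src="http://cdn.example.com/logo.png">
<img src="/images/visa.png">
<a href="http://www.example.com/help">Help</a>
<form action="http://www.example.com/pay" method="post"></form>
"""

# (tag, attribute) pairs that make the browser fetch a subresource.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects plain-http references on a page that will be served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link> only loads active content when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            # Relative, protocol-relative (//host) and https URLs stay on TLS.
            if not (value or "").strip().lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:
                kind = "active"    # can rewrite the whole page
            elif (tag, name) in PASSIVE:
                kind = "passive"   # can be swapped or observed in transit
            elif (tag, name) == ("form", "action"):
                kind = "form"      # submitted fields leave in cleartext
            else:
                continue           # e.g. <a href>: navigation, not a subresource
            self.findings.append((kind, tag, value.strip()))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings
```

Run `find_mixed_content` over the rendered HTML of each checkout view; any `active` or `form` finding should be fixed before the page goes live over HTTPS.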

Related

Hosting WebAPI on a HTTPS Azure Web Role and HTML Javascript on HTTPS Azure CDNs?

I have an AngularJS WebAPI application that has a Javascript front-end. The front end makes calls to the back-end WebAPI for data. In the future there may well be more than one front-end making calls to the back-end.
I would like to change this application to use HTTPs and am looking into how to best architect this. The way I see it there are two ways (maybe more).
(1) Host the WebAPI C# application, index.html, Javascript, Javascript libraries and other HTML on the one (or more) web roles.
(2) Host the index.html, Javascript, Javascript libraries and other HTML on a CDN and put the WebAPI C# application on one (or more) web roles at one location.
From a performance point of view are there likely to be any issues with the split solution (2) when I am using SSL. Is there anything that I should consider that might help improve the start-up time (my goal is for this to be as fast as possible).
One more question I have. If I were to use the Azure CDN then would I still be able to address the index of my web site as www.mywebsite.com and if using HTTPS would I need a SSL certificate?
Option 2 is preferable.
You have to think, that your application is what sits in the backend. The front end is just a suggested set of UI controls and interactions to consume that application you have. Then, if you can host them separately you have some benefits, starting by not creating UI dependency.
The approach would be like creating a thin client.
Since the application is AngularJS based, probably all the UI are static files with HTML, CSS, and Javascript. You can host them in BLOB storage, and scale it through the CDN. You can have a custom domain name pointing to Azure Blob Storage, like `www.yourdomain.com`. It has many benefits, including better price and scaling than web roles. Put aside that you pay for web roles no matter if you are getting hits or not. The only downside is that as far as I know, it would not be possible to use HTTPS, but that should not be a problem, since you are just hosting static content and templates that contain placeholders, no actual data.
On Blob storage, you can attach your own cache control headers, allowing the browser to cache those files locally. Then a user would download those files once, and they would be recovered from the browser cache the next times. Also, you can store the content already compressed in GZIP, and then set the content encoding property to let the browser know it is compressed, therefore enabling a faster content download. Don't forget you should bundle your resources. For example, you should bundle all your JS code in one JS file, all your CSS code in one CSS file, and all your AngularJS views should be bundled in the template.js file (also bundled into the unique JS file).
You need to host your backend application in worker/web role instances though. Here you can use HTTPS, and it would be no problem to use AJAX over HTTPS, although the page loaded on HTTP, as long as the SSL/TLS certificate is signed by a CA recognized by the browser (i.e. a valid certificate). If you use a self-signed certificate, there will be no way for the browser to prompt the user to accept it. Keep this in mind if you plan to start with a self-signed one.
So then you would have all the things that are not user/state dependent in blob storage, that is cheap, fast and highly scalable; and all your user data interaction would happen through your worker/web roles through compact data request/response probably in JSON. Therefore you need fewer web/worker roles for providing the same level of service.
Now, if you have a very asymmetrical amount of massive queries and data changes request, you should consider an approach like CQRS.

How to switch off Akamai caching for dynamic html files?

I run a WordPress site and am using Akamai for caching. I have a link on every page so the user can switch between the desktop and mobile site at any point. This link, once clicked, stores a cookie which is passed to the server with every request, and so the server knows if it needs to return the mobile site or the desktop version.
Now when I access via "origin" it all works fine as it skips Akamai caching. However, when accessing the site as normal, so with Akamai caching, the link doesn't do anything. I'm assuming it's because as far as Akamai is concerned it's exactly the same URL request, and as Akamai already has its cached version it returns the same page, ignoring the cookie altogether.
Is there any way to tell Akamai directly from my PHP files in WordPress not to cache HTML and do it only for images, CSS etc.?
Or maybe is there a setting in Akamai itself where this can be specified?
If not then what other options would I have to get this working?
Yes there are a number of ways to do this. The easiest way would be to do a no cache on specific file extensions such as .html
You can tweak the files to be or not to be cached in AKAMAI through the "Configuration Attributes and Digital Properties" screen.
On "Time To Live Rules", you can define paths and their caching policy.
Apart from that, if you want to validate whether a particular web resource is rendered from AKAMAI or not, you can use Fiddler and a particular PRAGMA header.
Refer to the link "Validate if web resource is served from AKAMAI (CDN)??" for more details.

Is it easy to apply SSL to an already built website?

I'm building a website in ASP.NET, and I want it to have users so I'm creating a login page, database, aspx pages, etc, etc.
But I also want to implement SSL for extra security later on, but I don't have the slightest idea if that will be difficult or annoying; I have never implemented SSL for a website. So I'm wondering, is it "easy" or "hard" to apply SSL to my website after it's already built?
Do I have to build my website with SSL in mind from the start, or can I learn about it afterwards and then apply it?
You can configure SSL after deploying your website. No need to take extra measures at the time of building your web site, and of course it is very easy to implement. SSL configuration is used to encrypt the connections with your web site. You can buy or use a self-signed certificate to encrypt the connection. Try these links for more info:
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis
http://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7
Yes, you can easily add it to an existing site. Just obtain the certificate, set it up in IIS and you are good to go:
How do I add HTTPS to my asp.net website for account login?
Setting up SSL with ASP.NET - Part 1 of 3

Moving a Drupal site from plain HTTP to HTTPS - Issues?

I'm planning to move a site from plain HTTP to HTTPS. Should I make any adjustments to the settings or my modules?
Good question. There are a few things you need to keep in mind:
Make sure there are no absolute URLs in your node text etc., because in that case the path would remain http://yoursitename.com/some/path instead of https://yoursitename/some/path. With relative URLs the paths should get changed automatically to the correct URL with https.
Make sure that your server does not concurrently continue to serve pages over http for your website if you don't want that to happen. You will have to disable that directory in your Apache configuration.
You might want to continue serving images for instance as http instead https (or maybe you want that to be https also). Also you might want to have some redirects happening to users accessing the site using the http protocol. If you're using secure pages module then you can configure some of these issues (and more!) http://drupal.org/project/securepages

How to cache images in memory on the web server for an ASP.NET MVC web app?

I am working on a web application with many images, using ASP.NET MVC. I want to be able to cache the images in memory to improve the performance, but I would like to hear what is the best way to do this.
1) The images are accessible from URL, like http://www.site.com/album/1.jpg. How are the images stored in memory? Are they going to be in a form of memory stream?
2) How to access the image from memory and send it to the web page? Now the web pages will use the image URL to directly embed the image in a tag.
Thanks!
Won't the webserver and downstream caches be handling this for static resources anyway? Not sure there's many performance gains to be had, but knowing nothing of the app or setup I could be wrong.
To implement I'd set up a page that took an image filename and served it either from disk or from the asp.net in-memory cache.
If the images are just static files on disk, then Beepcake is right that IIS will already be caching frequently used images and serving them from memory. Using separate caching servers shouldn't be any quicker than IIS serving an image from memory - it's got more to do with scalability. Once you have a large server farm, it means you have a group of servers just dealing with your code and a group of servers just dealing with static images. Also, if you have too much content for one server to cache it all then you can route requests so that each of your ten servers caches a different 10% of your content. This should be much better than just having each server cache the same most-used 10% of the content.
Thanks for the response. I think I was thinking the wrong direction. I just found out Flickr is using Squid to cache images.
If you want really good performance, I'd suggest Amazon CloudFront. Edge caching will give you better performance than memory caching, and CloudFront runs nginx, which is significantly better than IIS at static files (among other things).
Setting up edge caching is very easy - you log in, and get a domain to use instead of your own for image URLs.
