Can we enable https on a single page in windows azure? - http

I have a website hosted on Azure, and I need to make the payment pages use https, but the rest of the pages as http. For local testing I created a self-signed certificate and, in web role properties > Certificates, selected the certificate. Then on the endpoints I made it https and associated the certificate. Now when I run the site it runs as https. Can I run only a few pages in https and the rest on http?
swaraj

Chandermani is right. For details on how to set this all up, http://blog.smarx.com/posts/redirecting-to-https-in-windows-azure-two-methods will probably help.

Yes, you can run some pages on http and some on https. For this you need to:
1) Create 2 endpoints, one each for http and https
2) Associate the certificate with the https endpoint
Now you can browse the site over both http and https. All links to these payment pages should refer to https URLs.
Also, you need to add an IIS URL Rewrite module to redirect the user to the https payment pages in case he directly types the http URL of the payment pages.
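A check for the redirect described in the answer above, as an added example that is not part of the original posts: it embeds a constructed web.config fragment with a URL Rewrite rule and verifies that plain-HTTP requests for payment pages are redirected to HTTPS. The `payment/` path, the rule name and the helper `https_redirect_covers` are assumptions, and Python's `re` stands in for the module's own regex engine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment; the "payment/" path and rule name are assumptions.
WEB_CONFIG = """
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="PaymentToHttps" stopProcessing="true">
          <match url="^payment/.*" ignoreCase="true" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:0}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""

def https_redirect_covers(config_xml, path):
    """True if some rule redirects a plain-HTTP request for `path` to HTTPS."""
    root = ET.fromstring(config_xml.strip())
    for rule in root.iter("rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None:
            continue
        ignore = match.get("ignoreCase", "true").lower() == "true"
        # URL Rewrite matches the request path without its leading slash.
        if not re.search(match.get("url", ""), path.lstrip("/"),
                         re.IGNORECASE if ignore else 0):
            continue
        # Without an {HTTPS}=off condition the rule would also fire on
        # HTTPS requests and redirect in a loop, so require it.
        only_http = any(
            c.get("input") == "{HTTPS}"
            and c.get("pattern", "").strip("^$").lower() == "off"
            for c in rule.iterfind("conditions/add"))
        to_https = (action.get("type") == "Redirect"
                    and action.get("url", "").startswith("https://"))
        if only_http and to_https:
            return True
    return False
```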

Related

Mixed Content: The page was loaded over HTTPS, but requested an insecure image

I have a domain (let's call it Domain1 or https://img.{domain_name_1}.com) where I stored images for serving a WordPress staging website, which is currently hosted on a different server. For the latter I have only a public IP address (so not a real FQDN at the moment), let's call it Domain2 or https://99.999.999.999. On this server I installed a self-signed SSL certificate, just to encrypt the credentials I use for phpMyAdmin and the WordPress admin area. Meanwhile, Domain1 is SSL secured by Let's Encrypt. I can access Domain1 by http or https indifferently, because I have a redirection from http to https.
Now, I pointed all my database records about images of the wordpress staging website to the Domain1. When I visit the Domain2 at the page https://99.999.999.999/postcat-postname/, all contents are visible except for images.
The Google Chrome Console tool displays:
Mixed Content: The page at '...' was loaded over HTTPS, but requested
an insecure image 'http://...'. This request has been blocked; the
content must be served over HTTPS.
It is strange and I cannot understand that error because:
the Domain1 which serves images for the staging area has been secured;
the wp_post of the WordPress database for any image shows the link to the pictures with https.
This is a picture of the state:
Domain1: it serves pictures for Domain2, SSL secured via Let's Encrypt
Domain2: the WordPress staging website. Self-signed SSL. Media file records in the MySQL DB linked to the https address of Domain1.
The redirect you are using on the image domain is only resolved when the request is sent to the server. If you are linking to an HTTP protocol in the main site the browser will block the request before sending it and therefore your HTTP to HTTPS redirect will not happen. Make sure the src has HTTPS in the protocol and that should fix the issue. You can either update the links directly in the DB or you can use a plugin that will allow you to track your assets.
Here are a couple:
SSL Insecure Content Fixer
WordPress HTTP
You may also want to check out this post that talks about shared certificates in your situation.
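Because the browser blocks the `http://` request before any redirect can run, the references have to be found in the rendered page itself. The scanner below is an added example, not code from the original posts; it lists subresource URLs that would be blocked on an HTTPS page. The sample markup and the `img.example.com` host are constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. A plain <a href>
# is navigation, not mixed content, so it is not listed here.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "link": ("href",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are fetched; rel="canonical" and similar are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            # srcset holds comma-separated "url descriptor" candidates.
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                parts = cand.split()
                if parts and parts[0].lower().startswith("http://"):
                    self.findings.append((tag, name, parts[0]))

def find_mixed_content(html):
    """Return (tag, attribute, url) for every insecure subresource reference."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample of rendered post markup.
SAMPLE_POST = """
<p>Staging post</p>
<img src="http://img.example.com/uploads/a.jpg"
     srcset="https://img.example.com/uploads/a-2x.jpg 2x">
<img src="https://img.example.com/uploads/b.jpg">
<a href="http://img.example.com/uploads/a.jpg">full size</a>
<script src="//cdn.example.com/app.js"></script>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_POST):
        print(finding)
```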

Azure App Service won't serve via HTTP

I have an ASP.net MVC app running on Azure App Service ... I've searched for the answer, but have not found it ... my app seems to always force HTTPS redirect, no matter what. All the docs say it should serve content via HTTP by default, but it does not. Most everyone has the opposite problem of needing to redirect HTTP to HTTPS.
I need Azure App Service to do the following:
1) Serve static Default.htm page via HTTP, without redirecting to HTTPS
My app has a custom domain and no SSL for the custom domain. I want the URL http://example.com/Default.htm to serve the static page, not redirect to HTTPS to serve the static page. I will use azurewebsites domain when I want users to be in HTTPS. I want to use my custom domain name to serve a static home page for users arriving at my site.
As far as I can determine, I do not have any app extensions installed (such as https redirect extension), or anything in web.config to force https, or any RequireHTTPS attributes ... can anyone explain why plain old regular boring HTTP doesn't work here?
Thanks

If my web site is HTTPS does every call for data or a static page have to be HTTPS also?

I have a web api application that I am considering moving to HTTPS. The reason is really just for the initial login where I would like to hide the username and password.
Once logged in do all other calls from the pages also need to be HTTPS? For example do my calls to CSS and scripts need to travel over HTTPS? How about WebAPI calls?
When referencing HTTP content from HTTPS pages, some user agents will issue warnings about "mixed content" or "insecure content" to the user, others may block the content (older versions of IE do that). GitHub solved this issue using nginx as a reverse proxy, so it serves the static content as HTTPS.
If you are only worried about the authentication, and it is cookie based, you can do the authentication in HTTPS and then get back to HTTP. The cookie will be shared as long as it is not marked as Secure. Remember that both the GET request acquiring the login FORM and the POST call sending the login form should be HTTPS to be secure.
You can use the page in HTTP and do the AJAX calls in HTTPS: Ajax using https on an http page. Again, this may be useless if the auth form is not secure as well.
If your static content is hosted in a CDN, probably the CDN is capable of proxying the requests to your site and returning HTTPS content if required.
Static content served as HTTP won't be cached for when you request the same content through HTTPS, nor vice versa, so it will basically be downloaded twice.
Also relevant, please check these 7 myths about HTTPS, especially myth #1. If you are worried about security, maybe switching completely to HTTPS is the best decision.

IIS configurations issue

We are setting up a website with secure and non-secure pages. These have been added for mapping in uriworker.properties. The domain names in the URLs are different. For example, the non-secure URL is x-y-z.a.b.org and our secure URL is x-y-secure-z.a.b.org. Both of these domains are part of our DNS entry. We do not have any redirect rules configured within the webserver. But when we try to access the secure URL https://x-y-secure-z.a.b.org, the webserver is sending the request as http://x-y-secure-z.a.b.org:443. Due to the scheme not being https, the application does not identify this as a secure request and is returning a 302 to the https URL. This redirection happens infinitely and then an error appears which says that the page is not redirecting properly.
After a lot of analysis, we figured out that the application had a hardcoded check on the scheme of the domain name to be in a certain format as secure.xyz.

Redirect to https login page

I have a site that has a mix of http and https pages. Under the root of the site, one folder has all the http pages and another has all the https pages. Login is over https and sends the user to the other pages. When a session expires the forms authentication redirects to the Login page but the browser uses http and the user gets a 403 error.
Is there any way to override the session timeout to send it to https?
One way is to configure IIS to redirect http traffic to https:
http://support.microsoft.com/kb/839357
One thing to consider with mixed mode like that:
There is a common attack on SSL pages, which is making an http request (to an https resource) in order to obtain the unencrypted session cookie. This is why you want to configure your session cookie to encrypted only (would not be sent over http). I am guessing that your http and https pages share a session, which means you can't set this setting, making your site vulnerable to this attack. But it's good to be aware of this.
http://anubhavg.wordpress.com/2008/02/05/how-to-mark-session-cookie-secure/
Another article you may find helpful:
http://www.west-wind.com/Weblog/posts/4057.aspx
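Both the earlier answer (a cookie is shared between HTTP and HTTPS unless it is marked Secure) and the one above (a shared session cookie is exposed to any plain-HTTP request) come down to which cookies a client attaches per scheme. This added example, not code from the original posts, uses Python's standard cookie jar to show it. The host and cookie values are constructed, and the helpers `make_cookie`, `cookie_header_for` and `headers_by_scheme` are hypothetical.

```python
import urllib.request
from http.cookiejar import Cookie, CookieJar

def make_cookie(name, value, host, secure):
    """Build a host-only session cookie; `secure` is the Secure attribute."""
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=host, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True, secure=secure, expires=None,
        discard=True, comment=None, comment_url=None, rest={})

def cookie_header_for(jar, url):
    """Return the Cookie header a client would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")

def headers_by_scheme():
    host = "shop.example.com"  # constructed host
    jar = CookieJar()
    # Session cookie shared by the http and https pages: no Secure attribute.
    jar.set_cookie(make_cookie("ASP.NET_SessionId", "constructed-session",
                               host, secure=False))
    # Forms-authentication ticket marked Secure: HTTPS requests only.
    jar.set_cookie(make_cookie(".ASPXAUTH", "constructed-ticket",
                               host, secure=True))
    return {
        "http": cookie_header_for(jar, "http://" + host + "/catalog/"),
        "https": cookie_header_for(jar, "https://" + host + "/payment/"),
    }

if __name__ == "__main__":
    for scheme, header in headers_by_scheme().items():
        print(scheme, "->", header)
```

The session cookie travels in clear text on every HTTP request, while the Secure ticket never leaves an HTTPS connection; that is also why a session that expires on an HTTP page arrives at the login page without the ticket.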

Resources