Last post Sep 27, 2013 10:53 AM by SanjaySutar
Jan 09, 2009 04:25 AM|masjj|LINK
I work on a relatively large website that constists of a number of web servers all linked by a load balancing device that can also perform SSL temination i.e. load balancer offloads SSL encryption/decryption rather than the server. So far we've had no need
to use the SSL termination capability however this is no longer the case.
The problem occurs when I need the web application to detect whether it's running under HTTPS or HTTP. This isn't a problem when SSL is perfoprmed on the server as I can simply use:
When we start to offload the SSL, all HTTPS traffic will arrive at the server under HTTP, even though it is secure so the above statement will return false. The real complexity lies within the fact that various parts of the site require HTTPS but it's not just going to be FormsAuthentication traffic. If this was the case then there are work arrounds for example see:
This doesn't quite cover my scenario as I will have some non-authenticated traffic that must also run under HTTPS which uses the above statement to check for HTTPS, and if it's HTTP performs a redirect.
We've configured the load balancer to send through a custom header to the applicaiton when the original URL was HTTPS, the idea being that we could then access this informaiton to determine whether the original request was in HTTPS or in HTTP. This is fine however it requires a considerable amount of code change to read the header rather than what is currently does:
I had hoped I might be able to manually set the above to TRUE with an HttpModule or HttpHandler but it's read only.
I've read a number of posts/articles from people at Microsoft where SSL Termination was discussed, particularly with regards to AJAX, and that is was something being looked at but this was a while ago and there doesn't see to have been any update. Can anyone
suggest where to go from here?
Jan 29, 2009 01:58 AM|bharding|LINK
I am having the same issue. My site is load balanced at mosso.
this.lblMesage.Text="Request.IsSecureConnection =" + Request.IsSecureConnection;
returns false even when on https:
The worst part is that if you move from one application to another within the sire the url actually switches back to http:!!!
The link's href is https but when it arrives its http.
Aug 26, 2009 08:15 AM|Commander|LINK
I am also having the same problem. The Request.IsSecureConnection is set to false even On HTTPS.
Also, if we are using load balancer and the SSL certificate is only on the Load balancer and not on the web server, how do we check the request is HTTPS or not?
Aug 26, 2009 12:19 PM|bharding|LINK
Not sure if this will help but in my case I figured it out.
The fix was to include the FULL path when linking to an https resource
I was leaving off the the last slash. Not sure if it was the client or the server messing it up. But that fixed it.
It was wierd for sure.
Aug 26, 2009 01:55 PM|Commander|LINK
but in my application I need to have HTTPS only for one page and I am already provinding the full path like this:
so, I can't add the slash to above url.
thanks and regards,
Sep 26, 2012 02:22 AM|claessonm|LINK
Did you solve this?
Sep 27, 2013 10:53 AM|SanjaySutar|LINK
It's too late to reply, but might help someone who comes to this page from google search.
Request.IsSecureConnection returns true\false based on communication from load-balancer to web server and not the actual request sent to the load-balancer.
If you use below statement, then you will get correct scheme:
bool isSecureConnection = String.Equals(request.Headers["X-Forwarded-Proto"], "https", StringComparison.OrdinalIgnoreCase);
Hope this helps.