kevind
Posts: 251
|
| Posted: 11/23/2004, 2:17 PM |
|
Hi,
I am doing a project on a new Hosting Service. They have a configuration where the SSL is off-loaded to an SSL device and any web requests are then forwarded to a server in plain HTTP request format.
This means that the SSL feature of CCS does not work properly - when the page is served up it reports SSL was not used to access the page.
How do I modify my project so that when I check off SSL in the page properties, the code that checks for SSL will simply verify the host requesting the page? I know that if a certain host is calling the page (the SSL off-load device) that it is a secure page?
Thanks in advance.
Kevin
_________________
thanks
Kevin
======================
CCS 3.2.x / ASP / MS Access /mySQL / PHP / jQuery / jQuery UI / jQuery Mobile
|
 |
 |
peterr
Posts: 5971
|
| Posted: 11/23/2004, 11:20 PM |
|
I'm not sure if I understand you, however if a page isn't accessed via HTTPS then SSL is not used. Thus CCS reports this properly. There is nothing else that needs to be done.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
 |
 |
BlinkyBill
Posts: 86
|
| Posted: 11/24/2004, 3:08 AM |
|
The way I solve this problem is with the following script in the Global.asa file. Global.asa should be in the root of your application.
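Sub Session_OnStart
    ' Session initialization script: send plain-HTTP visitors to the HTTPS URL.
    Dim url, qs
    If Request.ServerVariables("HTTPS") = "off" Then
        url = "https://" & Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("SCRIPT_NAME")
        qs = Request.ServerVariables("QUERY_STRING")
        ' Append the query string only when there is one.
        If Len(qs) > 0 Then url = url & "?" & qs
        Response.Redirect url
    End If
End Sub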
This means that when someone comes into your site they are automatically redirected to the SSL URL; it DOESN'T cater for someone changing the https to http after the session has started.
|
 |
 |
kevind
Posts: 251
|
| Posted: 11/24/2004, 4:40 AM |
|
I'll try to clarify - The Hosting Service I'm using does not have the Web Server handle the SSL encryption process. When I access the site I'm developing via SSL, my browser client is actually talking to an SSL device for the domain like this one:
http://www.sonicwall.com/applications/ssl.html
The site is a sub-domain of the secure domain - like
mydomain.hostingprovidersecuredomain.com
So, when I initiate an SSL connection my browser client connects to the SSL device that handles all sub-domains on this secure domain. The SSL device then passes through all the requests to a server that hosts the actual pages - this communication does not need to be secure since the SSL device is connected to the Server within the ISP's network.
My problem is that when I check off SSL in CCS it looks for HTTPS server variable to verify the page is being accessed securely. It is in terms of the path it is following from the client to the SSL device and then the server but, as far as ASP sees it - it is not between the SSL device and the Server that has the pages so, it flags it as non-SSL.
So, I need a way within this project (and another on the same HostProvider) to substitute the code that checks for the HTTPS server variable and instead look for the page request to be coming from a given location like mydomain.myHostingServicesecuredomain.com - since I know that if it comes from there it should be secure. It would be great to have it work by checking the SSL property in the page properties for each page but, I'll take some sort of includable page if that's the solution.
whew !
Thanks,
Kevin
|
 |
 |
Benjamin Krajmalnik
|
| Posted: 11/24/2004, 5:35 PM |
|
You need to turn off "SSL Required", but do place a secure URL.
What happens is as follows: The SSL request hits the SSL offloader/accelerator and gets translated to clear text and sent on an alternate port (say, 444). Since the request which your application is getting is no longer an SSL request, it is complaining.
I have a SonicWall SSL-RX and a SSL-IA, and that is the setup which you need.
Use a SecureURL, but disable SSL check.
|
|
|
 |
peterr
Posts: 5971
|
| Posted: 11/24/2004, 6:21 PM |
|
Kevin,
I think that Benjamin's response explains the issue.
In terms of your last question about checking access from specific domain, you cannot do this via the SSL property (because SSL = HTTPS) but you could add custom code to each page that requires this.
I think that something like this would work:
If Request.ServerVariables("REMOTE_HOST")<>"mydomain.hostingprovidersecuredomain.com" Then response.redirect("http://www.yahoo.com")
See more info and code examples at http://www.google.com/search?hl=en&lr=&q=asp+Request.Se...MOTE_HOST%22%29
However, I heard that this method is not 100% hack-proof, so it may be possible that someone can still use some tricks to access your URL from elsewhere. Unfortunately I don't know the details, and don't know if there is any better method than this.
 |
 |
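An added example, not code from any poster in this thread: an include that treats a request as secure when IIS saw HTTPS itself, or when it arrives from the SSL device's address on the port the device forwards decrypted traffic to, and otherwise redirects to the secure URL. The address 192.0.2.10 and the constant and function names are assumptions; port 444 is the illustrative port from Benjamin's post. It compares REMOTE_ADDR because IIS fills REMOTE_HOST with the caller's IP address unless reverse DNS lookups are enabled.

```asp
<%
' Added example, not from the thread. Assumed values; replace with your own.
Const OFFLOADER_IP   = "192.0.2.10"  ' constructed: internal address of the SSL device
Const OFFLOADER_PORT = "444"         ' port the device forwards decrypted requests to
Const SECURE_HOST    = "mydomain.hostingprovidersecuredomain.com"

' True when the request arrived over a path this application treats as secure.
Function IsSecureRequest()
    Dim https, remoteAddr, serverPort
    https      = LCase(Request.ServerVariables("HTTPS"))
    remoteAddr = Request.ServerVariables("REMOTE_ADDR")
    serverPort = Request.ServerVariables("SERVER_PORT")

    IsSecureRequest = False
    If https = "on" Then
        ' IIS terminated SSL itself.
        IsSecureRequest = True
    ElseIf remoteAddr = OFFLOADER_IP And serverPort = OFFLOADER_PORT Then
        ' Decrypted request handed over by the SSL device. The port matters:
        ' if the device also relays plain HTTP, the address alone cannot
        ' tell the two kinds of request apart.
        IsSecureRequest = True
    End If
End Function

' Call at the top of every page that would have had "SSL Required" ticked.
Sub RequireSecure()
    Dim url, qs
    If IsSecureRequest() Then Exit Sub
    ' Fixed host name, not one taken from the request.
    url = "https://" & SECURE_HOST & Request.ServerVariables("SCRIPT_NAME")
    qs  = Request.ServerVariables("QUERY_STRING")
    If Len(qs) > 0 Then url = url & "?" & qs
    Response.Redirect url
End Sub
%>
```

Call RequireSecure before the page writes any output. If the device's address or port is entered wrongly, every request is redirected back to the secure URL in a loop, so test one page first.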
kevind
Posts: 251
|
| Posted: 11/25/2004, 4:23 AM |
|
ok, thanks for all the help, that gives me enough answers to formulate a way around it within CCS.
With testing for the remote host, calling stuff from https:// and authenticating the user - that should be enough protection, yes?
just thinking aloud.......
...you'd think the Hosting Service could protect the folder where I put the pages so that only the SSL device would be allowed access to it - I know you can do this on web sites but, I guess to do this on a given folder might be too fine a setting.....
I'll put it to the provider and see what they say.
Regards
Kevin
|
 |
 |
|