RE: Detecting Secure requesting when hardware based SSL offloading is

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Curt_C [MVP] <software_at_darkfalz.com>
Date: Thu, 1 Sep 2005 06:16:03 -0700

If I understood correctly.. nope. If they are removing the request from the
HTTPS context, and rerouting to an HTTP URL in the backend then you are
probably out of luck. The offloader will be your only point of reference. If
the call comes from there, or if they can pass an additional flag, you should
be able to get to that.

--
Curt Christianson
site: http://www.darkfalz.com
blog: http://blog.darkfalz.com

"Prabhu" wrote:

> Hi.
> We have an ASP.net Web application in which some of the pages are to be
> served over secure channel using HTTPS.
> We have built a framework that allows pages to be served over secure channel
> specified in a configuration file. When a request for specified pages comes
> over HTTP, framework detects and redirects the browser over HTTPS.
> Similarly for non secure pages if the request comes over HTTPS the
> framework redirects the browser onto HTTP.
>
> We use HttpRequest.IsSecureConnection property to determine HTTP/HTTPS was
> used to make the request. This all used to work fine until now.
>
> Now the infrastructure group has taken out SSL responsibilities from the Web
> Server and given it to an Hardware SSL offloader. What SSL offloader is doing
> is it decrypts the request from client and sends an un encrypted request to
> Web Server.
> As a consequence HttpRequest.IsSecureConnection is always returning false
> to the application?
>
> Is anyone aware of a solution to the above problem i.e. for us to detect SSL
> request in SSL Offloading scenario by other means than using
> HttpRequest.IsSecureConnection (for e.g. checking headers??)
>
> Thanks
.

References:
- Detecting Secure requesting when hardware based SSL offloading is
  - From: Prabhu

Prev by Date: Are Application_Error and Page_Error triggered by the same event?
Next by Date: Re: Are Application_Error and Page_Error triggered by the same event?
Previous by thread: Detecting Secure requesting when hardware based SSL offloading is
Next by thread: VS 2005 query
Index(es):
- Date
- Thread

Relevant Pages

How to grab the raw HTTPS stream in Tomcat?
... I need to "intercept" the HTTPS post request, store all the raw ... The customer will already have been given a unique x509 certificate to ...
(comp.security.unix)
Re: Server.transfer and ssl
... It is the "https" in the url that instructs the server to use SSL, ... browser request that initialtes the switch. ... give the browser the opportunity to specify a protocol. ...
(microsoft.public.dotnet.framework.aspnet)
Re: does IIS log record any attempt to contact?
... the request ... > try to connect to the site using https from another ... > my server logs would show requests for the site over port ...
(microsoft.public.inetserver.iis.security)
Detecting Secure requesting when hardware based SSL offloading is
... We have built a framework that allows pages to be served over secure channel ... framework detects and redirects the browser over HTTPS. ... Similarly for non secure pages if the request comes over HTTPS the ... Server and given it to an Hardware SSL offloader. ...
(microsoft.public.dotnet.framework.aspnet)
Re: SSL broken after Windows 2003 upgrade
... I think you misread my post re the "bad request" - I think that was legit ... Re WFetch and HTTPS, this is what I get when I run a request to ... Tried moving the SSL port to ... > routes them to the appropriate w3wp.exe based on configuration from WAS ...
(microsoft.public.inetserver.iis)