External DNS encryption fails in loading a https enabled website.

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

Do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.
This thread is closed to new posts. You must sign in to post in the forums.
1/16/2015 6:59:54 PM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

External DNS encryption fails in loading a https enabled website.

Hi Joe Audette,

Im facing a serious issue, which Im unable to handle.

The issue is, an external DNS management, which also provides SSL encryption, fails in serving HTTPS requests to mojoPortal modules, including Login/Register.

Scenario: Im dealing with an external Cloud based DNS management based service provided by CloudFlare, who is also providing a FREE SSL - Also known as Flexible SSL, which just encrypts the incoming HTTPS traffic, wherein, there're other options, to have FULL SSL (enabling SSL on shared hosting server(arvixe) as well as on the DNS console). But I have chosen Flexible SSL in this scenario.

When i enable the SSL (as per the articles,https://www.mojoportal.com/use-ssl and https://www.mojoportal.com/configuring-ssl-in-mojoportal) the site loads with the CMS pages (HTML module) but fails with any other inbuilt modules like Login/Register or basic-custom modules created like web forms, which was earlier working fine with StartSSL's free ssl.

This happened in a Billing software(WHMCS) and Support Software(Kayako) and WordPress which i  had fixed it after realizing that they are depending on the applications are looking for local(hosting server's) IP address to serve the https requests, which accidentally fails with external IP address provided by the CloudFlare's nameservers.

Now, I guess the similar issue has occurred with mojoPortal. So I would request you to fix this issue or let me know, if i need to make some changes somewhere in the code or settings to achieve the portal serving secured requests.

Thank you in Advance.

Regards,

Guruprasad

1/17/2015 9:03:09 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: External DNS encryption fails in loading a https enabled website.

Hi,

The scenario you describe is really a proxy server scenario. The Web server does not have an ssl certificate so it is not encrypting traffic but another server sits in front of the web server and and serves as a proxy for the real web server, it intercepts requests from the client web browsers and it encrypts traffic between itself and the web browsers, but behind the scenes it makes a non secure request to the web server, it gets the result and encrypts it and send it back to the browser.

The problem in this scenario is that the web server itself does not know the request is secure, from its own point of view it is not a secure request, but a standard request. More specifically the normal way we detect a secure request is to check

HttpContext.Current.Request.IsSecureConnection

but in this scenario it always returns false, because as stated the traffic between the web server and the proxy server is not really secure, only the traffic between the proxy server and the web browser is secure.

So what happens when you set SSLIsAvailable to true, mojoPortal code is trying to secure the important pages such as login, register, user profile by redirecting non secure requests to make them secure. But since it can never detect a secure connection it results in a redirect loop.

One option, is leave SSLIsAvailable as false and ask the host or service provider if they have a way to force all traffic as secure. In other words mojoPortal code doesn't have to be the one doing redirects to force secure requests, the external provider may be able to do that for you.

There may be another way to make it work but it depends. Sometimes a proxy server will provide a custom server variable that can be used to tell the web server that it is a secure request. mojoPortal has configuration settings to tell it to look for a custom server variable but to do that we need to know the name of the custom variable and what value it should have.

What I would like you to do is look for this in Web.config and either change it to true there or copy it to user.config and make it true in user.config

<add key="EnableDeveloperMenuInAdminMenu" value="false" />

also for now set SSLIsAvailable as false

create a temporary user with admin role and privately send me credentials and the url to login. joe dot audette at g mail dotcom

That will allow me to look at Administration > Advanced Tools > Developer Tools > Server Variables

By looking at that page with both http and https I can see if there is any custom variable available. If there is then I may be able to tell you configuration settings to solve the problem.

after that you can delete the temporary user.

Best Regards,

Joe

1/18/2015 6:30:58 PM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

Re: External DNS encryption fails in loading a https enabled website.

Hi Joe,
Many thanks for addressing upon this issue.
I have created a temporary Admin account on my Customer's website and have PM'ed you via an email, as you preferred.
Please take a look at the same and do the needful.
Thanks in advance.

Regards,
Guruprasad

1/19/2015 7:33:32 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: External DNS encryption fails in loading a https enabled website.

Hi,

Good news, checking the server variables I saw that the proxy is providing a variable that you can use to configure mojoPortal so that it can detect a secure request.

Specifically it provides this custom server variable:

HTTP_X_FORWARDED_PROTO

on secure requests it has the value https and on non secure requests it has the value http

If you put this in user.config

<add key="SecureConnectionServerVariableForValueCheck" value="HTTP_X_FORWARDED_PROTO" />
<add key="SecureConnectionServerVariableSecureValue" value="https" />

Then you should be able to change SSLIsAvailable back to true and it should work.

You can now delete the temporary account I used to check this.

Hope that helps,

Joe

1/19/2015 8:38:01 AM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

Re: External DNS encryption fails in loading a https enabled website.

Wow,
Great Joe,
I appreciate your finding of the Custom Server Variable.
I shall make changes as you have mentioned.
Will update you soon with the result.
Thank You once again.

Regards,
Guruprasad

1/20/2015 7:10:43 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: External DNS encryption fails in loading a https enabled website.

yes please confirm if this solved it for you

Thanks,

Joe

1/21/2015 10:29:31 PM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

Re: External DNS encryption fails in loading a https enabled website.

Hi Joe,

I tried adding that key, as you have mentioned, in the user.config and also enabled "SSLisAvailable" to true and also tried enabling/disabling the "useCookies" in the <forms> tag, but still the site experiences a redirect loop when tried signing in using the default SignIn url.

I still have the admin account enabled on that website. You could take a look at it, incase if you wanted to find something else on the portal.

Please let me know what I can do further upon this issue.

Thanks in Advance,

Regards,

Guruprasad

1/22/2015 7:07:06 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: External DNS encryption fails in loading a https enabled website.

In that case, mojoPortal cannot be the one to redirect from insecure requests to secure requests, so you will have to leave SSLIsAvailable as false and use some means external to mojoPortal to redirect insecure traffic to be secure. I suggest ask the host or ssl provider what they have to handle that for you.

1/22/2015 7:14:58 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: External DNS encryption fails in loading a https enabled website.

though it would be more ideal to do redirecting on the server or from the proxy itself, you could also try to do it with javascript by putting this in the head of the layout.master file

<script>
if (window.location.protocol != "https:")
    window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
    </script>

1/23/2015 8:01:25 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: External DNS encryption fails in loading a https enabled website.

I may have found the problem. If you are using the latest version 2.4.0.8 or if you upgrade to that version and then replace the mojoPortal.Web.dll with the patched one in this zip it might fix the problem.

1/29/2015 2:02:46 AM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

Re: External DNS encryption fails in loading a https enabled website.

Hi Joe,

Thanks a lot for finding the cause of the issue. Also after making changes to these lines,

<add key="SSLIsAvailable" value="false" />

and removing requireSSL="true" from

<forms name=".mojochangeme" protection="All" timeout="20160" path="/" cookieless="UseCookies" loginUrl="~/Secure/Login.aspx" />

and also adding these couple of lines in user.config,

<add key="SecureConnectionServerVariableForValueCheck" value="HTTP_X_FORWARDED_PROTO" />
  <add key="SecureConnectionServerVariableSecureValue" value="https" />

and a legacy force for HTTPS using the javascript that you provided,

<script type="text/javascript">
if (window.location.protocol != "https:")
    window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
    </script>

Fixed the issue, also my web host has assured to make some changes on their server for working with the Server Variable(which hasnt done yet).

Once again I thank you for your efforts in providing the workaround :-)
I would be more glad, if you can provide me the information about the changes that you have done in the most recent version(2.4.0.8) of mojoPortal with regards to the mojoPortal.Web.dll

Thank You and have a great day ahead.

Regards,
Guruprasad

You must sign in to post in the forums. This thread is closed to new posts.