ARR with SSL offloading: app needs to know it was SSL - ssl

I have set up a web farm with ARR, using SSL offloading. Although the connection from ARR to the content site is proceeding with just HTTP, the application running on the site needs to know the original URL was HTTPS, so that links given in the result can be HTTPS. Can this be done?
I know I can capture the original HTTPS status as a new server variable (I'm using HTTP-X-ORIGINAL-HTTPS) using URL Rewrite on the ARR server. But how can I restore it to the content site using URL Rewrite? Obviously a redirect rule is not appropriate; a none action that sets server variables seems like it might be. I don't have an SSL binding on the content site. Do I have to make my content application look for the HTTP-X-ORIGINAL-HTTPS? Seems ugly.

Eventually I did -- I made the content application look for the request header HTTPS. (I have also switched from ARR to haproxy because haproxy gives me wildcard-bound TLS termination for free.)

Related

How to change the http into https for my domain name?

I recently bought a domain name at OVH for an app I hosted on Heroku. I then paid for the dynos in order to set an automatic SSL certificate.
Everything seems to me working fine:
Domain Status Last Updated
─────────── ─────────── ────────────
mpjrigot.eu Cert issued 2 minutes
mpjrigot.fr Cert issued 2 minutes
But my URL is still in HTTP. What am I missing?
EDIT
I'm using React.js for this app
I also have a Ruby on Rails back but for nom i'm keeping that on the heroku.app, works fine
2nd EDIT
Using react-https-redirect, force-https or react-ssl-redirect...
Basically, chrome tells me that "this is not a safe space", and that this is a fake https that might want to steal the user's passwords and stuff
So I got an SSL that is set on my HerokuApp,
I got a domain on OVH that points to the IP of the app
But the http isn't secure somehow
I really think I missed something obvious as I'm new to this...
You can add HTTPS to your app with the following methods.
Method1 (Recommended)
Since, you're using rails for the backend, you can configure your rails app to always use HTTPS.
in your production.rb add
config.force_ssl = true
More Info: https://help.heroku.com/J2R1S4T8/can-heroku-force-an-application-to-use-ssl-tls
ActionDispatch SSL: https://api.rubyonrails.org/v6.1.4/classes/ActionDispatch/SSL.html
Method2 (Easy Setup)
You can also signup for cloudflare's free plan and easily setup https redirects with cloudflare's 'Always Use HTTPS' or 'Automatic HTTPS Rewrites' feature.
The 'Always Use HTTPS' feature will redirect all http requests on your site to https address.
The 'Automatic HTTP Rewrites' feature will change the HTTP links on your site to HTTPS links.
More Info here:
Always use HTTPS: https://blog.cloudflare.com/how-to-make-your-site-https-only
Automatic HTTPS: https://www.cloudflare.com/website-optimization/automatic-https-rewrite/
Cloudflare's SSL: https://www.cloudflare.com/ssl/
cloudflare dashboard
What am I missing?
Heroku provides a certificate, so you should be able to access your application using https://. However it does not redirect HTTP requests to HTTPS for you:
Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.
Exactly how you do that depends on the language and libraries or framework that you are using. Several common examples are listed in the link I provided above.
If you edit your question to tell us what technology you have used to build your application I'll be happy to add those details to this answer. In case you are using Scala, please see How to disable HTTP requests on Heroku and/or auto-redirect to HTTPS?
solution
I eventually read about Heroku needing a specific host that takes in the address they tell you to point to when setting a domain name...
So I switched to Gandi for my domain name and set the ALIAS to point to said adress
Works like a charm

mysite.com/api and mysite/images not being aliased to my domain

I have a site being hosted on heroku so I can go to myapp.herokuapp.com/ and my SPA loads. I got a domain and used cloudflare with a CName record to alais mydomain.com to myapp.herokuapp.com. Great the sites load. Within my SPA i load some images. If my app loads directly from heroku *myapp.herokuapp.com/images/filex.png" it works fine but if I call (or type in the address bar) myDomain.com/images/files.png" I just get my site back like i types mydomain.com
Is this an issue with cloudflare? Do i need additional routing rules?
or is this an issue with my express server that is serving the app and images? does the redirected
request look different and do I need to add code to handle the redirect?
I'm not sure why the redirect is happening without more information. My best guess is that you need to follow these instructions from Heroku. Without this, Heroku servers will have no idea what to do with a request that has a host header of mydomain.com, and will perform in some unexpected way. Heroku needs some way on its side to know that all mydomain.com requests should be handled identically to myapp.herokuapp.com requests.
If this configuration is already in place, your underlying code needs to handle myapp.herokuapp.com and mydomain.com, but I believe by default express will not care about hostname.
Seems to have been an issue with heroku. It’s working fine on aws.

setting up an SSL site with multiple bindings in IIS 8.5

I am hoping you can help. I have 5 websites that run off the same .net code base and have different themes based on the url.
For example, http://site1.mydomain.co.uk is set up so that it does a http redirect to https://site1.mydomain.co.uk and I have the main SSL IIS entry as mydomain.co.uk with a wildcard SSL certificate and bindings for https://site1.mydomain.co.uk.
The issue I have though is when I put the http redirect on one of the other urls, all of them change to the last one entered. If that makes sense?
So, let's say I have just finished the site1.mydomain.co.uk entry and now move onto site2.mydomain.co.uk. I create the https://site2.mydomain.co.uk binding in the main mydomain.co.uk IIS record and then put a http redirect on http://site2.mydomain.co.uk so that it redirects to https://site2.mydomain.co.uk.
If I then go and check the previous record, site1.mydomain.co.uk the redirect has now changed to https://site2.mydomain.co.uk which is not what I wanted. Why is it doing this and how can I prevent this?
Is there any chance you're using the same folder in the filesystem for all 5 websites?
In IIS, the HTTP Redirect settings are stored in a web.config file in the folder you're serving from, so if you were serving all 5 sites from the same folder then they would all have the same settings, i.e. changing the settings for one of them would change it for all of them.
That being said, I strongly recommend that you use URL Rewrite to do http to https redirects. Doing the redirect in this way is compatible with having 5 sites served from the same folder. You can install it from here (WARNING: the install requires an iisreset, i.e. a brief downtime for your site): http://www.iis.net/downloads/microsoft/url-rewrite
After installing URL Rewrite, you can create a rule to do the redirect. Stack Overflow won't let me post the screenshot here, so I uploaded it to here: http://postimg.org/image/4s4vjajs3/cf4f5c08/
Also, if you're using a wildcard certificate, then doing the redirect in this way might remove your need for having 5 different websites.

SSL Site Setup HTML not making sense

I have been searching the internet for two days and I am stuck. I understand that I can purchase an SSL certificate to make my site work for HTTPS so that it is more secure and all that jazz.
My question is do I have to do anything special on the HTML/PHP pages I create for this site, like some PHP call to open a session, or does the fact that there is an SSL Cert on the server mean I don't have to change anything on the HTML pages?
Sorry if this is a dumb question, but I can't find the answer anywhere.
Its primary the setup of the server, e.g. that you have to make the site accessible by SSL (port etc) and configure the certificates.
But maybe you need to make adjustments to your HTML etc too, so that all resources (images, script, css..) will be loaded by SSL too, e.g. all these includes should be either be done with site-relative links or with explicite https:// links. In case the site gets served with both https and http you might also use protocol-relative links, e.g. //www.example.com/index.html will be served with http if the current protocol is http and with https if you currently use https.

htaccess redirect to shared SSL

Apologies if this is a duplicate, but I couldn't find a question fitting my exact circumstances.
I am redesigning a site, part of which will require SSL coverage. I have set up SSL with our hosting provider, but this is shared SSL. Whereas our current site is at www.companyname.com, the secure server is at companyname.genericssl-host.com.
I believe the best way to proceed is to simply shift all the web files onto the secure server, whether they need to be secure or not, then redirect www.companyname.com to there. However, the provider informs me that if I do that, the URL in the browser address bar will still read companyname.genericssl-host.com once the redirect completes, and that I would need to edit the htaccess file to make it read good ol' www.companyname.com again.
What does the htaccess file need to contain in order to do this?
Not sure what your hosting provider is referring to, but changing it back to "www.companyname.com" defeats the purpose of using SSL at all. What shows up in the browser's address bar is:
what host the browser is going to send a request to
what URI it will request
the query string if there is any
If you change it back to www.companyname.com, it's going to send a non-SSL request to that host, which defeats the purpose of redirecting it to SSL in the first place.
You need to buy a certificate for *.companyname.com and install if on a host specific to your server.