CloudFlare SSL Compatibility with ASP.NET MVC RequireHttps

I host an ASP.NET MVC 4 site on AppHarbor (which uses Amazon EC2) and I use CloudFlare for Flexible SSL. While trying to use RequireHttps, I had a problem with redirect loops (310). The problem is that, like EC2, CloudFlare terminates SSL before sending a request to the server. However, while Amazon sets the X-Forwarded-Proto header so that you can process the request with a custom filter, CloudFlare does not appear to. Or if they do, I don't know how they do it, because I can't intercept traffic at this level. I tried solutions for Amazon EC2, but they don't seem to help with CloudFlare.

Has anyone run into this issue, or found anything about CloudFlare that helps?

+4
3 answers

The X-Forwarded-Proto header is intentionally overridden by the AppHarbor load balancers to the actual request scheme.

Please note that while the CloudFlare Flexible SSL option can slightly enhance security, unencrypted traffic is still sent over the public Internet from CloudFlare to AppHarbor. This probably defeats the purpose of SSL for anything other than appearances and a reduction in the number of attack vectors (for example, packet sniffing on the user's local network); that is, it may look "professional" to your users, but in fact it is still unsafe.

This is less than ideal because AppHarbor supports both installing your own certificates and piggyback SSL. CloudFlare also recommends using "Full SSL" for scenarios where origin servers/services support SSL. Thus, you have several options:

  • Continue to use the unsafe "Flexible SSL" setting, but instead of checking the X-Forwarded-Proto header in your custom RequireHttps filter, check the scheme attribute of the CF-Visitor header. See this discussion for more information.
  • Use Full SSL and point CloudFlare at your *.apphb.com name. This way you can use the free piggyback SSL, which is enabled by default for your AppHarbor application. You will have to override the Host header on CloudFlare to make this work, and here's a blog post on how to do this. This, of course, will make requests to your application look as if they were made to your *.apphb.com domain, so if, for example, you automatically redirect requests to a "canonical" URL or generate absolute URLs, you may have to take this into account.
  • Upload your certificate and add your own hostname in AppHarbor. Then enable "Full SSL" on CloudFlare. This way the Host header stays the same and your application continues to work without any changes. You can learn more about the SSL options offered by AppHarbor in this knowledge base article.
+3
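The first option above (keep Flexible SSL but decide "was this HTTPS?" from what the proxy tells you) is what the asker's custom filter needs. The following ASP.NET MVC 4 filter is an added example, not code from the answer or from AppHarbor/CloudFlare. It overrides the stock RequireHttpsAttribute so that a request is accepted as secure when either the connection itself is TLS, the load balancer's X-Forwarded-Proto says https, or CloudFlare's CF-Visitor header carries {"scheme":"https"}. The header names come from the thread; the class name, the exact JSON shape of CF-Visitor, and the first-value handling of a comma-separated X-Forwarded-Proto are assumptions. Because both headers are plain request headers, a client that can reach the origin directly can set them itself, so the filter only proves anything when the origin accepts traffic exclusively from the proxy.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using System.Web.Script.Serialization;

// Added example: RequireHttps that understands a TLS-terminating proxy in front
// of the app (AppHarbor load balancer via X-Forwarded-Proto, CloudFlare
// Flexible SSL via CF-Visitor). Class name and details are assumptions.
public class RequireHttpsBehindProxyAttribute : RequireHttpsAttribute
{
    // MVC calls this only when Request.IsSecureConnection is false, i.e. when
    // the origin itself saw plain HTTP. That is always the case behind
    // Flexible SSL, so this is where the proxy headers have to be consulted.
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        if (IsHttpsForwarded(request) || IsCloudFlareHttps(request))
            return; // the visitor's leg was HTTPS; let the action run

        // Otherwise keep the stock behaviour: redirect GET to https://, 403 for other verbs.
        base.HandleNonHttpsRequest(filterContext);
    }

    // X-Forwarded-Proto: "https" (possibly "https, http" if several hops append to it;
    // the first value is the one closest to the visitor). Assumption: single proxy hop.
    private static bool IsHttpsForwarded(HttpRequestBase request)
    {
        var proto = request.Headers["X-Forwarded-Proto"];
        if (string.IsNullOrEmpty(proto)) return false;
        var first = proto.Split(',')[0].Trim();
        return first.Equals("https", StringComparison.OrdinalIgnoreCase);
    }

    // CF-Visitor: a small JSON object such as {"scheme":"https"}.
    private static bool IsCloudFlareHttps(HttpRequestBase request)
    {
        var visitor = request.Headers["CF-Visitor"];
        if (string.IsNullOrEmpty(visitor)) return false;
        try
        {
            var parsed = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(visitor);
            object scheme;
            return parsed != null
                && parsed.TryGetValue("scheme", out scheme)
                && "https".Equals(scheme as string, StringComparison.OrdinalIgnoreCase);
        }
        catch (ArgumentException)
        {
            return false; // malformed header: treat as not HTTPS and let the base class redirect
        }
    }
}

// Usage: replace [RequireHttps] on the controller or action (or in
// FilterConfig.RegisterGlobalFilters) with [RequireHttpsBehindProxy].
```

Because the redirect branch is unchanged, a visitor who really did arrive over http:// is still sent to https://; the loop the asker saw only disappears because the https:// request, which the origin previously could not tell apart from the http:// one, is now recognised from the proxy header.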

It is interesting.

I recently spoke with one of our clients who asked me about "flexible" SSL and suggested that we (Incapsula) also offer this option.

After some discussion, we both came to the conclusion that such a function would be misleading, as it would provide the end user with a false sense of security, as well as exposing the site owner to liability.

Simply put, a visitor on one of these "flexible" SSL connections can feel completely secure behind the encryption and will provide confidential data, not knowing that the "cloud to server" route is not encrypted at all and can be intercepted (that is, backdoor shells).

It was interesting to visit here and see that others reach the same conclusion. +1

Please be aware that, as the owner of the website, you can be held liable for any undesirable effects this setup may cause.

My suggestion is to do the right thing and invest in an SSL certificate, or even create a self-signed one (to encrypt the cloud-to-server route).

0

Or you can simply get a free SSL certificate for a year, signed by StartCom, and upload it to AppHarbor.

Then you can call it a day and pat yourself on the back! That is, until the cert expires in a year =)

0
