Member
monitor.admins-myus - 8/9/2011 4:03:03 PM
   
Using Require SSL Security with a SSL Offload Device
Hello All, we are deploying Kentico in a load-balanced environment containing 3 physical servers. These servers sit behind a load balancer as well as an SSL Offload/Accelerator device. All SSL Encryption/Decryption happens on the Offload device. When a client hits a page using HTTPS, the SSL Offload device will decrypt the traffic and create a new HTTP session to the backend server. This means that all backend Kentico servers will only see HTTP traffic. If I enable "Require SSL Security", this results in a redirect loop. Is there any way to make the require SSL option work in this scenario? Is there anyone out there that uses an SSL Offload device with Kentico?

Kentico Support
kentico_zdenekc - 8/11/2011 8:32:14 PM
   
RE:Using Require SSL Security with a SSL Offload Device
Hello,

The usage of any SSL balancer / accelerator hits a limitation in current versions of Kentico CMS (including the last 5.5 R2). Our RewritingEngine detects the protocol from the URL only. It doesn't detect any of the methods to inform the server about a forwarded HTTPS request, like HTTP.X-Forwarded-Proto or X-Forwarded-SSL headers or similar. When the http URL for a page that "Requires SSL" is hit, the rewriter redirects to https:// and starts an infinite loop.

Currently there are two options:
1) Modify the source code of our UrlRewriter to reflect those headers for protocol detection. (This requires the source code license).

2) Incorporate your own detection code into Global.asax.cs and manually detect which pages (URLs) should be under SSL and check the X-Forwarded headers to prevent redirection loops.
(You cannot use the SSL settings on the Security tab of the document properties in that case.)

Fortunately, in upcoming version 6.0 (Q3/2011), there should be a possibility to enable detection of these forwarded requests from SSL offload/balancers. Please feel free to contact us after official release to get more details.

Best regards,
Zdenek Cetkovsky
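
One way to implement option 2 above, as an added example that is not Kentico's code and not part of the original post: a `Global.asax.cs` check that redirects only when the client-facing hop was plain HTTP, and trusts `X-Forwarded-Proto` only from the offload device so a client cannot forge it. The class name, URL prefixes, proxy addresses and host name are assumptions; merge the logic into the project's existing `Application_BeginRequest`.

```csharp
// Added example for Global.asax.cs; not Kentico code. Prefixes, addresses, host
// name and the header used are assumptions to adapt to the actual offload device.
using System;
using System.Linq;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: URL prefixes that must be served over HTTPS.
    private static readonly string[] SecurePrefixes = { "/checkout", "/account" };

    // Assumption: backend-facing addresses of the SSL offload device (constructed values).
    private static readonly string[] TrustedProxies = { "10.0.0.10", "10.0.0.11" };

    // Assumption: public host name, fixed so the redirect never echoes a client-supplied Host header.
    private const string PublicHost = "www.example.com";

    // True when the client-to-offloader hop used HTTPS.
    private static bool IsOriginalRequestSecure(HttpRequest request)
    {
        if (request.IsSecureConnection)
        {
            return true; // TLS terminated on this server (no offloader in the path)
        }

        // Honour the forwarded header only from the offload device; any client
        // reaching the backend directly could otherwise set it itself.
        if (!TrustedProxies.Contains(request.UserHostAddress))
        {
            return false;
        }

        string proto = request.Headers["X-Forwarded-Proto"];
        return string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase);
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string path = Request.Url.AbsolutePath;
        bool needsSsl = SecurePrefixes.Any(
            p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase));

        if (needsSsl && !IsOriginalRequestSecure(Request))
        {
            // Redirect once; the offloader marks the follow-up request as https, which ends the loop.
            Response.Redirect("https://" + PublicHost + Request.Url.PathAndQuery, true);
        }
    }
}
```

The offload device should be configured to overwrite, not append to, any `X-Forwarded-Proto` value supplied by the client.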

Member
monitor.admins-myus - 8/12/2011 8:42:04 AM
   
RE:Using Require SSL Security with a SSL Offload Device
Thanks for the informative reply. It's nice to hear that future versions *may* have the option to use custom headers.

Member
monitor.admins-myus - 8/12/2011 10:09:23 AM
   
RE:Using Require SSL Security with a SSL Offload Device
I have one other question. Will 6.0 allow for the use of the x-forwarded-for header in the IPCountryHelper class?

Kentico Developer
kentico_ivanat - 8/15/2011 2:22:02 AM
   
RE:Using Require SSL Security with a SSL Offload Device
Hi,

Unfortunately, this header is not used in version 6.0. I created a requirement to add support for it in one of the next versions.

Best regards,
Ivana Tomanickova

Member
monitor.admins-myus - 8/15/2011 8:53:33 AM
   
RE:Using Require SSL Security with a SSL Offload Device
Will the header for SSL be included? Or are you referring to both?

Thanks

Kentico Developer
kentico_ivanat - 8/16/2011 5:32:46 AM
   
RE:Using Require SSL Security with a SSL Offload Device
Hi,

As for SSL: SSL headers will not be checked directly, but there will be a possibility to take a look into the headers (if there is x-forwarded-ssl, ...) and then set one property (for example IsSSL) which ensures correct handling and general system support. Everything will be described in the documentation for version 6.0.

Best regards,
Ivana Tomanickova