In HTTPS request , Request.IsSecureConnection return false

Question

I have an asp.net application working in https (SSL). This is working well in my local computer and Amazon AWS(production environment).

But when I host this application in office (for testing) some strange things happens.

1. I can see the https in browser and the lock sign.

2. Fiddler also showing that the output is encrypted and shows port 443.

3. But HttpContext.Current.Request.IsSecureConnection returns false

4. And HttpContext.Current.Request.Url.Scheme returns http.

In the office we are using Juniper SSG firewall and TMG 2010 (Forefront Threat Management Gateway 2010). So server receive request through Juniper and TMG 2010. Thanks in advance.

Answer 1

To reduce costs I suspect that the SSL certificate is installed on the TMG Gateway and that this gateway is simply rewriting the request to standard HTTP when passing it to the actual web server. So by the time the request hits IIS and your web application it is a standard plain HTTP request.

Answer 2

This tripped my up after deploying to Amazon's Elastic Beanstalk environment. I couldn't see any way to get the load-balancer to allow the SSL request straight through to the server. Instead it was always terminating the SSL at the load-balancer and passing plain http back to the server.

I found this documentation: Elastic Load Balancing Concepts - X-Forwarded Headers.

Essentially the load-balancer injects a number of additional HTTP Headers into each request before forwarding it to the back-end server. The most relevant one is X-Forwarded-Proto which tracks the protocol used to connect from the client's browser to the load-balancer. This can be checked like so:

var loadbalancerReceivedSSLRequest = string.Equals(Request.Headers["X-Forwarded-Proto"], "https"); var serverReceivedSSLRequest = Request.IsSecureConnection;  if (loadbalancerReceivedSSLRequest || serverReceivedSSLRequest) {     // SSL in use. } else {     // SSL not in use. }