2

How can I make IIS and ASP.NET aware of SSL Offloading so that it uses correct protocol for Response.Redirect?

I am working with a client who is using F5 load balancer with SSL offloading. The IIS web site (and ASP.NET web app) are bound to HTTP, not HTTPS, and so whenever ASP.NET uses Response.Redirect(url) it results in 302 redirect to http instead of https

Obvious solution would be to bind to HTTPS in IIS, but client does not operate that way. They have numerous other applications (mostly on apache) and report that it works just fine (it is somehow aware of SSL Offloading). SSL terminates at the load balancer, meaning user-to-load balancer is HTTPS, and then load balancer-to-server is HTTP. And they want to keep it that way (makes it easier for IDS to detect attacks in encrypted payloads, IT can snoop on users, etc.).

We've tried URL Rewrite module (from Microsoft) with very limited success. Client's IT dept reports they have also tried some configuration with F5 but I am not familiar with this product and apparently neither are they. It would be much easier if we could just force a flag in IIS or something, but I have been looking over Msft docs with no answer found so far.

Looking for a solution that is applied only to IIS, please. Thanks!

nothingisnecessary
  • 6,099
  • 36
  • 60
  • You can rewrite the location headers and http to https in F5's stream profiles and iRules, but if the application has a fair amount of AJAX you really do need the application server to respond with all SSL links. You can forward from the BIG-IP the X-Forwarded-Proto header with a value of https, but IIS would need to be able to read it and respond accordingly. I don't know IIS well, so I'll leave that as an exercise for you. – Jason Rahm Jun 30 '16 at 17:14
  • There was a similar discussion here that may provide some help depending on your application: https://devcentral.f5.com/questions/redirect-rewrite-f5-to-server-only Not sure if it will help. – Chase Jun 30 '16 at 17:34

0 Answers0