3

I have a load balancer with some web servers behind it. The traffic hitting the load balancer is secured with SSL and the data coming from the load balancer to the web server is sent as unencrypted HTTP traffic. I am using the DotNetOpenAuth OAuth Service Provider behind the load balancer on the web servers.

When a request is sent from my client, I am hitting https://www.mydomain.com/OAuth.ashx. However, once it hits the load balancer, the protocol is changed to HTTP and the URL that is actually read by the HttpContext's Request.Url is http://www.mydomain.com/OAuth.ashx.

The protocol in the URL is getting modified. Has anyone encountered this and if so, how did you resolve this problem? The only thing I can think of is to get the DotNetOpenAuth source, modify the code to force the https URL, then compile it and use that instead of the pre-packed assemblies.

Any direction is appreciated.

Brandon
  • possible duplicate of [DotNetOpenAuth RP fails behind SSL appliance](http://stackoverflow.com/questions/3209169/dotnetopenauth-rp-fails-behind-ssl-appliance) – Andrew Arnott Jun 25 '11 at 02:28

2 Answers

6

In case anyone runs into this, here is the answer to the problem:

[DotNetOpenAuth RP fails behind SSL appliance](http://stackoverflow.com/questions/3209169/dotnetopenauth-rp-fails-behind-ssl-appliance)

I talked to my host and had them add the X_FORWARDED_PROTO header to every request and give it the value of 'HTTPS'. This resolved all issues we were facing.

Brandon
  • I hope they're only applying that header to the requests that actually do come in as HTTPS. – Andrew Arnott Jun 25 '11 at 02:28
  • Thanks for the response Andrew. We enforce 100% of all traffic as HTTPS to our load balancer. If a request comes in as HTTP, it gets redirected to HTTPS. We have this in our user documentation for those consuming our OAuth Service Provider. Glad you had already answered this in another post because we were pulling our hair out trying to figure this out. – Brandon Jun 25 '11 at 03:01
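
An added example, not part of the original answers and not DotNetOpenAuth's own code: one way a web server behind a TLS-terminating load balancer can rebuild the public URL from the forwarded-protocol header while honouring it only when the request arrives directly from the load balancer, which is the concern raised in the first comment above. The proxy address, the `ForwardedScheme` class and the `EffectiveUrl` helper are hypothetical names and values, and the public site is assumed to listen on the default port for its scheme.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class ForwardedScheme
{
    // Assumption: address of the TLS-terminating load balancer (constructed value).
    static readonly HashSet<IPAddress> TrustedProxies = new HashSet<IPAddress>
    {
        IPAddress.Parse("10.0.0.5"),
    };

    // Returns the URL the client actually requested. The forwarded scheme is
    // honoured only when the direct peer is a known proxy; otherwise any client
    // could send the header itself and make a plain HTTP request look like HTTPS.
    public static Uri EffectiveUrl(Uri seenByServer, IPAddress peer, string forwardedProto)
    {
        if (string.IsNullOrEmpty(forwardedProto) || !TrustedProxies.Contains(peer))
            return seenByServer;

        string scheme = forwardedProto.Trim().ToLowerInvariant();
        if (scheme != "http" && scheme != "https")
            return seenByServer; // ignore unexpected header values

        if (scheme == seenByServer.Scheme)
            return seenByServer;

        // Port = -1 drops the backend port so the default port of the
        // public scheme applies (assumption stated in the lead-in).
        var builder = new UriBuilder(seenByServer) { Scheme = scheme, Port = -1 };
        return builder.Uri;
    }

    static void Main()
    {
        // Constructed sample input matching the URLs in the question.
        var seen = new Uri("http://www.mydomain.com/OAuth.ashx");
        var loadBalancer = IPAddress.Parse("10.0.0.5");
        var directClient = IPAddress.Parse("203.0.113.9");

        Console.WriteLine(EffectiveUrl(seen, loadBalancer, "HTTPS")); // header trusted
        Console.WriteLine(EffectiveUrl(seen, directClient, "HTTPS")); // header ignored
        Console.WriteLine(EffectiveUrl(seen, loadBalancer, null));    // no header sent
    }
}
```

The load balancer should also overwrite any copy of the header supplied by the client, so that the value the web server sees always reflects how the request actually reached the load balancer.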
-1

Contact your network admins; they may have a network component (e.g. the load balancer) offloading SSL processing. So you can either work with the HTTP protocol or have them disable SSL offloading, which I suspect they probably don't really want to do.

dotnetnate