IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

SslRedirectFilter redirect only to default HTTPS port #77

Closed Kralizek closed 11 years ago

Kralizek commented 11 years ago

If you run your web server on a custom HTTPS port (not 443), when navigating to the site via HTTP, the issued redirect will always be to the standard HTTPS port (443), ignoring the port number set in the configuration. This creates a problem when the IdentityServer web site is hosted on a shared server whose port 443 is already used.

leastprivilege commented 11 years ago

Thanks! I will look into it.

leastprivilege commented 11 years ago

Just to understand - will it be good enough to use the SSL port from config for the redirect?

Kralizek commented 11 years ago

I guess that's the expected behavior, especially if you explicitly accept a port number in your configuration.

leastprivilege commented 11 years ago

OK - just want to make sure this is what you need.

leastprivilege commented 11 years ago

I mean how do you get to the HTTPS config setting in the first place?

Kralizek commented 11 years ago

I manually browse to the HTTPS URL instead of using the HTTP and let the site redirect me to the HTTPS binding. In this way I can normally use the admin UI to configure the service.

leastprivilege commented 11 years ago

ah ok. cool. Will fix it.

leastprivilege commented 11 years ago

https://github.com/thinktecture/Thinktecture.IdentityServer.v2/commit/5347a8edc1fcbaa8d9597c88085d8a22ac7d0001

Does that work for you?

Kralizek commented 11 years ago

I'll try it up :)

Kralizek commented 11 years ago

OK, I deployed it and it doesn't work.

I'll try to depict the current status: On a given server we have N web sites, each bound to a specific 2nd level domain. One of these is configured for using SSL connections over the port 443 (site1.domain.com). Please note that we have a *.domain.com certificate.

At this point I added a new web site containing IdentityServer and I used these bindings:

Before your change:

After your change:

leastprivilege commented 11 years ago

Well - works for me ;)

I have SSL port set to 444. When I come in via

http://idsrv.local

i get redirected to

https://idsrv.local:444

Why do you need the * binding for SSL on port 4567?

Can you debug?
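The behaviour discussed in this thread (redirecting to the configured SSL port instead of always 443), as an added example that is not part of the thread and is neither the project's code nor the linked commit. It is an MVC filter derived from `RequireHttpsAttribute`; the class name `ConfiguredPortRequireHttpsAttribute`, the helper `BuildHttpsUrl` and the `sslPort` parameter are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Added illustration; hypothetical names, not IdentityServer's SslRedirectFilter.
public class ConfiguredPortRequireHttpsAttribute : RequireHttpsAttribute
{
    private readonly int _sslPort;

    public ConfiguredPortRequireHttpsAttribute(int sslPort)
    {
        if (sslPort < 1 || sslPort > 65535)
            throw new ArgumentOutOfRangeException("sslPort");
        _sslPort = sslPort;
    }

    // Pure helper so the URL logic can be checked without an HTTP context.
    // http://idsrv.local/ with sslPort 444 gives https://idsrv.local:444/
    public static string BuildHttpsUrl(Uri requestUrl, int sslPort)
    {
        var builder = new UriBuilder(requestUrl)
        {
            Scheme = Uri.UriSchemeHttps,
            // -1 makes UriBuilder omit the port, which is correct for 443.
            // Any other value must be written out, or the browser lands on 443.
            Port = sslPort == 443 ? -1 : sslPort
        };
        return builder.Uri.AbsoluteUri; // path and query string are preserved
    }

    // Called by RequireHttpsAttribute only when the request is not secure.
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Redirect GET only: a redirected POST would drop its body, and the
        // credentials in it have already crossed the wire in clear text.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(403, "SSL required");
            return;
        }

        filterContext.Result = new RedirectResult(BuildHttpsUrl(request.Url, _sslPort));
    }
}
```

Because attribute arguments must be compile-time constants, a port read from configuration is passed by registering the filter in code, for example with `GlobalFilters.Filters.Add(new ConfiguredPortRequireHttpsAttribute(port))`.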

Kralizek commented 11 years ago

Apparently, HTTPS *:4567 is the one that makes everything work because if I remove it I can't access the site anymore.

UPDATE: I recreated the site and now I'm able to run with only two bindings:

HTTP auth.domain.com :80

HTTPS auth.domain.com :4567

I'm trying to set up the server on my machine and debug it.

Kralizek commented 11 years ago

OK, the code works properly, but the problem is somewhere else I guess.

I tried: