views: 211

answers: 1

We have some legacy ASP.NET code that detects if a request is secure, and redirects to the https version of the page if required.

This code uses Request.ServerVariables["SERVER_PORT_SECURE"] to detect if SSL is needed.

Our operations team has suggested doing proxy SSL at the load balancer (F5 Big-IP) instead of on the web servers (assume for the purposes of this question that this is a requirement).

The consequence would be that all requests appear as HTTP to the web server.

My question: how can we let the web servers know that the incoming connection was secure before it hit the load balancer? Can we continue to use Request.ServerVariables["SERVER_PORT_SECURE"]?

Do you know of a load balancer config that will send headers so that no application code changes are needed?

+1  A: 

Use an iRule to effectively add a custom element to the HTTP header and then detect it in the ASP.NET code via Request.Headers. Dig into the collection of the Request.Headers object as well, as your F5 hardware may already be marking itself in one of the HTTP headers anyway.

Nissan Fan
Can this be done in such a way that the header cannot be spoofed? For example, if an inbound request over HTTP contained the custom header, is the load balancer smart enough to not pass this along to the web server?
frankadelic
Simply create an iRule to always delete it if present, then create the inbound header with a private known value, and to strip it out on the way out. That way the downstream user never gets the header and doesn't know the secret key stored within it.
Nissan Fan
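
The web-server side of the approach discussed above, as an added example that is not part of the original thread: a check that still honours SERVER_PORT_SECURE and otherwise trusts only a header carrying the private value the load balancer sets. The header name X-LB-Secure, the appSettings key LbSecureToken and the class name are hypothetical; the code assumes the iRule removes any client-supplied copy of the header before setting its own.

```csharp
using System;
using System.Configuration;
using System.Web;

public static class ProxySslCheck
{
    // Hypothetical header name. The iRule is assumed to delete any inbound copy
    // and to set it only on connections that reached the load balancer over SSL.
    private const string HeaderName = "X-LB-Secure";

    public static bool IsSecure(HttpRequest request)
    {
        // SSL terminated on the web server itself still works as before.
        if (request.ServerVariables["SERVER_PORT_SECURE"] == "1") return true;

        // Hypothetical appSettings key holding the same private value as the iRule.
        string expected = ConfigurationManager.AppSettings["LbSecureToken"];
        string actual = request.Headers[HeaderName];

        // A missing header or missing configuration means "not secure".
        if (string.IsNullOrEmpty(expected) || actual == null) return false;
        return FixedTimeEquals(actual, expected);
    }

    // Compares without stopping at the first mismatch, so response timing
    // does not reveal how much of a guessed value was correct.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Replacement for the legacy redirect logic: send plain-HTTP requests to https.
    public static void RequireHttps(HttpContext context)
    {
        if (IsSecure(context.Request)) return;
        var url = new UriBuilder(context.Request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        context.Response.Redirect(url.Uri.AbsoluteUri, true);
    }
}
```

If the load balancer never sets the header, every request is treated as insecure and redirected, so a redirect loop after the switch to proxy SSL points at the iRule not being applied.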