CloudFlare SSL与ASP.NET MVC RequireHttps的兼容性

时间:2021-01-11 03:35:38

I am hosting an ASP.NET MVC 4 site on AppHarbor (which uses Amazon EC2), and I'm using CloudFlare for Flexible SSL. I'm having a problem with redirect loops (310) when trying to use RequireHttps. The problem is that, like EC2, CloudFlare terminates the SSL before forwarding the request onto the server. However, whereas Amazon sets the X-Forwarded-Proto header so that you can handle the request with a custom filter, CloudFlare does not appear to. Or if they do, I don't know how they are doing it, since I can't intercept traffic at that level. I've tried the solutions for Amazon EC2, but they don't seem to help with CloudFlare.

我在AppHarbor(使用Amazon EC2)上托管一个ASP.NET MVC 4站点,我正在使用CloudFlare进行灵活SSL。尝试使用RequireHttps时,我遇到了重定向循环(310)的问题。问题是,与EC2一样,CloudFlare会在将请求转发到服务器之前终止SSL。但是,虽然亚马逊设置了X-Forwarded-Proto标头,以便您可以使用自定义过滤器处理请求,但CloudFlare似乎没有。或者如果他们这样做,我不知道他们是怎么做的,因为我不能拦截那个级别的流量。我已经尝试过Amazon EC2的解决方案,但它们似乎对CloudFlare没有帮助。

Has anyone experienced this issue, or know enough about CloudFlare to help?

有没有人遇到过这个问题,或者对CloudFlare有足够的了解?

3 个解决方案

#1


3  

The X-Forwarded-Proto header is intentionally overridden by AppHarbor's load balancers to the actual scheme of the request.

AppHarbor的负载均衡器故意将X-Forwarded-Proto标头覆盖到请求的实际方案。

Note that while CloudFlare's flexible SSL option may add slightly more security, there is still unencrypted traffic travelling over the public internet from CloudFlare to AppHarbor. This arguably defies the purpose of SSL for anything else than appearances and reducing the number of attack vectors (like packet sniffing on the user's local network) - i.e. it may look "professional" to your users, but it actually is still insecure.

请注意,虽然CloudFlare的灵活SSL选项可能会增加更多安全性,但仍然有未加密的流量通过公共互联网从CloudFlare传输到AppHarbor。这可以说除了外观和减少攻击向量的数量(如用户本地网络上的数据包嗅探)之外的其他任何东西都无法实现SSL的目的 - 即它对用户来说可能看起来“专业”,但它实际上仍然是不安全的。

That's less than ideal particularly since AppHarbor supports both installing your own certificates and includes piggyback SSL out of the box. CloudFlare also recommends using "Full SSL" for scenarios where the origin servers/service support SSL. So you have a couple of options:

这不太理想,特别是因为AppHarbor既支持安装自己的证书,也支持开箱即用的SSL。 CloudFlare还建议在原始服务器/服务支持SSL的情况下使用“完整SSL”。所以你有几个选择:

  • Continue to use the insecure "Flexible SSL" option, but instead of inspecting the X-Forwarded-Proto header in your custom RequireHttps filter, you should inspect the scheme attribute of the CF-Visitor header. There are more details in this discussion.
  • 继续使用不安全的“灵活SSL”选项,但不应检查自定义RequireHttps过滤器中的X-Forwarded-Proto标头,而应检查CF-Visitor标头的scheme属性。本讨论中有更多细节。

  • Use "Full SSL" and point CloudFlare to your *.apphb.com hostname. This way you can use the complimentary piggyback SSL that is enabled by default with your AppHarbor app. You'll have to override the Host header on CloudFlare to make this work and here's a blog post on how to do that. This will of course make requests to your app appear like they were made to your *.apphb.com domain - so if for instance you automatically redirect requests to a "canonical" URL or generate absolute URLs you'll likely have to take this into consideration.
  • 使用“完整SSL”并将CloudFlare指向您的* .apphb.com主机名。这样您就可以使用AppHarbor应用程序默认启用的免费搭载SSL。您必须覆盖CloudFlare上的Host标头才能使其工作,这是一篇关于如何操作的博客文章。这当然会使您的应用程序的请求显示为您的* .apphb.com域名 - 例如,如果您自动将请求重定向到“规范”URL或生成绝对URL,您可能需要将其转换为考虑。

  • Upload your certificate and add a custom hostname to AppHarbor. Then turn on "Full SSL" on CloudFlare. This way the host header will remain the same and your application will continue to work without any modifications. You can read more about the SSL options offered by AppHarbor in this knowledge base article.
  • 上传您的证书并向AppHarbor添加自定义主机名。然后在CloudFlare上启用“完整SSL”。这样主机头将保持不变,您的应用程序将继续工作而无需任何修改。您可以在此知识库文章中阅读有关AppHarbor提供的SSL选项的更多信息。

#2


0  

This is interesting.

这是有趣的。

Just I recently had a discussion with one of our clients, who asked me about "flexible" SSL and suggested that we (Incapsula) also offer such option.

我刚刚与我们的一位客户进行了讨论,他们向我询问了“灵活”的SSL,并建议我们(Incapsula)也提供这样的选择。

After some discussion we both came to the conclusion that such a feature would be misleading, since it will provide the end-user with a false sense of security while also exposing the site owner to liability claims.

经过一番讨论后,我们都得出结论,这样的功能会产生误导,因为它会给最终用户提供一种虚假的安全感,同时也会让网站所有者承担责任索赔。

Simply put, the visitor on one of "flexible" SSL connection may feel absolutely safe behind the encryption and will be willing provide sensitive data, not knowing that the 'server to cloud' route is not encrypted at all and can be intercepted (i.e. by backdoor shells).

简单地说,访问者在“灵活”SSL连接之一上可能会感觉绝对安全,并且愿意提供敏感数据,而不知道“服务器到云”路由根本没有加密并且可以被拦截(即通过后门炮弹)。

It was interesting to visit here and see others reach the same conclusion. +1

访问这里很有意思,看到其他人得出同样的结论。 +1

Please know that as website owner you may be liable for any unwanted exposure such setup may cause.

请注意,作为网站所有者,您可能会对此类设置可能导致的任何不必要的曝光负责。

My suggestion is to do the responsible thing and to invest in SSL certificate or even create a self signed one (to use for encryption of 'cloud to server' route).

我的建议是做负责任的事情并投资SSL证书,甚至创建一个自签名的(用于加密“云到服务器”路由)。

#3


0  

Or you could just get a free one year SSL cert signed by StartCom and upload that to AppHarbor.

或者您可以获得由StartCom签署的免费一年SSL证书,并将其上传到AppHarbor。

Then you can call it a day and pat yourself on the back! That is until future you one year from now has to purchase a cert =).

那么你可以每天打电话给自己拍拍吧!那是在未来一年之后你必须购买证书=)。

#1


3  

The X-Forwarded-Proto header is intentionally overridden by AppHarbor's load balancers to the actual scheme of the request.

AppHarbor的负载均衡器故意将X-Forwarded-Proto标头覆盖到请求的实际方案。

Note that while CloudFlare's flexible SSL option may add slightly more security, there is still unencrypted traffic travelling over the public internet from CloudFlare to AppHarbor. This arguably defies the purpose of SSL for anything else than appearances and reducing the number of attack vectors (like packet sniffing on the user's local network) - i.e. it may look "professional" to your users, but it actually is still insecure.

请注意,虽然CloudFlare的灵活SSL选项可能会增加更多安全性,但仍然有未加密的流量通过公共互联网从CloudFlare传输到AppHarbor。这可以说除了外观和减少攻击向量的数量(如用户本地网络上的数据包嗅探)之外的其他任何东西都无法实现SSL的目的 - 即它对用户来说可能看起来“专业”,但它实际上仍然是不安全的。

That's less than ideal particularly since AppHarbor supports both installing your own certificates and includes piggyback SSL out of the box. CloudFlare also recommends using "Full SSL" for scenarios where the origin servers/service support SSL. So you have a couple of options:

这不太理想,特别是因为AppHarbor既支持安装自己的证书,也支持开箱即用的SSL。 CloudFlare还建议在原始服务器/服务支持SSL的情况下使用“完整SSL”。所以你有几个选择:

  • Continue to use the insecure "Flexible SSL" option, but instead of inspecting the X-Forwarded-Proto header in your custom RequireHttps filter, you should inspect the scheme attribute of the CF-Visitor header. There are more details in this discussion.
  • 继续使用不安全的“灵活SSL”选项,但不应检查自定义RequireHttps过滤器中的X-Forwarded-Proto标头,而应检查CF-Visitor标头的scheme属性。本讨论中有更多细节。

  • Use "Full SSL" and point CloudFlare to your *.apphb.com hostname. This way you can use the complimentary piggyback SSL that is enabled by default with your AppHarbor app. You'll have to override the Host header on CloudFlare to make this work and here's a blog post on how to do that. This will of course make requests to your app appear like they were made to your *.apphb.com domain - so if for instance you automatically redirect requests to a "canonical" URL or generate absolute URLs you'll likely have to take this into consideration.
  • 使用“完整SSL”并将CloudFlare指向您的* .apphb.com主机名。这样您就可以使用AppHarbor应用程序默认启用的免费搭载SSL。您必须覆盖CloudFlare上的Host标头才能使其工作,这是一篇关于如何操作的博客文章。这当然会使您的应用程序的请求显示为您的* .apphb.com域名 - 例如,如果您自动将请求重定向到“规范”URL或生成绝对URL,您可能需要将其转换为考虑。

  • Upload your certificate and add a custom hostname to AppHarbor. Then turn on "Full SSL" on CloudFlare. This way the host header will remain the same and your application will continue to work without any modifications. You can read more about the SSL options offered by AppHarbor in this knowledge base article.
  • 上传您的证书并向AppHarbor添加自定义主机名。然后在CloudFlare上启用“完整SSL”。这样主机头将保持不变,您的应用程序将继续工作而无需任何修改。您可以在此知识库文章中阅读有关AppHarbor提供的SSL选项的更多信息。

#2


0  

This is interesting.

这是有趣的。

Just I recently had a discussion with one of our clients, who asked me about "flexible" SSL and suggested that we (Incapsula) also offer such option.

我刚刚与我们的一位客户进行了讨论,他们向我询问了“灵活”的SSL,并建议我们(Incapsula)也提供这样的选择。

After some discussion we both came to the conclusion that such a feature would be misleading, since it will provide the end-user with a false sense of security while also exposing the site owner to liability claims.

经过一番讨论后,我们都得出结论,这样的功能会产生误导,因为它会给最终用户提供一种虚假的安全感,同时也会让网站所有者承担责任索赔。

Simply put, the visitor on one of "flexible" SSL connection may feel absolutely safe behind the encryption and will be willing provide sensitive data, not knowing that the 'server to cloud' route is not encrypted at all and can be intercepted (i.e. by backdoor shells).

简单地说,访问者在“灵活”SSL连接之一上可能会感觉绝对安全,并且愿意提供敏感数据,而不知道“服务器到云”路由根本没有加密并且可以被拦截(即通过后门炮弹)。

It was interesting to visit here and see others reach the same conclusion. +1

访问这里很有意思,看到其他人得出同样的结论。 +1

Please know that as website owner you may be liable for any unwanted exposure such setup may cause.

请注意,作为网站所有者,您可能会对此类设置可能导致的任何不必要的曝光负责。

My suggestion is to do the responsible thing and to invest in SSL certificate or even create a self signed one (to use for encryption of 'cloud to server' route).

我的建议是做负责任的事情并投资SSL证书,甚至创建一个自签名的(用于加密“云到服务器”路由)。

#3


0  

Or you could just get a free one year SSL cert signed by StartCom and upload that to AppHarbor.

或者您可以获得由StartCom签署的免费一年SSL证书,并将其上传到AppHarbor。

Then you can call it a day and pat yourself on the back! That is until future you one year from now has to purchase a cert =).

那么你可以每天打电话给自己拍拍吧!那是在未来一年之后你必须购买证书=)。