
I am preparing a website for private beta. The website can be used anonymously as well as allowing users to sign in (using Identity).

During private beta, I need the entire site to be password protected so that only users with the password are able to access the main site. Once they get there, they can choose to browse the site "Anonymously" or they can sign up for an actual account and browse with an account.

I am after any good/cheap solution to this problem whether it be

  • a 3rd party website that can wrap my entire site in a secure/private setting
  • A simple "gatekeeper" application that receives all requests for the website and just forwards them onto the full website if the user is authenticated
  • some other solution (maybe using a proxy server like nginx/HAProxy or something else entirely)

The solution has to be non-intrusive to my current code base, which is why I need it to completely wrap my application. Once beta is complete, I will then be able to remove the wrapping (and maybe repoint some DNS records) and the site will continue working without the authentication step.

So far I have not been able to find a suitable 3rd party site to use.


My attempt at creating my own wrapper

I have tried to create a very simple MVC application which takes a general route and sends it to a simple action that checks if the user is authenticated (private beta user) before requesting the proper page from the actual website (some internal URL).

if (authenticated())
{
    string url = "http://internalurl" + Request.Url.LocalPath; // internal site URL for the requested path
}

This has allowed me to keep my proper URL as the one that faces the user and their requests are just forwarded to the application that does all of the work.

The user has no idea that the request is forwarded since they only see properURL.com/somepage

Basic concept on getting ActionResult from External site

I am having issues with this too because it only partially works. The HTML is retrieved from the internal site however the requests for the css and js files fail because when the wrapper site gets a request like

properURL.com/Content/css/style.css

the wrapper site tries to find the style.css file locally instead of catching the request for the static file and treating it as an action (to request it from the internal site).

I have tried many ways to get IIS to ignore this file type request and give the request to the RouteConfig to get caught in a route as follows:

routes.MapRoute(
            "Content",                                        // route name
            "Content/{*something}",                           // URL pattern (catch-all under /Content)
            new { controller = "Home", action = "Content" }   // defaults
        );

However, this does not do anything to help.

I have also tried adding a handler to the Web.config but it does not seem to help either.

      <add name="CssFileHandler" path="Content*" verb="GET" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />

Any ideas?

Brad Baskin

1 Answer

You can create a Windows user account for this and then set up basic auth in IIS with permissions to the site. Then users can log in with that to get to the site. This is independent of your site's auth logic so they can then browse anonymously or create an account and log into the site using the ASP.NET authentication. This solution would also not require any modification to your application code.

https://technet.microsoft.com/en-us/library/Cc772009(v=WS.10).aspx

dinomix
  • I actually did try this method (and will try again now just to make sure) but it seemed that when I turned on the Basic Authentication in IIS, it knew that the app was .net and tried to authenticate the user via the internal login of the site.... it took them to mysite.com/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3..... (endless loop) This did not work with the fact that that login was only for my Identity users. The bulk of the site is usable for non logged in users (but authenticated for beta) – Brad Baskin Aug 26 '15 at 01:49
  • Basic auth is not related to .net auth at all, it's done at the http level not at your application level, so the problem you are having is probably due to a different issue. Do you have the [AllowAnonymous] decorators set on the controllers you wish to allow anonymously? – dinomix Aug 26 '15 at 02:04
  • I do have [AllowAnonymous] on my methods. In my IIS Authentication settings, I only have Basic Authentication enabled. Anonymous Auth (and all others) are disabled. I have tried 3 different options for Authorization Rules; All users, All anonymous users & the "Beta" user windows account. All 3 of these take me to mysite.com/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%....... repeat forever – Brad Baskin Aug 26 '15 at 02:12
  • This is going to sound weird, but check if there is a file called WebMatrix.Data.dll or WebMatrix.WebData.dll in your bin folder and remove it. http://stackoverflow.com/questions/5009565/asp-net-mvc3-and-windows-auth-on-iis-keeps-redirecting-to-account-login – dinomix Aug 26 '15 at 02:20
  • Was a good idea, I did not have the WebMatrix files in my application bin folder. The only WebMatrix files on the server were in the C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET Web Pages\v1.0\Assemblies directory. I temporarily removed these dlls and restarted the server... unfortunately same issue with the Account/Login?returnUrl.... – Brad Baskin Aug 26 '15 at 02:32
  • Probably a stupid question but should I be setting the Authentication on the Server tab or on the Sites/Mysite tab (in IIS manager). I have tried both but does it make a difference? – Brad Baskin Aug 26 '15 at 02:34
  • On the site tab. If you google "mvc 4 keeps redirecting to login page" there are several other things to try regarding the auth. This has always been tricky with ASP.NET due to numerous bugs in IIS and ASP.NET. I believe even if you didn't have the basic auth you would still encounter some of these issues deploying. Try and see if any of those results help. I don't currently have an MVC 4 setup to play with exactly so I may not be able to assist much further. – dinomix Aug 26 '15 at 03:04
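
The "gatekeeper" option from the question, sketched as an added example (not code from the question or the answer): a separate Go reverse proxy that checks one shared beta credential over HTTP Basic auth and forwards every path, static files such as /Content/css/style.css included, to the internal site. The internal address, the credential and the certificate file names are placeholders.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Gatekeeper returns a handler that requires one shared beta credential via
// HTTP Basic auth and forwards every path (pages, /Content/css/..., scripts)
// to the internal site. All names and values here are hypothetical.
func Gatekeeper(internal *url.URL, betaUser, betaPass string) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(internal)
	wantUser := sha256.Sum256([]byte(betaUser))
	wantPass := sha256.Sum256([]byte(betaPass))

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		gotUser := sha256.Sum256([]byte(user))
		gotPass := sha256.Sum256([]byte(pass))
		// Hash first so the constant-time compare sees equal-length inputs.
		userOK := subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) == 1
		passOK := subtle.ConstantTimeCompare(gotPass[:], wantPass[:]) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="Private beta"`)
			http.Error(w, "beta access required", http.StatusUnauthorized)
			return
		}
		// The beta credential is for the gate only; do not pass it to the app.
		r.Header.Del("Authorization")
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	internal, err := url.Parse("http://127.0.0.1:8080") // assumed internal address
	if err != nil {
		log.Fatal(err)
	}
	// Basic auth sends the password on every request, so serve the gate over TLS.
	// cert.pem, key.pem and the credential are placeholders.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem",
		Gatekeeper(internal, "beta", "change-me")))
}
```

Because the gate strips the Authorization header before forwarding, the application behind it never sees the beta credential and its own Identity login is left untouched.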