21

I have an aspx page which is checking Request.IsSecureConnection to ensure it is true, if not it does a redirect to the the secure page at https://www.domain.com/page.aspx.

The server has an SSL cert installed for the domain, and the browser shows the padlock icon.

The same code ran fine on a different server, but now Request.IsSecureConnection always returns false.

I have created a completely empty aspx file, that just prints the return value of Request.IsSecureConnection and it is still false, so there is no other content coming from a standard http request.

Could anyone suggest what might be causing this, or give any hints on how I might find out what is causing this to always return false?

Will
  • 994
  • 1
  • 10
  • 8

2 Answers2

29

If there's a load balancing router or similar in front of your web server with ssl termination then the connection from there to your web server won't be over SSL. In this case you usually have to check for a connection on a specific port or for headers being set by the load balancer.

Adam Cooper
  • 8,077
  • 2
  • 33
  • 51
  • 3
    Or leave it up to he load balancer to ensure the connection is secure from the client to your website. – David McEwing Jun 15 '09 at 21:22
  • He should be able to confirm this suspicion by outputting Request.UserHostAddress and/or Request.UserHostName on that test page. If those values aren't the client he is connecting from (or a proxy that client is going through), it is likely they will identify some sort of load balancer or reverse proxy that is sitting in front of his web server. – Grant Wagner Jun 15 '09 at 21:25
  • Request.UserHostAddress and Request.UserHostName both return my IP address. – Will Jun 15 '09 at 22:03
1

Some load balancers add a new header to the request which you can use to determine if the original request from client came over SSL. With Azure websites the following code seems to work:

if (string.IsNullOrEmpty(Request.Headers["x-arr-ssl"]))
{
     // No SSL
}
else
{
     // Secure connection
}

Some other load balancers may use another header, for example X-Forwarded-Proto.

Juha Palomäki
  • 26,385
  • 2
  • 38
  • 43