+1-888-365-2779
Try Now
More in this section

Forums / Deployment / Hitting page by SSL drops www. ?

Hitting page by SSL drops www. ?

15 posts, 0 answered
  1. Ray
    Ray avatar
    10 posts
    Registered:
    06 Feb 2009
    06 Feb 2009
    Link to this post
    We're very new to Sitefinity so this is probably easy for someone experienced.

    We added an SSL certificate to our web server. When we hit the web server with https://www.ourcompany.com it gets redirected as http://ourcompany.com

    Does the Require SSL option allow access to a page via HTTP or HTTPS or does it force HTTPS?

    How can we keep it the redirect from dropping the www. prefix when coming in by SSL?

    Thanks,

    Ray
  2. Ivan Dimitrov
    Ivan Dimitrov avatar
    16072 posts
    Registered:
    25 Nov 2016
    10 Feb 2009
    Link to this post
    Hi Ray,

    After you have enabled SSL certificate for you server, you need to set Require SSL property for every single page of your website that you want to use with HTTPS. Edit, Preview and Live page are redirected to https or http depending on the Cms page RequireSSL property.

    As for the missing www, probably you have some redirect that drops www from your domain. Sitefinity does not change the domain/subdomain url.

    Let us know if there is anything else that we can do for you.

    Kind regards,
    Ivan Dimitrov
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.
  3. Ray
    Ray avatar
    10 posts
    Registered:
    06 Feb 2009
    23 Feb 2009
    Link to this post
    Thanks. Please accept my apologies for the delay in replying. I passed this information on to the company who installed Sitefinity and who maintains our servers. I gave them the link to this post for the support case they are going to open with Sitefinity because they are having difficulty getting it fixed.

    Ray
  4. Ivan Dimitrov
    Ivan Dimitrov avatar
    16072 posts
    Registered:
    25 Nov 2016
    24 Feb 2009
    Link to this post
    Hi Ray,

    Let us know if you need further assistance that we could provide you.

    Sincerely yours,
    Ivan Dimitrov
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Check out the tips for optimizing your support resource searches.
  5. Matt
    Matt avatar
    16 posts
    Registered:
    29 May 2008
    19 May 2009
    Link to this post
    I am having the same issue as Ray described above.  I used Red Gate's Reflector to find that Telerik.Cms.Web.CmsHttpModule.RedirectToHttps is using the AbsoluteUri to redirect to Https.  I placed the following code on a new ASPX file on our site:

    <%@ Page Language="C#" AutoEventWireup="true" %>

    <script runat="server">
        protected override void OnInit(EventArgs e)
        {
            Response.Write(Request.Url.AbsoluteUri);
            Response.End();
       
            base.OnInit(e);
        }
    </script>

    Even when visiting http://www.ourcompany.com/, the AbsoluteUri returns http://ourcompany.com/. 

    Is there some other approach that we may be missing as to how to prevent Sitefinity from removing the www?
  6. Vlad
    Vlad avatar
    498 posts
    Registered:
    15 Jul 2016
    20 May 2009
    Link to this post
    Hello Matt,

    Actually, Sitefintiy does not remove anything like www. from the request. It just redirects the same URL to HTTP or HTTPS depending on the RequireSSL property of the cms page.

    Here is the real code in the Telerik.Cms.Web.CmsHttpModule, which is responsible for the SSL redirection:

            protected virtual void ProcessSslRedirect(HttpContext context, ICmsUrlContext url) 
            { 
                if (url.RequireSSL && !context.Request.IsSecureConnection) 
                { 
                    this.RedirectToHttps(); 
                    return
                } 
                else if (!url.RequireSSL && context.Request.IsSecureConnection) 
                { 
                    this.RedirectToHttp(); 
                    return
                } 
            } 
     
            private void RedirectToHttps() 
            { 
                HttpContext context = HttpContext.Current; 
                context.Response.Redirect(context.Request.Url.AbsoluteUri.Replace("http://""https://"), true); 
            } 
     
            private void RedirectToHttp() 
            { 
                HttpContext context = HttpContext.Current; 
                context.Response.Redirect(context.Request.Url.AbsoluteUri.Replace("https://""http://"), true); 
            } 
     

    You could anyway create a custom CmsHttpModule and override ProcessSslRedirect to suppress the default implementation related to the RequireSSL setting:
    using System.Web; 
    using Telerik.Cms.Web; 
     
    public class CustomCmsHttpModule : CmsHttpModule 
        protected override void ProcessSslRedirect(HttpContext context, ICmsUrlContext url) 
        { 
            // suppress redirecting 
        } 
     

    However, this won't fix the problem, because it is not the Sitefinity, which drops the www..
    For further investigating this issue, you could check your hosting and IIS configuration. 

    Please let us know how it goes.

    Regards,
    Vlad
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Check out the tips for optimizing your support resource searches.
  7. Ray
    Ray avatar
    10 posts
    Registered:
    06 Feb 2009
    20 May 2009
    Link to this post

    It's interesting that two people from different companies are seeing the same thing. To recap, here's what we're seeing

    Go to https://www.ourcompany.com (note we're going SSL)

    The browser actually goes to

    http://ourcompany.com

    The major problem this is causing is that we have other SSL sites (non-Sitefinity) that link to this site via an iframe. We want the iframe content to display using SSL as well (it's a banking site).

    But we can't do it because something is forcing our HTTPS link to get redirected as HTTP and that is causing a "certificate name mis-match" warning. On banking sites those are quite unwelcome. :-)

    We could workaround this if Sitefinity did not force redirects. If Require SSL is set, then a redirect to SSL is appropriate. But if it's not set, we should be able to link to that content from another site using HTTPS and it should display as HTTPS.

    Ray

  8. Ray
    Ray avatar
    10 posts
    Registered:
    06 Feb 2009
    20 May 2009
    Link to this post
    We have three web servers behind a load balancer. I had our hosting company go directly to each web server individually and try https://www.ourcompany.com and each one redirected to http://ourcompany.com

    That takes the load balancer out of the equation. They said that unless it's some obscure IIS 6 setting, it's something inside Sitefinity causing this.

    Ray
  9. Vlad
    Vlad avatar
    498 posts
    Registered:
    15 Jul 2016
    20 May 2009
    Link to this post
    Hi Ray,

    Thank you for your notes.

    If you mean the problem with dropping the 'www', yes, it's strange that the same problem is reported from two different people. But, it could not be caused by the Sitefinity.
    Regarding the Sitefinity implementation, the behavior should be (when the home page is not require SSL):

    If you go to https://www.ourcompany.com (note we're going SSL)

    it will redirect you to:

    http://www.ourcompany.com (no SSL)

    Maybe you are right about this: it will be good if you can configure this behavior with different options (i.e. No SSL Redirection, Only To SSL, etc...). We will consider this for one of the next releases.
    However, customizing the CmsHttpModule is also a solution. As I mentioned in my previous post, you can override the implementation responsible for the SSL redirects.

    Please let me know if I am missing something.

    Best wishes,
    Vlad
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Check out the tips for optimizing your support resource searches.
  10. Ray
    Ray avatar
    10 posts
    Registered:
    06 Feb 2009
    20 May 2009
    Link to this post

    Thanks for looking at that enhancement request, Vlad.  No, you're not missing anything. Maybe Matt and I are using the same third-party developers. :-)

    From some reading it appears that an incorrectly set "HTTP Location Header" can cause missing pieces-parts on a redirect. Something to do with a RedirectLocation property.

    I'm not an ASP.NET programmer, though. Does this ring a bell with you, Matt?

    Ray

  11. Matt
    Matt avatar
    16 posts
    Registered:
    29 May 2008
    21 May 2009
    Link to this post
    IIS, as a 'feature', seems to use the server's reflected name as the SERVER_NAME, unless it matches the machine name, in which case it uses the Host HTTP Header.  ASP.Net uses the SERVER_NAME server variable as the Host in the Absolute Uri, which, in my opinion, is incorrect; it should use the Http Host header.  But that's just my opinion.

    During our pen test, we were told to change the server's reflected name, which told IIS (and therefore, ASP.Net and in turn Sitefinity) to override the SERVER_NAME.  We changed the reflected name to "ourcompany.com" rather than "www.ourcompany.com", which, for some reason, only affected that application in IIS.

    Either way, we solved the issue and, Vlad, you were correct about it not being a Sitefinity issue.
  12. Ray
    Ray avatar
    10 posts
    Registered:
    06 Feb 2009
    21 May 2009
    Link to this post
    Thanks, Matt. That was precisely our problem as well.

    Yippee!

    Ray
  13. Vlad
    Vlad avatar
    498 posts
    Registered:
    15 Jul 2016
    25 May 2009
    Link to this post
    Hi,

    We a glad that everything is fine now.

    As per your note, Ray,
    We have implemented an ability to configure the SSL Redirection behavior. In the next release (maybe 3.6 SP3), you will be able to choose one of the following options:
     - None (no redirection regardless of the RequireSSL page property)
     - ToHttpsOnly (redirects only to HTTPS if the RequireSSL  is true)
     - Both (Default - redirect in both directions regarding the RequireSSL property)
    For example:
    <cms defaultProvider="Sitefinity" sslRedirection="ToHttpsOnly" ... /> 


    Sincerely yours,
    Vlad
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Check out the tips for optimizing your support resource searches.
  14. Armysniper
    Armysniper avatar
    126 posts
    Registered:
    03 Mar 2005
    14 Sep 2009
    Link to this post
    Did this feature get implemented Ivan?
    Also, I am trying to create a custom version of the CmsHTTPModule as you mentioned here to actually do the opposite, force the URL to be www.mysite.com since it screws up our SSL certificate when people come in as mysite.com. How can get this module loaded into SiteFinity properly when the class is in my website project's App_Code directory.
  15. Armysniper
    Armysniper avatar
    126 posts
    Registered:
    03 Mar 2005
    15 Sep 2009
    Link to this post
    I got this to work. The code is below. You can actually use the the code to handle SSL or NonSSL missing www.

    1 using System;  
    2 using System.Collections.Generic;  
    3 using System.Linq;  
    4 using System.Web;  
    5 using Telerik.Cms.Web;  
    6 using System.Web.Configuration;  
    7  
    8  
    9 /// <summary>  
    10 /// Handles overrides of SiteFinity HTTP handling. Used to handle WWW and SSL   
    11 /// redirect issues currently.  
    12 /// </summary>  
    13 public class MySiteCmsHttpModule : CmsHttpModule  
    14 {  
    15     protected override void ProcessSslRedirect(HttpContext context, ICmsUrlContext url)  
    16     {  
    17         base.ProcessSslRedirect(context, url);  
    18  
    19         if ((string) WebConfigurationManager.AppSettings["ForceSSLRedirect"] == "true")  
    20         {  
    21             if (context.Request.Url.ToString().IndexOf("www.MySite.org") < 0)  
    22             {  
    23                 string baseUrl = (string) WebConfigurationManager.AppSettings["BaseURL"];  
    24                 if (context.Request.IsSecureConnection)  
    25                 {  
    26                     baseUrl = baseUrl.Replace("http""https");  
    27                     context.Response.Redirect(baseUrl + context.Request.RawUrl);  
    28                 }  
    29                 else 
    30                     context.Response.Redirect(baseUrl + context.Request.RawUrl);  
    31             }  
    32         }  
    33      }  
    34 }  
    35  

    The ForceSSLRedirect AppSetting is used to enable or disable the module code. This is useful if you are in development. The BaseURL AppSetting enables you to define the URL of the site. I used this to change my site name as needed.
Register for webinar
15 posts, 0 answered