ASP.NET Request.ServerVariables["SERVER_PORT_SECURE"] and proxy SSL by load balancer

3
votes

We have some legacy ASP.NET code that detects if a request is secure, and redirects to the https version of the page if required.

This code uses Request.ServerVariables["SERVER_PORT_SECURE"] to detect if SSL is needed.

Our operations team has suggested doing proxy SSL at the load balancer (F5 Big-IP) instead of on the web servers (assume for the purposes of this question that this is a requirement).

The consequence would be that all requests appear as HTTP to the web server.

My question: how can we let the web servers known that the incoming connection was secure before it hit the load balancer? Can we continue to use Request.ServerVariables["SERVER_PORT_SECURE"]?

Do you know of a load balancer config that will send headers so that no application code changes are needed?

1
asp.netiissslhttpsload-balancing
I'm just amazed that given Request.IsSecureConnection has existed for 7 years that they would use this method to detect a secure connection.Keith Adler
I suppose we could comb through our legacy code and make these types of changes... but what is the ROI? Does it solve any problem?frankadelic
Not in your situation as your connection will always seem insecure behind the F5. You need to write to the headers and check it in the Global.asax.cs for the Begin Request.Keith Adler

1 Answers

2
votes

Use an iRule to effectively add a custom element to the HTTP header and then detect it in the ASP.NET code via Request.Headers. Dig into the collection of the Request.Headers object as well as your F5 hardware may already be marking itself on one of the HTTP Headers anyway.