Tags: asp.net, ssl, forms-authentication, httpcookie

IIS: How to simulate SSL termination on load balancer


Situation:

Load balanced environment where SSL terminates on the LB and all traffic below it is HTTP. We have pages which require the user to be authenticated, and we also have a requirement that the authentication cookie carries the "secure" flag. The whole website must run under SSL.

I want to simulate the live environment on my local machine, i.e. I want to configure a "secure" cookie under an HTTP connection. So far, I managed to get to the point where:

Request.IsSecureConnection == true;
Request.ServerVariables["HTTPS"] == "on";

I'm doing this by manually adding https variable in IIS:

  <rewrite>
      <rules>
          <rule name="HTTPS_Always_ON" patternSyntax="Wildcard">
              <match url="*" negate="false" />
              <serverVariables>
                    <set name="HTTPS" value="on" />
              </serverVariables>
              <action type="None" />
          </rule>
      </rules>
  </rewrite>

The problem is that I am still not able to read authentication cookie under HTTP. I have to explicitly switch to https connection.

Is it possible to trick asp.net to read secured cookie under http connection? If so, then what do I need to do?

UPDATE: my post describes the problem but is not fully correct. Browsers don't send cookies marked as "secure" over HTTP, so there was no way to test my code directly. I needed to emulate the Load balancer which terminates SSL and forwards all traffic over HTTP to the actual web servers. It appears that you can do this on a single machine without major difficulties.


Solution

  • The problem was not with ASP.NET application but with the fact that a secured cookie would never be sent by browser via HTTP. I still needed to emulate the behaviour of load balancer on my local machine and here is the solution:

    • Install IIS ARR v3.0 and URL Rewrite modules - they help to set up a reverse proxy in IIS
    • Enable the Reverse proxy functionality in the ARR module settings
    • Create two sites in IIS - the first one works under https://test.local and the second site is available under http://test.local. In IIS the first site points to some empty folder on the file system, while second website is your actual web application. The purpose of the first website is to simulate load balancer, i.e. terminate SSL and forward all traffic to the second site - http://test.local. The second site, in turn, simulates your webserver hidden behind the LB.
    • Go to the first website (HTTPS) and create a simple wildcard rule of type "Reverse proxy" which redirects all traffic to the second site. Select checkbox "Enable SSL Offloading".
    • Now you can check that when you browse to https://test.local, your web application sees the URL as https://test.local:80, i.e. you have preserved "https" in the URL while running over HTTP on port 80. Job done.
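The configuration the steps above produce, written out as an added example (this is not the poster's own config, and the ARR wizard generates only the reverse-proxy part of it). It assumes the front site is bound to https://test.local:443 and the application site to http://test.local:80, that the real load balancer announces the client scheme in an X-Forwarded-Proto request header (a common convention, not something ARR adds by itself, so the front site sets it explicitly), and that the application uses forms authentication with a login page at ~/Account/Login; rule names and that path are placeholders.

```xml
<!-- 1) applicationHost.config (%windir%\system32\inetsrv\config):
        URL Rewrite refuses to <set> a server variable unless it is listed here. -->
<configuration>
  <system.webServer>
    <rewrite>
      <allowedServerVariables>
        <add name="HTTPS" />
        <add name="HTTP_X_FORWARDED_PROTO" />
      </allowedServerVariables>
    </rewrite>
  </system.webServer>
</configuration>

<!-- 2) web.config of site 1 (https://test.local, empty folder): plays the load balancer.
        Terminates SSL and forwards over plain HTTP. With "Enable SSL Offloading" ticked the
        wizard writes the target as http://..., not {C:1}://..., which is what we want. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="LB_Simulation" stopProcessing="true">
          <match url="(.*)" />
          <serverVariables>
            <!-- Assumption: the production LB sends X-Forwarded-Proto. Setting an HTTP_*
                 server variable adds that header to the proxied request. -->
            <set name="HTTP_X_FORWARDED_PROTO" value="https" />
          </serverVariables>
          <action type="Rewrite" url="http://test.local/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

<!-- 3) web.config of site 2 (http://test.local, the actual application). -->
<configuration>
  <system.web>
    <!-- requireSSL="true" issues the forms ticket cookie with the Secure flag and makes
         FormsAuthentication ignore it (and throw on SetAuthCookie) when
         Request.IsSecureConnection is false. IsSecureConnection is derived from the
         HTTPS server variable, so the rewrite rule below is all the app needs. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" timeout="30" />
    </authentication>
    <!-- Session and other cookies get the Secure and HttpOnly flags as well. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Unlike an unconditional HTTPS=on, only requests the LB marked as SSL are
             treated as secure; a request that reaches port 80 directly stays "http". -->
        <rule name="HTTPS_From_LB_Header" patternSyntax="Wildcard">
          <match url="*" />
          <conditions>
            <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" ignoreCase="true" />
          </conditions>
          <serverVariables>
            <set name="HTTPS" value="on" />
          </serverVariables>
          <action type="None" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The backend trusts whatever arrives in X-Forwarded-Proto, so in the real deployment the application servers should only be reachable from the load balancer (firewall or binding), otherwise any client on the internal network can claim its plain-HTTP request was SSL and obtain a Secure-flagged cookie over HTTP. Locally, browsing to https://test.local should now show Request.IsSecureConnection == true and the auth cookie being read, while hitting http://test.local directly should not.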