SSL accelerator support

In some scenarios, SSL decryption and encryption may not be performed directly by your application’s server. Instead, the decryption and encryption is performed via a reverse proxy, which is equipped with an SSL offload hardware (for example, an SSL accelerator). This means that requests are forwarded to the application internally using the standard HTTP protocol, even when the client accesses the page through HTTPS. If the settings for using SSL are enabled for the website, it may result in a redirection loop.

You can solve this issue by adding custom code to the application’s request handlers. It is necessary to appropriately set the IsSSL static property of the CMS.Helpers.RequestContext class. If set to true, the system treats all requests as secured, regardless of their URL format, and redirection to HTTPS page versions is not performed by the application. You also need to set the SSLUrlPort property of the CMS.Helpers.URLHelper class to 443 (or any other port that you use for HTTPS requests). Of course, it is necessary to correctly identify which requests originally used SSL, for example by checking the request headers.

Setting the IsSSL and SSLUrlPort properties

  1. Open your web project in Visual Studio.

  2. Create a new class called SSLRequestLoader.cs in the App_Code folder (or CMSApp_AppCode -> Old_App_Codeif you installed the project as a web application) with the following code:

    using System;
    using System.Web;
    using System.Collections.Specialized;
    
    using CMS.Base;
    using CMS.Helpers;
    
    [SSLRequestLoader]
    public partial class CMSModuleLoader
    {
        /// <summary>
        /// Module registration
        /// </summary>
        private class SSLRequestLoaderAttribute : CMSLoaderAttribute
        {
            /// <summary>
            /// Called automatically when the application starts
            /// </summary>
            public override void Init()
            {
                // Assigns a handler which is called before each request is processed
                RequestEvents.Prepare.Execute += HandleSSLRequests;
            }
    
            // Checks if requests are forwarded as SSL
            private static void HandleSSLRequests(object sender, EventArgs e)
            {
                if ((HttpContext.Current != null) && (HttpContext.Current.Request != null))
                {
                    // Loads the request headers as a collection
                    NameValueCollection headers = HttpContext.Current.Request.Headers;
    
                    // Gets the value from the X-Forwarded-Ssl header
                    string forwardedSSL = headers.Get("X-Forwarded-Ssl");
                    RequestContext.IsSSL = false;
    
                    // Checks if the original request used HTTPS
                    if (String.Equals(forwardedSSL, "on", StringComparison.OrdinalIgnoreCase))
                    {
                        RequestContext.IsSSL = true;
                        URLHelper.SSLUrlPort = 443;
                    }
                }
            }
        }
    }

In this example, we used the override of the Init() method (executed automatically when the application starts) to assign a handler that will be called before each request is processed. We also used the X-Forwarded-Ssl header to check if the original request was submitted via HTTPS before the SSL accelerator forwarded it to the application. If this is the case, the IsSSL property is set to true and the SSLUrlPort property is set to 443, so the system processes the request as if it used the HTTPS protocol.

Important

Your proxy device may use a different method to identify requests that were originally secured by SSL. In such cases, you need to write a condition that fits your specific scenario. For example, another typical approach is to check if the value of the X-Forwarded-Proto request header is https.

You may also include additional custom code to fulfill any other security requirements, such as validation of the proxy’s IP address.