#1
I have an SSL certificate setup in IIS 8.5 (Windows 2012 R2 Standard). I am using YAF.NET 2.2.2 with MSSQL 2012 Standard. .NET Framework 4.6.1 is setup on the server. UrlRewriter.config and web.config have not been changed since the installation was done (so not many changes). I do have "Admin > Host Settings > Login / Registration Settings > Require User Login" enabled (checked).

When I enable Host Administration > Host Settings (submenu) > Permission (tab) > Use SSL while logging in (checking it, that is) and browse without HTTPS (so no SSL) in the URL, I am immediately shown an error in the latest Windows version of Chrome (and similar errors in other browsers):

The {url} page isn't working
{url} redirected you too many times.
ERR_TOO_MANY_REDIRECTS


Where {url} is the actual site. I have two sites setup (one is for production and one is for test) on separate servers that have the same problem.

I noticed on this forum that SSL isn't being used for the login (gulp for public wireless networks?!) as I was hoping to see what an existing site behavior might be like.

If I enter the {url} using HTTPS and "Use SSL while logging in" still checked, the site comes up and I can login. Then I can change the {url} and not include SSL, navigating the forum as desired.

Thoughts?
Hans
Topic Starter
  • aeriden
#2
Are you using DotNetNuke 8.0.1? (the one from March 16 2016)

Note:
There is an interesting advisory on the following link, which I am trying to setup and try now. This might not clean-up YAF mixed-content browser warnings, but that is another matter.
http://www.dnnsoftware.c...l-authenticated-sessions 
  • Ordinary Nimda
#3
This issue is now resolved like this:

  1. The above advisory is NOT good, because it does not work on DNN 8. (You cannot create a new Page with the name Login).
  2. I found a new advisory, which is more simple, but requires a little more work, flagging each page as "IsSecure".

    Here is the link:
    https://support.managed....n-a-dotnetnuke-site.aspx 

    It works on my standalone web server, plus, there is no need for the URL Rewrite module, as DNN handles everything. All one needs to do outside of DNN is putting up an SSL Certificate. Because they are free nowadays, there should be no excuse for not making all pages Secure.
  3. YAF pages still deliver some mixed content, but unless one uses Internet Explorer on older machines, this should not be seen as a problem. Use Edge, Chrome, Firefox, Safari, Opera, or anything ...
    EDIT: DNN-only pages deliver mixed content too, like open fonts in one CSS, which have "http://" at beginning of their Urls. Changing the "http://" to "https://" did the trick and I do not see any more mixed content in DNN.


The important thing is, that there will be no more stealing of passwords on never-updated WiFi networks, and also no government surveillance at conspirative internet providers.🙂
  • Ordinary Nimda
#4
Not using DNN with YAF.NET. I may do so in the future, as I do development on DNN and am intrigued. I could also dig into YAF's issue with SSL, redirect coding-wise. But I was hoping someone would have an idea and save me that step.
Topic Starter
  • aeriden
#5
This is interesting, DNN has the same problem as standalone YAF. Might this be a more fundamental issue, somewhere within .NET Framework or even in Windows proper?!

  • Ordinary Nimda
#6
To do SSL on my YAFNET setup I just removed the port 80 binding in IIS.

Then made a separate site with the port 80 binding but the port 80 site only redirects to 443.
Then on the 443 site added HSTS response headers so once any compliant browser has hit my site it'll only connect over SSL, and the forum is not available on non-SSL.

Though I have a mixed content message in Firefox (little yellow triangle on the lock), so maybe that CSS file that the other user mentioned needs an edit. Which file is it?
  • DarkLogix
#7
In YAF, it is in the first line of the skin file, THEME.CSS. Changing the url, to be https instead of http does a lot of magic. There might be more, Firefox is good at showing all included URLs in the "View page info" and then "Media" section - just scroll down the list of URLs, you will quickly notice any http:// instead of an https:// (There's more of those in DNN's skin, but the solution is the same, just change http to https, Google has everything done properly).

One should write down (or remember) such changes, even if they are small, because the next time a YAF Upgrade arrives, the yellow triangles will come back. 🙂

You have an interesting solution to the 80 to 443 redirect.
  • Ordinary Nimda
#8
Well the way I did the 80 to 443 redirect is really the only way to implement HSTS properly, since per the HSTS spec the HSTS header should not be sent over an insecure channel (i.e. the HSTS header should never be sent over port 80), so in IIS to achieve that 80 and 443 need to be different sites, and since I'm guessing the custom HTTP headers config in IIS is stored in one of the config files within the site folder, you'd have to either set up replication between the port 80 site's folder and the 443 in a way that wouldn't copy the custom headers config, or more simply just have anything that hits port 80 be redirected to 443.
  • DarkLogix
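An added example (not part of any post in this thread) that checks the two-site layout described above: the port 80 response should be a permanent redirect to https:// and carry no HSTS header, and the port 443 response should carry a valid one. The sample responses, the host name `forum.example.test` and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

HSTS = "strict-transport-security"

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:            # each directive may appear only once
            return None
        directives[name] = arg.strip().strip('"') or None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdecimal():
        return None                       # max-age is the one required directive
    directives["max-age"] = int(max_age)
    return directives

def audit(http_resp, https_resp):
    """Check a (status, headers) pair from port 80 and one from port 443."""
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    if HSTS in headers:
        findings.append("port 80: HSTS header sent over plain HTTP")
    if urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("port 80: no redirect to an https:// URL")
    elif status not in (301, 308):
        findings.append("port 80: redirect is not permanent")
    headers = {k.lower(): v for k, v in https_resp[1].items()}
    if HSTS not in headers:
        findings.append("port 443: HSTS header missing")
    else:
        policy = parse_hsts(headers[HSTS])
        if policy is None:
            findings.append("port 443: HSTS header malformed")
        elif policy["max-age"] == 0:
            findings.append("port 443: max-age=0 removes the policy")
    return findings

# Constructed sample responses (not captured from any real site).
PORT_80 = (301, {"Location": "https://forum.example.test/forum"})
PORT_443 = (200, {"Strict-Transport-Security": "max-age=31536000"})

if __name__ == "__main__":
    print(audit(PORT_80, PORT_443) or "ok")
```
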
#9
That worked, though there are a lot of theme.css files.

Happen to know of a find replace that would be able to do them all?
I got the one for my mail forum page so the triangle is gone.
  • DarkLogix
#10
Originally Posted by: DarkLogix

Well the way I did the 80 to 443 redirect is really the only way to implement HSTS properly, since per the HSTS spec the HSTS header should not be sent over an insecure channel (i.e. the HSTS header should never be sent over port 80), so in IIS to achieve that 80 and 443 need to be different sites, and since I'm guessing the custom HTTP headers config in IIS is stored in one of the config files within the site folder, you'd have to either set up replication between the port 80 site's folder and the 443 in a way that wouldn't copy the custom headers config, or more simply just have anything that hits port 80 be redirected to 443.


I agree with the separation of the web sites, and more - I am against 80 to 443 automatic redirection, doing a port 80 http non-secure, should give the user a 404 error, with maybe some explanation, etc. But I did this thru DNN, "because everybody does it", LOL

I use Visual Studio's editor. Those multiple THEME.CSS files are from different skins, only one is used at a time on a YAF forum page. If you use just one skin for the whole forum, you don't even have to touch the others.
  • Ordinary Nimda
#11
Originally Posted by: Ordinary Nimda

Originally Posted by: DarkLogix

Well the way I did the 80 to 443 redirect is really the only way to implement HSTS properly, since per the HSTS spec the HSTS header should not be sent over an insecure channel (i.e. the HSTS header should never be sent over port 80), so in IIS to achieve that 80 and 443 need to be different sites, and since I'm guessing the custom HTTP headers config in IIS is stored in one of the config files within the site folder, you'd have to either set up replication between the port 80 site's folder and the 443 in a way that wouldn't copy the custom headers config, or more simply just have anything that hits port 80 be redirected to 443.


I agree with the separation of the web sites, and more - I am against 80 to 443 automatic redirection, doing a port 80 http non-secure, should give the user a 404 error, with maybe some explanation, etc. But I did this thru DNN, "because everybody does it", LOL

I use Visual Studio's editor. Those multiple THEME.CSS files are from different skins, only one is used at a time on a YAF forum page. If you use just one skin for the whole forum, you don't even have to touch the others.


Well with HSTS the port 80 site is really just a bootstrap. In my setup the port 80 site is empty, just blank; the only thing there is the web.config using the IIS feature of http redirect, and it does it relative to what was typed (i.e. if you type www.domain-logix.net you will land on https://www.domain-logix.net/ and if you type www.domain-logix.net/forum you will land on https://www.domain-logix.net/forum).

This is without using the URL rewrite but just the http redirection.

And with HSTS once a compliant browser has hit the 443 page once it'll never hit the 80 page again (not that the 80 site even has a default doc or anything)
So I have my IIS setup with multiple "virtual applications" all under the 443 site, and nothing at all on the 80 site.

The only issue I have is if I wanted to make a site that uses a different host header then I'd also have to make a different port 80 site for that header since while the redirect will retain everything after "https://www.domain-logix.net/" if they really need to go to say somethingelse.domain-logix.net it wouldn't do it.

Oh and for the multiple CSS files, I did edit all the ones I use, but It would be nice to edit them all so if I opt to change themes I don't then have to also edit the new CSS.
  • DarkLogix
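An added example (not from any poster in this thread) of the bulk find-and-replace asked about above: it walks a skin folder tree, upgrades `http://` references inside `url(...)` and `@import` in every theme.css, keeps a `.bak` copy, and reports which hosts were changed so each can be confirmed to serve HTTPS. The root folder passed to `upgrade_tree` and the function names are assumptions.

```python
import re
from pathlib import Path

# Matches url(http://host...) and @import "http://host...". The first branch
# swallows @namespace rules so their URL (an identifier, never fetched) is kept.
REF = re.compile(
    r"""@namespace[^;]*;|(?P<pre>url\(\s*['"]?|@import\s+['"])http://(?P<host>[^/'")\s]+)""",
    re.IGNORECASE,
)

def upgrade_css(text):
    """Return (rewritten CSS, sorted list of hosts whose references changed)."""
    hosts = set()

    def repl(match):
        if match.group("pre") is None:      # @namespace rule: leave untouched
            return match.group(0)
        hosts.add(match.group("host").lower())
        return f"{match.group('pre')}https://{match.group('host')}"

    return REF.sub(repl, text), sorted(hosts)

def upgrade_tree(root, name="theme.css", write=False):
    """Scan every file called `name` below root; rewrite only when write=True."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.lower() != name:
            continue
        old = path.read_bytes().decode("utf-8")   # bytes keep CRLF line endings
        new, hosts = upgrade_css(old)
        if hosts:
            report[str(path)] = hosts
            if write:
                path.with_name(path.name + ".bak").write_bytes(old.encode("utf-8"))
                path.write_bytes(new.encode("utf-8"))
    return report

if __name__ == "__main__":
    # Dry run over a hypothetical skin folder; pass write=True to apply.
    for css_file, changed in upgrade_tree("Themes").items():
        print(css_file, "->", ", ".join(changed))
```

Run it without `write=True` first and review the reported hosts; the `.bak` copies also make it easy to see what must be reapplied after a YAF upgrade.
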
#12
To fix redirection to https (and also to redirect XXX.com to www.XXX.com), add the <rewrite> section as so AFTER the <handlers> section in the web.config file.
It works every time - just don't forget to add it back in after upgrading.


<system.webServer>
...
    <handlers>
      <add name="YafHandler" preCondition="integratedMode" verb="GET" path="Resource.ashx" type="YAF.YafResourceHandler, YAF"/>
    </handlers>
    <rewrite>
      <rules>
        <!-- Redirect the bare domain to the www host (skipped for localhost) -->
        <rule name="redirect mywebsite.com to www.mywebsite.com">
          <match url=".*"/>
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="^www.*" negate="true"/>
            <add input="{HTTP_HOST}" pattern="localhost" negate="true"/>
          </conditions>
          <action type="Redirect" url="http://www.mywebsite.com/{R:0}"/>
        </rule>
        <!-- Permanently redirect any request that did not arrive over HTTPS -->
        <rule name="httpsredirect" stopProcessing="true">
          <match url="(.*)"/>
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true"/>
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}"/>
        </rule>
      </rules>
    </rewrite>
...
  • BD9000