Offline aeriden  
#1 Posted : 22 March 2016 16:55:37(UTC)
aeriden


Rank: YAF Forumling

Reputation:

Joined: 22/03/2016(UTC)
Posts: 2
United States
Location: Chanhassen

Was thanked: 1 time(s) in 1 post(s)
I have an SSL certificate set up in IIS 8.5 (Windows 2012 R2 Standard). I am using YAF.NET 2.2.2 with MSSQL 2012 Standard. .NET Framework 4.6.1 is set up on the server. UrlRewriter.config and web.config have not been changed since the installation was done (so not many changes). I do have "Admin > Host Settings > Login / Registration Settings > Require User Login" enabled (checked).

When I enable Host Administration > Host Settings (submenu) > Permission (tab) > Use SSL while logging in (checking it, that is) and browse without HTTPS (so no SSL) in the URL, I am immediately shown an error in the latest Windows version of Chrome (and similar errors in other browsers):

The {url} page isn't working
{url} redirected you too many times.
ERR_TOO_MANY_REDIRECTS


Where {url} is the actual site. I have two sites set up (one is for production and one is for test) on separate servers that have the same problem.

I noticed on this forum that SSL isn't being used for the login (gulp for public wireless networks?!) as I was hoping to see what an existing site behavior might be like.

If I enter the {url} using HTTPS with "Use SSL while logging in" still checked, the site comes up and I can log in. Then I can change the {url} and not include SSL, navigating the forum as desired.

Thoughts?
Hans
Offline Ordinary Nimda  
#2 Posted : 14 April 2016 14:57:02(UTC)
Ordinary Nimda


Rank: YAF Lover

Reputation:

Joined: 08/02/2016(UTC)
Posts: 34
Slovenia
Location: LJ

Thanks: 13 times
Was thanked: 2 time(s) in 2 post(s)
Are you using DotNetNuke 8.0.1? (the one from March 16 2016)

Note:
There is an interesting advisory at the following link, which I am trying to set up and try now. This might not clean up YAF mixed-content browser warnings, but that is another matter.
http://www.dnnsoftware.c...l-authenticated-sessions

Edited by user 14 April 2016 22:14:03(UTC)  | Reason: Not specified

Offline Ordinary Nimda  
#3 Posted : 14 April 2016 17:08:16(UTC)
Ordinary Nimda


Rank: YAF Lover

Reputation:

Joined: 08/02/2016(UTC)
Posts: 34
Slovenia
Location: LJ

Thanks: 13 times
Was thanked: 2 time(s) in 2 post(s)
This issue is now resolved like this:

  1. The above advisory is NOT good, because it does not work on DNN 8. (You cannot create a new Page with the name Login).
  2. I found a new advisory, which is more simple, but requires a little more work, flagging each page as "IsSecure".

    Here is the link:
    https://support.managed....n-a-dotnetnuke-site.aspx

    It works on my standalone web server, plus, there is no need for the URL Rewrite module, as DNN handles everything. All one needs to do outside of DNN is putting up an SSL Certificate. Because they are free nowadays, there should be no excuse for not making all pages Secure.
  3. YAF pages still deliver some mixed content, but unless one uses Internet Explorer on older machines, this should not be seen as a problem. Use Edge, Chrome, Firefox, Safari, Opera, or anything ...
    EDIT: DNN-only pages deliver mixed content too, like open fonts in one CSS, which have "http://" at the beginning of their URLs. Changing the "http://" to "https://" did the trick and I do not see any more mixed content in DNN.


The important thing is that there will be no more stealing of passwords on never-updated WiFi networks, and also no government surveillance at conspirative internet providers. :)

Edited by user 14 April 2016 22:16:48(UTC)  | Reason: Typos, as usually

Offline aeriden  
#4 Posted : 14 April 2016 23:45:55(UTC)
aeriden


Rank: YAF Forumling

Reputation:

Joined: 22/03/2016(UTC)
Posts: 2
United States
Location: Chanhassen

Was thanked: 1 time(s) in 1 post(s)
Not using DNN with YAF.NET. I may do so in the future, as I do development on DNN and am intrigued. I could also dig into YAF's issue with SSL, redirect coding-wise. But I was hoping someone would have an idea and save me that step.
thanks 1 user thanked aeriden for this useful post.
Ordinary Nimda on 15/04/2016(UTC)
Offline Ordinary Nimda  
#5 Posted : 15 April 2016 03:25:10(UTC)
Ordinary Nimda


Rank: YAF Lover

Reputation:

Joined: 08/02/2016(UTC)
Posts: 34
Slovenia
Location: LJ

Thanks: 13 times
Was thanked: 2 time(s) in 2 post(s)
This is interesting, DNN has the same problem as standalone YAF. Might this be a more fundamental issue, somewhere within .NET Framework or even in Windows proper?!

Offline DarkLogix  
#6 Posted : 29 April 2016 00:17:33(UTC)
DarkLogix


Rank: YAF Camper

Reputation:

Joined: 22/02/2015(UTC)
Posts: 22
United States
Location: Texas

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
To do SSL on my YAFNET setup I just removed the port 80 binding in IIS.

Then made a separate site with the port 80 binding but the port 80 site only redirects to 443.
Then on the 443 site added HSTS response headers so once any compliant browser has hit my site it'll only connect over SSL, and the forum is not available on non-SSL.

Though I have a mixed content message in Firefox (little yellow triangle on the lock), so maybe that CSS file that the other user mentioned needs an edit. Which file is it?
Offline Ordinary Nimda  
#7 Posted : 29 April 2016 09:09:51(UTC)
Ordinary Nimda


Rank: YAF Lover

Reputation:

Joined: 08/02/2016(UTC)
Posts: 34
Slovenia
Location: LJ

Thanks: 13 times
Was thanked: 2 time(s) in 2 post(s)
In YAF, it is in the first line of the skin file, THEME.CSS. Changing the URL to be https instead of http does a lot of magic. There might be more; Firefox is good at showing all included URLs in the "View page info" and then "Media" section - just scroll down the list of URLs, you will quickly notice any http:// instead of an https:// (There's more of those in DNN's skin, but the solution is the same, just change http to https, Google has everything done properly).

One should write down (or remember) such changes, even if they are small, because the next time a YAF Upgrade arrives, the yellow triangles will come back. :)

You have an interesting solution to the 80 to 443 redirect.
Offline DarkLogix  
#8 Posted : 29 April 2016 15:45:49(UTC)
DarkLogix


Rank: YAF Camper

Reputation:

Joined: 22/02/2015(UTC)
Posts: 22
United States
Location: Texas

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Well, the way I did the 80 to 443 redirect is really the only way to implement HSTS properly, since per the HSTS spec the HSTS header should not be sent over an insecure channel (i.e. the HSTS header should never be sent over port 80), so in IIS to achieve that 80 and 443 need to be different sites, and since I'm guessing the custom HTTP headers config in IIS is stored in one of the config files within the site folder, you'd have to either set up replication between the port 80 site's folder and the 443 in a way that wouldn't copy the custom headers config, or more simply just have anything that hits port 80 be redirected to 443.
Offline DarkLogix  
#9 Posted : 29 April 2016 15:55:03(UTC)
DarkLogix


Rank: YAF Camper

Reputation:

Joined: 22/02/2015(UTC)
Posts: 22
United States
Location: Texas

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
That worked, though there are a lot of theme.css files.

Happen to know of a find replace that would be able to do them all?
I got the one for my mail forum page so the triangle is gone.
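A bulk version of the theme.css edit discussed in the posts above, added here as an example; it is not code from any poster or from YAF. It rewrites only `url(...)` and `@import` references, leaves XML namespace identifiers alone, and keeps a `.bak` copy of each changed file. The `Themes/skinA` paths and sample CSS are constructed.

```python
import re
import shutil
import tempfile
from pathlib import Path

# url(...) and @import "..." references fetched over plain http://.
# XML namespace identifiers on www.w3.org are names, not fetches, so skip them.
HTTP_REF = re.compile(
    rb"""(url\(\s*['"]?|@import\s+['"])http://(?!www\.w3\.org/)""", re.IGNORECASE)

def upgrade_css(data):
    """Return (new_bytes, count) with http:// references upgraded to https://."""
    return HTTP_REF.subn(rb"\g<1>https://", data)

def upgrade_theme_files(root, dry_run=True):
    """Rewrite every theme.css under root; return {relative path: replacements}.

    Works on bytes so a BOM or legacy encoding is preserved. With dry_run=True
    nothing is written. Otherwise the original is kept as theme.css.bak.
    """
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.lower() != "theme.css":
            continue
        new, count = upgrade_css(path.read_bytes())
        if count == 0:
            continue
        report[path.relative_to(root).as_posix()] = count
        if not dry_run:
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_bytes(new)
    return report

def demo():
    """Run against a constructed two-theme tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample content, not taken from a real YAF skin.
        samples = {
            "Themes/skinA/theme.css": b'@import url("http://fonts.example/css?family=X");\n',
            "Themes/skinB/THEME.CSS": b"a{background:url(https://cdn.example/a.png)}\n",
        }
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        return upgrade_theme_files(root, dry_run=False)

if __name__ == "__main__":
    print(demo())
```

Run it with `dry_run=True` first and confirm each listed host actually serves the resource over HTTPS, since a rewritten reference to a host without TLS simply fails to load.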
Offline Ordinary Nimda  
#10 Posted : 29 April 2016 16:01:03(UTC)
Ordinary Nimda


Rank: YAF Lover

Reputation:

Joined: 08/02/2016(UTC)
Posts: 34
Slovenia
Location: LJ

Thanks: 13 times
Was thanked: 2 time(s) in 2 post(s)
Originally Posted by: DarkLogix
Well, the way I did the 80 to 443 redirect is really the only way to implement HSTS properly, since per the HSTS spec the HSTS header should not be sent over an insecure channel (i.e. the HSTS header should never be sent over port 80), so in IIS to achieve that 80 and 443 need to be different sites, and since I'm guessing the custom HTTP headers config in IIS is stored in one of the config files within the site folder, you'd have to either set up replication between the port 80 site's folder and the 443 in a way that wouldn't copy the custom headers config, or more simply just have anything that hits port 80 be redirected to 443.

I agree with the separation of the web sites, and more - I am against 80 to 443 automatic redirection, doing a port 80 http non-secure, should give the user a 404 error, with maybe some explanation, etc. But I did this thru DNN, "because everybody does it", LOL

I use Visual Studio's editor. Those multiple THEME.CSS files are from different skins, only one is used at a time on a YAF forum page. If you use just one skin for the whole forum, you don't even have to touch the others.
Offline DarkLogix  
#11 Posted : 29 April 2016 17:08:13(UTC)
DarkLogix


Rank: YAF Camper

Reputation:

Joined: 22/02/2015(UTC)
Posts: 22
United States
Location: Texas

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: Ordinary Nimda
Originally Posted by: DarkLogix
Well, the way I did the 80 to 443 redirect is really the only way to implement HSTS properly, since per the HSTS spec the HSTS header should not be sent over an insecure channel (i.e. the HSTS header should never be sent over port 80), so in IIS to achieve that 80 and 443 need to be different sites, and since I'm guessing the custom HTTP headers config in IIS is stored in one of the config files within the site folder, you'd have to either set up replication between the port 80 site's folder and the 443 in a way that wouldn't copy the custom headers config, or more simply just have anything that hits port 80 be redirected to 443.

I agree with the separation of the web sites, and more - I am against 80 to 443 automatic redirection, doing a port 80 http non-secure, should give the user a 404 error, with maybe some explanation, etc. But I did this thru DNN, "because everybody does it", LOL

I use Visual Studio's editor. Those multiple THEME.CSS files are from different skins, only one is used at a time on a YAF forum page. If you use just one skin for the whole forum, you don't even have to touch the others.


Well, with HSTS the port 80 site is really just a bootstrap. In my setup the port 80 site is empty, just blank; the only thing there is the web.config using the IIS feature of HTTP redirect, and it does it relative to what was typed (i.e. if you type www.domain-logix.net you will land on https://www.domain-logix.net/ and if you type www.domain-logix.net/forum you will land on https://www.domain-logix.net/forum).

This is without using the URL rewrite but just the HTTP redirection.

And with HSTS, once a compliant browser has hit the 443 page once it'll never hit the 80 page again (not that the 80 site even has a default doc or anything).
So I have my IIS set up with multiple "virtual applications" all under the 443 site, and nothing at all on the 80 site.

The only issue I have is if I wanted to make a site that uses a different host header, then I'd also have to make a different port 80 site for that header, since while the redirect will retain everything after "https://www.domain-logix.net/", if they really need to go to say somethingelse.domain-logix.net it wouldn't do it.

Oh, and for the multiple CSS files, I did edit all the ones I use, but it would be nice to edit them all so if I opt to change themes I don't then have to also edit the new CSS.

Edited by user 29 April 2016 17:09:31(UTC)  | Reason: Not specified
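The layout described in the posts above (a port 80 site that only redirects and keeps the typed path, with the HSTS header sent on 443 only) can be checked from response headers. This added example is not from any poster or from YAF; the host name `forum.example` and both sample responses are constructed.

```python
from urllib.parse import urlsplit

def parse_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None

def audit(host, path, http_resp, https_resp):
    """Check one host's port-80 and port-443 responses; return a list of findings.

    Each response is a (status, headers) pair. An empty list means the
    redirect-only port 80 site plus HSTS-on-443 layout holds.
    """
    findings = []
    status, headers = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    if "strict-transport-security" in headers:
        findings.append("HSTS header sent over plain HTTP")
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308):
        findings.append("port 80 serves content instead of redirecting")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("redirect leaves https://%s" % host)
    elif target.path.rstrip("/") != path.rstrip("/"):
        findings.append("redirect drops the requested path")
    headers = {k.lower(): v for k, v in https_resp[1].items()}
    max_age = parse_max_age(headers.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("no usable HSTS header on port 443")
    elif max_age == 0:
        findings.append("max-age=0 clears the HSTS policy")
    return findings

# Constructed responses (not captured from a real server); host is a placeholder.
GOOD = ((302, {"Location": "https://forum.example/forum"}),
        (200, {"Strict-Transport-Security": "max-age=31536000"}))
# Header config shared by both ports, a redirect that loses the path, max-age=0.
BAD = ((301, {"Location": "https://forum.example/",
              "Strict-Transport-Security": "max-age=31536000"}),
       (200, {"strict-transport-security": "max-age=0"}))

if __name__ == "__main__":
    for name, (plain, tls) in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit("forum.example", "/forum", plain, tls))
```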

Offline BD9000  
#12 Posted : 07 December 2018 15:17:36(UTC)
BD9000


Rank: YAF Forumling

Reputation:

Joined: 07/12/2018(UTC)
Posts: 1
United States
Location: Ky

To fix redirection to https (and also to redirect XXX.com to www.XXX.com), add the <rewrite> section as so AFTER the <handlers> section in the web.config file.
It works every time - just don't forget to add it back in after upgrading.


Code:
<system.webServer>
...
    <handlers>
      <add name="YafHandler" preCondition="integratedMode" verb="GET" path="Resource.ashx" type="YAF.YafResourceHandler, YAF"/>
    </handlers>
    <rewrite>
      <rules>
        <!-- Rule 1: any host that does not start with "www" (localhost excepted)
             is sent to the www host. The target is https:// so that a request
             that arrived over HTTPS is not bounced through plain HTTP. -->
        <rule name="redirect mywebsite.com to www.mywebsite.com">
          <match url=".*"/>
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="^www.*" negate="true"/>
            <add input="{HTTP_HOST}" pattern="localhost" negate="true"/>
          </conditions>
          <action type="Redirect" url="https://www.mywebsite.com/{R:0}"/>
        </rule>
        <!-- Rule 2: anything still on plain HTTP gets a permanent redirect to
             the same host and path over HTTPS. -->
        <rule name="httpsredirect" stopProcessing="true">
          <match url="(.*)"/>
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true"/>
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}"/>
        </rule>
      </rules>
    </rewrite>
...

Edited by moderator 09 December 2018 03:44:16(UTC)  | Reason: Not specified
