X-FORWARDED-FOR Does Not Allow Non-SSL Enabled Subdomains

Overview

When using a web farm to run a secure site, DNN allows the use of SSL Offload Headers to improve farm performance and simplify SSL certificate maintenance. However, this setting will not allow you to configure a subdomain to be accessed without SSL when SSL enforcement is enabled.

 

Solution

SSL Offload Headers allow you to install your SSL certificate on your load balancer and use it to manage all secure connections. When secure (HTTPS) traffic arrives at the load balancer, the load balancer passes the request on to the web server as an insecure (HTTP) request. The SSL offload header value indicates to the web server that the load balancer is taking care of SSL and that the request does not need to be converted back to HTTPS before it is sent on.

Before starting, you'll need to ensure the following:

  • SSL must be enabled for the required sites, and any pages that should be secure must be configured as secure pages.
  • SSL certificates covering all applicable domains must be installed on the load balancer. If you are running dev.<domain> or test.<domain> behind the same load balancer, the certificate will need to cover them explicitly or by wildcard.

Inputting the SSL Offload Header

  1. Navigate to Settings > Security > More.
  2. Edit the SSL Offload Header Value section.
  3. In the text box, enter the header value, e.g. X-FORWARDED-FOR.

 

Testing

  1. Browse your site from a system outside the load balancer using a secure (HTTPS) connection.
  2. If successful, the connection will show as secure and will be encrypted between the browser and load balancer.
  3. You will need to check the logs on the load balancer to see the interaction with the web server in HTTP.
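
The offload hop described under Solution can be modelled as follows. This is an added example, not DNN or load-balancer code: it assumes the load balancer sets the header only on connections where it terminated SSL and that the web server treats a non-empty header as proof of offload. The function names and sample addresses are constructed.

```python
# Added illustration of the SSL offload hop; not DNN or load-balancer code.
OFFLOAD_HEADER = "X-FORWARDED-FOR"  # value entered in SSL Offload Header Value

def load_balancer_forward(client_scheme, client_headers, client_ip):
    """Terminate SSL and build the plain-HTTP request sent to the web server."""
    # Discard any copy of the offload header that arrived from the client, so
    # the web server only ever sees the value the load balancer itself set.
    headers = {k: v for k, v in client_headers.items()
               if k.upper() != OFFLOAD_HEADER}
    if client_scheme == "https":  # assumption: header added only after offload
        headers[OFFLOAD_HEADER] = client_ip
    return {"scheme": "http", "headers": headers}

def web_server_decision(request, enforce_ssl=True):
    """Assumed rule: a non-empty offload header means SSL ended upstream."""
    headers = {k.upper(): v for k, v in request["headers"].items()}
    if request["scheme"] == "https" or headers.get(OFFLOAD_HEADER):
        return "serve-as-secure"
    return "redirect-to-https" if enforce_ssl else "serve-as-insecure"

def simulate(client_scheme, client_headers=None, enforce_ssl=True):
    """Run one request through both hops and return (forwarded, decision)."""
    forwarded = load_balancer_forward(client_scheme, client_headers or {},
                                      "203.0.113.10")  # constructed address
    return forwarded, web_server_decision(forwarded, enforce_ssl)

if __name__ == "__main__":
    for scheme, hdrs in [("https", {}), ("http", {}),
                         ("http", {"x-forwarded-for": "198.51.100.7"})]:
        forwarded, decision = simulate(scheme, hdrs)
        print(scheme, hdrs, "->", forwarded, decision)
```

The forwarded request is always plain HTTP, which matches what the load balancer logs should show in step 3 of the test.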
