I have a web service and I want to call it from https. What is the solution?
This work for http.
Since I have a pretty good background in server setup, I will try and tackle this question.
First off, you need to set up SSL on your website. This involves buying a SSL Certificate or self signing one. Once you have a SSL certificate you need to set up your server to use it and serve your website through SSL.
As for you web code, the service you are hosting will work just fine under SSL as without. You will just have to change how you call it to use https:// instead of http://.
If you are trying to secure sensitive data you may want to set up your web server to redirect all non SSL requests to the the same path but under SSL by changing http:// in the path to https://. Any decent server administrator should know how to do this.
Related
I'm trying to figure out how to set up my Azure Web App to require client certification. The idea is to force the client's browser to send a SSL certificate (that's installed on their machine) to the web app. The web app then validates attributes in the certificate to make sure the client is authorized to access the web app.
The purpose is to enhance the security of our web app since user cannot login from a device that doesn’t have the SSL cert explicitly installed (even if they have the username/password somehow).
I'm not sure where I should begin with this. I understand SSL handshakes and the highlevel concepts but I don't really understand how to implement this in my current ASP.NET MVC web app. A tutorial that would point me in the correct direction would really help out. Or even the steps required to achieve this as I am not sure where to begin (setting up SSL certificate with IIS? Getting client to send the SSL certificate? Where did the certificate come from?) All of these questions...
UPDATE: I found this article:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
But I don't know where to begin...
I created a self hosted HTTPS WCF web service running on my Localhost machine. Now i make a request to this web service from a GWT based application hosted on some domain.
I use self-signed X.509certificate which is not approved yet. Whenever my GWT application make requests, It shows an error because of untrusted Certificate. Can i bypass this error from my GWT client code or suggest me an alternative solutions ?
Is there are any other protocol which supports WCF service that we can use for communication and will not trigger the security alert from browser?
Updated
Whole scenario:
You installed a exe in your system, which take cares of WCF web service and importing certificate to your local machine.
You open a GWT based website from your browser. Let's say some.com
some.com continuously polling a request to his/her local machine. Let's say on https://localhost:8098/{someendpoint}
But because of this HTTPS and untrusted certificate. It is not able to make request.
since you said
Let's start with local testing
How about installing your self signed certificate onto the machine on which you are testing the GWT ?
You should be able to double click the certificate and follow the prompts/wizard to install it.
This applies to development only (for production you'd need a proper certificate)
I have prepared an ASP.NET web application (ASP.NET V2.0) and I configured it in my IIS (V7.5). I used Request.Url.AbsoluteUri in my application and it works fine in my server. I deployed the web application on my client's server machine (2008 R2 Server). But in my client's environment Request.Url.AbsoluteUri always return http url even though they enabled SSL. Whether any IIS settings configured on my client's server machine? Please guide me
I have seen this before. The reason was that the load balancer at the production site terminated the SSL connection. It by itself connected to IIS using HTTP only. This scheme is a way to offload the SSL computations to the load balancer. It means that the IIS application does never see the HTTPS protocol although the browser does see it.
As spender pointed out in the comments, please see the HTTP headers arriving at your application. The load balancer is likely to add information to them that allows you to reconstruct everything.
If you want to check whether request is HTTP or HTTPS. You should check headers. Below link really helped me to solve it.
http://www.bugdebugzone.com/2013/12/identifying-https-or-ssl-connection-in.html
I know ASP.NET, and know why people use HTTPS and I know a bit about IIS, but I have never created a HTTPS website or page in my site.
How can I create a HTTPS website?
How can I only make my login page HTTPS in a normal HTTP project?
Are there any other considerations I need to be aware of when using HTTPS?
HTTPS means HTTP and SSL. So to create a HTTPS website, you need to create a normal website and a SSL layer to ensure the secure connection between your web server and web browser. Your web server will need a SSL certificate that you can generate yourself for private or development purpose or to get a trusted certificate from a trusted vendors.
Redirect your login page to https://yoursite/loginpage to obtain a HTTPS page.
You can get a free SSL certificate from cert.startcom.org
In IIS7 you simply add https binding to website on which you want to use SSL.
For this is necessary to have a certificate. You can use self-signed certificate or buy it from VeriSign, Thawte,...
You can use your pages same way as in http. SSL is not for user autentication, but for securing communication chanel. You can only check if is used secure connection
if (Request.IsSecureConnection)
{
}
I have to send a request as https post to a third party Apache server.
It seems my code is fine as testing to an aspx page shows parameters without any problem, but when I tried to conect to Apache server answers like I didn't send anything.
As I've been digging a bit more, I found out a reference to "servers handshake". Does this mean IIS has to have SSL enabled to conect to the Apache Server?
I don't think so.
the ability to call https from your code (hosted on iis) doesn't involves iis ssl settings.
you need to make sure you ignore certificate errors (if there are some) and it should work.