transportwithmessagecredential https / ssl

CAT

18 Jul, 2011 11:37 AM

Hi

For some time now I have tried to get a WCF service with transportwithmessagecredential to work. I have it working on my local IIS with the current bindings and behaviors, so I am sure that the code I have created works.

Whenever I upload to AppHarbor I get the following error:
"Could not find a base address that matches scheme https for the endpoint with binding WSHttpBinding. Registered base address schemes are [http]."

I have also tried to supply a BaseAddress and/or a BaseAddressPrefix. Doesn't make any difference.

I figured that it has something to do with your load balancer, which internally transfers the https request using http. As my service is set up for Transport security, the service only supports https pass-through.

The only solution I could find was here: "http://blog.hackedbrain.com/2006/09/26/how-to-ssl-passthrough-with-..." but I don't feel comfortable handling it that way, unless that's the only way.
I think the webserver should be able to handle a web.config setup for transportwithmessagecredential.

Please share some light on my issue, as it is getting urgent.

Michael

  1. 1 Posted by CAT on 18 Jul, 2011 01:12 PM

    It seems that using any kind of Transport Security gives the error.

    Has anybody got Transport security working with AppHarbor? Or am I missing something?

    Could be nice with a working example (web.config), anybody?

  2. 2 Posted by CAT on 18 Jul, 2011 01:32 PM

    If what I am trying to achieve is not possible, could you supply me with the best practices for having a WCF service using SSL and username/password validation?

  3. Support Staff 3 Posted by rune on 18 Jul, 2011 04:01 PM

    Perhaps this article could be helpful?

  4. 4 Posted by CAT on 19 Jul, 2011 07:09 AM

    Hi Rune

    Well, I think I tried all the different combinations of using Message, Transport and transportwithmessagecredential security. Above I explained the situation of the latter, and the transport doesn't fulfill my objective. Using just the Message security could be a solution, but it requires a certificate to be specified in the web.config. I tried that, and it is working on my local machine, as I know the certificate store and location.

    If you could supply me with the information of where the certificate I created in AppHarbor for my WCF service, I think message security will be sufficient. The only problem I can see is that the service will still be available using http, which will bypass the overridden Validate() method, and no authentication will be done. I am not sure of this as I have been unable to test it in the AppHarbor environment.

    I really need a solution for this, either using message or transportwithmessagecredential. Am I the only one with this issue? I mean, how do other people secure their WCF services in AppHarbor?

  5. Support Staff 5 Posted by rune on 19 Jul, 2011 12:09 PM

    I'm not sure what information about the certificate you're requesting (seems like the sentence wasn't completed :-))?

    However, I think the article you referred to yourself describes the same setup as the one we have (SSL offloaded by a load balancer). You could always restrict regular http-traffic in your application, for instance by redirecting to https. You can use the "HTTP_X_FORWARDED_PROTO" header to determine whether the request was sent over HTTP or HTTPS (it will be equal to either "https" or "http"). You can retrieve the value of this header with Request.ServerVariables("HTTP_X_FORWARDED_PROTO").

    Now I'm not an expert in WCF, but in ASP.NET MVC I would enforce the use of HTTPS by using a custom RequireHttpsAttribute as described in this article.

    I'm leaving the discussion open in case someone else wants to chip in.

    Best,
    Rune

  6. 6 Posted by CAT on 19 Jul, 2011 01:04 PM

    Hi Rune

    I will try to further explain the problems I am having with WCF security.
    Basically I have two options for using Username / Password authentication:
    Message Security and transportwithmessagecredential.

    Message Security almost works on AppHarbor, though the problem is with the certificate as described before. I get the following error:
    "Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'xxxxxx'."

    The reason for the error message is that Microsoft doesn't allow passing username and password in clear text, and therefore enforces the use of a certificate. Basically, unless I can specify where the certificate is located, I cannot use the simple Message security. If I can get this to work, then I can use the method you describe to force SSL.

    Second, using the transportwithmessagecredential gives the following error:
    "Could not find a base address that matches scheme https for the endpoint with binding WSHttpBinding. Registered base address schemes are [http]." The reason is explained in the first post.

    Hope it makes more sense now.

    I am curious whether I am the only one with this issue, and how your other users have come around this.

    Michael

  7. Support Staff 7 Posted by friism on 19 Jul, 2011 10:23 PM

    Note that we don't install the certificate you specify for your application on the servers that host your service (it's only placed on the load balancer because the certificate is only used for SSL in most scenarios).

    For WCF to use the certificate for Message Security, you will likely need to push the certificate along with your code and read it from the filesystem. I haven't actually tried to do this, but it seems possible [1].

  8. 8 Posted by CAT on 02 Aug, 2011 03:07 PM

    I went away from using message and transport security. I have now overridden some of the .NET security classes and handle the username/password login in the SOAP header.

    Thank you for trying to solve the issue.

    You can close the case.

  9. Support Staff 9 Posted by friism on 02 Aug, 2011 08:12 PM

    Cool. If you have time, we'd love to have a blog post on this topic, either as a guest post on the AppHarbor blog.

    Let us know if this is something you could do.
    Regards
    Michael

  10. 10 Posted by CAT on 03 Aug, 2011 08:45 AM

    Hi Michael

    At the moment I don't have the time. We are really busy getting our company started.

    Furthermore, there is not too much magic to it. Basically I overrode the .NET message inspector, and created a custom endpoint behavior including a custom endpoint configuration element. There are many resources on the web regarding this.

    You can close this issue.

  11. Support Staff 11 Posted by friism on 03 Aug, 2011 01:46 PM

    OK, thanks.

    Michael

  12. friism closed this discussion on 03 Aug, 2011 01:46 PM.
