ColdFusion 9 and IIS server encryption - iis

We have a ColdFusion developer who claims that, solely by adding a few lines of code in the Application.cfm file of an application that he wants to be encrypted, he can force the IIS Web server to encrypt all communications involving that application. So for example, let's assume this developer's ColdFusion application resides at www.ThisIsIt.com/xyz/. He includes a conditional statement in his Application.cfm file (see below) to force a Web browser to preface the URL to his application with https.
<CFIF not cgi.server_port_secure>
<CFLOCATION URL="https://#cgi.server_name##cgi.script_name#" ADDTOKEN="no"/>
</CFIF>
Meanwhile within Internet Information Services (IIS) Manager, the xyz directory is NOT set to require SSL. If you visit https://www.ThisIsIt.com/xyz/, it will in fact be prefaced by https, but how can the content of his application as well as the communication between server and client Web browser be encrypted if the IIS Web server is not instructed/configured to encrypt the xyz directory, and why does the Web browser indicate an encrypted communication? Is this a mere trick or a legitimate means to encrypt a ColdFusion application?

The application-based rule works by detecting that SSL is not being used and redirecting the user to the secure HTTPS domain. A valid SSL certificate is required to be configured; otherwise a security message is displayed.
This method only forces HTTPS access for ColdFusion scripts. Static, non-CFML files like CSS, JS, PDF (that don't care about the presence of the application.cfm script) can be accessed directly without any HTTPS redirect.
The best way to "force" SSL for all web requests using IIS is with a web.config rule.
https://stackoverflow.com/a/29089228/693068

Related

Trusted sites in web.config

I'm working on an enterprise intranet .NET web application that needs several domains to be added to trusted sites to work properly (in Windows Internet Options). Is it possible to do this from web.config (rather than advising users to change their browser configuration)?
Thanks
May I know why you are going to add trusted websites for clients? Did you get anything blocked?
Trusted sites are totally a client-side configuration. It's dangerous if the server side can control your trusted site list.
So we can't do this via the remote IIS server. Please promote trusted websites from AD DS group policy. What you can do from the server side is just use a valid CA certificate for your website to make the connection secure.
https://social.technet.microsoft.com/Forums/lync/en-US/0baa6428-bf48-4e8a-82e1-b961918090d9/how-to-add-trusted-sites-to-group-policy?forum=winserverGP

SSL Certificate Not Working for my Azure App Service

I chose to host my website in Azure. So I've created an App Service. Then I created a new domain for my app, then created/bound the SSL certificate to my corresponding website.
After I was done with the SSL certificate, I'm still seeing my website URL as http:// and not https://
Also I'm not seeing the green URL for my website!
It looks like this
(P.S.: My App Service tier is AzureFreeTier (Basic: 1 Small)
My SSL type is SNI SSL)
Please help to resolve my problem here
Thanks in Advance,
Jayendran
You need to do a redirect from HTTP to HTTPS. Installing a certificate just makes using HTTPS with your custom domain name possible.
You can either:
Configure your app to redirect to HTTPS when it receives a request over HTTP + enable HTTP Strict Transport Security
Or use an extension in Web Apps to do the first thing:
To install the extension, open your web app blade in Azure Portal. Go to Extensions, then click Add. Then you should find Redirect HTTP to HTTPS from the list and install it.
That will redirect any HTTP calls to HTTPS for you. I would still recommend adding Strict-Transport-Security headers to your responses to make sure your clients do not access your site insecurely the next time.
The reason you arrive at your site on HTTPS after AAD login is because the HTTPS version of your app's URL has been configured in AAD as the reply URL.
And this:
Your Connection to this site is not fully secure Attackers might be able to see the images
is a mixed content warning. It means you are loading content (e.g. images) using an HTTP URL in your pages. Change them to HTTPS and you will solve that problem.

IIS6 - HTTP redirect to HTTPS - how to disable authentication on the http

Currently I have two sites setup in IIS.
Primary Site (uses HTTPS and requires Windows integrated authentication)
Secondary Site (uses HTTP and redirects to the HTTPS site)
My problem is that if I set anonymous authentication on the HTTP redirect site, it just passes through to the HTTPS site without requiring authentication.
If I have Windows integrated authentication set up on the redirect site, users are forced to authenticate on the HTTP site, which voids the whole reason I want to use HTTPS (to encrypt authentication).
Any help is greatly appreciated!
You may have your HTTPS site mis-configured. Check to make sure that anonymous authentication is disabled on the HTTPS site (only Windows Integrated authentication checked). If both are checked, it will allow the anonymous request through without challenging the user for credentials.

creating a secure registration web page w/o SSL?

Example, I go to the facebook webpage and see that the http URL is not https. Maybe they are hiding that it is https. I don't see a lock either on the browser.
In any case, how do websites provide secure registration web pages? I'm looking to create a registration and user login page.
Thanks for your help!
SP
Your hosting server should provide SSL services.
You should purchase an SSL certificate from VeriSign, or generate one using OpenSSL.
Apply the SSL certificate to your web server.
Create your login page normally, as you do with your scripting language.
Access the page with https://domain.com/page.php
You provide secure registration with SSL. If you do a Google search for HTTPS or SSL you will find resources. It is a bit of a large topic. How to go about it depends on whether you are running your own server or have hosting provided to you by a service. Either way, you will need a certificate for your domain. If you have your own server you will need to do a lot more configuration.
Here is a link about how to go about it with Apache.

Hosting someone else's SSL cert in IIS to allow https hosting on their domain from your own server

Currently customers have sites on my domain like https://customername.myapp.com. I'd like for them to be able to upload an SSL cert and then access my site via https://myappname.customername.com - how would one go about doing this programmatically in .NET/IIS 7?
bump
So I might have an answer for you but it doesn't necessarily involve .NET/IIS 7.
I'm not quite sure what the end goal is here, but I'll take a stab at it. It sounds like you want customers to go customername.myappname.com and have it show myappname.customername.com's content? You don't simply want to redirect them? Do you have a trusted SSL certificate for myapp.com? If you do, then there's a way you can extend that trust to the myappname.customername.com websites.
Assuming your customers don't want to have to pay for SSL certificates for their websites, you could have them generate self-signed certificates (or create your own CA and sign their certificates) and upload them to your website. Then, using a combination of JavaScript and Flash you could do cross-domain requests from your website to theirs over SSL.
The way this would work:
A customer would go to your website myapp.com. From there (or from customername.myapp.com if you have a wildcard SSL certificate), they could login or just click on their name. Doing so would load a page with a JavaScript implementation of SSL, Flash swf, and the SSL certificate associated with that customer. Then the JavaScript SSL would do cross-domain ajax requests to the customer's site and show their content on myapp.com. This would enable a secure connection to their website via your website.
There's another bit of complexity that you might not be able to support in your use case, however. You need your customer's websites to be able to serve an XML file that contains a Flash cross-domain policy. This policy would specifically grant your site access to theirs.
The JavaScript TLS (SSL) and Flash you would host on your website are part of an open-source project called Forge. This blog post explains how it works in further detail and provides a link to Forge on GitHub:
http://blog.digitalbazaar.com/2010/07/20/javascript-tls-1/
Most of this stuff is done using client-side JavaScript, but you'd use .NET/IIS 7 to provide your customers with the page to upload their SSL certificate.