CloudFlare SSL与ASP.NET MVC RequireHttps的兼容性


I am hosting an ASP.NET MVC 4 site on AppHarbor (which uses Amazon EC2), and I'm using CloudFlare for Flexible SSL. I'm having a problem with redirect loops (310) when trying to use RequireHttps. The problem is that, like EC2, CloudFlare terminates the SSL before forwarding the request onto the server. However, whereas Amazon sets the X-Forwarded-Proto header so that you can handle the request with a custom filter, CloudFlare does not appear to. Or if they do, I don't know how they are doing it, since I can't intercept traffic at that level. I've tried the solutions for Amazon EC2, but they don't seem to help with CloudFlare.

我在AppHarbor(使用Amazon EC2)上托管一个ASP.NET MVC 4站点,我正在使用CloudFlare进行灵活SSL。尝试使用RequireHttps时,我遇到了重定向循环(310)的问题。问题是,与EC2一样,CloudFlare会在将请求转发到服务器之前终止SSL。但是,虽然亚马逊设置了X-Forwarded-Proto标头,以便您可以使用自定义过滤器处理请求,但CloudFlare似乎没有。或者如果他们这样做,我不知道他们是怎么做的,因为我不能拦截那个级别的流量。我已经尝试过Amazon EC2的解决方案,但它们似乎对CloudFlare没有帮助。

Has anyone experienced this issue, or know enough about CloudFlare to help?


3 个解决方案



The X-Forwarded-Proto header is intentionally overridden by AppHarbor's load balancers to the actual scheme of the request.


Note that while CloudFlare's flexible SSL option may add slightly more security, there is still unencrypted traffic travelling over the public internet from CloudFlare to AppHarbor. This arguably defies the purpose of SSL for anything else than appearances and reducing the number of attack vectors (like packet sniffing on the user's local network) - i.e. it may look "professional" to your users, but it actually is still insecure.

请注意,虽然CloudFlare的灵活SSL选项可能会增加更多安全性,但仍然有未加密的流量通过公共互联网从CloudFlare传输到AppHarbor。这可以说除了外观和减少攻击向量的数量(如用户本地网络上的数据包嗅探)之外的其他任何东西都无法实现SSL的目的 - 即它对用户来说可能看起来“专业”,但它实际上仍然是不安全的。

That's less than ideal particularly since AppHarbor supports both installing your own certificates and includes piggyback SSL out of the box. CloudFlare also recommends using "Full SSL" for scenarios where the origin servers/service support SSL. So you have a couple of options:

这不太理想,特别是因为AppHarbor既支持安装自己的证书,也支持开箱即用的SSL。 CloudFlare还建议在原始服务器/服务支持SSL的情况下使用“完整SSL”。所以你有几个选择:

  • Continue to use the insecure "Flexible SSL" option, but instead of inspecting the X-Forwarded-Proto header in your custom RequireHttps filter, you should inspect the scheme attribute of the CF-Visitor header. There are more details in this discussion.
  • 继续使用不安全的“灵活SSL”选项,但不应检查自定义RequireHttps过滤器中的X-Forwarded-Proto标头,而应检查CF-Visitor标头的scheme属性。本讨论中有更多细节。

  • Use "Full SSL" and point CloudFlare to your *.apphb.com hostname. This way you can use the complimentary piggyback SSL that is enabled by default with your AppHarbor app. You'll have to override the Host header on CloudFlare to make this work and here's a blog post on how to do that. This will of course make requests to your app appear like they were made to your *.apphb.com domain - so if for instance you automatically redirect requests to a "canonical" URL or generate absolute URLs you'll likely have to take this into consideration.
  • 使用“完整SSL”并将CloudFlare指向您的* .apphb.com主机名。这样您就可以使用AppHarbor应用程序默认启用的免费搭载SSL。您必须覆盖CloudFlare上的Host标头才能使其工作,这是一篇关于如何操作的博客文章。这当然会使您的应用程序的请求显示为您的* .apphb.com域名 - 例如,如果您自动将请求重定向到“规范”URL或生成绝对URL,您可能需要将其转换为考虑。

  • Upload your certificate and add a custom hostname to AppHarbor. Then turn on "Full SSL" on CloudFlare. This way the host header will remain the same and your application will continue to work without any modifications. You can read more about the SSL options offered by AppHarbor in this knowledge base article.
  • 上传您的证书并向AppHarbor添加自定义主机名。然后在CloudFlare上启用“完整SSL”。这样主机头将保持不变,您的应用程序将继续工作而无需任何修改。您可以在此知识库文章中阅读有关AppHarbor提供的SSL选项的更多信息。



This is interesting.


Just I recently had a discussion with one of our clients, who asked me about "flexible" SSL and suggested that we (Incapsula) also offer such option.


After some discussion we both came to the conclusion that such a feature would be misleading, since it will provide the end-user with a false sense of security while also exposing the site owner to liability claims.


Simply put, the visitor on one of "flexible" SSL connection may feel absolutely safe behind the encryption and will be willing provide sensitive data, not knowing that the 'server to cloud' route is not encrypted at all and can be intercepted (i.e. by backdoor shells).


It was interesting to visit here and see others reach the same conclusion. +1

访问这里很有意思,看到其他人得出同样的结论。 +1

Please know that as website owner you may be liable for any unwanted exposure such setup may cause.


My suggestion is to do the responsible thing and to invest in SSL certificate or even create a self signed one (to use for encryption of 'cloud to server' route).




Or you could just get a free one year SSL cert signed by StartCom and upload that to AppHarbor.


Then you can call it a day and pat yourself on the back! That is until future you one year from now has to purchase a cert =).