Secure Pages (HTTPS)

Available from SCORE v2.0

The SCORE website includes four interrelated features for handling page security (HTTPS):

  1. Identify pages that require security
  2. Render page URLs respecting secure protocol
  3. SSL detection
  4. Redirect user to correct URL if wrong protocol is used to access page

All of these features are already included in the SCORE solution, although some configuration is required to enable them.

Identify pages that should be delivered securely

The default SCORE page template does not include a 'Require SSL' field. To enable it, inherit your page templates from /sitecore/templates/Score/Base/SSL.

After you finish that step, you can check 'Require SSL' on the pages that should be secured.

Use a custom link provider to render correct protocol

SslLinkProvider respects the 'Require SSL' page field and renders links to pages with the correct protocol.

Custom Link provider
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <linkManager>
      <providers>
        <add name="sitecore">
          <patch:attribute name="type">Score.Custom.Links.SslLinkProvider, Score.Custom</patch:attribute>
        </add>
      </providers>
    </linkManager>
  </sitecore>
</configuration> 

SSL Detection

SSL detection is a little more complicated than a simple protocol check. SSL encryption is often offloaded from the web server to a load balancer. In this case the web server does not receive the request over HTTPS; instead, the load balancer sets a flag (typically the request uses a custom port or includes a special header) that Sitecore can detect.

SSL detection is implemented in SCORE as the score.sslDetection pipeline, and a number of detectors are used as pipeline processors.

443 Port (HTTPS) Detector

The detector checks whether the incoming request uses port 443.

SSL Detection by port 443
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <score.sslDetection>
        <processor type="Score.Custom.Pipelines.SslDetection.Detectors.SslDetectionBy443Port, Score.Custom" />
      </score.sslDetection>
    </pipelines>
  </sitecore>
</configuration> 

Custom Port Detector

The detector checks whether the incoming request uses a defined port. The default port value is 8080. The sample below works similarly to the SslDetectionBy443Port detector.

SSL Detection by custom port
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <score.sslDetection>
        <processor type="Score.Custom.Pipelines.SslDetection.Detectors.SslDetectionByPort, Score.Custom">
          <Port>443</Port>
        </processor>
      </score.sslDetection>
    </pipelines>
  </sitecore>
</configuration> 

Forwarded Header Detector

Detects the proto parameter of the RFC 7239 Forwarded header. See http://tools.ietf.org/html/rfc7239#section-5.4 for more details.

SSL Detection by Forwarded Header
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <score.sslDetection>
        <processor type="Score.Custom.Pipelines.SslDetection.Detectors.SslDetectionByForwardedHeader, Score.Custom"/>
      </score.sslDetection>
    </pipelines>
  </sitecore>
</configuration> 

X-Forwarded-Proto Header Detector

Detects the de facto industry-standard X-Forwarded-Proto header. See http://stackoverflow.com/questions/13111080/what-is-a-full-specification-of-x-forwarded-proto-http-header for more details.

SSL Detection by X-Forwarded-Proto Header
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <score.sslDetection>
        <processor type="Score.Custom.Pipelines.SslDetection.Detectors.SslDetectionByForwardedHeader, Score.Custom"/>
      </score.sslDetection>
    </pipelines>
  </sitecore>
</configuration> 

Custom Header Detector

Detects a secure connection if the request contains a header named HeaderName whose value includes HeaderValue. The sample below works similarly to SslDetectionByForwardedHeader.

SSL Detection by custom header
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <score.sslDetection>
        <processor type="Score.Custom.Pipelines.SslDetection.Detectors.SslDetectionByHeader, Score.Custom">
          <HeaderName>Forwarded</HeaderName>
          <HeaderValue>proto=https</HeaderValue>
        </processor>
      </score.sslDetection>
    </pipelines>
  </sitecore>
</configuration> 
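
The header-based detectors above act on a value that any HTTP client can also send, so the flag is only meaningful when the load balancer set it. The following Python sketch is an added illustration, not SCORE code: it parses the RFC 7239 Forwarded header and accepts proto=https only from a trusted proxy. TRUSTED_PROXIES, the function names and the sample addresses are assumptions, and substring_match models the "value includes HeaderValue" comparison as a plain substring test.

```python
import ipaddress

# Constructed value (assumption): network of the TLS-terminating load balancer.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def forwarded_protos(header):
    """Return the proto value of each element of an RFC 7239 Forwarded header.

    Elements are comma-separated (one per proxy hop), parameters are
    semicolon-separated, names are case-insensitive and values may be quoted.
    Simplification: quoted values are assumed to contain no ',' or ';'.
    """
    protos = []
    for element in header.split(","):
        proto = None
        for pair in element.split(";"):
            name, sep, value = pair.strip().partition("=")
            if sep and name.lower() == "proto":
                proto = value.strip().strip('"').lower()
        protos.append(proto)
    return protos


def is_secure(peer_ip, headers):
    """Treat the request as HTTPS only if a trusted proxy says so."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return False  # header did not come from the load balancer; ignore it
    # The last element is the one appended by the nearest proxy.
    return forwarded_protos(headers.get("Forwarded", ""))[-1] == "https"


def substring_match(headers, name="Forwarded", value="proto=https"):
    """Hypothetical model of a 'value includes HeaderValue' comparison."""
    return value in headers.get(name, "")
```

The two checks disagree on a quoted or upper-case proto value, on a multi-hop header whose last element is plain HTTP, and on any request that did not arrive through the load balancer.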

Always Secure Detector

This detector does not perform any checks; it always assumes that the request is secured.

Always Secure Detector
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <score.sslDetection>
        <processor type="Score.Custom.Pipelines.SslDetection.Detectors.SslDetectionAlwaysDetected, Score.Custom"/>
      </score.sslDetection>
    </pipelines>
  </sitecore>
</configuration> 

Redirect user to correct URL

The processor below checks whether the request is secured and compares the result with the page's 'Require SSL' flag. If the request and the page's security setting do not match, it redirects the request to the correct protocol.

Redirection Processor
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <httpRequestBegin>
        <processor patch:after="*[@type='Sitecore.Pipelines.HttpRequest.ItemResolver, Sitecore.Kernel']" type="Score.Custom.Pipelines.HttpRequest.SslVerificationProcessor, Score.Custom" />
      </httpRequestBegin>
    </pipelines>
  </sitecore>
</configuration>
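
Because the redirect depends on what the detectors report, a detector that does not match the way SSL is offloaded makes the processor redirect every request again. The following Python model is an added example, not SCORE code: it assumes a request counts as secure when any configured detector matches, and it uses a constructed load balancer that terminates TLS, forwards to port 80 and sets X-Forwarded-Proto. All names in it are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Request:
    port: int       # port the web server received the request on
    headers: dict   # headers as seen by the web server


def by_port(port):
    return lambda req: req.port == port


def by_header(name, value):
    return lambda req: value in req.headers.get(name, "")


def always_secure(req):
    return True


def offloading_balancer(scheme):
    """Constructed load balancer: terminates TLS, forwards plain HTTP to
    port 80 and overwrites X-Forwarded-Proto with the client's scheme."""
    return Request(port=80, headers={"X-Forwarded-Proto": scheme})


def follow(require_ssl, detectors, scheme="http", max_hops=5):
    """Follow redirects as a browser would.

    Returns (outcome, schemes requested), where outcome is "served" or
    "redirect loop" once max_hops requests have all been redirected.
    """
    trail = []
    for _ in range(max_hops):
        trail.append(scheme)
        req = offloading_balancer(scheme)
        secure = any(detect(req) for detect in detectors)
        if secure == require_ssl:
            return "served", trail
        # Mismatch: redirect to the protocol the page setting asks for.
        scheme = "https" if require_ssl else "http"
    return "redirect loop", trail
```

In this model the port 443 detector never matches behind the offloading load balancer, and the always-secure detector never matches a page with 'Require SSL' unchecked, so both end in a redirect loop.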