U4-8924 - Health Check: Pingback to HTTPS uses wrong protocol

Created by Anders Brohäll 31 Aug 2016, 10:01:13 Updated by Sebastiaan Janssen 21 Sep 2016, 06:23:46

Is duplicated by: U4-9000

On a site utilizing https, the pingback isn't working as expected under the Security Group. "Error pinging the URL http://www.domain.com:443 - 'The underlying connection was closed: An unexpected error occurred on a receive.'" My guess is that it's because it uses the http protocol instead of https.

Comments

Anders Brohäll 31 Aug 2016, 10:03:02

The affected tests are 'Click-Jacking Protection' and 'Excessive Headers'


Sebastiaan Janssen 04 Sep 2016, 08:22:24

It seems like these checks are using the wrong URL. I bet you that when you look at your UmbracoTraceLog you'll see something like this when Umbraco is starting:

INFO Umbraco.Core.Sync.ApplicationUrlHelper - ApplicationUrl: http://www.domain.com:443/umbraco (UmbracoModule request)

Furthermore, I'm guessing you're trying to run your domain on https only?

Can you make sure you have your redirects set up properly: https://cultiv.nl/blog/so-you-want-to-secure-your-umbraco-site/ (scroll down to HTTPS by default).

Still, it is possible that the very first request to your site comes in over http (without the s) because people don't try https by default, especially if their browser has not visited your site yet.

Finally, if everything seems configured properly then you could set a default URL in umbracoSettings.config. If you look at the ApplicationUrl in the log above, that URL is automatically detected from the first request to the site. You can tell Umbraco, however, to always set that to a certain URL in web.routing/@umbracoApplicationUrl:

@umbracoApplicationUrl The url of the Umbraco application. By default, Umbraco will figure it out from the first request. Configure it here if you need anything specific. Needs to be a complete url with scheme and umbraco path, eg http://mysite.com/umbraco. NOT just "mysite.com" or "mysite.com/umbraco" or "http://mysite.com".

Let me know what you find!

It seems like if we see port number 443, we should just assume it's https and change the ApplicationUrl during startup (so in ApplicationUrlHelper as seen in the log).


Sebastiaan Janssen 06 Sep 2016, 08:00:07

@anders Did this help at all?


Anders Brohäll 06 Sep 2016, 09:56:36

I haven't gotten around to it yet, hopefully I'll be able to go through it this afternoon :)


Anders Brohäll 09 Sep 2016, 07:37:09

Ok, so. Except for the initial request (mentioned above) everything goes through HTTPS. The only thing I haven't tried is the umbracoApplicationUrl setting. How would that work with multiple domains?

However, I assume that the call to http://www.domain.com:443 should be https://www.domain.com:443, since HTTP doesn't respond on port 443. No? Does the check work on other sites with HTTPS-only?


Sebastiaan Janssen 09 Sep 2016, 08:24:22

It works fine on my https sites yes. But yeah, we'll change Umbraco startup so that when we see port 443, we'll set the scheme to https.

umbracoApplicationUrl is just used for things like scheduled publishing and has no effect on your frontend or routing in general. It's just there in case Umbraco can't figure out the current URL correctly, like in your case.


Sebastiaan Janssen 15 Sep 2016, 15:39:03

Unfortunately I can't find a way to reproduce the issue but the following PR should fix it, if the port is 443 then add an "s" to "http" and continue. https://github.com/umbraco/Umbraco-CMS/pull/1481
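As an added illustration of the behaviour discussed in this thread (this is not Umbraco's code nor the code from the linked PR; function names are hypothetical), the sketch below validates a configured umbracoApplicationUrl the way the quoted documentation requires, otherwise falls back to the detected URL with the port-443 scheme fix, derives the site root the Click-Jacking and Excessive Headers checks would ping, and scans UmbracoTraceLog lines for the http-on-443 misdetection so an operator can spot it before the health check fails.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the trace line quoted earlier in this thread.
SAMPLE_TRACE_LINES = [
    "INFO Umbraco.Core.Sync.ApplicationUrlHelper - ApplicationUrl: "
    "http://www.domain.com:443/umbraco (UmbracoModule request)",
    "INFO Umbraco.Core.Sync.ApplicationUrlHelper - ApplicationUrl: "
    "https://other.example/umbraco (UmbracoModule request)",
]
_APP_URL_RE = re.compile(r"ApplicationUrl:\s+(\S+)")


def validate_configured_url(value):
    """Accept only a complete URL with scheme, host and the umbraco path,
    as the umbracoApplicationUrl documentation demands. Empty means 'unset'."""
    if not value:
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"umbracoApplicationUrl needs a scheme and host: {value!r}")
    if not parts.path.rstrip("/").endswith("/umbraco"):
        raise ValueError(f"umbracoApplicationUrl needs the umbraco path: {value!r}")
    return value


def fix_scheme_for_port(url):
    """The fix described in the thread: http on port 443 is really https."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.port == 443:
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


def resolve_application_url(detected_url, configured_url=None):
    """Configured value wins; otherwise repair the auto-detected one."""
    return validate_configured_url(configured_url) or fix_scheme_for_port(detected_url)


def health_check_target(application_url):
    """Site root the header checks request, keeping scheme, host and port."""
    parts = urlsplit(application_url)
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


def find_misdetected_app_urls(log_lines):
    """Return ApplicationUrl values logged as http on port 443."""
    found = []
    for line in log_lines:
        m = _APP_URL_RE.search(line)
        if m and fix_scheme_for_port(m.group(1)) != m.group(1):
            found.append(m.group(1))
    return found
```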


Warren Buckley 16 Sep 2016, 10:49:21

Marking as re-open @sebastiaan due to the underlying healthcheck for Clickjacking needing to be updated to use HTTPS as needed.


Sebastiaan Janssen 16 Sep 2016, 11:11:45

I guess that was actually the only bug, but the fix I did was actually also important (for other reasons!).


Sebastiaan Janssen 19 Sep 2016, 07:44:46

Fixed that too now!


Warren Buckley 19 Sep 2016, 08:12:09

Yep all good - fixed :)


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.5.0, 7.5.1, 7.5.2

Due in version: 7.5.4

Sprint: Sprint 42

Story Points:

Cycle: