SSL Offload - Environment behind Balancer still using unsecure connection

We have a reverse proxy (Load Balancer) in an SSL Offload scenario.

All HTTPS requests are encrypted by the Load Balancer and then sent unencrypted (HTTP) to the application servers.

This raised issues on our applications because many functions treat the environment as if it were in HTTP instead of HTTPS.

Some examples:
- In https://local.intranet.com/, the action GetURL() from HTTPRequestHandler returns http://local.intranet.com/
- Links set to Navigate redirect back to HTTP instead of HTTPS

We have followed the instructions in "C - End-to-end SSL and SSL Offloading" from this guide: https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/OutSystems_Platform_in_Reverse_Proxy_scenarios/03_OutSystems_Platform_configurations_in_reverse_proxy_scenarios

We ran the following query in our database and set the Load Balancer to send the header "X-Forwarded-Proto: https", to no avail:

insert into OSSYS_PARAMETER (Name,Val) values ('OutSystems.HubEdition.HTTPtoHTTPSproxyHeader','X-Forwarded-Proto: https')

What might be missing in our setup? Please help me to troubleshoot this.
Thank you.
Hi Caio,

The X-Forwarded-Proto header is an example, used by some load balancers to tell that the request is being offloaded.
Did you check that your load balancer sets that header with the "https" value? It may change depending on your load balancer configuration.

Regards,
João Rosado
Hello, João.

Here's a list of Headers sent to our application servers. I highlighted the X-Forwarded-Proto value.

Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4,pt-PT;q=0.2
Host: os.sereduc.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Upgrade-Insecure-Requests: 1
X-Forwarded-Proto: https
OS-Path: /TESTEHTTPS
OS-Page: /ForceHTTPS.aspx?(Not.Licensed.For.Production)=
Hi,

That looks correct then.
Did you republish your application after adding the setting?
Does your page that requires HTTPS load or does it fail saying that it needs a secure connection?
Also, what version of the platform do you have?

Regards,
João Rosado
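
As an added illustration (not part of the thread and not OutSystems code), this Python sketch shows the general check an application server makes behind an SSL-offloading balancer: treat the request as HTTPS only when the configured header arrives from the balancer itself, then rebuild the public URL. The trusted subnet, the function names and the "Header-Name: value" reading of the marker string are assumptions.

```python
import ipaddress

# Assumptions for this sketch: the proxy subnet and the "Header-Name: value"
# marker format. The marker string is the value quoted in the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # constructed subnet
OFFLOAD_MARKER = "X-Forwarded-Proto: https"


def parse_marker(marker):
    """Split 'Header-Name: value' into (lowercased name, lowercased value)."""
    name, sep, value = marker.partition(":")
    if not sep or not name.strip() or not value.strip():
        raise ValueError("marker must look like 'Header-Name: value'")
    return name.strip().lower(), value.strip().lower()


def effective_scheme(peer_ip, transport_scheme, headers, marker=OFFLOAD_MARKER):
    """Scheme the client used, as far as the application server may believe it."""
    if transport_scheme == "https":
        return "https"  # TLS reached this server directly (end-to-end SSL)
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return "http"  # not from the balancer: the header proves nothing
    want_name, want_value = parse_marker(marker)
    # Header names are case-insensitive; collect every occurrence.
    seen = [v.strip().lower() for n, v in headers if n.strip().lower() == want_name]
    # Missing header, or duplicates that disagree, fall back to plain HTTP.
    if seen and all(v == want_value for v in seen):
        return "https"
    return "http"


def public_url(peer_ip, transport_scheme, headers, path="/"):
    """Rebuild the URL the browser requested, for links and redirects."""
    host = next(v for n, v in headers if n.strip().lower() == "host")
    scheme = effective_scheme(peer_ip, transport_scheme, headers)
    return f"{scheme}://{host}{path}"


# Two of the headers posted in the thread; the peer addresses are constructed.
SAMPLE_HEADERS = [("Host", "os.sereduc.com"), ("X-Forwarded-Proto", "https")]

if __name__ == "__main__":
    print(public_url("10.0.0.5", "http", SAMPLE_HEADERS))     # via balancer
    print(public_url("203.0.113.9", "http", SAMPLE_HEADERS))  # direct client
```

If the header check matches but generated links are still HTTP, the mismatch lies in how the application reads its setting rather than in what the balancer sends.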