Hi,

The scenario you describe is really a proxy server scenario. The Web server does not have an ssl certificate so it is not encrypting traffic but another server sits in front of the web server and and serves as a proxy for the real web server, it intercepts requests from the client web browsers and it encrypts traffic between itself and the web browsers, but behind the scenes it makes a non secure request to the web server, it gets the result and encrypts it and send it back to the browser.

The problem in this scenario is that the web server itself does not know the request is secure, from its own point of view it is not a secure request, but a standard request. More specifically the normal way we detect a secure request is to check

HttpContext.Current.Request.IsSecureConnection

but in this scenario it always returns false, because as stated the traffic between the web server and the proxy server is not really secure, only the traffic between the proxy server and the web browser is secure.

So what happens when you set SSLIsAvailable to true, mojoPortal code is trying to secure the important pages such as login, register, user profile by redirecting non secure requests to make them secure. But since it can never detect a secure connection it results in a redirect loop.

One option, is leave SSLIsAvailable as false and ask the host or service provider if they have a way to force all traffic as secure. In other words mojoPortal code doesn't have to be the one doing redirects to force secure requests, the external provider may be able to do that for you.

There may be another way to make it work but it depends. Sometimes a proxy server will provide a custom server variable that can be used to tell the web server that it is a secure request. mojoPortal has configuration settings to tell it to look for a custom server variable but to do that we need to know the name of the custom variable and what value it should have.

What I would like you to do is look for this in Web.config and either change it to true there or copy it to user.config and make it true in user.config

<add key="EnableDeveloperMenuInAdminMenu" value="false" />

also for now set SSLIsAvailable as false

create a temporary user with admin role and privately send me credentials and the url to login. joe dot audette at g mail dotcom

That will allow me to look at Administration > Advanced Tools > Developer Tools > Server Variables

By looking at that page with both http and https I can see if there is any custom variable available. If there is then I may be able to tell you configuration settings to solve the problem.

after that you can delete the temporary user.

Best Regards,

Joe

Hi,

Good news, checking the server variables I saw that the proxy is providing a variable that you can use to configure mojoPortal so that it can detect a secure request.

Specifically it provides this custom server variable:

HTTP_X_FORWARDED_PROTO

on secure requests it has the value https and on non secure requests it has the value http

If you put this in user.config

<add key="SecureConnectionServerVariableForValueCheck" value="HTTP_X_FORWARDED_PROTO" />
<add key="SecureConnectionServerVariableSecureValue" value="https" />

Then you should be able to change SSLIsAvailable back to true and it should work.

You can now delete the temporary account I used to check this.

Hope that helps,

Joe

yes please confirm if this solved it for you

Thanks,

Joe

In that case, mojoPortal cannot be the one to redirect from insecure requests to secure requests, so you will have to leave SSLIsAvailable as false and use some means external to mojoPortal to redirect insecure traffic to be secure. I suggest ask the host or ssl provider what they have to handle that for you.

I may have found the problem. If you are using the latest version 2.4.0.8 or if you upgrade to that version and then replace the mojoPortal.Web.dll with the patched one in this zip it might fix the problem.