locked
https asp.net mvc website with valid certificate accessing WCF service hosted in http RRS feed

  • Question

  • User1918766559 posted

    Hello, 

    Our asp.net MVC website is hosted over https & secured with valid certificate from CA. It's trying to access the WCF service over http, but it's throwing the issue as : 

    Mixed Content: The page at 'https://localhost/...' was loaded over HTTPS, but requested an insecure script 'http://x.x.x.x.9999/signalr/hubs'. This request has been blocked; the content must be served over HTTPS.

    We've used absolute URI for WCF service & client endpoint base addresses. 

    Any pointers will be appreciated. 

    Thanks,

    Anindita

    Friday, August 18, 2017 11:25 AM

All replies

  • User753101303 posted

    Hi,

    And you are using SignalR as well? Use F12 to see from where this query comes from but for now it seems you (or something else ?) are using a signalr connection using http rather than https.

    Just in case see https://docs.microsoft.com/en-us/aspnet/signalr/overview/getting-started/introduction-to-signalr to see what is SignalR. 

    Friday, August 18, 2017 12:01 PM
  • User1918766559 posted

    Hi there, 

    We could bypass the mixed content browser warning while connecting through WCF app services with http:// uri(unsecure) called from secure https:// website by forcing the browser to load unsafe scripts from client side & on doing that, immediately we can see 'Not Secure' warning with red icon on browser, though SignalR hub is getting started & working. 

    Our requirement : is there any way from application side(programmatically) to automatically force the browser to load the unsafe script from http:// url(what have to do manually now).  

    Thanks,

    Saturday, August 19, 2017 1:38 PM
  • User753101303 posted

    It would defeat the purpose and the correct fix would be rather to use https. You really checked where this query comes from and why it uses http rather than https? For now my guess is that http is hardcoded somewhere and for now I don't understand why using https rather than http seems beyond your control. It comes from a 3rd party library? Or from an ASP.NET built in mechanism such as a script manager?

    To start with did you find the place where this script is loaded?

    Saturday, August 19, 2017 4:17 PM
  • User1918766559 posted

    Hi there, 

    The script is loaded from the WCF App service which's hosted with http:// uri scheme. From the asp.net MVC website hosted with valid CA certificate & with https:// uri scheme we're trying to load the script from the app service. Since the scripts are loaded from web services hosted with http:// into the webpage with https://, browser gives mixed content security issue. 

    The website is hosted into AWS EC2 instances IIS 8.5 web server. 

    Is there any way to pro grammatically(application side) control loading scripts directly from http:// WCF service into asp.net https:// webpage? 

    Thanks,

    Saturday, August 19, 2017 4:59 PM
  • User1168443798 posted

    Hi Anindita,

    It is restricted by security when request http resource from HTTPS. The recommended way is to secure WCF Service by https.

    For another way, you may call WCF Service from controller by adding service reference to generate client code, and then request the controller again.

    Best Regards,

    Edward

    Monday, August 21, 2017 9:11 AM