Using SSL for ServiceStack Requests

[stephen776]

I am building a restul service using ServiceStack.NET.  I am employing basic auth via a service base class. I would like to utilize SSL to secure all requests to my service. 

Unfortunately, I am not well versed in this area. Can anyone explain the basics to me and possibly provide examples of how to get this working? I realize I will need an SSL certificate on the hosting web server. What about the clients? My scenario involves a finite a set of known WPF clients that will consume the service(think specific workstations accross a geographic region).

[Demis Bellot]

This is actually a web server configuration and not anything to do with ServiceStack which is basically just a set of lightweight ASP.NET IHttpHandler's (when its hosted in ASP.NET).

What you're really after is configuring "SSL with IIS" w/ ASP.NET and there are a few blogs on the subject:

Here's a few just googling around:

http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx

http://msdn.microsoft.com/en-us/library/ff649205.aspx

Cheers,

On Wed, Oct 12, 2011 at 3:41 PM, stephen776 <stephen...@gmail.com> wrote:

I am building a restul service using ServiceStack.NET.  I am employing basic auth via a service base class. I would like to utilize SSL to secure all requests to my service. 

Unfortunately, I am not well versed in this area. Can anyone explain the basics to me and possibly provide examples of how to get this working? I realize I will need an SSL certificate on the hosting web server. What about the clients? My scenario involves a finite a set of known WPF clients that will consume the service(think specific workstations accross a geographic region).

--
- Demis

http://twitter.com/demisbellot

http://www.servicestack.net/mythz_blog

[stephen776]

So it would be unnecessary to do any sort of checking for certs/https in a request filter or the like?

 

[Demis Bellot]

Well if you only have your ServiceStack ASP.NET app only permitted to run under the https endpoint then you can guarantee that all traffic is going through https.

If you have both http and https endpoints enabled and you want to ensure that for e.g. the Login service was called via https then you would inspect the HttpRequest context and throw an exception if it wasn't.

On Wed, Oct 12, 2011 at 4:25 PM, stephen776 <stephen...@gmail.com> wrote:

So it would be unnecessary to do any sort of checking for certs/https in a request filter or the like?

 

[stephen776]

In my case, I plan to host the service within an MVC app. The service would require all traffic through https, the mvc site would not. 

Is this possible?

[Demis Bellot]

So both endpoints would need to be enabled in order to serve MVC on http and ServiceStack on https.

You can easily globally prohibit ServiceStack from running under https by adding this validation in the request filter.

On Wed, Oct 12, 2011 at 4:34 PM, stephen776 <stephen...@gmail.com> wrote:

In my case, I plan to host the service within an MVC app. The service would require all traffic through https, the mvc site would not. 

Is this possible?

[stephen776]

Any chance you can provide an example of the request filter? Would I just throw a 403 if the request was HTTP?

[Demis Bellot]

Yep, a 403 would be the most appropriate response status code. Something in your AppHost.Configure() like:

this.RequestFilters.Add((req, res, dto) =>
{
    if (!req.IsSecureConnection)
    {
        res.StatusCode = (int)HttpStatusCode.Forbidden;
        res.Close();
    }
}

Should do it!

Cheers,

On Wed, Oct 12, 2011 at 5:04 PM, stephen776 <stephen...@gmail.com> wrote:

Any chance you can provide an example of the request filter? Would I just throw a 403 if the request was HTTP?

[stephen776]

Awesome! Thanks a lot.