WSDL generation for WCF load balancing service

Background:

I have a service hosted on IIS 7.0, behind a load balancer that decrypts SSL as traffic passes through it.

The security mode required for the Service is mixed mode, i.e. TransportWithMessageSecurity

To allow the service to accept HTTP traffic, while clients still communicate with the load balancer via SSL, I created a custom binding that adds a custom HttpTransportBindingElement to its channel stack.

The custom HttpTransportBindingElement, in turn, claims to be able to encrypt and sign messages ... therefore the framework does not complain when traffic arrives over plain HTTP, because the transport claims that it signs / encrypts messages ... although it does not.

(For anyone interested, this was considered acceptable for security, because the message will already have been received via SSL by the load balancer ...)

Problem:

When we use svcutil.exe to generate a client proxy, the resulting auto-generated app.config file contains an endpoint for the service that is addressed via HTTP. It should be addressed via HTTPS.

In addition, the transport element in the <customBinding> node is emitted as <httpTransport> when it should be <httpsTransport>.

I suspect this is because the WSDL generated by the framework on the server is built with HTTP addresses instead of HTTPS, which in turn results from using the custom HttpTransportBindingElement (as described above).

Automatically generated app.config for client:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
    <bindings>
        <customBinding>
            <binding name="myBindingEndpoint">
                <!--    WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://tempuri.org/':    -->
                <!--    <wsdl:binding name='myBindingEndpoint'>    -->
                <!--        <sp:HttpToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">..</sp:HttpToken>    -->
                <security defaultAlgorithmSuite="Default" authenticationMode="CertificateOverTransport"
                    requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true"
                    keyEntropyMode="CombinedEntropy" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
                    <localClientSettings cacheCookies="true" detectReplays="false"
                        replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
                        replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                        sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                        timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
                    <localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00"
                        maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                        negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                        sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                        reconnectTransportOnFailure="true" maxPendingSessions="128"
                        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                    <secureConversationBootstrap />
                </security>
                <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                    messageVersion="Default" writeEncoding="utf-8">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                </textMessageEncoding>
                <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                    maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                    bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
                    keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                    realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                    useDefaultWebProxy="true" />
            </binding>
        </customBinding>
    </bindings>
    <client>
        <endpoint address="http://myserver/GAEASSLWcfService/ServiceOverSSL.svc"
            binding="customBinding" bindingConfiguration="myBindingEndpoint"
            contract="IServiceOverSSL" name="myBindingEndpoint" />
    </client>
</system.serviceModel>
</configuration>

Workaround:

Just changing <httpTransport /> to <httpsTransport /> and re-addressing the endpoints to use HTTPS fixes the problem.

But we would prefer not to require our service consumers to change their .config files ... using our service should be as seamless as possible ...

Question:

, ???

: , " /ssl decrypter" HttpTransportBindingElement, . XXX ZZZ , XXX ZZZ /SSL.

+5
2

, WSDL http https .

WCF, , .

useRequestHeadersForMetadataAddress HTTPGetEnabled httpsGetEnabled Metadata.

, .net 4, , HttpTransportBindingElement, HttpTransportBindingElement AllowInsecureTransport TransportSecurityBindingElement.

+2

. :

<serviceBehaviors>
  <behavior name="<name>">
    <!-- Other options would go here -->
    <useRequestHeadersForMetadataAddress>
      <defaultPorts> <!-- Use your own port numbers -->
        <add scheme="http" port="81" />
        <add scheme="https" port="444" />
      </defaultPorts>
    </useRequestHeadersForMetadataAddress>
  </behavior>
</serviceBehaviors>
0
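The two answers above point at the .NET 4 alternatives to the "lying" custom HttpTransportBindingElement: AllowInsecureTransport on the TransportSecurityBindingElement, and the useRequestHeadersForMetadataAddress behavior. The following self-hosted service wires both up in code; it is an added example, not code from the question or either answer, and the contract body, the base address, port numbers and the class names other than IServiceOverSSL are assumptions (whether the published WSDL ends up with https addresses still depends on the scheme the metadata request reaches the service with).

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

[ServiceContract]
public interface IServiceOverSSL
{
    [OperationContract] string Ping(string text);   // hypothetical operation
}

public class ServiceOverSSL : IServiceOverSSL
{
    public string Ping(string text) { return "pong: " + text; }
}

static class Program
{
    static Binding CreateBehindSslOffloaderBinding()
    {
        // Message security with a client certificate over the transport, matching
        // authenticationMode="CertificateOverTransport" in the generated config.
        SecurityBindingElement security =
            SecurityBindingElement.CreateCertificateOverTransportBindingElement();

        // .NET 4: declare that plain HTTP is acceptable because TLS terminates at
        // the load balancer. This replaces the custom transport element that
        // falsely claims to sign/encrypt. Assumption: only the load balancer can
        // reach this HTTP endpoint; anything else would see unencrypted traffic.
        security.AllowInsecureTransport = true;

        return new CustomBinding(security,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());   // the stock element, not a subclass
    }

    static void Main()
    {
        var host = new ServiceHost(typeof(ServiceOverSSL),
            new Uri("http://localhost:8000/ServiceOverSSL"));   // assumed base address
        host.AddServiceEndpoint(typeof(IServiceOverSSL), CreateBehindSslOffloaderBinding(), "");

        // Publish WSDL, and build its addresses from the Host header the load
        // balancer forwards rather than from the internal listen URI.
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });
        var headers = new UseRequestHeadersForMetadataAddressBehavior();
        headers.DefaultPortsByScheme.Add("https", 443);   // assumed external port
        host.Description.Behaviors.Add(headers);

        host.Open(); Console.WriteLine("Listening; press Enter to stop."); Console.ReadLine(); host.Close();
    }
}
```

With AllowInsecureTransport set, svcutil still emits <httpTransport> for this endpoint; the point of the approach is that the binding no longer has to misrepresent its transport to the framework, and the metadata addresses follow the host the client actually used.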
