Commerce Manager cannot load CDNs in load-balanced environment


We're running Commerce Manager in a load balanced environment. Although the browser requests Commerce Manager over https, the load balancer redirects to non-http, which gives issues with mixed content. This is nicely explained in this article:

https://world.episerver.com/blogs/Quan-Mai/Dates/2017/7/commerce-manager-over-https-on-load-balancer/

The article suggests two things to solve this:

1) Use at least Commerce Manager 10.6.0. We use 11.8 so that should be fine.

2) Configure the header X-Forwarded-Proto to "https" on your load balancer. This we did.

With the above solution, Commerce Manager now loads its own internal scripts and stylesheets over https, so that's great. However, Commerce Manager still tries to load CDNs over http, as seen here:

Snippet from browser's console log:

"Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js'. This request has been blocked; the content must be served over HTTPS.
default.aspx:1 Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.js'. This request has been blocked; the content must be served over HTTPS.
default.aspx:1 Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.js'. This request has been blocked; the content must be served over HTTPS.
ContentFrame.aspx?_a=Catalog&_v=Catalog-List:1 Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js'. This request has been blocked; the content must be served over HTTPS.
ContentFrame.aspx?_a=Catalog&_v=Catalog-List:1 Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.js'. This request has been blocked; the content must be served over HTTPS.
ContentFrame.aspx?_a=Catalog&_v=Catalog-List:1"

How to fix this?

#195659
Edited, Aug 03, 2018 9:00

I think I tried a solution for this; basically you can overwrite the CDN URL. Can't remember what it looks like, but will get back to you.

#195664
Aug 03, 2018 10:37

I think you need to do something like this in application_start or an initialization module:

https://stackoverflow.com/questions/11949504/scriptmanager-enablecdn-does-not-work-on-ssl

#195688
Aug 04, 2018 0:16

Exactly! The solution in Mark's post is what I sent to another customer. 

Adding this to Global.asax/Application_Start

    // Requires: using System.Web; using System.Web.UI;
    // ext = System.Web.Extensions, web = System.Web (the assemblies that embed the scripts).
    System.Reflection.Assembly ext = typeof(ScriptManager).Assembly;
    System.Reflection.Assembly web = typeof(HttpApplication).Assembly;

    // Map each script to an explicit https:// CDN path.
    ScriptManager.ScriptResourceMapping.AddDefinition("WebForms.js", web,
        new ScriptResourceDefinition
        {
            ResourceName = "WebForms.js",
            ResourceAssembly = web,
            CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js",
            CdnSupportsSecureConnection = true
        });
    ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjax.js", ext,
        new ScriptResourceDefinition
        {
            ResourceName = "MicrosoftAjax.js",
            ResourceAssembly = ext,
            CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.js",
            CdnSupportsSecureConnection = true
        });
    ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjaxWebForms.js", ext,
        new ScriptResourceDefinition
        {
            ResourceName = "MicrosoftAjaxWebForms.js",
            ResourceAssembly = ext,
            CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.js",
            CdnSupportsSecureConnection = true
        });



Note that they should change <compilation debug="false" in web.config

#195690
Edited, Aug 04, 2018 8:17
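
Added example, not part of the thread and not Episerver's code: a Python triage script that parses browser console lines in the "Mixed Content" format quoted in the question and reports which script names still need an HTTPS CDN mapping and whether debug builds are being requested. The sample log is constructed from the URLs in the question, and the function names are illustrative.

```python
import re

# Constructed sample, built in the console-message format quoted in the question.
PAGE = "https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx"
CDN = "http://ajax.aspnetcdn.com/ajax/4.6/1/"
SAMPLE_LOG = "\n".join(
    f"default.aspx:1 Mixed Content: The page at '{PAGE}' was loaded over HTTPS, "
    f"but requested an insecure script '{CDN}{name}'. "
    "This request has been blocked; the content must be served over HTTPS."
    for name in ("WebForms.js", "MicrosoftAjax.debug.js",
                 "MicrosoftAjaxWebForms.debug.js", "WebForms.js")
)

MIXED = re.compile(
    r"Mixed Content: The page at '(?P<page>[^']+)' was loaded over HTTPS, "
    r"but requested an insecure (?P<kind>[\w ]+?) '(?P<url>http://[^']+)'"
)

def blocked_resources(log_text):
    """Return one record per distinct insecure URL reported in the log."""
    found = {}
    for m in MIXED.finditer(log_text):
        url = m.group("url")
        file_name = url.rsplit("/", 1)[-1]
        found.setdefault(url, {
            "kind": m.group("kind"),
            "file": file_name,
            # Release-mode name, as used for the mappings in the answer above.
            "resource": file_name.replace(".debug.js", ".js"),
            "debug_build": file_name.endswith(".debug.js"),
            "https_url": "https://" + url[len("http://"):],
        })
    return list(found.values())

def summarize(log_text):
    """Names needing an HTTPS CDN mapping, and whether debug builds were requested."""
    records = blocked_resources(log_text)
    names = sorted({r["resource"] for r in records})
    return names, any(r["debug_build"] for r in records)

if __name__ == "__main__":
    names, debug_seen = summarize(SAMPLE_LOG)
    print("needs HTTPS CDN mapping:", names)
    print("debug builds requested:", debug_seen)
```

Re-running it on a console log captured after the change should return an empty list if the mappings took effect.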

That works. Thanks :-)

#195722
Aug 06, 2018 13:35
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.