Thursday, January 13, 2011

Elegantly Enforcing SSL in IIS 6.0

I have a website running under IIS which has an SSL certificate applied. We would like to enforce HTTPS usage for the website which is easily done by checking the "Require Secure Channel" box, but this will immediately break the ability for people to connect over HTTP (as designed).

What I'd like to do is find a way to automatically redirect people from HTTP -> HTTPS if they type in the wrong thing (or connect from an old bookmark).

Is there a way to do this without creating a second website in IIS?

  • If you need to do it at the server level then you will have to create another site and have it forward to the https site.

    If you can edit the code, you cannot enforce SSL at the server level; instead you can do it in your website by detecting if the URL starts with http: and redirecting to the same URL with https: instead.

    Ryan Bolger : Editing the code won't help since the request will never make it to the code if the https is enforced at the IIS level.
    sysadmin1138 : However, if the flag is turned off (allow http), their code WILL run and redirect cleanly.
    Jimmie R. Houts : @Ryan, sysadmin1138 is correct, I have updated my answer to be more clear.
    kdmurray : OK. Thanks. I pretty much figured that was the answer. I'd really love to see an "auto-forward" feature in IIS 8 to make this sort of thing automatic. Seems a waste to clog up the IIS metabase with extra sites that are simply redirects.
    kdmurray : As for the code option, the HTTP variant of the site needs to be turned off, that's the whole reason for needing to enforce SSL to begin with. Simply doing a redirect in code (unless it's done at a high level so that it happens on any page) could potentially allow for bookmarked pages to be viewed over the insecure link.
  • I posted this on StackOverflow

    If the server/site/vdir is configured using the "Require Secure Channel" setting, the response from the server will be a "403.4 Forbidden: SSL is required to view this resource." error or a "403.5 Forbidden: SSL 128 is required to view this resource." error.

    You can actually customize the 403.4 or 403.5 error to redirect back to HTTPS. Create a VDIR under your site with NO SSL requirement (**this is important**) - I use "CustomError". Create an ASP file inside this directory called 403_4_Error.asp containing the following:

    <%@ LANGUAGE="VBScript" %>
    <%
    ' Runs as the custom error page for 403.4 / 403.5. HTTPS is "off" when the
    ' original request arrived over plain HTTP, so send the client to the same
    ' resource over HTTPS (a redirect, not just the URL written into the body).
    If Request.ServerVariables("HTTPS") <> "on" Then
        sServer = Request.ServerVariables("SERVER_NAME")
        sScript = Request.ServerVariables("SCRIPT_NAME")
        sQuery  = Request.ServerVariables("QUERY_STRING")
        sTarget = "https://" & sServer & sScript
        ' Only append "?" when there is a query string to preserve.
        If Len(sQuery) > 0 Then sTarget = sTarget & "?" & sQuery
        Response.Redirect sTarget
    End If
    %>

    Edit the server/site/vdir's Custom Error property for 403.4/403.5 and set the MessageType to URL and the URL to "/CustomError/403_4_Error.asp".

    Note that ASP is used; you could easily use ASP.NET or any other scripting language.

    sysadmin1138 : This is the method we use.
    kdmurray : Thanks for that. I really was looking for a server-side (non-code specific) solution for this as we're marking the entire domain as requiring SSL. I'll keep this in mind for any future apps.
    Christopher_G_Lewis : This is completely server side - it executes in the server's error page handler.
    Jimmie R. Houts : +1 never thought of using the error page to do this. Very elegant.
    Whisk : +1 for this, it's extra easy to do in IIS7 as you can specify a redirect straight from the error customisation page
    lextm : Actually this trick is also documented in KB 839357. http://support.microsoft.com/kb/839357
    Christopher_G_Lewis : Yes, I believe I started with that article - Exchange was the initial premise for our needs. The above script will work with any site, not just Exchange OWA.
  • We ended up doing this in our application code; our page base class checks early on whether it's in HTTP, and redirects to HTTPS as required. It really depends on how much you trust your application code :)
