How to make a website work only with https [duplicate] - asp.net

This question already has answers here:
How to force HTTPS using a web.config file
(10 answers)
Closed 7 years ago.
How do I make a website to work only with https? Is there any method to make my website work only if the protocol is https?
For example let me say http://www.mywebsite.com, this should work only with https://www.mywebsite.com, if it's http the website should not be accessible .
Is it possible to make a website work only with https? Is it possible to restrict a website /make a website inaccessible if the website was http?

Sure, assuming you are using IIS to host your site, open IIS Manager and select your web site and then binding on the right:
make sure you only have a binding for https not for http.
This way IIS will only send https traffic to that web site.
Edit: What is the difference between Andre's answer Require SSL and mine?
using Require SSL, when users requesting http:// they will get a:
403 - Forbidden: Access is denied.
When using only an https binding, no connection is made at all and the user eventually gets:
ERR_CONNECTION_TIMED_OUT
It's up to you which option you prefer.
I usually have a catch-all site on all servers that respond to any requests not picked up by real sites and just displays a basic 404 page.
The third option is to actually allow http:// but then redirect to https:// as mentioned in the comments. For that solution you have to install the URL rewrite module and add a redirect rule.
My single binding option is the leanest, but it all depends on how you want you site to handle http:// requests.

Create Rule in your web.config which will force to open in https only as shown below
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

For IIS? Start the IIS Manager, click on your site and double click "SSL Settings" and check "Require SSL".
What I have done using Apache: add redirect from http to https

Related

Why i need to type HTTPS manually to access my site?

why do I need to type https before my site URL every time in the browser? Tho my website has SSL enabled it's going to default IIS page. Please help me with this.
This url i'm typing in browser -- fdrms.visiontek.co.in/
If I want to see my SSL enabled page every time I need to add https:// before above URL like -- https://fdrms.visiontek.co.in/
Once the SSL certificate is installed, your site still remains accessible via a regular insecure HTTP connection. To connect secure url you need to manually enter https:// prefix. To force a secure connection on your website you need to set redirect rule which redirects http to https.
You could follow below steps to redirect site from http to https:
Download Url rewrite module manually or from web platform installer.https://www.iis.net/downloads/microsoft/url-rewrite
Open IIS manager window and select site from connection pane which you want to apply redirect rule.
Select URL Rewrite from feature view.
Click Add Rule from Action pane in a rewrite module.
Select Blank Rule in the Inbound section, then press OK.
Enter the rule name.
In the “Match URL” section:
Select “Matches the Pattern” in the “Requested URL” drop-down menu
Select “Regular Expressions” in the “Using” drop-down menu
Enter the following pattern in the “Match URL” section: “(.*)”
Check the “Ignore case” box
In the “Conditions” section, select “Match all” under the “Logical Grouping” drop-down menu and press “Add” In the prompted window:
Enter “{HTTPS}” as a condition input
Select “Matches the Pattern” from the drop-down menu
Enter “off” as a pattern
- Press “OK”
- In the “Action” section, select “Redirect” as the action type and specify the following for “Redirect URL”: https://{HTTP_HOST}{REQUEST_URI}
- Check the “Append query string” box.
- Select the Redirection Type.
- Click on “Apply” on the right side of the “Actions” menu.
You could also add this rule directly in web.config file withoud using UI module which mention above.
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Regards,
Jalpa.
The behavior you are seeing is your browser's doing. When you type www.example.com, it translates that to http://www.example.com. How your WebServer is configured doesn't really affect what your browser does in this case. As others have mentioned, if you want, you can have your web server automatically redirect any requests to HTTP to HTTPS and thus use your SSL site.
URL Rewite is the best way to accomplish this, you can check out what the rule would looke like here: https://ruslany.net/2009/04/10-url-rewriting-tips-and-tricks/#redirect-https

"This webpage is not available" from localhost after SSL removed

When I attempt to debug my ASP.NET MVC 5 project I am getting the IIS error "This webpage is not available". Here is the sequence of events that led to this:
The project was originally using SSL and IIS Express and working fine.
I wanted to use Fiddler and saw that Fiddler doesn't (easily) monitor https traffic, so went into the project properties (F4) tab and changed it back to use http.
This is when I started seeing the error "The page can't be displayed". I noticed that even though my ProjectUrl and Start URL in the project properties window was http://localhost:57505, when I debugged, the URL would change to https.
A complication (sorry, I don't remember what it was) prompted me to use Local IIS (IIS 7.5) instead of IIS Express.
I restarted IIS and I decided to get rid of the SSL certificate in IIS but that didn't help.
Because nothing worked I changed the project back to use SSL. Now I am seeing "This webpage is not available" when I debug.
I have rebooted and recycled frequently
I'm not sure what to do next because my project is unusable right now. Any help appreciated.
Did you happen to had an entry in web.config that force a redirection to the HTTPS site?
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="^account/logon$|^account/register$" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
Note that redirectType="Permanent", it will return Permanent Redirect(301) to your browser. This will be cached permanently on your browser so you couldn't access the normal HTTP site even if you've removed this redirection. You will need to manually clear your browser caches to fix it.
If it happens with other projects as well then try to disable windows firewall or any other firewalls on the system and hopefully it should work.
Also try to run the website without fiddler and see if it works.
I had similar problem and it was the firewall causing it.
With HTTPS, you can only have one "web site" per ip_address:port. So https://localhost, https://example.com, it's all the same (modulo certificate errors.)
HTTP, however, allows multiple web sites per ip_address:port pair, via the "HOST" header in the HTTP 1.1 spec. IIS needs to know what site you want, and it defaults to binding the web site to the machine's hostname. (That is probably what is getting you.)
If you just want all requests that resolve to your host (like "localhost") to hit the same web site, edit the site bindings in inetmgr and set "Host Name" to empty string or *.

Windows Azure: How to 301 non-www url to www for a domain

I recently deployed an Windows Azure application and configured DNS of my domain through DreamHost portal. Now my site is accessible through http://www.coziie.com, but not through non-www address.
I read in one of the articles that I should add an A record in DNS settings and point to virutal IP of Windows Azure. How do I get virutal IP of my Windows Azure deployment?
Or is there any better way to 301 redirect all non-www urls to www?
RESOLVED: I was able to solve this problem by simple configuring a website redirect settings in DreamHost DNS settings. A simple 301 redirect of http://coziie.com to www.coziie.com sorted out the issue.
You are talking about two separate issues here.
The first is to setup a DNS record so that your un-canonised url works. The second is to redirect the url if the site is accessed by it.
update I have removed the previous advice for CNAME from here as I didn't realise before that you cannot set the root domain to a CNAME record. It seems that with the ip restrictions of Azure you will have to point the root domain record at non-azure, asp.net hosting and then put a 301 redirect (such as the one further down my reply) to forward it on to the Azure domain (www domain).
When you have http://coziie.com/ pointing at your site and serving the page its then time to fix this because Google can get confused, think its two different sites and then dilute your page rank between the two.
The trick is to set up a 301 redirect. I believe the url rewriting tool started out as an addon for IIS7 but is now included in it? You might have to do a quick search on that.
Anyway, this is how I do it on an IIS7 server with the official url rewrite extension installed (this goes in your web.config):
<system.webServer>
<rewrite>
<rules>
<clear/>
<rule name="WWW Rewrite" enabled="true">
<match url="(.*)"/>
<conditions>
<add input="{HTTP_HOST}" negate="true" pattern="^www\."/>
</conditions>
<action type="Redirect" url="http://www.{HTTP_HOST}/{R:0}" appendQueryString="true" redirectType="Permanent"/>
</rule>
</rules>
</rewrite>
</system.webServer>
Intellisense will complain that its not a recognised element but thats just a cosmetic issue while you are editing the file.
The VIP address is easily obtained by either looking at the portal (read deployment details) or by simply pinging your .cloudapp.net address. You can set an A record, but you must be prepared to update that in case you delete your deployment. Once you delete a deployment, the VIP address will be returned to the pool and there is pretty much a guarantee that you will get a new VIP address on the next deploy.
You can maintain your VIP address by using the Upgrade feature as opposed to new deployments. There are some limitations to this, but it works for updates that do not change the Service Definition broadly speaking.
We used to say that the VIP address was not guaranteed even if you did an update, but MS has come back with stronger language about guarantees. See here.
CNAMES are only for subdomains, like sub.example.com or www.example.com, you can't register a CNAME for example.com in other words. If your domain provider supports it you could create a redirect from example.com to www.example.com and then create a CNAME record for www.example.com, the CNAME will match www.example.com against example.cloudapp.net. My domain provider has a web console where I can do this easily, perhaps yours have too?

Enabling SSL in asp.net 4.0 and IIS 7.5

I have created an asp.net 4.0 project. I want to enable SSL for it. Do I need to map this web project to new website in IIS. When I try to create a new website, I get:
The binding '*:80:' is assigned to another site. If you assign the same binding to this site, you will only be able to start one of the sites. Are you sure that you want to add this duplicate binding?
I am trying to follow the following posts:
http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx
http://mscrm4humans.wordpress.com/2010/06/24/enabling-ssl-on-iis-7-0-using-self-signed-certificates/
my IIS is 7.5.7600....
I am totally new to SSL in asp.net. Please suggest solution to this issue.
Whilst it is possible to configure host headers to do what you're after, the easy way is to configure your new site with a different IP address.
Add the new IP address to the server, then setup your binding for the new site to the new IP address on port 80 and 443. Set the app pool to run using .NET 4, then for a nice touch you could add a URLRewrite rule to push all non-SSL traffic to HTTPS by sticking this in your web.config:
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>
</rules>
</rewrite>
</system.webServer>
Or if you wanted to force SSL then just tick the Force SSL option in IIS for the site.
It sounds like you already have a site setup on port 80. Your IIS probably has a Default Web Site setup. If you're not using that site, you can delete it before you follow the steps in Scott Guthrie's blog post and that should clear up the issue.
If you are using the Default Web Site, change your new site's port to 81 when you create it. You can change the port in the screen shown by the second image in Scott Guthrie's blog post.
If you want to prevent any non-ssl traffic from reaching your new site, you should delete the binding on port 80 (or 81) after you've finished setting everything up.
To use SSL you must:
Have a separate website in IIS
This website must have a separate IP address which will be bound on port 443
You cannot use host headers to host separate websites in IIS and use SSL.
Check this article for more help:
http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/

Redirect *.domain.com & domain.com to www.domain.com

I've got an Search Engine Optimisation problem where users are able to access my site by specifying any sub-domain. This is causing duplicate page issues with SEO.
For example if a user mis-types 'www' then posts a link on a forum, google is crawling 'wwww.domain.com'. Furthermore, google is also crawling 'domain.com'.
I need a way of forcing the site to always redirect to 'www.domain.com' regardless of how the user accesses the site.
Is it possible to do this in the web.config file? If not, how else can I achieve this?
Cheers, Curt.
You can do this using the IIS URL Rewrite module. Here's the config to rewrite domain.com to www.domain.com:
<system.webServer>
<rewrite>
<rules>
<rule name="Canonical host name">
<match url="^(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^www\.domain\.com$" negate="true" />
</conditions>
<action type="Redirect" url="http://www.domain.com/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
You might need to modify the regex a bit or add a second rule to support rewrite of specific subdomains as well.
Unfortunately URL Rewrite module is not available on IIS6.
If you want to use url rewriting, you could check one of the following:
http://www.isapirewrite.com/ (not free)
http://urlrewriter.net/ (free)
http://cheeso.members.winisp.net/IIRF.aspx (my favourite)
Ah, just did this!
Set the default site to just redirect all calls using URL Redirect to your www.site.com, then create another site with your actual content that binds just to the www subdomain.
This will mean that all traffic will be redirected to the www site if there is no other binding available.
This has worked perfectly for me:
IIS 6 how to redirect from http://example.com/* to http://www.example.com/*
I had to change a bit of the code to get it to work with my Url-Rewriting, but apart from that, spot on!

Resources