Is it easy to apply SSL to an already built website? - asp.net

I'm building a website in ASP.NET, and I want it to have users so I'm creating a login page, database, aspx pages, etc, etc.
But I also want to implement SSL for extra security later on, but I don't know have the slightest idea if that will be a difficult or annoying, I have never implemented SSL for a website. So I'm wondering, is it "easy" or "hard" to apply SSL to my website after it's already built?
Do I have to build my website with SSL in mind from the start, or can I learn about it afterwards and then apply it?

You can configure SSL after deploying you website. No need to take extra measure at the time of building your web site and of-course it is very easy to implement. SSL configuration is used to encrypt the connections with your web-site. You can buy or use self signed certificate to encrypt the connection. Try these link for more info:
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis
http://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7

Yes, you can easily add it to an existing site. Just obtain the certificate, set it up in IIS and you are good to go:
How do I add HTTPS to my asp.net website for account login?
Setting up SSL with ASP.NET - Part 1 of 3

Related

Redirect & mask URL to Azure subdomain

I have an ASP.NET MVC web app running on Azure as generic-site.co. It's a white-label site that supports a number of subdomains: acme.generic-site.co, globex.generic-site.co, initech.generic-site.co, etc. Browsing to each of them changes branding on the pages, but the underlying functionality is exactly the same.
Meanwhile I have an external domain name acme-site.com hosted by GoDaddy. I want to redirect this specifically to the acme.generic-site.co subdomain, but I also want to maintain acme-site.com as the root URL for any further browsing on that site, allowing users to have a pure acme experience without any indication of the underlying generic-site-ness.
I've tried to do this using GoDaddy's Domain Forwarding with masking, but I ran into CSRF issues almost immediately.
Is there any way I can achieve this? I suspect IIS URL rewriting might be helpful, but I'm at a loss as to how to proceed.
Don't use Domain Forwarding with masking.
Just add custom domain acme-site.com to Azure Web App.
And you may need to do one of the following:
Add a middleware or something that change Host in HTTP request header from
acme.generic-site.co to acme-site.com.
Adjust the application to
load correct branding when using domain acme-site.com.
It is probably easier to use IIS Url Rewrite module as you mentioned in your question. There are several examples on how to do this. Please start with this post by Scott Forsyth: https://weblogs.asp.net/owscott/iis-url-rewrite-redirect-multiple-domain-names-to-one

How can I get two SSL certs to work on a two domain, shared IP configuration

I have two web site that are 99% similar. They share all of the same pages except the difference being that the logos change, a few of the links change, and the products that show up on either web site are flagged to show up on either or, or both. They use the same database.
I have written a utility method that essentially injects a where clause into any database access code I write throughout the app to determine which products to display depending on the current URL.
Problem: Website B gives the user a warning message that the site they are trying to go to is in fact Website A. I've read that the SSL cert needs a distinct IP.
Right now how I have everything set up is very clean on a maintenance perspective. I can update files in one place. Any suggestions on how to make the SSL behave, or am I looking at seperate IP's for the hosting(I really don't want to have to do this)?
If the latter, what do you suggest?
Site runs ASP.NET 4.0. Precompiled DLL.
UPDATE: Thanks to #GregS comment
If the sites share the same domain you can use a wildcard certificate
site1 - site1.somedomain.com
site2 - site2.somedomain.com
Otherwise you will need to get a UCC (United communications certificate) that will be for both domains.
You will need to configure IIS 7 from the command line because the GUI doesn't support setting different host headers for the same certificate. This tutorial shows how it can be done.
I setup another website in IIS that points to the same files as the first web site, got another SSL cert for the new site.

Best way to create a sandbox area on my asp .net host

I would like to create a sandbox area on my hosting provider that only the client can see. For example the production website would be at www.domain.com. However, would it be possible to create a sandbox version of the website at www.domain.com/sandbox and only provide access to the client?
If so, what is the best method? Do I manually have to create a login page etc in the sandbox folder? Or, can I publish the test website in the sandbox area and restrict access through my hosting provider?
Generally a sandbox/staging/test version of your production site would be a complete duplicate of your production deployment, not just the login page.
You'd have a separate copy of the application and the database, and then serve it via another hostname/IP address or on an entirely different machine.
For instance, you could have www.domain.com and test.domain.com, each with the own isolated version of the software. This way your client can play as much as they want in the sandbox without fear of damaging the production environment.
To restrict access you could use access control lists in IIS to restrict the sandbox to a specific ip address (or range), or enable basic support on it with a username/password required security.

How do I implement HTTPS in an ASP.NET Project?

I want to implement HTTPS in my ASP.NET application. How do I do it?
HTTPS need not be implemented within the code itself. As long as the code runs under a server that is implementing the SSL, you will have no problem.
Have a look here: Setting up SSL correctly with IIS and ASP.NET
The only thing is to make sure that any code that calls another page should also be under the SSL site, otherwise users will be given warnings. This especially is overlooked with images.
You could start looking at How To Set Up an HTTPS Service in IIS
Maybe this question is better answered in http://www.serverfault.com

Is there a way to determine what the SSL port is for a site from an ASP.NET application?

I have an ASP.NET application. I want to redirect to the secure port for the site, but the site may not necessarily be using the default of 443. Is there some environment variable or API call I can make to determine the currently configured SSL port for a site?
Thanks!
I asked a similar question here. So far, I didn't find a solution. If you had admin rights, you could use any number of Microsoft.Web.Administration, WMI or whatever to do it... but inside the web app I didn't find anything
If you don't know this port number upfront and it can't stored somewhere known (such as your web.config) you'd need to be able to query the IIS metabase to get the SecureBindings attribute of the site's IIsWebServer node.
There are a few ways to accomplish this, such as using the System.DirectoryServices namespace, but all of them require Full Trust or elevated permissions.
I'm almost totally ignorant of how ASP.NET works, but in general, there's no guarantee that there will be an SSL port. There could be none, there could be 5... I think you'll have to provide this info to your app through some sort of config file. My apologies if this is not relevant for ASP.NET.
Can't you use this re-direction technique?

Resources