How to restrict asmx web services to be SSL Only - asmx

I've got an ASMX web service that works great through an SSL conection, but I would like to make these web services inaccessible without SSL.
In web forms, I would just use the following code:
if (!Request.IsSecureConnection) Response.Redirect ("SomeOtherPage.aspx");
I know that WCF promises to be better in every way, but it's a real PITA to get something simple done with a tool as complicated as WCF.

I have some other stuff on my site that is open to the public, so I chose not to take the IIS route. I did find a simple way in the asmx service to take care of the problem:
if (!this.Context.Request.IsSecureConnection)
return null;

Easy. Make a website in IIS that is only SSL and put this page in it.
Don't allow non-SSL connections to this website

In IIS (I can't remember exactly which version so it may have moved) under the security tab of the website or virtual directory you can set it to 'require secure channel'. This will force it to require https unless I'm mistaken.

Related

Redirect & mask URL to Azure subdomain

I have an ASP.NET MVC web app running on Azure as generic-site.co. It's a white-label site that supports a number of subdomains: acme.generic-site.co, globex.generic-site.co, initech.generic-site.co, etc. Browsing to each of them changes branding on the pages, but the underlying functionality is exactly the same.
Meanwhile I have an external domain name acme-site.com hosted by GoDaddy. I want to redirect this specifically to the acme.generic-site.co subdomain, but I also want to maintain acme-site.com as the root URL for any further browsing on that site, allowing users to have a pure acme experience without any indication of the underlying generic-site-ness.
I've tried to do this using GoDaddy's Domain Forwarding with masking, but I ran into CSRF issues almost immediately.
Is there any way I can achieve this? I suspect IIS URL rewriting might be helpful, but I'm at a loss as to how to proceed.
Don't use Domain Forwarding with masking.
Just add custom domain acme-site.com to Azure Web App.
And you may need to do one of the following:
Add a middleware or something that change Host in HTTP request header from
acme.generic-site.co to acme-site.com.
Adjust the application to
load correct branding when using domain acme-site.com.
It is probably easier to use IIS Url Rewrite module as you mentioned in your question. There are several examples on how to do this. Please start with this post by Scott Forsyth: https://weblogs.asp.net/owscott/iis-url-rewrite-redirect-multiple-domain-names-to-one

Mixed authentication in ASP.NET application

I've got an ASP.NET application which uses forms authentication.
We're adding on an HttpModule that responds to requests in the /webdav folder and below. We need to use basic/digest authentication for these requests.
With <authentication> set to Forms in the root web.config, requests from webdav clients are receiving a 302 redirecting the user back to the login page.
Is MADAM the best way to achieve this?
I think MADAM would work well for you.
I'm using MADAM to make RSS feeds available that are specific to logged in users accessible to RSS Readers. I am also planning on using it when we implement mobile app access into our application. That way we can use the same controller logic and change the authentication using MADAM.
I would suggest that you use HTTPS requests if you're doing BASIC authentication. Also, if you are using IIS 7, make sure you add the http modules configuration into the system.webServer/modules section. I wasn't paying much attention and wasted time diagnosing why it was working locally and not on the development server in IIS 7.

How to efficiently create facebook-like url-rewriting in asp.net

I'm currently looking into url-rewriting and how it should be done right and hope you have some inputs here.
At the current stage of development only the kind of url-rewriting I'm interested in is adding facebook like behavior to businesses to which we provide services on our site, i.e. www.mysite.com/ShowBusinessInfo.aspx?id=1 should be rewritten to www.mysite.com/HostedBusinessName. - The idea is that when a business registers on our site they can choose whatever the last part of the url should be.
What would be the best way to support this feature? Custom IHttpModule, Global.asax (I'm afraid that this is too slow?), UrlRewriter.net/UrlRewriting.net or a completely different solution.
The site is developed in asp.net and runs on IIS 7.5.
I've actually done something like this before and this is the article I used as a resource: http://stweet.wordpress.com/2010/03/15/creating-a-new-website-programmatically-on-iis-using-asp-net/
This article will tell you how to programmically add a web site to your IIS using C#. Keep in mind that depending on how your IIS and DNS is setup, you may need to also modify your DNS server. You can find various scripts for doing this here: http://msdn.microsoft.com/en-us/library/ms682129%28VS.85%29.aspx
Hope this helps!
If you have fairly simply rewriting rules, I'd use an IHttpModule that attempts to match the URL's LocalPath property with a value in your DB, and then calls context.RewritePath(string).
If you have more complex stuff, then I'd start looking at UrlRewriting.NET or the routing options in ASP.NET.

How do I implement HTTPS in an ASP.NET Project?

I want to implement HTTPS in my ASP.NET application. How do I do it?
HTTPS need not be implemented within the code itself. As long as the code runs under a server that is implementing the SSL, you will have no problem.
Have a look here: Setting up SSL correctly with IIS and ASP.NET
The only thing is to make sure that any code that calls another page should also be under the SSL site, otherwise users will be given warnings. This especially is overlooked with images.
You could start looking at How To Set Up an HTTPS Service in IIS
Maybe this question is better answered in http://www.serverfault.com

Is there a way to determine what the SSL port is for a site from an ASP.NET application?

I have an ASP.NET application. I want to redirect to the secure port for the site, but the site may not necessarily be using the default of 443. Is there some environment variable or API call I can make to determine the currently configured SSL port for a site?
Thanks!
I asked a similar question here. So far, I didn't find a solution. If you had admin rights, you could use any number of Microsoft.Web.Administration, WMI or whatever to do it... but inside the web app I didn't find anything
If you don't know this port number upfront and it can't stored somewhere known (such as your web.config) you'd need to be able to query the IIS metabase to get the SecureBindings attribute of the site's IIsWebServer node.
There are a few ways to accomplish this, such as using the System.DirectoryServices namespace, but all of them require Full Trust or elevated permissions.
I'm almost totally ignorant of how ASP.NET works, but in general, there's no guarantee that there will be an SSL port. There could be none, there could be 5... I think you'll have to provide this info to your app through some sort of config file. My apologies if this is not relevant for ASP.NET.
Can't you use this re-direction technique?

Resources