llj45
asked on
make http be https
I need to make an ASP.NET 3.5 VB system seamlessly change from http to https when the user types http:// instead of https:// .
The SSL certificate is installed on the web server. The system works well using https.
I found various suggestions on the Internet such as:
http://www.sslshopper.com/iis7-redirect-http-to-https.html
or
http://mvolo.com/blogs/serverside/archive/2007/05/24/Redirect-clients-in-your-application-with-HttpRedirection-module.aspx
with no success.
I have access to the web server as admin. However, I am reluctant to install and use Microsoft URL Rewrite Module software. I am unsure of the effect that this software may have on another existing "production" application already in use which can not be disturbed.
So, when a user types or uses a bookmark which uses http to access a page directly, I need the server or the page or something to redirect to https automatically without pause.
Thanks In Advance, LLJ45
The SSL certificate is installed on the web server. The system works well using https.
I found various suggestions on the Internet such as:
http://www.sslshopper.com/iis7-redirect-http-to-https.html
or
http://mvolo.com/blogs/serverside/archive/2007/05/24/Redirect-clients-in-your-application-with-HttpRedirection-module.aspx
with no success.
I have access to the web server as admin. However, I am reluctant to install and use Microsoft URL Rewrite Module software. I am unsure of the effect that this software may have on another existing "production" application already in use which can not be disturbed.
So, when a user types or uses a bookmark which uses http to access a page directly, I need the server or the page or something to redirect to https automatically without pause.
Thanks In Advance, LLJ45
within your pages check whether the connection is http and if it is issue a location to browser to https:// of the same page.
http://www.w3schools.com/asp/coll_servervariables.asp
Check if HTTPS is set
Request.ServerVariables("h
you would response.write("Location: https://yoursite")
You could parse the URL to strip out http and replace it with https prior to sending it back.
It is up to you on whether you want it to appear transparent, or you can output a notice saying the site can only be accessed using secure https and you should update your bookmarks/links.
http://www.w3schools.com/asp/coll_servervariables.asp
Check if HTTPS is set
Request.ServerVariables("h
you would response.write("Location: https://yoursite")
You could parse the URL to strip out http and replace it with https prior to sending it back.
It is up to you on whether you want it to appear transparent, or you can output a notice saying the site can only be accessed using secure https and you should update your bookmarks/links.
ASKER
Hi,
Thanks for the suggestions!
I am interested to try them. However, the web server is down at this time. So, I will try them in a couple of days.
Arnold: I see that you are very active on EE and earn many points in many different areas. I respect that fact.
This solution will be implemented for an entire system which consists of several hundred individual pages. The process of changing the code on each page is to be avoided!
How can your solution be implemented without page by page changes?
LLJ45
Thanks for the suggestions!
I am interested to try them. However, the web server is down at this time. So, I will try them in a couple of days.
Arnold: I see that you are very active on EE and earn many points in many different areas. I respect that fact.
This solution will be implemented for an entire system which consists of several hundred individual pages. The process of changing the code on each page is to be avoided!
How can your solution be implemented without page by page changes?
LLJ45
Do you have include files in your pages? Adding this code to an existing include file after you confirm that it works as intended.
I.e. database connection string, or do you store this info in the application session using the global.asa file?
Do you store a common function that is called for each page in memory i.e. function to check whether the user is already logged in? etc.
If you do not use include files, page by page modification is unavoidable.
The other option is to split the site
i.e. setup
two sites:
create a new web site http://www.mysite.com and make sure to bind it to any port other than 80 as a test (for this the port is 95). Configure this site as a URL redirect to https://www.mysite.com.
Now use your browser and go to http://www.mysite.com:95 you should be redirected to https://www.mysite.com.
once you are satisfied, you would go back to you web server configuration (there is a down time on the http:// access since you would need to change the port on which the current active one is listening on from 80 to anything else. and then adjust the one you created from 95 to 80.
If you do not want to use a redirect, you can configure the new site to reference a single page
that will advise the user that their link is outdated, while redirecting the user to the correct site after 5/10 seconds.
A dynamic page can make it so the user will end up on the file they requested through the wrong link i.e. http://www.mysite.com/somedirectory/info.aspx will send the user to https://www.mysite.com/somedirectory/info.aspx instead of https://www.mysite.com.
If your web server is behind a reverse proxy, you could implement that change on the proxy.
It all depends on what tools you have to get this done.
I.e. database connection string, or do you store this info in the application session using the global.asa file?
Do you store a common function that is called for each page in memory i.e. function to check whether the user is already logged in? etc.
If you do not use include files, page by page modification is unavoidable.
The other option is to split the site
i.e. setup
two sites:
create a new web site http://www.mysite.com and make sure to bind it to any port other than 80 as a test (for this the port is 95). Configure this site as a URL redirect to https://www.mysite.com.
Now use your browser and go to http://www.mysite.com:95 you should be redirected to https://www.mysite.com.
once you are satisfied, you would go back to you web server configuration (there is a down time on the http:// access since you would need to change the port on which the current active one is listening on from 80 to anything else. and then adjust the one you created from 95 to 80.
If you do not want to use a redirect, you can configure the new site to reference a single page
that will advise the user that their link is outdated, while redirecting the user to the correct site after 5/10 seconds.
A dynamic page can make it so the user will end up on the file they requested through the wrong link i.e. http://www.mysite.com/somedirectory/info.aspx will send the user to https://www.mysite.com/somedirectory/info.aspx instead of https://www.mysite.com.
If your web server is behind a reverse proxy, you could implement that change on the proxy.
It all depends on what tools you have to get this done.
ASKER
Hi, devlab2012
Since your solution seems simpler to implement, I attempted it today.
However, I was not successful.
I use VB.NET. So, I converted the code you gave to
Protected Sub Application_BeginRequest(s
If Not Request.IsSecureConnection
Dim secureUrl As [String] = Request.Url.ToString().Rep
Response.Redirect(secureUr
End If
End Sub
No problem.
I created the global.asax file by adding it to the root of the project. I copied the converted code into the global.asax file. I verified that the code in the global asax file converts http to https.
However, when a http is page is browsed in IE8, a 403 error is generated. The page does not display?
So, the code is right. Yet, something else is not right. What?
Thanks, LLJ45
Since your solution seems simpler to implement, I attempted it today.
However, I was not successful.
I use VB.NET. So, I converted the code you gave to
Protected Sub Application_BeginRequest(s
If Not Request.IsSecureConnection
Dim secureUrl As [String] = Request.Url.ToString().Rep
Response.Redirect(secureUr
End If
End Sub
No problem.
I created the global.asax file by adding it to the root of the project. I copied the converted code into the global.asax file. I verified that the code in the global asax file converts http to https.
However, when a http is page is browsed in IE8, a 403 error is generated. The page does not display?
So, the code is right. Yet, something else is not right. What?
Thanks, LLJ45
ASKER
Hi,
I am patiently waiting for assistance with my original post on 4/29 from anyone.
Also, I am continuing to do research on the Internet. One additional factor to consider is the web server is part of a web farm. This fact affects how the web server can be interacted with to make the change from http to https using what I have read on the Internet.
This system is not configured to implement Arnold's solution. I have not heard from devlab2012 since 4/30.
Thanks, LLJ45
I am patiently waiting for assistance with my original post on 4/29 from anyone.
Also, I am continuing to do research on the Internet. One additional factor to consider is the web server is part of a web farm. This fact affects how the web server can be interacted with to make the change from http to https using what I have read on the Internet.
This system is not configured to implement Arnold's solution. I have not heard from devlab2012 since 4/30.
Thanks, LLJ45
A web farm that is behind a hardware load-balancer? If this is the setup, the switch has the certificate?
In this case it is rather simple, you setup one server as a web server and configure its default site and default page to redirect to https://yoursite either way URL redirect within IIS, or an index.html with a meta http-equiv=refresh entry.
You would then alter the load-balancer mapping for port 80 to this new server.
and that is all that is needed, you should put at least two of these types of systems in the event one fails, the other will still respond.
Unfortunately, you did not specifically reference which of my suggestions is not possible because of the way the system is configured, the include file route?
In this case it is rather simple, you setup one server as a web server and configure its default site and default page to redirect to https://yoursite either way URL redirect within IIS, or an index.html with a meta http-equiv=refresh entry.
You would then alter the load-balancer mapping for port 80 to this new server.
and that is all that is needed, you should put at least two of these types of systems in the event one fails, the other will still respond.
Unfortunately, you did not specifically reference which of my suggestions is not possible because of the way the system is configured, the include file route?
Have you tried my solution on the server or in the Visual Studio environment? If you have not tried it on the server, then try it once.
ASKER
Hi, devlab2012
I attempted your solution on the remote web server not locally in the Visual Studio environment. A SSL security certificate is installed on the remote server with SSL enabled in IIS 7.
The site runs under SSL, no problem.
However, when a page using http is requested, the site does not automatically redirect to https. The site generates a 403 type error.
Just to be clear, this automatic redirection is what I seek to create in IE, Firefox and Chrome.
I read at various places on the Internet where this kind of code works in general. It is just that we need to make it work here.
Thanks for the follow-up!
LLJ45
I attempted your solution on the remote web server not locally in the Visual Studio environment. A SSL security certificate is installed on the remote server with SSL enabled in IIS 7.
The site runs under SSL, no problem.
However, when a page using http is requested, the site does not automatically redirect to https. The site generates a 403 type error.
Just to be clear, this automatic redirection is what I seek to create in IE, Firefox and Chrome.
I read at various places on the Internet where this kind of code works in general. It is just that we need to make it work here.
Thanks for the follow-up!
LLJ45
ASKER
Everyone:
IIS7 on the remote web server running in classic mode.
LLJ45
IIS7 on the remote web server running in classic mode.
LLJ45
ASKER
Hi, devlab2012
I am moving on to work with Arnold.
Thanks for the suggestions,
LLJ45
I am moving on to work with Arnold.
Thanks for the suggestions,
LLJ45
ASKER
Hi, Arnold
While I am not sure of how successful we may be in creating a solution meeting my specific needs, I have tried this code in page_load with poor results such as:
1) page will not load in IE8
2) Chrome complains about too many redirects. Then, the page will not load.
I have attached a code snippet to this message. Am I headed in the direction of your original suggestion?
LLJ45
While I am not sure of how successful we may be in creating a solution meeting my specific needs, I have tried this code in page_load with poor results such as:
1) page will not load in IE8
2) Chrome complains about too many redirects. Then, the page will not load.
I have attached a code snippet to this message. Am I headed in the direction of your original suggestion?
LLJ45
If Request.ServerVariables("HTTPS") <> "ON" Then
Dim url As String = Request.ServerVariables("SERVER_NAME")
Dim page As String = Request.ServerVariables("SCRIPT_NAME")
Response.Redirect("https://" & url & page)
End If
How is the web farm setup? Is your web farm being connected through a reverse proxy?
Internet <=> reverse proxy <=> Web farm?
In this case, you can change the reverse proxy's response for the request of http://www.domain.com to respond back with a Location:
This is possible with both Apache and squid reverse proxy.
Internet <=> reverse proxy <=> Web farm?
In this case, you can change the reverse proxy's response for the request of http://www.domain.com to respond back with a Location:
This is possible with both Apache and squid reverse proxy.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Open in new window