[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

make http be https

Posted on 2011-04-29
14
Medium Priority
?
833 Views
Last Modified: 2012-05-11
I need to make an ASP.NET 3.5 VB system seamlessly change from http to https when the user types http:// instead of https:// .

The SSL certificate is installed on the web server.  The system works well using https.
I found various suggestions on the Internet such as:
http://www.sslshopper.com/iis7-redirect-http-to-https.html
or
http://mvolo.com/blogs/serverside/archive/2007/05/24/Redirect-clients-in-your-application-with-HttpRedirection-module.aspx
with no success.

I have access to the web server as admin.  However, I am reluctant to install and use Microsoft URL Rewrite Module software.  I am unsure of the effect that this software may have on another existing "production" application already in use which can not be disturbed.

So, when a user types or uses a bookmark which uses http to access a page directly, I need the server or the page or something to redirect to https automatically without pause.
Thanks In Advance, LLJ45
0
Comment
Question by:llj45
  • 7
  • 5
  • 2
14 Comments
 
LVL 13

Expert Comment

by:devlab2012
ID: 35496126
Add a global application class (Global.asax) and write code in BeginRequest event to redirect to https:// if request url is http://. The code will be as follow:


protected void Application_BeginRequest(object sender, EventArgs e)
        {
            if (!Request.IsSecureConnection)
            {
                String secureUrl = Request.Url.ToString().Replace("http:", "https:");
                Response.Redirect(secureUrl);
            } 
        }

Open in new window

0
 
LVL 81

Expert Comment

by:arnold
ID: 35496129
within your pages check whether the connection is http and if it is issue a location to browser to https:// of the same page.

http://www.w3schools.com/asp/coll_servervariables.asp

Check if HTTPS is set
Request.ServerVariables("https") if it is not On it means the
you would response.write("Location: https://yoursite")

You could parse the URL to strip out http and replace it with https prior to sending it back.
It is up to you on whether you want it to appear transparent, or you can output a notice saying the site can only be accessed using secure https and you should update your bookmarks/links.
0
 

Author Comment

by:llj45
ID: 35497224
Hi,
  Thanks for the suggestions!
  I am interested to try them.  However, the web server is down at this time.  So, I will try them in a couple of days.

  Arnold:  I see that you are very active on EE and earn many points in many different areas.  I respect that fact.
This solution will be implemented for an entire system which consists of several hundred individual pages.  The process of changing the code on each page is to be avoided!
  How can your solution be implemented without page by page changes?
LLJ45
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
LVL 81

Expert Comment

by:arnold
ID: 35497314
Do you have include files in your pages? Adding this code to an existing include file after you confirm that it works as intended.

I.e. database connection string, or do you store this info in the application session using the global.asa file?
Do you store a common function that is called for each page in memory i.e. function to check whether the user is already logged in? etc.
If you do not use include files, page by page modification is unavoidable.
The other option is to split the site
i.e. setup
two sites:
create a new web site http://www.mysite.com and make sure to bind it to any port other than 80 as a test (for this the port is 95). Configure this site as a URL redirect to https://www.mysite.com.

Now use your browser and go to http://www.mysite.com:95 you should be redirected to https://www.mysite.com.

once you are satisfied, you would go back to you web server configuration (there is a down time on the http:// access since you would need to change the port on which the current active one is listening on from 80 to anything else. and then adjust the one you created from 95 to 80.

If you do not want to use a redirect, you can configure the new site to reference a single page
that will advise the user that their link is outdated, while redirecting the user to the correct site after 5/10 seconds.

A dynamic page can make it so the user will end up on the file they requested through the wrong link i.e. http://www.mysite.com/somedirectory/info.aspx will send the user to https://www.mysite.com/somedirectory/info.aspx instead of https://www.mysite.com.

If your web server is behind a reverse proxy, you could implement that change on the proxy.
It all depends on what tools you have to get this done.



0
 

Author Comment

by:llj45
ID: 35509194
Hi, devlab2012
  Since your solution seems simpler to implement, I attempted it today.
  However, I was not successful.

  I use VB.NET.  So, I converted the code you gave to
Protected Sub Application_BeginRequest(sender As Object, e As EventArgs)
      If Not Request.IsSecureConnection Then
            Dim secureUrl As [String] = Request.Url.ToString().Replace("http:", "https:")
            Response.Redirect(secureUrl)
      End If
End Sub
No problem.
I created the global.asax file by adding it to the root of the project.  I copied the converted code into the global.asax file.  I verified that the code in the global asax file converts http to https.

However, when a http is page is browsed in IE8, a 403 error is generated.  The page does not display?
So, the code is right.  Yet, something else is not right.  What?
Thanks, LLJ45
0
 

Author Comment

by:llj45
ID: 35698226
Hi,

  I am patiently waiting for assistance with my original post on 4/29 from anyone.

  Also, I am continuing to do research on the Internet.  One additional factor to consider is the web server is part of a web farm.  This fact affects how the web server can be interacted with to make the change from http to https using what I have read on the Internet.

  This system is not configured to implement Arnold's solution.  I have not heard from devlab2012 since 4/30.  
Thanks, LLJ45
0
 
LVL 81

Expert Comment

by:arnold
ID: 35699708
A web farm that is behind a hardware load-balancer? If this is the setup, the switch has the certificate?

In this case it is rather simple, you setup one server as a web server and configure its default site and default page to redirect to https://yoursite either way URL redirect within IIS, or an index.html with a meta http-equiv=refresh entry.
You would then alter the load-balancer mapping for port 80 to this new server.
and that is all that is needed, you should put at least two of these types of systems in the event one fails, the other will still respond.

Unfortunately, you did not specifically reference which of my suggestions is not possible because of the way the system is configured, the include file route?

 
0
 
LVL 13

Expert Comment

by:devlab2012
ID: 35700489
Have you tried my solution on the server or in the Visual Studio environment? If you have not tried it on the server, then try it once.
0
 

Author Comment

by:llj45
ID: 35700660
Hi, devlab2012
  I attempted your solution on the remote web server not locally in the Visual Studio environment.  A SSL security certificate is installed on the remote server with SSL enabled in IIS 7.
  The site runs under SSL, no problem.
  However, when a page using http is requested, the site does not automatically redirect to https.  The site generates a 403 type error.
  Just to be clear, this automatic redirection is what I seek to create in IE, Firefox and Chrome.

  I read at various places on the Internet where this kind of code works in general.  It is just that we need to make it work here.

Thanks for the follow-up!
LLJ45
0
 

Author Comment

by:llj45
ID: 35700675
Everyone:
IIS7 on the remote web server running in classic mode.

LLJ45
0
 

Author Comment

by:llj45
ID: 35737816
Hi, devlab2012
  I am moving on to work with Arnold.
Thanks for the suggestions,
LLJ45
0
 

Author Comment

by:llj45
ID: 35737896
Hi, Arnold
  While I am not sure of how successful we may be in creating a solution meeting my specific needs, I have tried this code in page_load with poor results such as:
1) page will not load in IE8
2) Chrome complains about too many redirects.  Then, the page will not load.

I have attached a code snippet to this message.  Am I headed in the direction of your original suggestion?
LLJ45

If Request.ServerVariables("HTTPS") <> "ON" Then
            Dim url As String = Request.ServerVariables("SERVER_NAME")
            Dim page As String = Request.ServerVariables("SCRIPT_NAME")

            Response.Redirect("https://" & url & page)
        End If

Open in new window

0
 
LVL 81

Expert Comment

by:arnold
ID: 35737958
How is the web farm setup? Is your web farm being connected through a reverse proxy?

Internet <=> reverse proxy <=> Web farm?

In this case, you can change the reverse proxy's response for the request of http://www.domain.com to respond back with a Location:

This is possible with both Apache and squid reverse proxy.
0
 
LVL 81

Accepted Solution

by:
arnold earned 2000 total points
ID: 35738074
Double check what the https: & url & page actually
You might not want to use server_name as it may reference the hostname on which the server is running rather than the Name of the site that is being served.

Alternatively, you may want to redirect the user to a special page that provides them information such that they should update their bookmarks for http:// to reflect the access as being only through https://.
This way you would not have to maintain this setup for generations since some individuals will retain and continue using the familiar since it eventually gets them where they want to be.

You would use a special page where the requested URL will be passed to this script following the redirect in the query_string ?url=http://www.mysite.com/somepath/somefile

This  page will output to the browser the notice while creating in the <head></head> section the <meta http-equiv="refresh" url="10; https://www.mysite.com/somoepath/somefile" >

The user will have 10 seconds to look at the message before it takes them to the destination or they will have a link there that does the same thing, i.e click here to go to the destination with the https:// URL as the link..
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article shows how to use the open source plupload control to upload multiple images. The images are resized on the client side before uploading and the upload is done in chunks. Background I had to provide a way for user…
The Internet has made sending and receiving information online a breeze. But there is also the threat of unauthorized viewing, data tampering, and phoney messages. Surprisingly, a lot of business owners do not fully understand how to use security t…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Integration Management Part 2

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question