We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

make http be https

llj45
llj45 asked
on
Medium Priority
960 Views
Last Modified: 2012-05-11
I need to make an ASP.NET 3.5 VB system seamlessly change from http to https when the user types http:// instead of https:// .

The SSL certificate is installed on the web server.  The system works well using https.
I found various suggestions on the Internet such as:
http://www.sslshopper.com/iis7-redirect-http-to-https.html
or
http://mvolo.com/blogs/serverside/archive/2007/05/24/Redirect-clients-in-your-application-with-HttpRedirection-module.aspx
with no success.

I have access to the web server as admin.  However, I am reluctant to install and use Microsoft URL Rewrite Module software.  I am unsure of the effect that this software may have on another existing "production" application already in use which can not be disturbed.

So, when a user types or uses a bookmark which uses http to access a page directly, I need the server or the page or something to redirect to https automatically without pause.
Thanks In Advance, LLJ45
Comment
Watch Question

Add a global application class (Global.asax) and write code in BeginRequest event to redirect to https:// if request url is http://. The code will be as follow:


protected void Application_BeginRequest(object sender, EventArgs e)
        {
            if (!Request.IsSecureConnection)
            {
                String secureUrl = Request.Url.ToString().Replace("http:", "https:");
                Response.Redirect(secureUrl);
            } 
        }

Open in new window

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
within your pages check whether the connection is http and if it is issue a location to browser to https:// of the same page.

http://www.w3schools.com/asp/coll_servervariables.asp

Check if HTTPS is set
Request.ServerVariables("https") if it is not On it means the
you would response.write("Location: https://yoursite")

You could parse the URL to strip out http and replace it with https prior to sending it back.
It is up to you on whether you want it to appear transparent, or you can output a notice saying the site can only be accessed using secure https and you should update your bookmarks/links.

Author

Commented:
Hi,
  Thanks for the suggestions!
  I am interested to try them.  However, the web server is down at this time.  So, I will try them in a couple of days.

  Arnold:  I see that you are very active on EE and earn many points in many different areas.  I respect that fact.
This solution will be implemented for an entire system which consists of several hundred individual pages.  The process of changing the code on each page is to be avoided!
  How can your solution be implemented without page by page changes?
LLJ45
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Do you have include files in your pages? Adding this code to an existing include file after you confirm that it works as intended.

I.e. database connection string, or do you store this info in the application session using the global.asa file?
Do you store a common function that is called for each page in memory i.e. function to check whether the user is already logged in? etc.
If you do not use include files, page by page modification is unavoidable.
The other option is to split the site
i.e. setup
two sites:
create a new web site http://www.mysite.com and make sure to bind it to any port other than 80 as a test (for this the port is 95). Configure this site as a URL redirect to https://www.mysite.com.

Now use your browser and go to http://www.mysite.com:95 you should be redirected to https://www.mysite.com.

once you are satisfied, you would go back to you web server configuration (there is a down time on the http:// access since you would need to change the port on which the current active one is listening on from 80 to anything else. and then adjust the one you created from 95 to 80.

If you do not want to use a redirect, you can configure the new site to reference a single page
that will advise the user that their link is outdated, while redirecting the user to the correct site after 5/10 seconds.

A dynamic page can make it so the user will end up on the file they requested through the wrong link i.e. http://www.mysite.com/somedirectory/info.aspx will send the user to https://www.mysite.com/somedirectory/info.aspx instead of https://www.mysite.com.

If your web server is behind a reverse proxy, you could implement that change on the proxy.
It all depends on what tools you have to get this done.



Author

Commented:
Hi, devlab2012
  Since your solution seems simpler to implement, I attempted it today.
  However, I was not successful.

  I use VB.NET.  So, I converted the code you gave to
Protected Sub Application_BeginRequest(sender As Object, e As EventArgs)
      If Not Request.IsSecureConnection Then
            Dim secureUrl As [String] = Request.Url.ToString().Replace("http:", "https:")
            Response.Redirect(secureUrl)
      End If
End Sub
No problem.
I created the global.asax file by adding it to the root of the project.  I copied the converted code into the global.asax file.  I verified that the code in the global asax file converts http to https.

However, when a http is page is browsed in IE8, a 403 error is generated.  The page does not display?
So, the code is right.  Yet, something else is not right.  What?
Thanks, LLJ45

Author

Commented:
Hi,

  I am patiently waiting for assistance with my original post on 4/29 from anyone.

  Also, I am continuing to do research on the Internet.  One additional factor to consider is the web server is part of a web farm.  This fact affects how the web server can be interacted with to make the change from http to https using what I have read on the Internet.

  This system is not configured to implement Arnold's solution.  I have not heard from devlab2012 since 4/30.  
Thanks, LLJ45
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
A web farm that is behind a hardware load-balancer? If this is the setup, the switch has the certificate?

In this case it is rather simple, you setup one server as a web server and configure its default site and default page to redirect to https://yoursite either way URL redirect within IIS, or an index.html with a meta http-equiv=refresh entry.
You would then alter the load-balancer mapping for port 80 to this new server.
and that is all that is needed, you should put at least two of these types of systems in the event one fails, the other will still respond.

Unfortunately, you did not specifically reference which of my suggestions is not possible because of the way the system is configured, the include file route?

 
Have you tried my solution on the server or in the Visual Studio environment? If you have not tried it on the server, then try it once.

Author

Commented:
Hi, devlab2012
  I attempted your solution on the remote web server not locally in the Visual Studio environment.  A SSL security certificate is installed on the remote server with SSL enabled in IIS 7.
  The site runs under SSL, no problem.
  However, when a page using http is requested, the site does not automatically redirect to https.  The site generates a 403 type error.
  Just to be clear, this automatic redirection is what I seek to create in IE, Firefox and Chrome.

  I read at various places on the Internet where this kind of code works in general.  It is just that we need to make it work here.

Thanks for the follow-up!
LLJ45

Author

Commented:
Everyone:
IIS7 on the remote web server running in classic mode.

LLJ45

Author

Commented:
Hi, devlab2012
  I am moving on to work with Arnold.
Thanks for the suggestions,
LLJ45

Author

Commented:
Hi, Arnold
  While I am not sure of how successful we may be in creating a solution meeting my specific needs, I have tried this code in page_load with poor results such as:
1) page will not load in IE8
2) Chrome complains about too many redirects.  Then, the page will not load.

I have attached a code snippet to this message.  Am I headed in the direction of your original suggestion?
LLJ45

If Request.ServerVariables("HTTPS") <> "ON" Then
            Dim url As String = Request.ServerVariables("SERVER_NAME")
            Dim page As String = Request.ServerVariables("SCRIPT_NAME")

            Response.Redirect("https://" & url & page)
        End If

Open in new window

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
How is the web farm setup? Is your web farm being connected through a reverse proxy?

Internet <=> reverse proxy <=> Web farm?

In this case, you can change the reverse proxy's response for the request of http://www.domain.com to respond back with a Location:

This is possible with both Apache and squid reverse proxy.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.