Announcement

Collapse
No announcement yet.

Force IIS 6.0 to only accept SSL requests.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Force IIS 6.0 to only accept SSL requests.

    Hello All,

    I am looking for a way to force my site to (accessible only by LAN traffic) only reply to requests on 443 (SSL).

    What I am looking to achieve:
    If some were to go to http://www.mysite.com I want them to be automatically redirected to https://www.mysite.com ...even if they manually try and access the site through port 80 (http).

    I would like the site to handle the error by redirecting to the https url rather than throwing a 403.4 error.

    I've seen this done through ASP scripts, but I am not that well versed in ASP.

    Could anyone please help me out with this, or a least set me in the right direction.

    Thank you all who take time to contribute in advance.

    Stats:
    IIS 6.0
    MS Server 2003 SP2

  • #2
    Re: Force IIS 6.0 to only accept SSL requests.

    Something like this as redirect.asp ?

    Code:
    <%@ Language=VBScript %>
     <%
    Response.Status="301 Moved Permanently"
    Response.AddHeader "Location", "https://site.domain.com/page/"
     %>
    I can't remember the site I got this from a while ago. Google shows quite a few examples of re-direct though.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?

    Comment


    • #3
      Re: Force IIS 6.0 to only accept SSL requests.

      Is
      Response.Status="301 Moved Permanently"
      reference to the http error code?

      Then if I were to edit the script for "SSL Required"

      Code:
      ---------
      <%@ Language=VBScript %>
      <%
      Response.Status="403 Forbidden"
      Response.AddHeader "Location", "https://site.domain.com/page/"
      %>
      ---------
      the
      Response.AddHeader
      would redirect to the url indicated?

      I am understanding this correctly?

      Comment


      • #4
        Re: Force IIS 6.0 to only accept SSL requests.

        This looks promising:

        http://blogs.msdn.com/saurabh_singh/...direction.aspx

        HTTP to HTTPS (SSL) Web Request Redirection
        We often get requests from our customers asking how they can seamlessly redirect web requests from HTTP to HTTPS, i.e. how they can redirect a non-SSL request to an SSL based request. Recently a colleague of mine got a similar issue and we decided to use some existing scripts that we had in our database. Unfortunately none could meet the requirement.

        Basically the existing scripts redirected an HTTP request to another URL and that URL was not the original request user had asked for. It took us to let's say the homepage of the site and from there one again has to click on specific links to reach the desired page. So this will be a problem for users who have book-marked their desired web page.

        Here are the steps you can try for your website such that all HTTP requests get translated to HTTPS requests and have the original URL intact.

        Here are two sample codes which one can try. Both of them should *hopefully* work. First one uses VBScript in an ASP page and second one uses Javascript in an HTML page.

        a).

        redirectSSL.asp

        <%@ Language=VBScript %>
        <%
        strQueryString = Request.QueryString
        sslPort = null
        PlainURL = Right(strQueryString, len(strQueryString) - 4)
        FindLastCOlon = InStrRev(PlainURL, ":")
        FirstPart = Mid(PlainURL, 1, FindLastColon - 1)
        LastPart = Mid(PlainURL, FindLastColon)
        LastPart = (Mid(LastPart, InStr(LastPart, "/")))
        'If the SSL Port is not the default 443, you need to uncomment the line below, by default SSL port is 443.
        'sslPort = ":449"
        if (sslPort = null) then
        url= FirstPart & LastPart
        else
        url = FirstPart & sslPort & LastPart
        end if
        strSecure = Replace(url, "http:", "https:", 1, 1)
        Response.Redirect strSecure
        %>

        Steps:

        -- Copy the above code and put in a file redirectSSL.asp under your Website root directory for which you want redirection to work.

        -- Force SSL on the web site. To do that follow the steps mentioned below:
        - Go to --> <Your_Web_Site> -> Properties -> Directory Security -> Edit (Secure Communications)
        - Select Require secure channel (SSL).

        -- Uncheck "Require secure channel (SSL)" option for the redirectSSL.asp page. To achieve that:
        - Go to --> <Your_Web_Site> -> redirectSSL.asp -> Properties -> File Security -> Edit (Secure Communications)
        - Uncheck Require secure channel (SSL).

        So now we are forcing SSL to be used for all of the website contents except the redirectSSL.asp page which can be accessed over non-SSL (HTTP).

        -- In the IIS manager -> <Your_Web_Site> -> Properties -> Custom Errors, modify the entry for 403;4 to look like this:



        Now if you try to browse to some URL, let's say http://www.abc.com/asp/test/ssl/iistsart.htm, you will be redirected to https://www.abc.com/asp/test/ssl/iistsart.htm, without you requiring to modify HTTP to HTTPS.

        If your SSL port is not the default port 443 then you need to un-comment a line in the code as mentioned in there and it will redirect the request to the appropriate URL with corrected SSL port embedded in it.

        b).

        redirectSSL.html

        <html>
        <head>

        <script language="javascript">

        var currentURL=location.href.substring(0,5)

        if(currentURL.toLowerCase()!="https")
        {
        currentURL = location.href.substring(4,location.href.lastIndexO f(''))
        var portStartPos = currentURL.lastIndexOf(':')
        var sslPort = null
        if(portStartPos!=0)
        {
        var relativeURL = currentURL.substring(portStartPos)
        var postPortURL = relativeURL.substring(relativeURL.indexOf('/'))
        var URL = currentURL.substring(0,portStartPos)
        // If you are running your SSL site on a non default port other than 443 then uncomment the next line and add the right Port number.
        //sslPort = ":447"
        if(sslPort == null)
        currentURL = URL + postPortURL
        else
        currentURL = URL + sslPort + postPortURL
        }

        var targetURL = "https" + currentURL
        window.location = targetURL
        }
        </script>

        </head>
        </html>

        Steps:

        -- Copy the above code and put in a file redirectSSL.html under your Website root directory for which you want redirection to work.

        -- Force SSL on the web site. To do that follow the steps mentioned below:
        - Go to --> <Your_Web_Site> -> Properties -> Directory Security -> Edit (Secure Communications)
        - Select Require secure channel (SSL).

        So now we are forcing SSL to be used for all of the Website contents.

        -- In the IIS manager -> <Your_Website> -> Properties -> custom Errors, modify the entry for 403;4 to look like this:



        You need not follow the step below since we are using File Type for custom error page and not a URL as shown above in the picture. If you select URL as Type above then you will need to follow the step below.

        "-- Uncheck "Require secure channel (SSL)" option for the redirectSSL.html page. To achieve that:
        - Go to --> <Your_Web_Site> -> redirectSSL.asp -> Properties -> File Security -> Edit (Secure Communications)
        - Uncheck Require secure channel (SSL)."



        This is all you need and you should see your URL changing automagically from HTTP to HTTPS (SSL).

        Hope this helps...
        Last edited by rvalstar; 22nd May 2008, 07:43. Reason: Added link contents in case they disappear in the future
        Cheers,

        Rick

        ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

        2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

        Comment


        • #5
          Re: Force IIS 6.0 to only accept SSL requests.

          That did it!!!

          Thank you all for your help!

          Comment


          • #6
            Re: Force IIS 6.0 to only accept SSL requests.

            Ok, this worked for about 1 week and now it has mysteriously stopped working.

            Nothing was changed on the server..., as far as Windows updates, or IIS goes.

            ...I am going to troubleshoot why this stopped working, but in the meantime please feel free to offer advice, thanks

            Comment


            • #7
              Re: Force IIS 6.0 to only accept SSL requests.

              started....
              WWWConnect::Connect("site.domain.com","80")\n
              IP = "123.456.789.010:80"\n
              source port: 5533\r\n
              REQUEST: **************\n
              GET /webSite/ HTTP/1.1\r\n
              Host: site.domain.com\r\n
              Accept: */*\r\n
              \r\n
              RESPONSE: **************\n
              0x2746 (An existing connection was forcibly closed by the remote host.): Socket Error On Receive
              0x2746 (An existing connection was forcibly closed by the remote host.): Socket Error On Receive

              WWWConnect::Close("site.domain.com","80")\n
              closed source port: 5533\r\n
              finished.

              Comment

              Working...
              X