Problem
They all appear to be related to ASP.NET and other similar technologies.
I usually run Linux on my servers but for this one client I am using Windows with IIS 7.5 (and Plesk 10). This being the reason why I am slightly unfamiliar with IIS and web.config files. In an .htaccess file you can use rewrite conditions to detect whether the protocol is HTTPS and redirect accordingly. Is there a simple way to achieve this using a web.config file, or even using the ‘URL Rewrite’ module that I have installed?
I’m not familiar with ASP.NET, so if it’s part of the solution, please provide detailed instructions on how to implement it.
The reason for me doing this with the web.config and not PHP is that I would like to force HTTPS on all assets within the site.
Asked by Ben Carey
Solution #1
You’ll need the URL Rewrite module, preferably the v2 version (I have no v1 installed, so cannot guarantee that it will work there, but it should).
Here is an example of such web.config — it will force HTTPS for ALL resources (using 301 Permanent Redirect):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="Redirect to https" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
P.S. This solution has nothing to do with ASP.NET/PHP or any other technology because it is implemented solely through the URL rewriting module — which is handled at one of the initial/lower levels — before the request reaches the point where your code is performed.
Answered by LazyOne
Solution #2
For individuals who work with ASP.NET MVC. To force all responses to be HTTPS, use the RequireHttpsAttribute:
GlobalFilters.Filters.Add(new RequireHttpsAttribute());
Other steps you could take to help secure your website include:
Answered by Muhammad Rehan Saeed
Solution #3
Here’s an annotated version of LazyOne’s answer to go along with it.
<rewrite>
<rules>
<clear />
<rule name="Redirect all requests to https" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action
type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>
</rewrite>
Delete any additional rules that may have already been set up on this server. Make a new rule called “Redirect all requests to https” and save it. Do not process any additional rules after this one has been processed! All incoming URLs must be matched. Then see if all of the following conditions are met: HTTPS is disabled. That’s the sole stipulation (but be sure it’s true). If that’s the case, send the client a 301 Permanent Redirect to http://www.foobar.com/whatever?else=the#url-contains. Don’t include the query string at the end of that because it will be duplicated!
The meanings of the properties, attributes, and some of the values are as follows.
Variables on the server
See also: https://www.iis.net/learn/extensions/url-rewrite-module/url-rewrite-module-configuration-reference
Answered by Shaun Luttin
Solution #4
I was unable to use the accepted solution. This blog’s instructions were followed to the letter.
I had forgotten to download and install the URL Rewrite Tool for IIS, which was a crucial step. This is where I discovered it. The end result was as follows:
<rewrite>
<rules>
<remove name="Http to Https" />
<rule name="Http to Https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<serverVariables />
<action type="Redirect" url="https://{HTTPS_HOST}{REQUEST_URI}" />
</rule>
</rules>
</rewrite>
Answered by Eric
Solution #5
Follow the steps at https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl in.Net Core.
Add the following to your startup.cs file:
// Requires using Microsoft.AspNetCore.Mvc;
public void ConfigureServices(IServiceCollection services)
{
services.Configure<MvcOptions>(options =>
{
options.Filters.Add(new RequireHttpsAttribute());
});`enter code here`
Add the following to the startup.cs file to redirect Http to Https.
// Requires using Microsoft.AspNetCore.Rewrite;
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
var options = new RewriteOptions()
.AddRedirectToHttps();
app.UseRewriter(options);
Answered by Oracular Man
Post is based on https://stackoverflow.com/questions/9823010/how-to-force-https-using-a-web-config-file