IIS Tips & Tricks

Location: BlogsComments    
Posted by: Dale Sunday, April 01, 2007
In this post I'll mention any clever things I've come across with regard to IIS.

HTTPS Only sites: Some sites only allow access via HTTPS. Now its not very user friendly to show the traditional 403;4 error message when someone navigates to http://www.yoursite.com. So what you can do is build an HTML page which automatically redirects from the HTTP page to the HTTPS page using JavaScript and then edit the 403;4 HTTP error on the "Custom Errors" tab under properties for the website in question in IIS and set it to point to your HTML file. The great thing is you don't even need to locate the file within the website - it can be anywhere on the server and shared by as many sites as you like.


Matt Christenson pointed out that this solution isn't google friendly and doesn't always work with mobile browsers. He suggested the following ASP.NET solution.

"Configure a single IIS website to allow both HTTP and HTTPS; then use HTTP Modules to intercept HTTP requests and redirect them, here are two of them that I use – one redirects all pages to HTTPS; the second redirects pages that contain modules identified in my custom data layer (I developed this for my custom shopping cart module, to be sure that any page that accepts credit cards is encrypted)."

 

<HTTPMODULES>
  <ADD name="RequireSSLModule" type="SkydiveSecure.HttpModules.RequireSSLModule, SkydiveSecure.DNNSharedLibrary" />
</HTTPMODULES> 

<HTTPMODULES>
  <ADD name="SelectiveSSLModule" type="SkydiveSecure.HttpModules.SelectiveSSLModule, SkydiveSecure.DNNSharedLibrary" />
</HTTPMODULES> 

 

using System;
using System.Web;
namespace HttpModules
{
    public class RequireSSLModule : IHttpModule
    {
        public String ModuleName         
        {
            get { return "RequireSSLModule";}
        }

        public void Init(HttpApplication Application)
        {
            Application.BeginRequest += (new EventHandler(this.Application_BeginRequest));
        }

        public void Application_BeginRequest(Object Sender, EventArgs Args)
        {
            HttpApplication Application = (HttpApplication)Sender;
            HttpContext Context = Application.Context;
            String SECURE = "https://", UNSECURE = "http://";
            if (!Context.Request.IsSecureConnection)
            {
                Context.Response.StatusCode = (int)System.Net.HttpStatusCode.MovedPermanently; //permanent HTTP 301
                Context.Response.Status = "301 Moved Permanently";
                Context.Response.RedirectLocation = Context.Request.Url.ToString().Replace(UNSECURE, SECURE);
            }
        }

        public void Dispose()
        {
            // Does nothing - Empty stub required for IHttpHodule
        }
    }
}
Permalink |  Trackback

Your name:
Title:
Comment:
Add Comment   Cancel