Re: iis not transferring clients to ssl port
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Sat, 22 May 2004 22:41:26 -0700

There are several ways to do this. The main difference is "where does the
requirement that page X requires SSL exist"? It can either live in
individual ASP pages, inside of IIS metabase at a per-URL level, or inside
some central text file.

However, you need to understand that there are limits to implementing an
"automatic transfer from HTTP to HTTPS" using modern browsers and web
servers. Namely, it does not work for posted FORMS, and it cannot be done
without changing the URL in the location bar in the browser. This is
because for all intents and purposes, the "transfer" from HTTP to HTTPS is
over a new socket connection as well as port #, which triggers the client to
both display the new URL as well as warn on re-posted FORMs.

One way is to have each page that is supposed to be secured check if it is
accessed over a secured channel, and if not, redirect, i.e.

    <%
    ' Check if request is over HTTPS or not
    ' If it is not over HTTPS, send a 302 redirection to this page over HTTPS
    IF Request.ServerVariables("SERVER_PORT_SECURE") = "0" THEN
        ' Be aware that this is vulnerable to Cross-site scripting attack...
        Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & _
            Request.ServerVariables("SCRIPT_NAME") & "?" & _
            Request.ServerVariables("QUERY_STRING")
    END IF
    ' Rest of ASP page
    %>

Another way is to have IIS check if a URL is supposed to be accessed over a
secured channel, and if not, send a 403.4 custom error, which you will
hijack and use to send the redirection. i.e.

1. Go to IIS Manager UI
2. Select the file to require SSL, choose right-click properties, and go to
   the "File Security" tab
3. Select "Edit" under "Secure communications" and check the "Require secure
   channel (SSL)" option. OK
4. Select the "Custom Errors" tab and modify 403.4 to execute a URL. You
   can make it execute the ASP code I gave above to see what is happening and
   how to custom-tailor to your needs

Both "File Security" and "Custom Errors" can be set at a per-URL level or
aggregated to a per-vdir or per-website level, so you can fine-tune it
however you wish.

This general idea can be extended such that all configuration is centralized
instead of spread out amongst individual files. You can write an ISAPI
Filter that triggers on all incoming URLs, inspect the URL and compare
against a list of URLs from a text file that "must be over SSL", and if the
request isn't over SSL, send a 302 redirection. This isn't as easy as
writing an ASP page or twiddling IIS configuration, but it's doable.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Marty Bleck" <firstname.lastname@example.org> wrote in message
news:e4gPJt0PEHA.2976@TK2MSFTNGP10.phx.gbl...

Hi Paul,

He wants to set up the server to allow the web masters to be able to select
which pages are protected (i.e. https instead of http). He and I have seen
this done. He is not using Active Directory, so he has to tell IIS what port
to transfer the client's web browser to. He can't find where to do this.
Setting it up using Active Directory works fine, but he wants the webmasters
to be able to secure only the pages they want without being transferred to a
sub domain. You can tell the sites that are set up this way when they secure
the page but you are not transferred to a sub domain. A few of the sites
that I have contacted seem unwilling to share how they set this up. That is
why I posted to a Microsoft forum hoping that someone that works for MS
would say 'oh yeh, you just have to go here and click this check box'. I've
been through almost every KB about SSL and have found nothing, that is why I
resorted to using the forums.

Thanks in advance for any help you can provide.
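
The centralized ISAPI-filter approach described in the reply comes down to one decision per request; the following is an added sketch of that decision in C, not code from the thread or from IIS, with the ISAPI plumbing left out. The names `SSL_ONLY`, `CANONICAL_HOST` and `ssl_redirect` and the sample paths are assumptions for illustration; the redirect target is built from a configured host name rather than the client-supplied Host header, and control characters are refused before anything reaches the Location value.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data; a real filter would load both from the central text file. */
static const char *SSL_ONLY[] = { "/account/login.asp", "/checkout/" }; /* trailing '/' = whole subtree */
static const char *CANONICAL_HOST = "www.example.com"; /* from configuration, never from the Host header */

/* Case-insensitive prefix test: IIS on Windows serves URL paths case-insensitively. */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* 1 if the path equals a listed file or lies under a listed directory. */
static int requires_ssl(const char *path) {
    for (size_t i = 0; i < sizeof SSL_ONLY / sizeof *SSL_ONLY; i++) {
        size_t n = strlen(SSL_ONLY[i]);
        if (has_prefix_ci(path, SSL_ONLY[i]) &&
            (SSL_ONLY[i][n - 1] == '/' || path[n] == '\0')) return 1;
    }
    return 0;
}

/* Returns 0 = serve as is, 1 = send 302 with `location`, -1 = refuse the request.
   Assumes `url` is path[?query] as canonicalised by the server, not the raw %-encoded text. */
int ssl_redirect(const char *url, int is_secure, char *location, size_t cap) {
    char path[256];
    size_t plen = strcspn(url, "?");
    if (is_secure) return 0;
    if (url[0] != '/' || plen >= sizeof path) return -1;
    for (const char *p = url; *p; p++)
        if (iscntrl((unsigned char)*p)) return -1; /* CR/LF must never reach a header */
    memcpy(path, url, plen);
    path[plen] = '\0';
    if (!requires_ssl(path)) return 0;
    int n = snprintf(location, cap, "https://%s%s", CANONICAL_HOST, url);
    return (n > 0 && (size_t)n < cap) ? 1 : -1;
}

int main(void) {
    const char *samples[] = { "/default.asp", "/Checkout/pay.asp?id=7", "/account/login.asp" };
    char loc[512];
    for (size_t i = 0; i < 3; i++) {
        int r = ssl_redirect(samples[i], 0, loc, sizeof loc);
        printf("%-24s -> %s%s\n", samples[i], r == 1 ? "302 " : "serve over HTTP", r == 1 ? loc : "");
    }
}
```

As the reply notes for any HTTP-to-HTTPS transfer, the 302 produced here does not carry a posted form across to the secure connection.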