Re: iis not transferring clients to ssl port

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 05/23/04

  • Next message: George Hester: "Re: Using IISADMPWD Virtual Directory"
    Date: Sat, 22 May 2004 22:41:26 -0700
    
    

    There are several ways to do this. The main difference is "where does the
    requirement that page X requires SSL exist"? It can either live in
    individual ASP pages, inside of IIS metabase at a per-URL level, or inside
    some central text file.

    However, you need to understand that there are limits to implementing an
    "automatic transfer from HTTP to HTTPS" using modern browsers and web
    servers. Namely, it does not work for posted FORMS, and it cannot be done
    without changing the URL in the location bar in the browser. This is
    because for all intents and purposes, the "transfer" from HTTP to HTTPS is
    over a new socket connection as well as port #, which triggers the client to
    both display the new URL as well as warn on re-posted FORMs.

    One way is to have each page that is supposed to be secured check whether
    it is accessed over a secured channel, and if not, redirect, i.e.

    <%
    ' Check if request is over HTTPS or not
    ' If it is not over HTTPS, send a 302 redirection to this page over HTTPS
    IF Request.ServerVariables("SERVER_PORT_SECURE") = "0" THEN
        ' Be aware that this is vulnerable to Cross-site scripting attack...
        Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & _
            Request.ServerVariables("SCRIPT_NAME") & "?" & _
            Request.ServerVariables("QUERY_STRING")
    END IF
    ' Rest of ASP page
    %>

    Another way is to have IIS check if a URL is supposed to be accessed over a
    secured channel, and if not, send a 403.4 custom error, which you will
    hijack and use to send the redirection. i.e.
    1. Go to IIS Manager UI
    2. Select the file to require SSL, choose right-click properties, and go to
    the "File Security" tab
    3. Select "Edit" under "Secure communications" and check the "Require secure
    channel (SSL)" option. OK
    4. Select the "Custom Errors" tab and modify 403.4 to execute a URL. You
    can make it execute the ASP code I gave above to see what is happening and
    how to custom-tailor to your needs

    Both "File Security" and "Custom Errors" can be set at a per-URL level or
    aggregated to a per-vdir or per-website level, so you can fine-tune it
    however you wish.

    This general idea can be extended such that all configuration is centralized
    instead of spread out amongst individual files. You can write an ISAPI
    Filter that triggers on all incoming URLs, inspect the URL and compare
    against a list of URLs from a text file that "must be over SSL", and if the
    request isn't over SSL, send a 302 redirection. This isn't as easy as
    writing an ASP page or twiddling IIS configuration, but it's doable.

    -- 
    //David
    IIS
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
    "Marty Bleck" <mbleck@gciepage.com> wrote in message
    news:e4gPJt0PEHA.2976@TK2MSFTNGP10.phx.gbl...
    Hi Paul,
    He wants to set up the server to allow the web masters to be able to
    select which pages are protected.  (ie:  https instead of http)  He and I
    have seen this done.  He is not using active directory so he has to tell
    iis what port to transfer the client's web browser to.  He can't find
    where to do this.  Setting it up using active directory works fine, but
    he wants the webmasters to be able to secure only the pages they want
    without being transferred to a sub domain.  You can tell the sites that
    are set up this way when they secure the page but you are not
    transferred to a sub domain.  A few of the sites that I have contacted
    seem unwilling to share how they set this up.  That is why I posted to a
    Microsoft forum hoping that someone that works for ms would say 'oh yeh,
    you just have to go here and click this check box'.  I've been through
    almost every kb about ssl and have found nothing, that is why I resorted
    to using the forums.  Thanks in advance for any help you can provide.
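
The central-list check described in the last paragraph of the reply, as an added example (not code from the original post, and not a complete ISAPI filter): portable C for the decision such a filter would make on each request. The function names, the one-path-per-line list format, and the fixed `CANONICAL_HOST` used in place of the client-supplied Host header are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Assumption: the site's single canonical HTTPS host name, set by the admin. */
#define CANONICAL_HOST "www.example.com"

/* Case-insensitive compare of the request path with one list entry of length n. */
static int entry_matches(const char *entry, size_t n, const char *path) {
    if (strlen(path) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)entry[i]) != tolower((unsigned char)path[i])) return 0;
    return 1;
}

/* list_text: contents of the "must be over SSL" text file, one URL path per line. */
int requires_ssl(const char *list_text, const char *path) {
    for (const char *p = list_text; *p; ) {
        size_t n = strcspn(p, "\r\n");            /* entry ends at CR or LF */
        if (n > 0 && entry_matches(p, n, path)) return 1;
        p += n + strspn(p + n, "\r\n");           /* skip line endings and blank lines */
    }
    return 0;
}

/* Refuse bytes that must not be echoed into a Location header or the 302 body. */
static int safe_to_echo(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c <= 0x20 || c >= 0x7f || strchr("<>\"'\\", c)) return 0;
    }
    return 1;
}

/* Returns 1 and fills out with the 302 target, 0 if no redirect is needed, -1 to reject. */
int https_redirect(int is_secure, const char *list_text, const char *path,
                   const char *query, char *out, size_t outlen) {
    if (is_secure || !requires_ssl(list_text, path)) return 0;
    if (path[0] != '/' || !safe_to_echo(path) || !safe_to_echo(query)) return -1;
    int n = snprintf(out, outlen, "https://%s%s%s%s", CANONICAL_HOST, path,
                     *query ? "?" : "", query);
    return (n > 0 && (size_t)n < outlen) ? 1 : -1;
}

int main(void) {                                  /* constructed sample list and request */
    char url[256];
    const char *list = "/secure/login.asp\r\n/admin/default.asp\r\n";
    if (https_redirect(0, list, "/Secure/Login.asp", "id=7", url, sizeof url) == 1) puts(url);
    return 0;
}
```

Building the target from a configured host and refusing unsafe bytes avoids echoing client-controlled input, which is the weakness the comment in the ASP snippet flags. The redirect is only a convenience; the "Require secure channel (SSL)" setting is what blocks plain HTTP access to the page.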
    
