PM's Blog

Pramod Mohanan's notes about ASP.NET, MVC, C#, SQL, jQuery, Bootstrap

Setting IIS ASP.net site to work with https only and not http

Recently we installed an SSL certificate on one of our sites. Requests over https were served as expected; however, we noticed that pages were still served when an http request was made instead of https. To an extent, this defeated the purpose of having a certificate in place to serve secured content. After some investigation and searching, I found two ways to address this. The second one is what I finally adopted, because it would not break bookmarked pages for the users of the site.

Option 1: Change IIS settings for that instance
To ensure that only SSL requests are served, we can configure the AccessSSL metabase property to force SSL content requests only.

In a Windows command prompt, run the following command:

   cscript.exe adsutil.vbs set /w3svc/[site identifier]/AccessSSL TRUE   

where site identifier is the unique number that identifies the instance in IIS. This number can be found in IIS Manager and in the IIS metabase. The script file adsutil.vbs is normally found in the ..\inetpub\AdminScripts folder.

Option 2: Use URL rewriting to redirect http requests to https

   IndexIgnore *
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 

The above URL rewriting syntax is that of Helicon ISAPI Rewrite, in a .htaccess file (like the one that's available in Apache).
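
To confirm which behaviour is in effect after either change, the check below classifies the response a site gives to a plain-http request. It is an added example, not part of the original post; the function names, verdict strings and the example.com URL are assumptions made for illustration, and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def classify(request_url, status, location=None):
    """Verdict for the response to a plain-HTTP request for request_url."""
    req = urlsplit(request_url)
    if status in REDIRECTS:
        if not location:
            return "redirect-without-location"
        loc = urlsplit(location)
        if loc.scheme != "https":
            return "redirect-not-https"
        if loc.hostname != req.hostname:
            return "redirect-other-host"
        # Bookmarks keep working only if the path and query string survive.
        same = (loc.path or "/") == (req.path or "/") and loc.query == req.query
        return "https-redirect-preserving-url" if same else "https-redirect-url-changed"
    if status == 403:
        return "http-refused"      # IIS answers 403 when SSL is required (Option 1)
    if 200 <= status < 300:
        return "served-over-http"  # HTTPS is not enforced
    return "other"

def probe(request_url, timeout=5):
    """Send one GET over plain HTTP (redirects are not followed) and classify it."""
    req = urlsplit(request_url)
    target = (req.path or "/") + ("?" + req.query if req.query else "")
    conn = http.client.HTTPConnection(req.hostname, req.port or 80, timeout=timeout)
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        return classify(request_url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample responses for a hypothetical bookmarked URL.
BOOKMARK = "http://www.example.com/orders/view.aspx?id=7"
SAMPLES = [(200, None), (403, None),
           (302, "https://www.example.com/orders/view.aspx?id=7"),
           (301, "https://www.example.com/")]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, location, "->", classify(BOOKMARK, status, location))
```

A verdict of served-over-http means neither option is active; http-refused matches Option 1, and https-redirect-preserving-url is the outcome Option 2 is meant to produce for bookmarked pages.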


PM's Blog © 2015