Elegantly Enforcing SSL in IIS 6.0

Solution 1:

If you need to do it at the server level then you will have to create another site and have it forward the the https site.

If you can edit the code, you can not enforce ssl at the server level, instead you can do it in your website by detecting if the url starts with http: and redirecting to the same url with https: instead.

Solution 2:

I posted this on StackOverflow

If the server/site/vdir is configured using the "Require Secure Channel" setting, the response from the server will be a "403.4 Forbidden: SSL is required to view this resource." error or a "403.5 Forbidden: SSL 128 is required to view this resource.".

You can actually customize the 403.4 or 403.5 error to redirect back to HTTPS. Create a VDIR under your site with NO SSL Requirement (**This is Important) - I use "CustomError". Create an ASP File inside this directory called 403_4_Error.asp containing the following:

<%@ LANGUAGE="VBScript" %> 
<%
if Request.ServerVariables("HTTPS") <> "on" then
    sServer = Request.ServerVariables("SERVER_NAME")
    sScript = Request.ServerVariables("SCRIPT_NAME")
    sQuery  = Request.ServerVariables("QUERY_STRING")
    Response.Write("https://" & sServer & sScript & "?" & sQuery)
end if
%>

Edit the server/site/vdir's Custom Error property for 403.4/403.5 and set the MessageType to URL and the URL to "/CustomError/403_4_Error.asp".

Note that ASP is used, you could easily use ASP.net or any other scripting language.

Elegantly Enforcing SSL in IIS 6.0

Solution 1:

Solution 2:

Related

Recent Posts