Bohack » Redirection http://www.bohack.com Check In and Tune Out! Wed, 25 Aug 2010 00:44:12 +0000 en hourly 1 http://wordpress.org/?v=abc Redirect HTTP to SSL with IIS http://www.bohack.com/2008/12/redirect-http-to-ssl-with-iis/ http://www.bohack.com/2008/12/redirect-http-to-ssl-with-iis/#comments Sun, 07 Dec 2008 17:58:09 +0000 Bohack http://www.bohack.com/?p=141 It has become culture to prepend the http:// prefix in front of a URL. In fact if you type the URL in most web browsers and hit ctrl-enter, the browser will prepend the http:// in front of the URL. The HTTP (Hypertext Transfer Protocol) works on port 80 TCP and is defined in RFC 2616. Since HTTP language is clear text over port 80 TCP that means that forms authentication will travel over clear text and can be intercepted. So it is recommended that HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) be used to encrypt the session with SSL. HTTPS or SSL works over port 443 TCP and requires a private certificate be installed from a browser trusted Certificate Authority (out of the scope of this article).

When you install Microsoft IIS, it defaults the first web site called “Default Web Site” to Port 80 and listens for HTTP requests on all assigned IPs. Sometime we need to install an application that requires SSL or we have chosen to require all communications be encrypted with SSL for the web application. IIS can be told to “Require Secure Channel (SSL)” and refuse all HTTP or non-SSL traffic; however it is culture to prepend the HTTP. So a redirection is needed from the HTTP request to an HTTPS request or Port 80 TCP to Port 443 TCP.

In my example, the server I installed uses a self-signed cert that was generated using the IIS Resource Kit 6 tool SelfSSL. On your site you may choose to use a public CA or internal CA trusted by your browser. So the first step is to install your application and install a Certificate through the “Directory Security” tab of the web site’s properties. On the Directory Security tab find the section titled “Secure Communications” and click “Edit”; you will then see the “Require Secure Channel (SSL)” option (see figure below).

IIS Secure Communications Dialog Box

Once this is selected the site will return “HTTP Error 403.4 – Forbidden: SSL is required to view this resource. Internet Information Services (IIS)”, if clear text is used; not the most friendly error for your users.

HTTP Error 403.4 - Forbidden: SSL is required to view this resource.

To solve this simple problem we will create a new web site that listens only for HTTP on port 80 TCP and redirects to the URL via HTTPS on port 443 TCP. You will need to re-assign an unused port number to the SSL site and you still need a directory to point the new site to.

Step 1 – Right click on your original site and click “Properties” then click on the “Web Site Tab”. Change the “TCP Port” under “Web Site Identification” to an unused port like 8080.

Web Site Identification Dialog Box

Step 2 – Create a “redirection” file folder under c:\inetpub or your root web files. I usually create a file that describes not to ever delete the folder. You need to create this folder, because your redirection site needs to point to a folder even if it is not going to use it.

Redirection Website Place Holder Directory

Step 3 – Create the “Redirection” Web Site by right clicking “Web Sites” in the MMC and selecting “New” then “Web Site” from the context menu. Follow the wizard and name it “Redirection” and point it to the directory created in Step 2; assume all defaults.

Redirection Web Site

Step  4 – Right click the web site created in Step 3 and select “Properties” from the context menu, then select the “Home Directory” tab. From this tab you will click on “A Redirection to a URL” then type in your redirection URL of HTTPS://www.bohack.com.

Home Directory Dialog Box ]]> http://www.bohack.com/2008/12/redirect-http-to-ssl-with-iis/feed/ 2