次の方法で共有

HTTP to HTTPS (SSL) Web Request Redirection

  • [アーティクル]

We often get requests from our customers asking how they can seamlessly redirect web requests from HTTP to HTTPS, i.e. how they can redirect a non-SSL request to an SSL based request. Recently a colleague of mine got a similar issue and we decided to use some existing scripts that we had in our database. Unfortunately none could meet the requirement.

Basically the existing scripts redirected an HTTP request to another URL and that URL was not the original request user had asked for. It took us to let's say the homepage of the site and from there one again has to click on specific links to reach the desired page. So this will be a problem for users who have book-marked their desired web page.

Here are the steps you can try for your website such that all HTTP requests get translated to HTTPS requests and have the original URL intact.

Here are two sample codes which one can try. Both of them should *hopefully* work. First one uses VBScript in an ASP page and second one uses Javascript in an HTML page.

a).

redirectSSL.asp

 <%@ Language=VBScript %>

 <% 

 strQueryString = Request.QueryString

 sslPort = null

 PlainURL = Right(strQueryString, len(strQueryString) - 4)

 FindLastCOlon = InStrRev(PlainURL, ":")

 FirstPart = Mid(PlainURL, 1, FindLastColon - 1)

 LastPart = Mid(PlainURL, FindLastColon)

 LastPart = (Mid(LastPart, InStr(LastPart, "/")))

  

 'If the SSL Port is not the default 443, you need to uncomment the line below, by default SSL port is 443.

 'sslPort = ":449"

 if (sslPort = null) then

     url= FirstPart & LastPart

 else

     url = FirstPart & sslPort & LastPart

 end if 

 strSecure = Replace(url, "http:", "https:", 1, 1)

 Response.Redirect strSecure

 %>

Steps:

-- Copy the above code and put in a file redirectSSL.asp under your Website root directory for which you want redirection to work.

-- Force SSL on the web site. To do that follow the steps mentioned below:
      - Go to --> <Your_Web_Site> -> Properties -> Directory Security -> Edit (Secure Communications)
      - Select Require secure channel (SSL).

-- Uncheck "Require secure channel (SSL)" option for the redirectSSL.asp page. To achieve that:
     - Go to --> <Your_Web_Site> -> redirectSSL.asp -> Properties -> File Security -> Edit (Secure Communications)
     - Uncheck Require secure channel (SSL).

So now we are forcing SSL to be used for all of the website contents except the redirectSSL.asp page which can be accessed over non-SSL (HTTP).

-- In the IIS manager -> <Your_Web_Site> -> Properties -> Custom Errors, modify the entry for 403;4 to look like this:

image

Now if you try to browse to some URL, let's say https://www.abc.com/asp/test/ssl/iistsart.htm, you will be redirected to http**s**://www.abc.com/asp/test/ssl/iistsart.htm, without you requiring to modify HTTP to HTTPS.

If your SSL port is not the default port 443 then you need to un-comment a line in the code as mentioned in there and it will redirect the request to the appropriate URL with corrected SSL port embedded in it.

b).

redirectSSL.html

 <html>

 <head>

  

 <script language="javascript">

  

 var currentURL=location.href.substring(0,5)

  

 if(currentURL.toLowerCase()!="https")

 {

 currentURL = location.href.substring(4,location.href.lastIndexOf(''))

 var portStartPos = currentURL.lastIndexOf(':')

 var sslPort = null

 if(portStartPos!=0)

 {

 var relativeURL = currentURL.substring(portStartPos)

 var postPortURL = relativeURL.substring(relativeURL.indexOf('/'))

 var URL = currentURL.substring(0,portStartPos)

 // If you are running your SSL site on a non default port other than 443 then uncomment the next line and add the right Port number.

 //sslPort = ":447"

 if(sslPort == null)

     currentURL = URL + postPortURL

 else

     currentURL = URL + sslPort + postPortURL

 }

  

 var targetURL = "https" + currentURL

 window.location = targetURL

 }

 </script> 

  

 </head>

 </html>

Steps:

-- Copy the above code and put in a file redirectSSL.html under your Website root directory for which you want redirection to work.

-- Force SSL on the web site. To do that follow the steps mentioned below:
      - Go to --> <Your_Web_Site> -> Properties -> Directory Security -> Edit (Secure Communications)
      - Select Require secure channel (SSL).

So now we are forcing SSL to be used for all of the Website contents.

-- In the IIS manager -> <Your_Website> -> Properties -> custom Errors, modify the entry for 403;4 to look like this:

image

You need not follow the step below since we are using File Type for custom error page and not a URL as shown above in the picture. If you select URL as Type above then you will need to follow the step below.

"-- Uncheck "Require secure channel (SSL)" option for the redirectSSL.html page. To achieve that:
- Go to --> <Your_Web_Site> -> redirectSSL.asp -> Properties -> File Security -> Edit (Secure Communications)
- Uncheck Require secure channel (SSL)."

 

This is all you need and you should see your URL changing automagically from HTTP to HTTPS (SSL).

Hope this helps...

Comments

  • Anonymous
    January 03, 2008
    PingBack from http://msdn.blogsforu.com/msdn/?p=4526

  • Anonymous
    June 23, 2008
    Thanks man, that (javascript) worked a treat for me on a server we use for a client.

  • Anonymous
    August 18, 2008
    Just what I was looking for (the Javascript) - thanks!

  • Anonymous
    August 19, 2008
    Thanx bunches.  The VBScript was just what I was looking for!

  • Anonymous
    October 06, 2008
    Is there no other way found by Microsoft to accomplish this task, in .NET3.5 or IIS 7?

  • Anonymous
    January 09, 2009
    Dear Mr. Singh, I tried your method using redirectSSL.html and it worked perfectly.  Thank you very much and keep the great ideas coming! George

  • Anonymous
    February 01, 2009
    This is a works when you get "HTTP Error 403.3 - Forbidden: Write access is denied." when you enable Require secure channel (SSL) on the default website as well. That's exactly what I was trying to fix.

  • Anonymous
    March 13, 2009
    Great job!!! I have tried many other resources and yours is the first one to work with subfolders and query strings.

  • Anonymous
    April 08, 2009
    Cool its helped me to implement in time

  • Anonymous
    April 21, 2009
    Worked great!. Thanks. Saved lot of time.

  • Anonymous
    April 23, 2009
    Thanks Saurabh. I wanted a C# version that does the same. Based on your approach, here's my RedirectToSSl.aspx. <%@ Page Language="C#" %> <% // This page redirects http requests to corresponding https locations // // Sample querystring format: 403;http://jiminy.cricket.com/a/b/xyz?param1=val1&param2=val2 // Sample urls after conversion: //    https://jiminy.cricket.com/a/b/xyz?param1=val1&param2=val2 //    https://jiminy.cricket.com:444/a/b/xyz?param1=val1&param2=val2     int? sslPort = null;   // If your SSL port is not the default 443, specify it here string queryString = Request.QueryString.ToString();   Uri originalUri = new Uri    (        System.Web.HttpUtility.UrlDecode        (            queryString            .Remove // Strip off anything before the first "http"            (                0,                queryString.IndexOf("http", StringComparison.OrdinalIgnoreCase)            )        )    ); Uri secureUri = new Uri    (        String.Format        (            "https://{0}{1}{2}",            originalUri.DnsSafeHost,            (sslPort.HasValue ? String.Format(":{0}", sslPort) : String.Empty),            originalUri.PathAndQuery        )    ); Response.Redirect(secureUri.ToString(), true); %>

  • Anonymous
    June 08, 2009
    The comment has been removed

  • Anonymous
    October 04, 2009
    Thanx for the information. HTTPS error code can be edited was an useful information. But is oit requires to do at client side or server side? Please provide more information over it. Provide links to related topics if posiible.