IIS – How to restrict access to web pages for HTTPS

https iis

IIS 7.

Normally I would add some addresses (client IP) with deny or allow status to the IIS configuration to restrict access to web pages (so from IP A.A.A.A it would be possible to get to the web page, but from B.B.B.B not). However, I have a setup with SSL as well, so the user can enter

http://www.home.com

or

https://www.home.com

In the first case she/he will be redirected to HTTPS. However, when the user explicitly enters the second form, no matter what the IP is, she/he gets access all the time. I am surprised that the settings for restricting access apply only to HTTP, not HTTPS. Anyway, the question is:

How can I restrict access to web pages (for HTTPS), or how can I make the existing restriction for HTTP work for HTTPS as well?

SOLVED

The solution is stupid-simple: it is required to change the default access to "deny" (however, I don't understand how/why default=allow and allowing a single user makes sense and can work). With default access set to deny it works as required; however, oddly, I (I am allowed to access the site) cannot use HTTP, only HTTPS.

Best Answer

You can certainly limit a folder/virtual-directory/application in IIS to HTTPS only (HTTP requests will be redirected to HTTPS).

The method depends on the IIS version.

IIS7 and later (for Vista/2008/Win7/2008R2):

  • In the containing Web Site, ensure SSL is configured (i.e. an HTTPS/SSL binding and certificate are configured).
  • Select the right location in the folder tree.
  • Use SSL Settings to select "Require SSL".

IIS6 and earlier:

  • In the properties of the web site, configure the certificate and SSL port.
  • In the properties of the applicable folder, on the Directory Security tab, click Edit and select Require Secure Channel (SSL).
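
The two settings discussed above (default access set to deny, and "Require SSL") written out as IIS 7 configuration. This is an added example, not taken from the question or the answer: the site path and the addresses are constructed placeholders, and it assumes the IP and Domain Restrictions role service is installed and that the fragment is placed in applicationHost.config.

```xml
<!-- applicationHost.config fragment. Site path and addresses are constructed. -->
<configuration>
  <!-- Hypothetical path; use the site or folder selected in IIS Manager. -->
  <location path="Default Web Site/secure">
    <system.webServer>
      <security>
        <!--
          Weak form described in the question:
            <ipSecurity allowUnlisted="true">
              <add ipAddress="203.0.113.10" allowed="true" />
            </ipSecurity>
          Unlisted clients are allowed by default, so the allow entry
          changes nothing and every address gets in.
        -->
        <!-- Corrected: deny by default, then list the permitted clients. -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="203.0.113.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
        <!-- "Require SSL" from the SSL Settings page; plain HTTP gets 403.4. -->
        <access sslFlags="Ssl" />
      </security>
    </system.webServer>
  </location>
</configuration>
```

The same `<ipSecurity>` rules are evaluated for every binding of the site, so verify the result from an unlisted address over both `http://` and `https://`.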