SSL – IIS7 redirection best practices

asp.net, iis-7, ssl

I am looking for the "best practice" way of secure site redirection with IIS7 and ASP.net.
Say I have two domain names:

  • mydomain.com
  • mydomain.net

each with a www subdomain.

I have a single EV certificate that uses the common name:

  • www.mydomain.com

Therefore, the user can access the site 8 different possible ways:

- http://mydomain.com
- http://mydomain.net
- http://www.mydomain.com
- http://www.mydomain.net
- and also using https://

In order for the user to not receive certificate errors, he/she must be directed to

 - https://www.mydomain.com

What is the best way to make this work transparently to the user while still ensuring that IIS serves up only secure content? In the past I have used web.config to redirect to a sub page like this:

<system.webServer>
    <!-- enabled defaults to false; every request is sent to the secure sub page -->
    <httpRedirect enabled="true" destination="https://www.mydomain.com/secureSubPage" />
</system.webServer>

or with wildcard certificates using this block in a common base page:

public class SecureBasePage : System.Web.UI.Page
{
    protected override void OnInit(System.EventArgs e)
    {
        base.OnInit(e);
        // Force HTTPS first; the wildcard certificate covers whichever host was used.
        if (!Request.IsSecureConnection)
        {
            Response.Redirect(Request.Url.ToString().Replace("http:", "https:"), true);
            return;
        }
        // Then force the canonical .com host name.
        if (!Request.Url.ToString().Contains(".com"))
        {
            Response.Redirect(Request.Url.ToString().Replace(".net", ".com"), true);
            return;
        }
    }
}

Best Answer

To force all traffic to use HTTPS on https://www.mydomain.com you can simply use a single rewrite rule:

<system.webServer>
  <rewrite>
    <rules>
      <!-- enabled must be true, otherwise the rule is skipped -->
      <rule name="Force HTTPS" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAny">
          <add input="{HTTPS}" negate="true" pattern="^ON$" />
          <add input="{HTTP_HOST}" negate="true" pattern="^www\.mydomain\.com$" />
        </conditions>
        <!-- {REQUEST_URI} already carries the query string, hence appendQueryString="false" -->
        <action type="Redirect" url="https://www.mydomain.com{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

This will redirect all non-HTTPS traffic, regardless of the domain name used to reach the site, to https://www.mydomain.com. It will also redirect https://mydomain.com to https://www.mydomain.com. Because most SSL certificates nowadays include both the domain with and without www, this will not cause an error in the browser.

The above redirect rule cannot prevent users from reaching your site with, for example, https://www.mydomain.net. This is because the check on the host header name can only be done after the HTTPS session has been established, and before that the browser will already show an error because the domain name does not match the common name of the certificate. The only way to prevent this is to use a separate IP address for the domain name mydomain.com and a separate IP address for all other domain names you want your site to be reachable under.

To do this, you set up your DNS so that (www.)mydomain.net (and any other domain names you want your site to be reachable on) points to IP address X.X.X.1. This IP address is bound to an HTTP-only dummy site in IIS. The only purpose of this site is to redirect all traffic to https://www.mydomain.com using the following rewrite rule:

<system.webServer>
  <rewrite>
    <rules>
      <!-- enabled must be true, otherwise the rule is skipped -->
      <rule name="Redirect to https://www.mydomain.com" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll">
          <add input="{HTTP_HOST}" negate="true" pattern="^www\.mydomain\.com$" />
        </conditions>
        <action type="Redirect" url="https://www.mydomain.com{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

You then set up another site on IP address X.X.X.2 using both HTTP and HTTPS for (www.)mydomain.com. Using the first rewrite rule above, you force HTTPS and the use of www.mydomain.com.

This solution will effectively make your website unreachable via HTTPS unless the correct domain mydomain.com is used, but that is also what you want because you don't have any valid certificates for the other domain names.
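As an added example that is not part of the question or of the answer above, here is a small Python model of how URL Rewrite evaluates these two rules, so that the eight entry points from the question can be checked offline before the configuration is deployed. It assumes the rules are deployed with enabled="true" (a rule with enabled="false" is skipped and never fires), that the dummy site on X.X.X.1 has only an HTTP binding, and that the certificate's names are passed in as a parameter so the single-name certificate from the question can be tried as well. The host names and URLs are the ones from the question; the model covers only the match, conditions and Redirect action features these rules use, not IIS itself.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Rule 1 (real site on X.X.X.2) and rule 2 (HTTP-only dummy site on X.X.X.1) from the
# answer, as they must be deployed: enabled="true". A disabled rule is skipped.
FORCE_HTTPS_RULES = r"""
<rules>
  <rule name="Force HTTPS" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAny">
      <add input="{HTTPS}" negate="true" pattern="^ON$" />
      <add input="{HTTP_HOST}" negate="true" pattern="^www\.mydomain\.com$" />
    </conditions>
    <action type="Redirect" url="https://www.mydomain.com{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
  </rule>
</rules>
"""
DUMMY_SITE_RULES = r"""
<rules>
  <rule name="Redirect to https://www.mydomain.com" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll">
      <add input="{HTTP_HOST}" negate="true" pattern="^www\.mydomain\.com$" />
    </conditions>
    <action type="Redirect" url="https://www.mydomain.com{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
  </rule>
</rules>
"""

# Assumed DNS/binding layout from the answer: .com names reach the real site (rule 1),
# .net names reach the dummy site (rule 2), and only the real site has a 443 binding.
SITE_RULES = {
    "mydomain.com": FORCE_HTTPS_RULES, "www.mydomain.com": FORCE_HTTPS_RULES,
    "mydomain.net": DUMMY_SITE_RULES, "www.mydomain.net": DUMMY_SITE_RULES,
}
HTTPS_BOUND_HOSTS = {"mydomain.com", "www.mydomain.com"}


def server_variables(url):
    """Server variables URL Rewrite exposes for a request, derived from the full URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return {
        "HTTPS": "ON" if parts.scheme == "https" else "OFF",
        "HTTP_HOST": parts.netloc.lower(),
        "REQUEST_URI": path + ("?" + parts.query if parts.query else ""),
        "QUERY_STRING": parts.query,
        "_PATH": path.lstrip("/"),  # what <match url="..."> is tested against
    }


def expand(template, variables):
    """Substitute {NAME} placeholders such as {REQUEST_URI} with their values."""
    return re.sub(r"\{(\w+)\}", lambda m: variables.get(m.group(1), ""), template)


def evaluate_rules(rules_xml, url):
    """Return (status, location) for the first Redirect rule that fires, else None."""
    variables = server_variables(url)
    for rule in ET.fromstring(rules_xml).findall("rule"):
        if rule.get("enabled", "true").lower() != "true":
            continue
        if not re.search(rule.find("match").get("url"), variables["_PATH"], re.I):
            continue
        conditions = rule.find("conditions")
        if conditions is not None:
            results = []
            for cond in conditions.findall("add"):
                hit = re.search(cond.get("pattern"), expand(cond.get("input"), variables), re.I) is not None
                # negate="true" inverts the individual condition
                results.append(hit != (cond.get("negate", "false").lower() == "true"))
            combine = any if conditions.get("logicalGrouping", "MatchAll") == "MatchAny" else all
            if not combine(results):
                continue
        action = rule.find("action")
        if action.get("type") != "Redirect":
            continue
        location = expand(action.get("url"), variables)
        if action.get("appendQueryString", "true").lower() == "true" and variables["QUERY_STRING"]:
            location += ("&" if "?" in location else "?") + variables["QUERY_STRING"]
        return (301 if action.get("redirectType", "Permanent") == "Permanent" else 302), location
    return None


def simulate(url, cert_names=frozenset({"www.mydomain.com", "mydomain.com"})):
    """Outcome of one request in the two-IP layout; cert_names are the names on the certificate."""
    variables = server_variables(url)
    host = variables["HTTP_HOST"]
    if variables["HTTPS"] == "ON":
        if host not in HTTPS_BOUND_HOSTS:
            return "connection refused: no HTTPS binding on X.X.X.1"
        if host not in cert_names:
            return "certificate error before any rule runs"  # TLS completes before Host is read
    result = evaluate_rules(SITE_RULES[host], url)
    return "200 served" if result is None else f"{result[0]} -> {result[1]}"


if __name__ == "__main__":
    # The eight entry points from the question (constructed sample URLs).
    for scheme in ("http", "https"):
        for host in ("mydomain.com", "www.mydomain.com", "mydomain.net", "www.mydomain.net"):
            url = f"{scheme}://{host}/page.aspx?id=1"
            print(f"{url:40} => {simulate(url)}")
```

Running the script prints the outcome for each of the eight entry points: every http URL and https://mydomain.com become a 301 to https://www.mydomain.com with the path and query string preserved, https://www.mydomain.com is served, and the .net names over https never reach a rule. Passing cert_names=frozenset({"www.mydomain.com"}) reproduces the single-name certificate from the question and shows https://mydomain.com failing before the rule can run. Flipping appendQueryString to "true" in the model yields ?id=1&id=1, because {REQUEST_URI} already carries the query string; that is why the answer's rules set it to false.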
