I am looking for the "best practice" way of secure site redirection with IIS7 and ASP.net.
Say I have two domain names:
- mydomain.com
- mydomain.net
each with a www subdomain.
I have a single EV certificate that uses the common name:
- www.mydomain.com
Therefore, the user can access the site 8 different possible ways:
- http://mydomain.com
- http://mydomain.net
- http://www.mydomain.com
- http://www.mydomain.net
- and also using https://
In order for the user to not receive certificate errors, he/she must be directed to
- https://www.mydomain.com
What is the best way to make this work transparently to the user while still ensuring that IIS serves up only secure content? In the past I have used web.config to redirect to a sub page like this:
<system.webServer>
    <!-- IIS httpRedirect: enabled="true" is required, otherwise the element has no effect -->
    <httpRedirect enabled="true" destination="https://www.mydomain.com/secureSubPage" />
</system.webServer>
or with wildcard certificates using this block in a common base page:
// Force HTTPS: re-issue the same URL with the https scheme
if (!Request.IsSecureConnection)
{
    Response.Redirect(Request.Url.ToString().Replace("http:", "https:"), true);
    return;
}
// Force the .com domain: rewrite a .net request URL to its .com equivalent
if (!Request.Url.ToString().Contains(".com"))
{
    Response.Redirect(Request.Url.ToString().Replace(".net", ".com"), true);
    return;
}
Best Answer
To force all traffic to use HTTPS on https://www.mydomain.com you can simply use a single rewrite rule:

This will redirect all non-HTTPS traffic, regardless of the domain name used to reach the site, to https://www.mydomain.com. It will also redirect https://mydomain.com to https://www.mydomain.com. Because most SSL certificates nowadays include both the domain with and without www, this will not cause an error in the browser.

The above redirect rule cannot prevent users from reaching your site with, for example, https://www.mydomain.net. This is because the check on the host header name can only be done after the HTTPS session has been established, and before that the browser will already show an error because the domain name does not match the common name of the certificate. The only way to prevent this is to use a separate IP address for the domain name mydomain.com and a separate IP address for all other domain names you want your site to be reachable under.

To do this, you set up your DNS to let (www.)mydomain.net (and any other domain names you want your site to be reachable on) point to IP address X.X.X.1. This IP address is bound to an HTTP-only dummy site in IIS. The only purpose of this site is to redirect all traffic to https://www.mydomain.com using the following rewrite rule:

You then set up another site on IP address X.X.X.2 using both HTTP and HTTPS for (www.)mydomain.com. Using the above rewrite rule (the first one) you force HTTPS and the use of www.mydomain.com.

This solution will effectively make your website unreachable via HTTPS unless the correct domain mydomain.com is used, but that is also what you want because you don't have any valid certificates for the other domain names.
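The two-site layout described in the answer, written out as an added example (these are not the answerer's own rules): two separate web.config fragments for the IIS URL Rewrite module, one per site, using the placeholder hostnames and addresses from the thread. It assumes the URL Rewrite module is installed; the host-header condition in the first rule only ever runs after TLS is established, which is exactly why the HTTP-only dummy site on the second address is still needed for the other names.

```xml
<!-- web.config for the main site: bound to X.X.X.2, HTTP and HTTPS bindings,
     host names mydomain.com and www.mydomain.com (the certificate's common name). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Any request that is not already https://www.mydomain.com/... gets a
             301 to the canonical origin. MatchAny fires the rule when EITHER
             the scheme is plain HTTP OR the Host header is not the canonical one.
             {R:1} carries the original path; the query string is appended by
             default, so deep links survive the redirect. -->
        <rule name="Force HTTPS and canonical www host" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAny">
            <add input="{HTTPS}" pattern="off" />
            <add input="{HTTP_HOST}" pattern="^www\.mydomain\.com$" negate="true" />
          </conditions>
          <action type="Redirect" url="https://www.mydomain.com/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

<!-- web.config for the dummy site: bound to X.X.X.1 with an HTTP binding ONLY
     (no HTTPS binding, so no certificate mismatch is ever presented), host names
     mydomain.net, www.mydomain.net and any other alias the site should answer on.
     Its sole job is to send every request to the canonical HTTPS origin. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect every alias to the canonical site" stopProcessing="true">
          <match url="(.*)" />
          <action type="Redirect" url="https://www.mydomain.com/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

A quick check after deploying: requesting http://www.mydomain.net/some/path should return a single 301 whose Location header is https://www.mydomain.com/some/path, and https://mydomain.com/ should 301 to https://www.mydomain.com/ without any certificate warning.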