Redirect HTTP to SSL with IIS
[Figures from the original post (images not available): secure-communications-properties, 403-error, web-site-identification, placeholder-directory, home-directory-redirection]
It has become habit to prepend the http:// prefix to a URL; in fact, if you type a URL into most web browsers and press Ctrl+Enter, the browser prepends http:// for you. HTTP (Hypertext Transfer Protocol) runs on TCP port 80 and is defined in RFC 2616. Because HTTP is clear text, a forms-authentication login travels over the wire in the clear and can be intercepted. It is therefore recommended that HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) be used so that the session is encrypted with SSL. HTTPS runs on TCP port 443 and requires that a certificate issued by a Certificate Authority your browsers trust be installed on the server (obtaining one is outside the scope of this article).
When you install Microsoft IIS, it creates a first web site named “Default Web Site” bound to port 80, listening for HTTP requests on all assigned IP addresses. Sometimes we need to install an application that requires SSL, or we have chosen to require that all communication with the web application be encrypted with SSL. IIS can be told to “Require Secure Channel (SSL)” and refuse all HTTP (non-SSL) traffic; but because users habitually type http://, a redirect is needed from the HTTP request to an HTTPS request, that is, from TCP port 80 to TCP port 443.
In my example the server uses a self-signed certificate generated with the SelfSSL tool from the IIS 6 Resource Kit. On your site you may choose a public CA or an internal CA trusted by your browsers. The first step is to install your application and then install the certificate through the “Directory Security” tab of the web site’s properties. On that tab, find the section titled “Secure Communications” and click “Edit”; you will then see the “Require Secure Channel (SSL)” option (see figure below).
Once this is selected, any clear-text request is answered with “HTTP Error 403.4 – Forbidden: SSL is required to view this resource. Internet Information Services (IIS)”, which is not the most friendly error for your users.
To solve this simple problem we will create a second web site that listens only for HTTP on TCP port 80 and redirects to the HTTPS URL on TCP port 443. You will need to re-assign the SSL site’s TCP port to an unused port number, and the new site still needs a home directory to point to even though it will never serve files from it.
Step 1 – Right-click your original site, click “Properties”, then click the “Web Site” tab. Under “Web Site Identification”, change the “TCP Port” to an unused port such as 8080, so that port 80 is free for the redirection site.
Step 2 – Create a “redirection” folder under c:\inetpub (or wherever your web root files live). I usually put a file in it explaining that the folder must never be deleted. The folder is required because the redirection site must point to a home directory even though it will never use it.
Step 3 – Create the “Redirection” web site: right-click “Web Sites” in the IIS MMC and select “New”, then “Web Site”, from the context menu. Follow the wizard, name the site “Redirection”, point it to the folder created in Step 2, and accept all other defaults.
Step 4 – Right-click the web site created in Step 3, select “Properties” from the context menu, then select the “Home Directory” tab. On this tab click “A redirection to a URL” and type your redirection URL, in this example HTTPS://www.bohack.com.
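The same four steps, scripted, as an added example that is not part of the original post. The MMC procedure above is for IIS 6, which has no PowerShell module; this script assumes IIS 7 or later with the WebAdministration module, that the SSL site is named “Default Web Site” with an HTTP binding of `*:80:` and an SSL binding already on 443, and uses the placeholder host name www.example.com. It ends with a check that a plain HTTP request really comes back as a redirect to the HTTPS URL.

```powershell
# Added example (not from the original post): the post's four MMC steps for IIS 7+
# using the WebAdministration module. Host name and site names are assumptions.
Import-Module WebAdministration

$OriginalSite   = 'Default Web Site'   # assumption: the site that requires SSL
$RedirectSite   = 'Redirection'
$RedirectFolder = 'C:\inetpub\redirection'
$HostName       = 'www.example.com'    # placeholder, replace with your host name
$ParkedPort     = 8080                 # the unused port from Step 1

# Step 1: move the SSL site's HTTP binding off port 80 (assumes it is currently *:80:).
# The SSL binding on 443 is untouched, so the site keeps serving HTTPS.
Set-WebBinding -Name $OriginalSite -BindingInformation '*:80:' `
    -PropertyName Port -Value $ParkedPort

# Step 2: the home directory the redirection site must point at, plus a note so that
# nobody cleans it up later.
New-Item -ItemType Directory -Path $RedirectFolder -Force | Out-Null
Set-Content -Path (Join-Path $RedirectFolder 'DO-NOT-DELETE.txt') -Value `
    'Home directory of the Redirection web site. IIS requires it even though nothing is served from it.'

# Step 3: the site that listens only for HTTP on port 80.
if (-not (Get-Website -Name $RedirectSite)) {
    New-Website -Name $RedirectSite -Port 80 -PhysicalPath $RedirectFolder | Out-Null
}

# Step 4: redirect every request to the HTTPS URL. exactDestination=false and
# childOnly=false append the requested path and query string to the destination, so
# a deep link such as http://host/a/b?x=1 lands on https://host/a/b?x=1 instead of
# the home page. "Permanent" sends a 301 so clients can remember the move.
$iisPath = "IIS:\Sites\$RedirectSite"
$filter  = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $iisPath -Filter $filter -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $iisPath -Filter $filter -Name destination        -Value "https://$HostName"
Set-WebConfigurationProperty -PSPath $iisPath -Filter $filter -Name exactDestination   -Value $false
Set-WebConfigurationProperty -PSPath $iisPath -Filter $filter -Name childOnly          -Value $false
Set-WebConfigurationProperty -PSPath $iisPath -Filter $filter -Name httpResponseStatus -Value 'Permanent'

# Verification: fetch a deep link over plain HTTP without following redirects and
# confirm the server answers with a 3xx whose Location is the same path over HTTPS.
$testPath = '/some/page?x=1'
$request  = [System.Net.WebRequest]::Create("http://$HostName$testPath")
$request.AllowAutoRedirect = $false
$response = $request.GetResponse()
$status   = [int]$response.StatusCode
$location = $response.Headers['Location']
$response.Close()

if ($status -in 301, 302, 307, 308 -and $location -eq "https://$HostName$testPath") {
    Write-Output "OK: HTTP $status -> $location"
} else {
    Write-Output "Redirect not behaving as expected: HTTP $status -> '$location'"
}
```

For the IIS 6 dialog described in Step 4, the equivalent of exactDestination=false is to append the redirect variables to the destination, for example HTTPS://www.bohack.com$S$Q, so the requested path ($S) and query string ($Q) are carried over rather than every request landing on the home page.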
Tags: IIS, Redirection, Windows
December 30th, 2008 at 3:23 am
Thanks for your help... this works great. One question: if my cert is 1024-bit, should I check the box to require 128-bit encryption?
Thanks
Andre Alexanian
December 30th, 2008 at 10:06 am
My personal recommendation is to check 128-bit encryption; almost all browsers today support 128-bit encryption. I think that with Internet Explorer 4.0 it became a standard feature, and in Windows NT 4.0 Service Pack 4 it was in the standard service pack for the OS to support it. I can’t remember, it was too long ago. Either way it was almost 10 years ago; today’s browsers can support 128-bit, and the only motivation for not checking it is CPU power on the server.
As for the strength of the key, that has nothing to do with the strength of the encryption. The certificate has been signed with a 1024-bit signature for authentication purposes; that is only the first stage of SSL. During the IKE or Internet Key Exchange the browser and the server will use the key and the Diffie-Hellman algorithm to create a mutual SSL key and strength, and that is where that check box is relevant.
December 12th, 2010 at 12:57 pm
Nice article. Totally agree with you.
January 31st, 2011 at 6:03 pm
Really, great article to read, thanks