SSL redirector usage and configuration

Plain HTTP offers no protection for the communication: the server's identity cannot be validated, and transferred data is not protected from eavesdropping or malicious modification. HTTPS (SSL/TLS) solves this problem, but brings its own family of problems: caching, higher CPU usage and so on. For most applications, the recommended solution is to use HTTPS only when needed, i.e. for login pages and pages containing sensitive data. The SSL redirector contained in this library solves this problem. You specify the areas of your web site where SSL is mandatory (or prohibited), and the module automatically redirects requests between secure and open connections.

Register configuration section

Include the following section registration in your web.config file:
<configSections>
    <sectionGroup name="altairis.web">
        <section name="management" type="Altairis.Web.Management.Configuration.ManagementSection, Altairis.Web.Management"/>
    </sectionGroup>
</configSections>

Register HTTP module

Register the RedirectorModule HTTP module (it is also used by the host redirector, so register it only once):
<system.webServer>
    <modules>
        <add name="RedirectorModule" type="Altairis.Web.Management.RedirectorModule, Altairis.Web.Management" />
    </modules>
</system.webServer>

Configure the SSL redirector

This is a sample configuration that forces all requests whose virtual path begins with ~/secure through HTTPS and all other requests through HTTP:
<altairis.web>
    <management>
        <sslRedirector enabled="true" defaultAction="ForceUnsecure">
            <rules>
                <add virtualPath="~/secure/" action="ForceSecure" />
            </rules>
        </sslRedirector>
    </management>
</altairis.web>

Possible attributes of the sslRedirector element:

Name                  Default value  Description
enabled               false          Set to true to enable SSL redirector.
excludeLocalRequests  true           Ignore requests coming from the same computer (useful for development).
verbs                 GET            Comma-separated list of HTTP verbs for which redirection should be used.
excludeSystemUrls     true           Ignore requests to system URLs, like WebResource.axd and so on.
securePort            443            Port used for secure (HTTPS) connections.
unsecurePort          80             Port used for unsecure (HTTP) connections.
defaultAction         None           Action used as fallback, when no other action is derived from rules. May be ForceSecure, ForceUnsecure or None.
sniFallbackAction     Off            Action used when browser does not support SNI. May be Off, UseUnsecure or UseAlternatePort. See below for details.
sniAlternatePort      8000           Alternate port for SNI fallback - see below.

The sslRedirector element contains a rules element with add elements, which specify the rules. Each add element has a virtualPath attribute, a string matched against the beginning of the request's virtual path, and an action attribute, which may be ForceSecure, ForceUnsecure or None. The first matching rule is used. When no matching rule is found, defaultAction is performed instead.

SNI Fallback

Starting with version 8.0, IIS supports Server Name Indication (SNI). This technology allows running several HTTPS web sites on a single IP address/port. The problem is that SNI isn't supported by any version of IE when running on Windows XP.

The SSL redirector therefore supports a feature called "SNI fallback": when a redirection to an SSL page is about to happen and a non-SNI browser is detected, you can either skip the redirection altogether (set sniFallbackAction to UseUnsecure), so that older browsers use the unencrypted connection, or set sniFallbackAction to UseAlternatePort and redirect such users to an alternate port.

To use the SSL redirector with SNI and SNI fallback, first set up three bindings in IIS:
  • http://yourserver:80 - non-ssl access
  • https://yourserver:443 - and check "require SNI"
  • https://yourserver:8000 - use some non-standard and server-unique port, such as 8000 or 8080, without SNI

Then use the following configuration in web.config:
<altairis.web>
    <management>
        <sslRedirector enabled="true" defaultAction="ForceUnsecure"
                       sniFallbackAction="UseAlternatePort" sniAlternatePort="8000">
            <rules>
                <add virtualPath="~/secure/" action="ForceSecure" />
            </rules>
        </sslRedirector>
    </management>
</altairis.web>

If a user tries to access http://yourserver/secure, the redirector checks whether the client is MSIE on Windows XP. If so (and the client therefore does not support SNI), the user is redirected to https://yourserver:8000/secure. If any other browser is used (and we therefore presume it supports SNI), the user is redirected to SSL on the standard port: https://yourserver/secure.
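
The rule matching and SNI fallback described above, modelled as a small Python check (an added example, not the library's own code). It parses the sample configuration from this page and reports where a plain-HTTP request ends up; the function names, the case-insensitive prefix match, the User-Agent tokens used to recognise MSIE on Windows XP and the application living at the site root are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the SNI-fallback configuration from this page, inlined.
CONFIG = """
<altairis.web>
    <management>
        <sslRedirector enabled="true" defaultAction="ForceUnsecure"
                       sniFallbackAction="UseAlternatePort" sniAlternatePort="8000">
            <rules>
                <add virtualPath="~/secure/" action="ForceSecure" />
            </rules>
        </sslRedirector>
    </management>
</altairis.web>
"""

def load(xml_text):
    """Read sslRedirector attributes, applying the defaults documented on this page."""
    el = ET.fromstring(xml_text).find("./management/sslRedirector")
    cfg = {"defaultAction": "None", "securePort": "443", "unsecurePort": "80",
           "sniFallbackAction": "Off", "sniAlternatePort": "8000"}
    cfg.update(el.attrib)
    cfg["rules"] = [(r.get("virtualPath"), r.get("action")) for r in el.findall("./rules/add")]
    return cfg

def action_for(cfg, virtual_path):
    """First rule whose virtualPath prefixes the request path wins; else defaultAction."""
    for prefix, action in cfg["rules"]:
        # Assumption: case-insensitive comparison, as is usual for IIS paths.
        if virtual_path.lower().startswith(prefix.lower()):
            return action
    return cfg["defaultAction"]

def is_non_sni(user_agent):
    # Assumption: MSIE on Windows XP is recognised by these User-Agent tokens.
    return "MSIE" in user_agent and "Windows NT 5.1" in user_agent

def target(cfg, host, virtual_path, user_agent):
    """URL a plain-HTTP GET is redirected to, or None if it stays on HTTP."""
    if action_for(cfg, virtual_path) != "ForceSecure":
        return None
    port = cfg["securePort"]
    if is_non_sni(user_agent):
        if cfg["sniFallbackAction"] == "UseUnsecure":
            return None  # redirection skipped: request stays unencrypted
        if cfg["sniFallbackAction"] == "UseAlternatePort":
            port = cfg["sniAlternatePort"]
    suffix = "" if port == "443" else ":" + port
    # "~/secure/x" -> "/secure/x" (assumes the application sits at the site root)
    return "https://" + host + suffix + virtual_path[1:]
```

With sniFallbackAction set to UseUnsecure, target() returns None for MSIE on Windows XP even under ~/secure/, so those clients keep using unencrypted HTTP for pages marked ForceSecure.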

Last edited Oct 22, 2012 at 1:11 AM by altair, version 3
