我在谷歌和StackOverflow周围搜索,试图找到一个解决方案,但他们似乎都与ASP有关。净等。
我通常在我的服务器上运行Linux,但对于这个客户端,我使用带有IIS 7.5(和Plesk 10)的Windows。这就是为什么我对IIS和web有点不熟悉的原因。配置文件。在.htaccess文件中,您可以使用重写条件来检测协议是否为HTTPS并相应地重定向。有没有一个简单的方法来实现这一点使用网络。配置文件,甚至使用'URL重写'模块,我已经安装?
我没有ASP的经验。NET因此,如果这涉及到解决方案,那么请包括如何实现的明确步骤。
我这样做的原因是。配置而不是PHP是我想强制HTTPS在网站内的所有资产。
我不允许在我的环境中安装URL重写,所以,我找到了另一个路径。
把这个加到我的网里。config添加了错误重写,并适用于iis7.5:
<system.webServer>
<httpErrors errorMode="Custom" defaultResponseMode="File" defaultPath="C:\WebSites\yoursite\" >
<remove statusCode="403" subStatusCode="4" />
<error statusCode="403" subStatusCode="4" responseMode="File" path="redirectToHttps.html" />
</httpErrors>
然后,按照这里的建议:https://www.sslshopper.com/iis7-redirect-http-to-https.html
我将IIS网站配置为需要SSL,并创建了html文件,在403(禁止)错误时执行重定向(redirectToHttps.html):
<html>
<head><title>Redirecting...</title></head>
<script language="JavaScript">
function redirectHttpToHttps()
{
var httpURL= window.location.hostname + window.location.pathname + window.location.search;
var httpsURL= "https://" + httpURL;
window.location = httpsURL;
}
redirectHttpToHttps();
</script>
<body>
</body>
</html>
我希望有人发现这是有用的,因为我无法找到所有的碎片在一个地方在其他地方。
在.Net Core中,请遵循https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl上的说明
在startup.cs中添加以下内容:
// Requires using Microsoft.AspNetCore.Mvc;
public void ConfigureServices(IServiceCollection services)
{
services.Configure<MvcOptions>(options =>
{
options.Filters.Add(new RequireHttpsAttribute());
});`enter code here`
要将Http重定向到Https,请在startup.cs . xml文件中添加以下内容
// Requires using Microsoft.AspNetCore.Rewrite;
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
var options = new RewriteOptions()
.AddRedirectToHttps();
app.UseRewriter(options);
我不允许在我的环境中安装URL重写,所以,我找到了另一个路径。
把这个加到我的网里。config添加了错误重写,并适用于iis7.5:
<system.webServer>
<httpErrors errorMode="Custom" defaultResponseMode="File" defaultPath="C:\WebSites\yoursite\" >
<remove statusCode="403" subStatusCode="4" />
<error statusCode="403" subStatusCode="4" responseMode="File" path="redirectToHttps.html" />
</httpErrors>
然后,按照这里的建议:https://www.sslshopper.com/iis7-redirect-http-to-https.html
我将IIS网站配置为需要SSL,并创建了html文件,在403(禁止)错误时执行重定向(redirectToHttps.html):
<html>
<head><title>Redirecting...</title></head>
<script language="JavaScript">
function redirectHttpToHttps()
{
var httpURL= window.location.hostname + window.location.pathname + window.location.search;
var httpsURL= "https://" + httpURL;
window.location = httpsURL;
}
redirectHttpToHttps();
</script>
<body>
</body>
</html>
我希望有人发现这是有用的,因为我无法找到所有的碎片在一个地方在其他地方。
对于那些使用ASP。净MVC。您可以使用requirehttpattribute强制所有响应为HTTPS:
GlobalFilters.Filters.Add(new RequireHttpsAttribute());
你可能还想做其他事情来帮助保护你的网站:
Force Anti-Forgery tokens to use SSL/TLS:
AntiForgeryConfig.RequireSsl = true;
Require Cookies to require HTTPS by default by changing the Web.config file:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
Use the NWebSec.Owin NuGet package and add the following line of code to enable Strict Transport Security (HSTS) across the site. Don't forget to add the Preload directive below and submit your site to the HSTS Preload site. More information here and here. Note that if you are not using OWIN, there is a Web.config method you can read up on on the NWebSec site.
// app is your OWIN IAppBuilder app in Startup.cs
app.UseHsts(options => options.MaxAge(days: 720).Preload());
Use the NWebSec.Owin NuGet package and add the following line of code to enable Public Key Pinning (HPKP) across the site. More information here and here.
// app is your OWIN IAppBuilder app in Startup.cs
app.UseHpkp(options => options
.Sha256Pins(
"Base64 encoded SHA-256 hash of your first certificate e.g. cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=",
"Base64 encoded SHA-256 hash of your second backup certificate e.g. M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=")
.MaxAge(days: 30));
Include the https scheme in any URL's used. Content Security Policy (CSP) HTTP header and Subresource Integrity (SRI) do not play nice when you imit the scheme in some browsers. It is better to be explicit about HTTPS. e.g.
<script src="https://ajax.aspnetcdn.com/ajax/bootstrap/3.3.4/bootstrap.min.js">
</script>
Use the ASP.NET MVC Boilerplate Visual Studio project template to generate a project with all of this and much more built in. You can also view the code on GitHub.