我在谷歌和StackOverflow周围搜索,试图找到一个解决方案,但他们似乎都与ASP有关。净等。
我通常在我的服务器上运行Linux,但对于这个客户端,我使用带有IIS 7.5(和Plesk 10)的Windows。这就是为什么我对IIS和web有点不熟悉的原因。配置文件。在.htaccess文件中,您可以使用重写条件来检测协议是否为HTTPS并相应地重定向。有没有一个简单的方法来实现这一点使用网络。配置文件,甚至使用'URL重写'模块,我已经安装?
我没有ASP的经验。NET因此,如果这涉及到解决方案,那么请包括如何实现的明确步骤。
我这样做的原因是。配置而不是PHP是我想强制HTTPS在网站内的所有资产。
对于那些使用ASP。净MVC。您可以使用requirehttpattribute强制所有响应为HTTPS:
GlobalFilters.Filters.Add(new RequireHttpsAttribute());
你可能还想做其他事情来帮助保护你的网站:
Force Anti-Forgery tokens to use SSL/TLS:
AntiForgeryConfig.RequireSsl = true;
Require Cookies to require HTTPS by default by changing the Web.config file:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
Use the NWebSec.Owin NuGet package and add the following line of code to enable Strict Transport Security (HSTS) across the site. Don't forget to add the Preload directive below and submit your site to the HSTS Preload site. More information here and here. Note that if you are not using OWIN, there is a Web.config method you can read up on on the NWebSec site.
// app is your OWIN IAppBuilder app in Startup.cs
app.UseHsts(options => options.MaxAge(days: 720).Preload());
Use the NWebSec.Owin NuGet package and add the following line of code to enable Public Key Pinning (HPKP) across the site. More information here and here.
// app is your OWIN IAppBuilder app in Startup.cs
app.UseHpkp(options => options
.Sha256Pins(
"Base64 encoded SHA-256 hash of your first certificate e.g. cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=",
"Base64 encoded SHA-256 hash of your second backup certificate e.g. M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=")
.MaxAge(days: 30));
Include the https scheme in any URL's used. Content Security Policy (CSP) HTTP header and Subresource Integrity (SRI) do not play nice when you imit the scheme in some browsers. It is better to be explicit about HTTPS. e.g.
<script src="https://ajax.aspnetcdn.com/ajax/bootstrap/3.3.4/bootstrap.min.js">
</script>
Use the ASP.NET MVC Boilerplate Visual Studio project template to generate a project with all of this and much more built in. You can also view the code on GitHub.
你需要URL重写模块,最好是v2(我没有安装v1,所以不能保证它会在那里工作,但它应该)。
这是一个这样的网络的例子。config——它将强制所有资源使用HTTPS(使用301永久重定向):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="Redirect to https" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
注:
这个特殊的解决方案与ASP没有任何关系。NET/PHP或任何其他技术,因为它只使用URL重写模块完成——在请求到达代码执行点之前,它在初始/较低的级别之一进行处理。
在.Net Core中,请遵循https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl上的说明
在startup.cs中添加以下内容:
// Requires using Microsoft.AspNetCore.Mvc;
public void ConfigureServices(IServiceCollection services)
{
services.Configure<MvcOptions>(options =>
{
options.Filters.Add(new RequireHttpsAttribute());
});`enter code here`
要将Http重定向到Https,请在startup.cs . xml文件中添加以下内容
// Requires using Microsoft.AspNetCore.Rewrite;
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
var options = new RewriteOptions()
.AddRedirectToHttps();
app.UseRewriter(options);
当您在AWS上使用带有应用程序负载均衡器的IIS 10时,必须按以下方式配置重定向。
<rule name="Force HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_X_Forwarded_Proto}" pattern="^https$" negate="true" />
<add input="{HTTP_HOST}" pattern="^(www\.)?dname\.com$" />
</conditions>
<action type="Redirect" url="https://www.dname.com{REQUEST_URI}" />
</rule>
如果你有子域重定向使用如下:
<!--START REDIRECT TO HTTPS-->
<rule name="Force HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_X_Forwarded_Proto}" pattern="^https$" negate="true" />
<add input="{HTTP_HOST}" pattern="subdomain\.domain\.com$" />
</conditions>
<action type="Redirect" url="https://subdomain.domain.com{REQUEST_URI}" />
</rule>
<!--END REDIRECT TO HTTPS-->