I have searched around Google and StackOverflow trying to find a solution, but they all seem to relate to ASP.NET etc.
I normally run Linux on my servers, but for this client I am using Windows with IIS 7.5 (and Plesk 10). This is why I am a little unfamiliar with IIS and web.config files. In a .htaccess file you can use rewrite conditions to detect whether the protocol is HTTPS and redirect accordingly. Is there a simple way to achieve this using the web.config file, or even using the 'URL Rewrite' module, which I have installed?
I have no experience with ASP.NET, so if that is involved in the solution, please include clear steps on how to implement it.
The reason I am doing this in web.config rather than PHP is that I want to force HTTPS on all assets within the site.
You need the URL Rewrite module, preferably v2 (I do not have v1 installed, so I cannot guarantee it will work there, but it should).
Here is an example of such a web.config; it will force HTTPS for all resources (using a 301 Permanent redirect):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="Redirect to https" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Note:
This particular solution has nothing to do with ASP.NET/PHP or any other technology, as it is done using the URL Rewrite module only, which processes the request at one of the initial/lower levels, before the request reaches the point where your code is executed.
For those using ASP.NET MVC, you can use RequireHttpsAttribute to force all responses to be HTTPS:
GlobalFilters.Filters.Add(new RequireHttpsAttribute());
You may also want to do other things to help secure your site:
Force Anti-Forgery tokens to use SSL/TLS:
AntiForgeryConfig.RequireSsl = true;
Require Cookies to require HTTPS by default by changing the Web.config file:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
Use the NWebSec.Owin NuGet package and add the following line of code to enable Strict Transport Security (HSTS) across the site. Don't forget to add the Preload directive below and submit your site to the HSTS Preload site. More information here and here. Note that if you are not using OWIN, there is a Web.config method you can read up on on the NWebSec site.
// app is your OWIN IAppBuilder app in Startup.cs
app.UseHsts(options => options.MaxAge(days: 720).Preload());
Use the NWebSec.Owin NuGet package and add the following line of code to enable Public Key Pinning (HPKP) across the site. More information here and here.
// app is your OWIN IAppBuilder app in Startup.cs
app.UseHpkp(options => options
.Sha256Pins(
"Base64 encoded SHA-256 hash of your first certificate e.g. cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=",
"Base64 encoded SHA-256 hash of your second backup certificate e.g. M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=")
.MaxAge(days: 30));
Include the https scheme in any URLs used. Content Security Policy (CSP) HTTP header and Subresource Integrity (SRI) do not play nice when you omit the scheme in some browsers. It is better to be explicit about HTTPS. e.g.
<script src="https://ajax.aspnetcdn.com/ajax/bootstrap/3.3.4/bootstrap.min.js">
</script>
Use the ASP.NET MVC Boilerplate Visual Studio project template to generate a project with all of this and much more built in. You can also view the code on GitHub.
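The answer above lists headers and markup to change but gives no way to confirm that a deployed site actually sends them. The following is an added example, not code from the answer, from NWebSec or from the Boilerplate template: a small offline audit that takes a captured set of response headers and the HTML body and reports what is missing. It checks the Strict-Transport-Security value against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), Set-Cookie values for the Secure and HttpOnly flags that requireSSL and httpOnlyCookies produce, and scheme-relative "//host/..." src or href URLs of the kind the answer says to spell out as https://. The sample responses (WEAK_* and HARDENED_*) are constructed for the demonstration; the function names are my own.

```python
"""Audit an HTTP response for the transport hardening described above.

Added example (constructed data, hypothetical function names). It never
touches the network: feed it headers and a body you captured yourself.
"""
import re
from html.parser import HTMLParser

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def check_hsts(value):
    """Return a list of problems with a Strict-Transport-Security header value."""
    problems = []
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["missing or non-numeric max-age"]
    if max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing (required for preload)")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


def check_cookie(set_cookie):
    """Return a list of problems with a Set-Cookie header value."""
    # Attributes follow the first ';'; compare names case-insensitively.
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append("Secure flag missing")
    if "httponly" not in attrs:
        problems.append("HttpOnly flag missing")
    return problems


class SchemeRelativeFinder(HTMLParser):
    """Collect src/href values that start with '//' (scheme inherited from the page)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.startswith("//"):
                self.found.append(value)


def find_scheme_relative_urls(html):
    parser = SchemeRelativeFinder()
    parser.feed(html)
    return parser.found


def audit_response(headers, body=""):
    """headers: list of (name, value) pairs as received. Returns a list of findings."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    if "strict-transport-security" not in by_name:
        findings.append("HSTS: header missing")
    else:
        findings += ["HSTS: " + p for p in check_hsts(by_name["strict-transport-security"][0])]
    for cookie in by_name.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        findings += [f"cookie {cookie_name}: {p}" for p in check_cookie(cookie)]
    for url in find_scheme_relative_urls(body):
        findings.append(f"scheme-relative resource URL: {url}")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
]
WEAK_BODY = '<script src="//ajax.aspnetcdn.com/ajax/bootstrap/3.3.4/bootstrap.min.js"></script>'

HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=62208000; includeSubDomains; preload"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly"),
]
HARDENED_BODY = '<script src="https://ajax.aspnetcdn.com/ajax/bootstrap/3.3.4/bootstrap.min.js"></script>'

if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY), ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, audit_response(hdrs, body) or "no findings")
```

Run it against the headers of the first response your site returns over HTTPS; a result of no findings for the hardened sample shows what the MaxAge(days: 720) value from the answer looks like on the wire (62208000 seconds) once includeSubDomains and preload are also present.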
To supplement LazyOne's answer, here is an annotated version of the answer.
<rewrite>
<rules>
<clear />
<rule name="Redirect all requests to https" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action
type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>
</rewrite>
Clear all the other rules that might already been defined on this server. Create a new rule, that we will name "Redirect all requests to https". After processing this rule, do not process any more rules! Match all incoming URLs. Then check whether all of these other conditions are true: HTTPS is turned OFF. Well, that's only one condition (but make sure it's true). If it is, send a 301 Permanent redirect back to the client at http://www.foobar.com/whatever?else=the#url-contains. Don't add the query string at the end of that, because it would duplicate the query string!
Here is what the elements, attributes, and some of the values mean.
clear removes all server rules that we might otherwise inherit.
rule defines a rule.
name an arbitrary (though unique) name for the rule.
stopProcessing whether to forward the request immediately to the IIS request pipeline or first to process additional rules.
match when to run this rule.
url a pattern against which to evaluate the URL
conditions additional conditions about when to run this rule; conditions are processed only if there is first a match.
logicalGrouping whether all the conditions must be true (MatchAll) or any of the conditions must be true (MatchAny); similar to AND vs OR.
add adds a condition that must be met.
input the input that a condition is evaluating; input can be server variables.
pattern the standard against which to evaluate the input.
ignoreCase whether capitalization matters or not.
action what to do if the match and its conditions are all true.
type can generally be redirect (client-side) or rewrite (server-side).
url what to produce as a result of this rule; in this case, concatenate https:// with two server variables.
redirectType what HTTP redirect to use; this one is a 301 Permanent.
appendQueryString whether to add the query string at the end of the resultant url or not; in this case, we are setting it to false, because the {REQUEST_URI} already includes it.
The server variables are
{HTTPS}, which is either off or on,
{HTTP_HOST}, which is www.mysite.com, and
{REQUEST_URI}, which contains the rest of the URI, e.g. /home?key=value
The browser handles the # fragment (see LazyOne's comment).
See also: https://www.iis.net/learn/extensions/url-rewrite-module/url-rewrite-module-configuration-reference
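The two rewrite-rule answers above describe what each attribute does but you cannot see the result without deploying to IIS. The following is an added example, not part of either answer: a small Python simulation that parses the same web.config fragment and applies the rule the way the URL Rewrite module's documentation describes it (match url against the path without leading slash or query string, expand {HTTPS}/{HTTP_HOST}/{REQUEST_URI}, then build the Redirect location). It is a model of the documented behaviour, not the module's own code; the server-variable construction and the rewritten_with helper are my own, and the request URLs are constructed. It also flips appendQueryString to true so the duplicated query string that both answers warn about is visible.

```python
"""Simulate the IIS URL Rewrite rule from this thread against sample requests.

Added example (hypothetical helper names, constructed inputs). The regex
patterns in the rule are simple enough that Python's re behaves like the
module's .NET regex engine here.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Inline copy of the web.config fragment from LazyOne's answer.
WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <rule name="Redirect to https" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                  redirectType="Permanent" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""

STATUS = {"Permanent": 301, "Found": 302, "SeeOther": 303, "Temporary": 307}


def load_rules(xml_text):
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root.findall("./system.webServer/rewrite/rules/rule")


def rewritten_with(xml_text, **attrs):
    """Parse the rules, then override attributes on each <action> (for what-if runs)."""
    rules = load_rules(xml_text)
    for rule in rules:
        rule.find("action").attrib.update(attrs)
    return rules


def server_variables(request_url):
    """Model the server variables IIS exposes for a request (constructed model)."""
    parts = urlsplit(request_url)
    # {REQUEST_URI} is path plus query string; a #fragment never reaches the server.
    request_uri = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return {
        "HTTPS": "on" if parts.scheme == "https" else "off",
        "HTTP_HOST": parts.netloc,  # taken straight from the client's Host header
        "REQUEST_URI": request_uri,
        "QUERY_STRING": parts.query,
        # <match url> sees the path relative to the site root, no leading slash, no query.
        "_MATCH_URL": parts.path.lstrip("/"),
    }


def expand(template, variables):
    """Replace {NAME} placeholders with server variable values."""
    return re.sub(r"\{(\w+)\}", lambda m: variables.get(m.group(1), ""), template)


def apply_rules(rules, request_url):
    """Return (status, location) for a redirect, or (200, None) when no rule fires."""
    v = server_variables(request_url)
    for rule in rules:
        if not re.search(rule.find("match").get("url"), v["_MATCH_URL"]):
            continue
        conds = rule.find("conditions")
        grouping = conds.get("logicalGrouping", "MatchAll") if conds is not None else "MatchAll"
        results = []
        for cond in (conds.findall("add") if conds is not None else []):
            flags = re.IGNORECASE if cond.get("ignoreCase", "true").lower() == "true" else 0
            results.append(bool(re.search(cond.get("pattern"), expand(cond.get("input"), v), flags)))
        if results and not (all(results) if grouping == "MatchAll" else any(results)):
            continue
        action = rule.find("action")
        if action.get("type") == "Redirect":
            location = expand(action.get("url"), v)
            if action.get("appendQueryString", "true").lower() == "true" and v["QUERY_STRING"]:
                # The module appends the original query string, using '&' if one is already there.
                location += ("&" if "?" in location else "?") + v["QUERY_STRING"]
            return STATUS[action.get("redirectType", "Found")], location
        if rule.get("stopProcessing", "false").lower() == "true":
            break
    return 200, None


if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    for url in ("http://www.mysite.com/home?key=value", "https://www.mysite.com/home?key=value"):
        print(url, "->", apply_rules(rules, url))
    print("appendQueryString=true ->",
          apply_rules(rewritten_with(WEB_CONFIG, appendQueryString="true"),
                      "http://www.mysite.com/home?key=value"))
```

Two things the simulation makes visible. With appendQueryString="true" the Location becomes https://www.mysite.com/home?key=value&key=value, which is why both answers set it to false. And because {HTTP_HOST} is whatever Host header the client sent, the redirect target follows the client: a request for http://attacker.example/login bound to this site is answered with a redirect to https://attacker.example/login. If the site has a single canonical name, putting that name in the action URL instead of {HTTP_HOST} removes that dependency on client input.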