How to convert whole ASP.net site to https

Madhuri Kadam 1 Reputation point
2021-06-18T19:19:52.65+00:00

Hello ,

We have old ASp.net MVC application that needs to be converted to https.
I do not have a lot of experience with ASP.net so struggling with this issue

The application has a default Webpage and multiple tabs , where each tab is new aspx page.

I have downloaded the cert and installed on the webserver and associated the cert to site with 443 binding.
Also downloaded Url Rewrite module and added the rewrite rules to route any http to https.

All this works well when both port 80 and port 443 are enabled in the bindings

However, when I remove port 80 binding and keep just port 443 , when I browse the application , the startup page loads fine with https , however when I click tab to go to another page and it goes to http by default and gives 404 error (not found).
If I change url manually to https for any aspx page it works.

How do I make sure all the pages on website are only using https (443), as we need to remove port 80.

Am I missing any conifguration ?

Below is the redirect rule from web.config

<rewrite>
<rules>
<rule name="HTTP to HTTPS Redirection" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
</rewrite>

Thank you and appreciate any help !!

ASP.NET
ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.
3,246 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Yijing Sun-MSFT 7,061 Reputation points
    2021-06-21T06:55:27.14+00:00

    Hi @Madhuri Kadam ,
    As far as I think,you could use HTTP Strict Transport Security and force HTTPS for ALL resources.Just like this: 

    <?xml version="1.0" encoding="UTF-8"?>  
<configuration>  
    <system.webServer>  
        <rewrite>  
            <rules>  
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">  
                    <match url="(.*)" />  
                    <conditions>  
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />  
                    </conditions>  
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"  
                        redirectType="Permanent" />  
                </rule>  
            </rules>  
            <outboundRules>  
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">  
                    <match serverVariable="RESPONSE_Strict_Transport_Security"  
                        pattern=".*" />  
                    <conditions>  
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />  
                    </conditions>  
                    <action type="Rewrite" value="max-age=31536000" />  
                </rule>  
            </outboundRules>  
        </rewrite>  
    </system.webServer>  
</configuration>

    More details,you could refer to below article:
    https://stackoverflow.com/questions/47089/best-way-in-asp-net-to-force-https-for-an-entire-site
    Best regards,
    Yijing Sun

    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our  documentation  to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. PatriceSc 166 Reputation points
    2021-06-24T14:15:20.127+00:00

    Hi,

    Usually you try to write your app so that it keeps using the current protocol which is quite easy. Here it seems you created links by hardcoding http rather than based on the current protocol?

    HSTS is a security feature to instruct the browser to always use https rather than http for a given site. As pointed already it could be used as a workaround so that you don't have right now to fix all those wrong links (could be still better to consider fixing them later).

    0 comments