Asp – Enforcing SSL connection


A) Can you, at the server side, enforce SSL connection ( via selecting Require Secure Channel option ) only per web application, or can you also enforce it per virtual directory or even only per web page?

B) How exactly does enforcing SSL connection work? That if users specify http instead of https protocol ( in requested URL ), the request will automatically get rejected by IIS?


Best Solution

As stated above, 1) SSL can be set at the server, side, or virtual directory.

2) If the server/site/vdir is configured using the "Require Secure Channel" setting, the response from the server will be a "403.4 Forbidden: SSL is required to view this resource." error or a "403.5 Forbidden: SSL 128 is required to view this resource.".

You can actually customize the 403.4 or 403.5 error to redirect back to HTTPS. Create a VDIR under your site with NO SSL Requirement (**This is Important) - I use "CustomError". Create an ASP File inside this directory called 403_4_Error.asp containing the following:

<%@ LANGUAGE="VBScript" %> 
if Request.ServerVariables("HTTPS") <> "on" then
    sServer = Request.ServerVariables("SERVER_NAME")
    sScript = Request.ServerVariables("SCRIPT_NAME")
    sQuery  = Request.ServerVariables("QUERY_STRING")
    Response.Write("https://" & sServer & sScript & "?" & sQuery)
end if

Edit the server/site/vdir's Custom Error property for 403.4/403.5 and set the MessageType to URL and the URL to "/CustomError/403_4_Error.asp".

Note that ASP is used, you could easily use or any other scripting language.