redirect http to https

[c676228]

Hi all,
I am trying to set this up using asp code and IIS configuration. But it
seems not working. Here it is the way I am doing.
In IIS I set up a virtual directory with secure communication, I checked
require secure channel, require 128-bit encryption. In custom error, instead
of using default message
HTTP 403.4 - Forbidden: SSL required
Internet Information Services
in iishelp 403.4htm, I am trying to do redirect automatically.
so I have a small code from internet like this in my virtual directory:
redirect.asp
<%If Request.ServerVariables("SERVER_PORT")=80 Then
Dim strQUERY_STRING
Dim strSecureURL
Dim strWork

' Get server variables
strQUERY_STRING = Request.ServerVariables("QUERY_STRING")

' Fix the query string:
strWork = Replace(strQUERY_STRING,"http","https")
strWork = Replace(strWork,"403;","")

' Now, set the new, secure URL:
strSecureURL = strWork
'response.write(strSecureURL) ' uncomment for sanity check.
Response.Redirect strSecureURL
End If %>
But it seems not working, it only have a message like this:

With custom error set up URL to /myvirtualdirectory/redrect.asp
I got this error message:
Secure Channel Required
This Virtual Directory requires a browser that supports the configured
encryption options.

If I set up custom error file to redirect.asp, this file will be displayed,
it seems this points to the right place, it just somehow didn't executed.
can you give me a clue?
Thank you.
Betty

 

[Mark J. McGinty]

Hi all,
I am trying to set this up using asp code and IIS configuration. But it
seems not working. Here it is the way I am doing.
In IIS I set up a virtual directory with secure communication, I checked
require secure channel, require 128-bit encryption. In custom error,
instead
of using default message
HTTP 403.4 - Forbidden: SSL required
Internet Information Services
in iishelp 403.4htm, I am trying to do redirect automatically.

By setting it to require SSL you have precluded it from accepting non-secure
requests, which I believe will prevent IIS from acting on a server-side
redirect. You might be able to make it happen on the client side, by
generating a page with a refresh meta-header, or client script. If not, you
will need to setup two virtual servers, one for HTTPS and the other for
HTTP, using the same IP or domain name (if using host headers.)

-Mark

 

[Evertjan.]

Mark J. McGinty wrote on 26 mei 2007 in
microsoft.public.inetserver.asp.general:

By setting it to require SSL you have precluded it from accepting
non-secure requests, which I believe will prevent IIS from acting on a
server-side redirect. You might be able to make it happen on the
client side, by generating a page with a refresh meta-header, or
client script. If not, you will need to setup two virtual servers,
one for HTTPS and the other for HTTP, using the same IP or domain name
(if using host headers.)

request.redirect invokes a clientside action,
I believe by sending an appropriate header.

It seems the [which?] browser does not like that header.

 

[Mark J. McGinty]

Mark J. McGinty wrote on 26 mei 2007 in
microsoft.public.inetserver.asp.general:


request.redirect invokes a clientside action,
I believe by sending an appropriate header.

Yes the client acts on it, but status 302 is generated by the server (as
opposed to being part of served content) which may well be why this status
is commonly referred to as a server redirect. My assumption, based on
observation, is that IIS declines to perform the server-side scripted
redirect because of security issues raised by the initial request. (IOW, I
have seen that what the OP is trying to do, doesn't work; since the exact
reason isn't documented, and MS has declined to share IIS sources with me,
I'm left with only my assumptions.)

It seems the [which?] browser does not like that header.

As if all IIS default error messages are perfectly accurate, fully descript,
and entirely based upon fact? IE is clearly thus capable, yet this error is
displayed by it as easily as by whatever sleazy niche browsers might be out
there that do not support SSL.

If you consider end-user level error messages to be empiracle... hmm... you
wouldn't happen to be interested in buying vacation property in the Florida
Everglades?


-Mark

 

[c676228]

Hi Mark and Evertjan,
Thanks for the replies. Here is another way I got from the internet.
It is not working in IIS5.0:

Create one HTML page[say Redirectssl.htm] with Folowing Javascript code :
<SCRIPT type=text/javascript>
<!--
if (location.protocol != 'https:')
{
window.location = 'https://'+ location.host + location.pathname +
location.search;
//alert(location.host + location.pathname + location.search); Just for
sanity check

}
// -->
</SCRIPT>
Just Save this page in root directory of WebSite & Follow the steps :
1)Replac the 403.4[Message type be FILE] in IIS 6 with a Redirectssl.htm
file that contains the above Javascript.
2)Save changes & Restart IIS admin[not mandatory]


But it is not working for me? can you help? t
--
Betty

Mark J. McGinty wrote on 26 mei 2007 in
microsoft.public.inetserver.asp.general:


request.redirect invokes a clientside action,
I believe by sending an appropriate header.

Yes the client acts on it, but status 302 is generated by the server (as
opposed to being part of served content) which may well be why this status
is commonly referred to as a server redirect. My assumption, based on
observation, is that IIS declines to perform the server-side scripted
redirect because of security issues raised by the initial request. (IOW, I
have seen that what the OP is trying to do, doesn't work; since the exact
reason isn't documented, and MS has declined to share IIS sources with me,
I'm left with only my assumptions.)

With custom error set up URL to /myvirtualdirectory/redrect.asp
I got this error message:
Secure Channel Required
This Virtual Directory requires a browser that supports the configured
encryption options.

It seems the [which?] browser does not like that header.

As if all IIS default error messages are perfectly accurate, fully descript,
and entirely based upon fact? IE is clearly thus capable, yet this error is
displayed by it as easily as by whatever sleazy niche browsers might be out
there that do not support SSL.

If you consider end-user level error messages to be empiracle... hmm... you
wouldn't happen to be interested in buying vacation property in the Florida
Everglades?


-Mark

 

[Mark J. McGinty]

Hi Mark and Evertjan,
Thanks for the replies. Here is another way I got from the internet.
It is not working in IIS5.0:

Create one HTML page[say Redirectssl.htm] with Folowing Javascript code :
<SCRIPT type=text/javascript>
<!--
if (location.protocol != 'https:')
{
window.location = 'https://'+ location.host + location.pathname +
location.search;
//alert(location.host + location.pathname + location.search); Just for
sanity check

}
// -->
</SCRIPT>
Just Save this page in root directory of WebSite & Follow the steps :
1)Replac the 403.4[Message type be FILE] in IIS 6 with a Redirectssl.htm
file that contains the above Javascript.
2)Save changes & Restart IIS admin[not mandatory]


But it is not working for me? can you help? t

Define "not working for me."


-Mark

--
Betty

Mark J. McGinty wrote on 26 mei 2007 in
microsoft.public.inetserver.asp.general:

By setting it to require SSL you have precluded it from accepting
non-secure requests, which I believe will prevent IIS from acting on a
server-side redirect. You might be able to make it happen on the
client side, by generating a page with a refresh meta-header, or
client script. If not, you will need to setup two virtual servers,
one for HTTPS and the other for HTTP, using the same IP or domain name
(if using host headers.)

request.redirect invokes a clientside action,
I believe by sending an appropriate header.

Yes the client acts on it, but status 302 is generated by the server (as
opposed to being part of served content) which may well be why this
status
is commonly referred to as a server redirect. My assumption, based on
observation, is that IIS declines to perform the server-side scripted
redirect because of security issues raised by the initial request. (IOW,
I
have seen that what the OP is trying to do, doesn't work; since the exact
reason isn't documented, and MS has declined to share IIS sources with
me,
I'm left with only my assumptions.)

With custom error set up URL to /myvirtualdirectory/redrect.asp
I got this error message:
Secure Channel Required
This Virtual Directory requires a browser that supports the
configured
encryption options.

It seems the [which?] browser does not like that header.

As if all IIS default error messages are perfectly accurate, fully
descript,
and entirely based upon fact? IE is clearly thus capable, yet this error
is
displayed by it as easily as by whatever sleazy niche browsers might be
out
there that do not support SSL.

If you consider end-user level error messages to be empiracle... hmm...
you
wouldn't happen to be interested in buying vacation property in the
Florida
Everglades?


-Mark

 

[c676228]

Hi Mark,
Not working, meaning when I entered http://xxxx.com, it didn't do anything
and not redirect to https://, just stay as http:// protocol.

I finally figure out to do this way on serverside:
If Request.ServerVariables("HTTPS") = "off" Then
Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") &
Request.ServerVariables("URL") & "?"
&Request.ServerVariables("QUERY_STRING")End If

But I am not sure if this is dependable.
--
Betty

Hi Mark and Evertjan,
Thanks for the replies. Here is another way I got from the internet.
It is not working in IIS5.0:

Create one HTML page[say Redirectssl.htm] with Folowing Javascript code :
<SCRIPT type=text/javascript>
<!--
if (location.protocol != 'https:')
{
window.location = 'https://'+ location.host + location.pathname +
location.search;
//alert(location.host + location.pathname + location.search); Just for
sanity check

}
// -->
</SCRIPT>
Just Save this page in root directory of WebSite & Follow the steps :
1)Replac the 403.4[Message type be FILE] in IIS 6 with a Redirectssl.htm
file that contains the above Javascript.
2)Save changes & Restart IIS admin[not mandatory]


But it is not working for me? can you help? t

Define "not working for me."


-Mark

--
Betty

Mark J. McGinty wrote on 26 mei 2007 in
microsoft.public.inetserver.asp.general:

By setting it to require SSL you have precluded it from accepting
non-secure requests, which I believe will prevent IIS from acting on a
server-side redirect. You might be able to make it happen on the
client side, by generating a page with a refresh meta-header, or
client script. If not, you will need to setup two virtual servers,
one for HTTPS and the other for HTTP, using the same IP or domain name
(if using host headers.)

request.redirect invokes a clientside action,
I believe by sending an appropriate header.

Yes the client acts on it, but status 302 is generated by the server (as
opposed to being part of served content) which may well be why this
status
is commonly referred to as a server redirect. My assumption, based on
observation, is that IIS declines to perform the server-side scripted
redirect because of security issues raised by the initial request. (IOW,
I
have seen that what the OP is trying to do, doesn't work; since the exact
reason isn't documented, and MS has declined to share IIS sources with
me,
I'm left with only my assumptions.)

With custom error set up URL to /myvirtualdirectory/redrect.asp
I got this error message:
Secure Channel Required
This Virtual Directory requires a browser that supports the
configured
encryption options.

It seems the [which?] browser does not like that header.

As if all IIS default error messages are perfectly accurate, fully
descript,
and entirely based upon fact? IE is clearly thus capable, yet this error
is
displayed by it as easily as by whatever sleazy niche browsers might be
out
there that do not support SSL.

If you consider end-user level error messages to be empiracle... hmm...
you
wouldn't happen to be interested in buying vacation property in the
Florida
Everglades?


-Mark

 

[Mark J. McGinty]

Hi Mark,
Not working, meaning when I entered http://xxxx.com, it didn't do anything
and not redirect to https://, just stay as http:// protocol.

What was the content of the error page you were left on? Did you view
source? Did a script error occur, or did an error file other than the one
you expected get sent down from the server? My first-line reality check
would've been to make the error page content visibly different (in addition
to the added script.)

I finally figure out to do this way on serverside:
If Request.ServerVariables("HTTPS") = "off" Then
Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") &
Request.ServerVariables("URL") & "?"
&Request.ServerVariables("QUERY_STRING")End If

But I am not sure if this is dependable.

Is that not exactly where we started this thread? Oh, I see, you're using a
different server variable...

As far as dependability goes, I usually like to find out what was wrong with
the things that didn't work, as understanding failure can be key to
understanding success.

Just to be on the safe side, I'd make the content of that error page a
little friendlier than the default one that comes with the server. If you
include a link to the site on it, worst case if it fails is the user will
have to click the link -- if you tack on a easily recognizable and
adequately unique [do-nothing] parameter, you can even monitor how often the
link is used, by scanning the server logs.

-Mark

Betty

Hi Mark and Evertjan,
Thanks for the replies. Here is another way I got from the internet.
It is not working in IIS5.0:

Create one HTML page[say Redirectssl.htm] with Folowing Javascript code
:
<SCRIPT type=text/javascript>
<!--
if (location.protocol != 'https:')
{
window.location = 'https://'+ location.host + location.pathname +
location.search;
//alert(location.host + location.pathname + location.search); Just for
sanity check

}
// -->
</SCRIPT>
Just Save this page in root directory of WebSite & Follow the steps :
1)Replac the 403.4[Message type be FILE] in IIS 6 with a
Redirectssl.htm
file that contains the above Javascript.
2)Save changes & Restart IIS admin[not mandatory]


But it is not working for me? can you help? t

Define "not working for me."


-Mark

--
Betty


:


Mark J. McGinty wrote on 26 mei 2007 in
microsoft.public.inetserver.asp.general:

By setting it to require SSL you have precluded it from accepting
non-secure requests, which I believe will prevent IIS from acting
on a
server-side redirect. You might be able to make it happen on the
client side, by generating a page with a refresh meta-header, or
client script. If not, you will need to setup two virtual servers,
one for HTTPS and the other for HTTP, using the same IP or domain
name
(if using host headers.)

request.redirect invokes a clientside action,
I believe by sending an appropriate header.

Yes the client acts on it, but status 302 is generated by the server
(as
opposed to being part of served content) which may well be why this
status
is commonly referred to as a server redirect. My assumption, based on
observation, is that IIS declines to perform the server-side scripted
redirect because of security issues raised by the initial request.
(IOW,
I
have seen that what the OP is trying to do, doesn't work; since the
exact
reason isn't documented, and MS has declined to share IIS sources with
me,
I'm left with only my assumptions.)

With custom error set up URL to /myvirtualdirectory/redrect.asp
I got this error message:
Secure Channel Required
This Virtual Directory requires a browser that supports the
configured
encryption options.

It seems the [which?] browser does not like that header.

As if all IIS default error messages are perfectly accurate, fully
descript,
and entirely based upon fact? IE is clearly thus capable, yet this
error
is
displayed by it as easily as by whatever sleazy niche browsers might
be
out
there that do not support SSL.

If you consider end-user level error messages to be empiracle...
hmm...
you
wouldn't happen to be interested in buying vacation property in the
Florida
Everglades?


-Mark