
Serve parts of your site under HTTPS

This article will explain how you can serve specific areas of your site under HTTPS, for example you might have a login page you need to protect or secure documents you want an extra layer of security on.

Before we carry on with the steps to start serving areas of your site under HTTPS, you need to make sure you have an SSL certificate configured on your web server and an HTTPS binding set up against your site. You will also need to be using IIS 7 or above, with the IIS URL Rewrite extension installed on your server.

How to check you have IIS URL Rewrite installed

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager
  2. Click on the main server node; the features panel will be displayed in the right-hand pane
  3. Check that you have the URL Rewrite feature listed

If the URL Rewrite feature isn't listed on that screen, you will need to download and install it. The download can be found on Microsoft's support site.

Set up a redirect rule to serve content under HTTPS

You need to decide which parts of your site will be served under HTTPS. We recommend that login pages, documents and other sensitive information be served under a secure connection. All redirect rules are created in your publishing server's web.config file. This file is edited through the Contensis UI: open the Management Console, and under Project Overview you will find the Publishing Servers. Click the Web Config link listed next to your publishing server to launch the config editor, which is where you will insert the redirect rules. You will need to create two rules.

Redirect folders/pages to HTTPS

In order to redirect non-HTTPS requests to HTTPS we first need to create a rule that checks whether the visitor's current URL is in the list of URLs that we want to secure. We can do this using the match url attribute, which takes a regular expression. For example:

^boardpapers/|^aboutus/securearea/|^account/login\.aspx

There are two special characters that we have deliberately used. The | character acts like an OR operator, i.e. does the URL start with boardpapers/ OR aboutus/securearea/ OR account/login.aspx? The second special character is ^, which matches the starting position of the string. Note that . is also a regular expression metacharacter (it matches any single character), so it is written as \. in login\.aspx to match the literal dot only.

This is useful in practice: you could tell all users to put everything that needs to be secured into a single secure/ folder and write one rule that serves all content in that folder under HTTPS.

Now we need to add one condition to the rule to check that the current request is not already being served using HTTPS. Without this condition we would simply create an endless redirect loop. Take a look below:

<rule name="Redirect non-HTTPS to HTTPS" stopProcessing="true">
    <match url="^boardpapers/|^aboutus/securearea/|^account/login\.aspx" />
    <conditions>
        <!-- only fire when the request is not already on HTTPS -->
        <add input="{HTTPS}" pattern="off" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>

Redirect folders/pages back to HTTP

In addition to the first rule we need a rule to switch HTTPS back to HTTP. This may sound strange at first, but when you serve a page under HTTPS all of the links on that page resolve to HTTPS URLs, because the links are relative to the current page. If this rule didn't exist a user would be served every subsequent page under HTTPS once they hit a page served under a secure connection. This isn't ideal because there is a performance overhead to serving content under HTTPS.

To construct this rule we match all .aspx pages by using "(.*\.aspx)" as the regular expression for the URL. Then we add a condition to check that the current page is being served under HTTPS, plus one negated condition per secure area to check that the URL isn't in our list of URLs that should stay under HTTPS. This is what the rule will look like:

<rule name="Redirect HTTPS to non-HTTPS" stopProcessing="true">
    <match url="(.*\.aspx)" />
    <conditions>
        <add input="{HTTPS}" pattern="on" />
        <!-- {URL} includes the leading slash, so each exclusion starts with "/" -->
        <add input="{URL}" pattern="^/boardpapers/" negate="true" />
        <add input="{URL}" pattern="^/aboutus/securearea/" negate="true" />
        <add input="{URL}" pattern="^/account/login\.aspx" negate="true" />
    </conditions>
    <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>

One thing to note is the difference between the regular expression in rule 1 and the conditions in rule 2. In rule 1 we are using ^boardpapers/ and in rule 2 we are using ^/boardpapers/. The additional forward slash is required because the server variable {URL} returns the path including the leading slash, whereas the match url pattern is applied to the path without the leading slash.

If we piece all of this together then this is the XML that you will need to paste into your web.config file:

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <!-- Rule 1: send requests for the secure areas to HTTPS.
                     The match input has no leading slash, so each pattern starts with the folder name. -->
                <rule name="Redirect non-HTTPS to HTTPS" stopProcessing="true">
                    <match url="^boardpapers/|^aboutus/securearea/|^account/login\.aspx" />
                    <conditions>
                        <!-- only fire when the request is not already on HTTPS, otherwise the rule would loop -->
                        <add input="{HTTPS}" pattern="off" />
                    </conditions>
                    <!-- {REQUEST_URI} already carries the query string, so it is not appended a second time -->
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
                </rule>
                <!-- Rule 2: send .aspx pages outside the secure areas back to HTTP.
                     {URL} includes the leading slash, so each exclusion starts with "/". -->
                <rule name="Redirect HTTPS to non-HTTPS" stopProcessing="true">
                    <match url="(.*\.aspx)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" />
                        <add input="{URL}" pattern="^/boardpapers/" negate="true" />
                        <add input="{URL}" pattern="^/aboutus/securearea/" negate="true" />
                        <add input="{URL}" pattern="^/account/login\.aspx" negate="true" />
                    </conditions>
                    <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

The main thing to remember is that every folder or page to be served under HTTPS needs an entry in each of the two rules: one in the match pattern of rule 1 to redirect it to the HTTPS version, and one negated condition in rule 2 to exclude it from being redirected back to HTTP.
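To check the two rules before pasting them into a live web.config, the following added example (not part of the article or of the Contensis product) parses the rewrite section above, embedded here as a constructed string, evaluates it against sample requests the way the IIS URL Rewrite module does for this subset of its features, and follows the resulting redirects so that a loop shows up as an error rather than as a live outage. It also reproduces the mistake described above (writing the rule 2 condition as ^boardpapers/ without the leading slash) to show that it loops. The host name www.example.com and the page paths are constructed sample values.

```python
"""Evaluator for the two IIS URL Rewrite rules from the article (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The web.config fragment from the article, embedded so the example runs offline.
SITE_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect non-HTTPS to HTTPS" stopProcessing="true">
          <match url="^boardpapers/|^aboutus/securearea/|^account/login\\.aspx" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
        </rule>
        <rule name="Redirect HTTPS to non-HTTPS" stopProcessing="true">
          <match url="(.*\\.aspx)" />
          <conditions>
            <add input="{HTTPS}" pattern="on" />
            <add input="{URL}" pattern="^/boardpapers/" negate="true" />
            <add input="{URL}" pattern="^/aboutus/securearea/" negate="true" />
            <add input="{URL}" pattern="^/account/login\\.aspx" negate="true" />
          </conditions>
          <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""

# Constructed misconfiguration: the rule 2 exclusion written without the leading slash.
BROKEN_CONFIG = SITE_CONFIG.replace('pattern="^/boardpapers/"', 'pattern="^boardpapers/"')


def server_variables(absolute_url):
    """Derive the server variables the rules read from one request URL.

    {URL} keeps the leading slash; the 'match url' pattern is applied to the
    path without it, which is the difference the article points out.
    """
    parts = urlsplit(absolute_url)
    query = "?" + parts.query if parts.query else ""
    return {
        "HTTPS": "on" if parts.scheme == "https" else "off",
        "HTTP_HOST": parts.netloc,
        "URL": parts.path,
        "REQUEST_URI": parts.path + query,
    }


def expand(template, variables):
    """Replace {NAME} placeholders in a rule string with server variable values."""
    return re.sub(r"\{(\w+)\}", lambda m: variables[m.group(1)], template)


def condition_holds(cond, variables):
    """Evaluate one <add input= pattern= negate=> condition (ignoreCase is the IIS default)."""
    value = expand(cond.get("input"), variables)
    hit = re.search(cond.get("pattern"), value, re.IGNORECASE) is not None
    return (not hit) if cond.get("negate", "false").lower() == "true" else hit


def evaluate(config_xml, absolute_url):
    """Return the redirect target chosen by the first rule that fires, or None."""
    variables = server_variables(absolute_url)
    match_input = variables["URL"].lstrip("/")  # match url sees no leading slash
    for rule in ET.fromstring(config_xml).iter("rule"):
        if not re.search(rule.find("match").get("url"), match_input, re.IGNORECASE):
            continue
        conditions = rule.find("conditions")
        adds = conditions.findall("add") if conditions is not None else []
        if not all(condition_holds(c, variables) for c in adds):
            continue  # logicalGrouping="MatchAll" is the default
        action = rule.find("action")
        if action.get("type") == "Redirect":
            return expand(action.get("url"), variables)
        if rule.get("stopProcessing", "false").lower() == "true":
            return None
    return None


def follow(config_xml, absolute_url, limit=5):
    """Follow redirects until a URL is served as-is; raise if they never settle."""
    chain = [absolute_url]
    while (nxt := evaluate(config_xml, chain[-1])) is not None:
        chain.append(nxt)
        if len(chain) > limit:
            raise RuntimeError("redirect loop: " + " -> ".join(chain))
    return chain


if __name__ == "__main__":
    for url in ("http://www.example.com/boardpapers/2012/minutes.aspx",
                "https://www.example.com/news/index.aspx",
                "http://www.example.com/account/login.aspx?ReturnUrl=%2Fboardpapers%2F"):
        print(" -> ".join(follow(SITE_CONFIG, url)))
    try:
        follow(BROKEN_CONFIG, "http://www.example.com/boardpapers/2012/minutes.aspx")
    except RuntimeError as err:
        print(err)
```

Running the script shows each sample request settling after at most one redirect with the article's rules, and the broken variant bouncing between HTTP and HTTPS until the loop guard stops it. The login chain is also worth reading as a reminder of what rule 2 implies: once the user leaves the login page they are back on plain HTTP, so any cookie the login page sets will be sent in clear on those pages unless it is marked as HTTPS-only, which is a trade-off to weigh against the performance argument above.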

If you are planning to serve a large number of pages and folders under HTTPS, there are other ways of creating the rules that may prove easier to manage. In particular, if you are going to serve a lot of individual pages under HTTPS, you should read about Rewrite maps, which keep the list of pages in one place.

For further information on the IIS URL Rewrite extension visit http://learn.iis.net/page.aspx/734/url-rewrite-module/