Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforcing SSL #135

Closed
danroth27 opened this issue Apr 21, 2015 · 11 comments · Fixed by #3000
Closed

Enforcing SSL #135

danroth27 opened this issue Apr 21, 2015 · 11 comments · Fixed by #3000
Assignees
@Rick-Anderson
Labels
Pri0 Urgent priority Pri1
Milestone
2017-Quarter 1

Comments

@danroth27
Copy link
Member

ASP.NET MVC -> Security -> Enforcing SSL
@danroth27 danroth27 added this to the 1.0.0-rc2 milestone Dec 15, 2015
@danroth27 danroth27 added the mvc label Dec 15, 2015
@danroth27 danroth27 added the Pri1 label Feb 16, 2016
@jak-hammond
Copy link

This is how I'm currently implementing an enforcement of SSL, registering it as a piece of middleware. Granted I could probably improve things by stripping out the searching for localhost and instead use the new environment variables, but sometimes in production I will need to check on the local server and this prevents the SSL cert warnings, minor point so might be safer to move to environment variables.

public async Task Invoke(HttpContext context)
{
    var req = context.Request;
    var portDelim = req.Host.ToUriComponent().IndexOf(":", StringComparison.OrdinalIgnoreCase);
    var host = portDelim != -1 ? req.Host.ToUriComponent().Substring(0, portDelim) : req.Host.ToUriComponent();
    if (req.IsHttps || host.Equals("localhost", StringComparison.OrdinalIgnoreCase))
        await _next.Invoke(context);
    else
    {
        //If it's good enough for MS :)
        //https://github.com/aspnet/Mvc/blob/046cb976b3e899052a95387b72ea4bee6987bff0/src/Microsoft.AspNet.Mvc.Core/RequireHttpsAttribute.cs
        var newUrl = string.Concat(
            "https://",
            req.Host.ToUriComponent(),
            req.PathBase.ToUriComponent(),
            req.Path.ToUriComponent(),
            req.QueryString.ToUriComponent());
        context.Response.Redirect(newUrl, true);
    }
}

@Rick-Anderson
Copy link
Contributor

@Jak893 if you just want to enforce SSL for your MVC app, you can do that in Startup.ConfigureServices

        services.Configure<MvcOptions>(options =>
        {
            options.Filters.Add(new HttpsRequiredAttribute());
        });

@danroth27 danroth27 added the TOC label May 19, 2016
@danroth27 danroth27 modified the milestones: 1.0.0-rc2, 1.0.0 May 22, 2016
@westonpace
Copy link

@Rick-Anderson That solution works great. For users of 1.0.0 onwards it is now...

        services.Configure<MvcOptions>(options => {
            options.Filters.Add(new RequireHttpsAttribute());
        });

@guardrex guardrex mentioned this issue Sep 4, 2016
Closed
@clement911
Copy link

that won't force https for static files though

@Rick-Anderson
Copy link
Contributor

@danroth27 any suggestions for forcing SSL on static files?

@clement911
Copy link

Actually I guess redirection at the mvc level might be sufficient since static files should get requested using the same base url as the page itself...
I'm using
services.AddMvc(options => { options.Filters.Add(new RequireHttpsAttribute()); });
but the problem is that it redirects the https:// (so the default port 443) even though my dev environment has an ssl port of 44372

@Rick-Anderson
Copy link
Contributor

localhost/IIS Express SSL will use 443xx and that all works fine with the code above. I've been using this approach for years.

@tdykstra tdykstra modified the milestones: Backlog, 1.0.0 Dec 5, 2016
@danroth27
Copy link
Member Author

We think we will handle this as part of #977

@webzest
Copy link

webzest commented Feb 5, 2017
edited
Loading

There is a very easy solution to set up Visual Studio 2017 RC2 to run on HTTPS.

  1. In the Solution Explorer, Right-Click on your Project's name and select Properties.
    1a. Click on the Debug area and Click on the Enable SSL Check Box.
    1b. Make a note of the SSL Port, in my case, it was listed as 44390.

  2. Open your Startup.cs file, navigate the ConfigureServices and add the following:

   //make sure the block of code is added below your services.AddMVC();
            services.Configure<MvcOptions>(options =>
            {
                options.SslPort = 44390;
                options.Filters.Add(new RequireHttpsAttribute());
            });
  1. Open your HomeController cs file and add [RequireHttps] right above the class declaration section
    namespace MyWorldTravel.Controllers
    {
        [RequireHttps]
        public class HomeController : Controller
        {
  1. Launch your Application. IT should always launch under HTPPS. This works in development and you might have to install the certificate at the outset. Remember to update the URL when you move to production.

@danroth27
Copy link
Member Author

We have content on this already here: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/accconfirm#require-ssl

@danroth27 danroth27 reopened this Mar 14, 2017
@danroth27
Copy link
Member Author

Actually, it would be better to pull this content out as another article and just link to it.

@danroth27 danroth27 modified the milestones: 2017-Quarter 1, Backlog Mar 14, 2017
@Rick-Anderson Rick-Anderson added the Pri0 Urgent priority label Mar 14, 2017
@Rick-Anderson Rick-Anderson mentioned this issue Mar 17, 2017
Merged
@snyk-bot snyk-bot mentioned this issue Jul 15, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Rick-Anderson Rick-Anderson

Labels
Pri0 Urgent priority Pri1
Projects
None yet
Milestone
2017-Quarter 1
Development

Successfully merging a pull request may close this issue.

move require SSL to it's own doc dotnet/AspNetCore.Docs
7 participants
@jak-hammond @tdykstra @westonpace @danroth27 @clement911 @Rick-Anderson @webzest