0

I have a WCF (svs) web service, that is running on a Windows 2008 IIS web server.

The IIS server already has a SSL certificate installed and is hosting Classic ASP, and PHP over both HTTP and HTTPS.

I have installed the WCF service as a application on the IIS server (on the same domain) and it can serve requests using both HTTP and HTTPS perfectly.

However, I want this WCF service to ONLY serve HTTPS requests and responses.

What do I need to change within the WCF web.config to achieve this ?

UPDATE

Following on from my post above, I've managed to research the following which appears to work using the web.config file;

<system.serviceModel>
    <services>
     <service behaviorConfiguration="returnFaults" name="MyService.MonitorService">
      <endpoint binding="wsHttpBinding" bindingConfiguration=
            "TransportSecurity" contract="MyService.IMonitorSvc" />
     </service>
   </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="returnFaults">
          <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
        <wsHttpBinding>
           <binding name="TransportSecurity">
                 <security mode="Transport">
                  <transport clientCredentialType="None"/>
                  </security>
            </binding>
          </wsHttpBinding>
    </bindings>
    <protocolMapping>
        <add binding="basicHttpsBinding" scheme="https" />
    </protocolMapping>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>

Can anyone confirm that this is the correct approach for a WCF service, to enforce that all requests are made via HTTPS (SSL) ?

Basically using the above, would a user be able to make a HTTP request to the service or not ? Or would the service always enforce HTTPS

Thanks for the clarification.

neildt
  • 5,101
  • 10
  • 56
  • 107
  • Use the IIS URL Redirect to match all http:// requests and redirect to https:// ? – NWard Oct 09 '13 at 15:53
  • My preference is to NOT enforce HTTPS within IIS, since if I move the service to another domain, I need to configure IIS again, and it could be something that is forgotten to be done. I prefer to do it in the code/web.config somehow – neildt Oct 09 '13 at 15:53
  • The IIS URL Redirect just appends a node to your application's web.config file, so it should be easily portable. – NWard Oct 09 '13 at 18:35

1 Answers1

2

Use the Microsoft URL Rewrite module and then add the following into your web.config file:

<system.webServer>
    <rewrite>
        <rules>
            <clear />
            <rule name="Redirect to https" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

If this isn't acceptable (as you will have to remember to add this module in other deployments), then this answer points out how to write your own https redirector.

I'm not completely sure about it, but you might be able to use System.Web.HttpContext.Current.Request.IsSecureConnection to check within your actual code as well.

Community
  • 1
  • 1
Rob Church
  • 6,783
  • 3
  • 41
  • 46