3

I am trying to enable HTTPS everywhere in my MVC application. In my FilterConfig.cs I have added the following line:

filters.Add(new RequireHttpsAttribute());

However, when navigating to the site, all functionality is available via HTTP, and HTTPS can only be used if the user explicitly specifies this in their browser's address bar.

When this line of code is present in my local version of the app, it stops working, and I can no longer use HTTP (as I would expect).

I am hosting the application on Azure. Am I missing something?

Adam Drewery
  • 1,508
  • 1
  • 17
  • 25
  • Did you follow the instructions for enable SSL to a project listed here? http://azure.microsoft.com/en-us/documentation/articles/web-sites-dotnet-deploy-aspnet-mvc-app-membership-oauth-sql-database/#enable-ssl-for-the-project – rogerdeuce Mar 11 '15 at 16:40
  • Yeah, that only appears to enable SSL locally though. SSL appears to be enabled in Azure regardless of this setting, but not enforced, which is the behavior I'm trying to achieve. – Adam Drewery Mar 11 '15 at 16:56
  • You can add a URL redirect rule to redirect from `http://*` to `https://*`. It's literally the same. See http://stackoverflow.com/questions/1536120/rewriting-urls-from-https-to-http-in-iis7 or similar. – abatishchev Mar 11 '15 at 16:59
  • Are you output caching at all? – Haney Mar 11 '15 at 17:10
  • no output caching at all. – Adam Drewery Mar 11 '15 at 17:30
  • 1
    Not really helpful but it *should* work. I have a number of azure websites with the RequireHttpsAttribute and this redirects from HTTP to HTTPS. – AlexC Mar 11 '15 at 17:32
  • Yeah I've had it working before I'm sure! – Adam Drewery Mar 17 '15 at 13:20

3 Answers3

1

You could accomplish this by using the URLRewrite module. (Download is here)

Then you could just redirect all requests on port 80 to https using a rule in your web.config.

<rewrite>
<rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" />
</rule>
</rewrite>

Note that you can change the redirectType to Permanent if you have search engine bots crawling your site and you are trying to maintain your SEO.

You can add this rule to your Release config so it is only enforced when you deploy to Azure. That way you can run locally on port 80 while you do your development.

mgnoonan
  • 7,060
  • 5
  • 24
  • 27
  • This seems like it's probably the best answer I'm going to get, although it's not ideal! I would much rather find out why the attribute isn't working. – Adam Drewery Mar 17 '15 at 13:22
  • Best I can offer there is to start with a blank MVC project, add the attribute and see if it works. If it does, try to figure out what the difference is. – mgnoonan Mar 18 '15 at 20:01
  • Yeah I'll give that a shot and report back. Cheers. :) – Adam Drewery Mar 20 '15 at 11:43
1

I was using AllowAnonymous and OverrideAuthorization attribute on a few of my controllers and it seemed that this overrode RequireHttpsAttribute, which I had registered with my GlobalFilterCollection.

odyth
  • 4,324
  • 3
  • 37
  • 45
0

Make sure you have an http endpoint and binding defined (in addition to the https endpoint and binding) in your csdef. Specifically:

<InputEndpoint name="HttpEndpoint" protocol="http" port="80" />

and

<Binding name="HttpEndpoint" endpointName="HttpEndpoint" />
user2324268
  • 21
  • 1