Require SSL but still keep asp.net custom errors

Question

I have asp.net custom errors and they are working great:

<customErrors mode="RemoteOnly" defaultRedirect="~/Error/Index/500">
  <error statusCode="403" redirect="~/Error/Index/403" />
  <error statusCode="404" redirect="~/Error/Index/404" />
  <error statusCode="500" redirect="~/Error/Index/500" />
  <error statusCode="502" redirect="~/Error/Index/502" />
  <error statusCode="503" redirect="~/Error/Index/503" />
  <error statusCode="504" redirect="~/Error/Index/504" />
</customErrors>

Also, the ssl certificate has been successfully installed and my site is accessible just fine from both http and https.

Issue came about when I got a requirement to require SSL. The http link to the site has already been distributed to 1000 users. So we need any traffic going to the http address to be gracefully redirected to the https home page.

Any solution I've tried to get the redirect working breaks the custom errors.

I have this test url that generates an error to test my custom error pages at ~/error/test. It shows my custom error page using the mvc layout.

No matter how I set it up, once I turn on Require SSL within the SSL Settings in IIS, if I turn on any http custom errors (so that the 403.4 redirect is enabled), it doesn't even try to show my custom 500 page. It shows the generic http 500 page.

I want 403.4 handled at http level with a redirect and 500 to be handled at the asp.net level with my custom error page. Which incidentally is not a page but a controller that uses the .net exception which is in a session variable.

How can I accomplish this?

Answer 1

The problem would appear to be the disconnect between the IIS "Requires SSL" feature and the existing links - all this does in IIS is cause it to reject requests that are not issued over HTTP, it does not perform any redirects.

403.4 is a custom IIS sub-status code that means "SSL Required" - if you request the site without SSL you'd get that error - i.e. it's blocking all requests that aren't issued under HTTPS.

The actual response issued is a standard 403 - Forbidden, there's no redirect involved, nor anything to tell the browser that it should be requesting the site over SSL - that's all in the HTML that is returned, and hopefully understood by the user. The error is being issued by IIS before the request is passed to your application to handle, which is why you're not seeing any of your custom errors - either way, if you were seeing your error pages, it would still be the 403 page.

You will therefore need to set-up some form of redirect instead if you need to support initial requests under HTTP.

There are a couple of ways to do this:

Use the UrlRewrite module - but note that this may be a separate install depending on your hosting server. Once that's installed you can do something like:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequireSsl" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="ON" negate="true" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

This will ensure that all requests to the server (static files as well as MVC routes) are redirected to SSL.

Another option is the [RequireHttps] filter attribute which can be added to controllers, actions or the global filters collections, however this will mostly only affect MVC routes - static files could still be served without HTTPS.

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    [...]
    // Add RequireHttps to any existing filters to force all routes to SSL
    filters.Add(new RequireHttpsAttribute());
}

Note that both of these will only cause a client to perform a redirect on a GET requests, most clients will ignore a 301/302 for POST requests as you're not supposed to resubmit a form.

The [RequireHttps] option will only issue a redirect for GET requests, POST requests will return an Invalid Action exception: "Must Use HTTPS".