Question

We have an external service that is currently accessible via the http (port 80, non-SSL) and https (port 443, SSL) addresses.

What is the best way to limit connections to only the https address? Is it something we can do via IIS or does it have to be done via code.

Additional info: Regular ASP.NET web service (.asmx) running on IIS on Windows 2003 server. Service is built with C# on .NET 3.5.

Was it helpful?

Solution

Just to clarify Greg's point 1. IIS Manager > Site properties > Directory Security > Secure Communications > Require Secure Channel (SSL)

OTHER TIPS

  1. Require SSL on the application
  2. In a custom error page for the 403 redirect the browser to the incoming URL, changing http to https along the way.

Note: Keep port 80 open for this - or there won't be a server to listen for requests to redirect.

Is just not accepting any connections on port 80 an option? I'm a complete web server noob so I don't know if the server can operate without an unsecured listen port but if the server can operate only listen on port 443 that would seem to be simplest option.

Another option would be a redirect from the unsecure port to the secure one

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top