NDepend Blog


Migrating from HTTP to HTTPS in an IIS / ASP.NET environment

September 5, 2017 5 minutes read

Google is urging more and more webmasters to move their sites to HTTPS for security reasons. We did this move last week for our IIS / ASP.NET website https://www.NDepend.com and we learned a few tricks along the way. Once you’ve done it once it becomes pretty straightforward, but getting the big picture and handling every detail well is not trivial. So I hope this post will be useful.

HTTPS and Google Analytics Referrals

One reason for moving to HTTPS is that Google Analytics referrals don’t work when the user comes from an HTTPS website. And since most of your referrer websites are likely to be HTTPS already, if you stay on HTTP, your Google Analytics becomes blind.

Notice that once you’ve moved to HTTPS, you still won’t be able to track referrers that come from an HTTP url, which is annoying since most of the time you don’t have edit-access to these urls.

Getting the Certificate

You can get free certificates from LetsEncrypt.com, but they have a 3-month lease. The renewal process can certainly be automated, but instead we ordered a 2-year certificate from gandi.net for only 20 EUR for the two years. For that price you’ll get the minimum and won’t obtain a certificate with the Green Address Bar, which costs around 240 EUR / year.

When ordering the certificate, a CSR (Certificate Signing Request) will be requested. The CSR can be obtained from IIS, as explained here for example, through the menu Generate Certificate Request. A few questions about who you are will be asked, the most important being the Common Name, which will typically be www.yourdomain.com (or, better, use a wildcard, as in *.yourdomain.com). If the Common Name doesn’t match the web site domain, the user will get a warning at browsing time, so this is a sensitive step.

Installing the Certificate in IIS

Once you’ve ordered the certificate, the certificate shop will provide you with a .crt or .cer file with encoded content. This is the certificate. But IIS doesn’t deal with the .crt or .cer formats; it asks for a .pfx file! This is misleading, and the number one explanation on the web is this one on the Michael Richardson blog. Basically you’ll use the IIS menu Complete Certificate Request (which follows the first Generate Certificate Request). Now restart IIS or the server to make sure it picks up the certificate.

Binding the Certificate to the website 443 Port in IIS

At that point the certificate is installed on the server. The certificate needs to be bound to port 443 of your website. First make sure that port 443 is open on your server, and second, use the IIS binding menu on your website. A binding entry will have to be added as shown in the picture below.

Once added just restart the website. Normally, you can now access your website through HTTPS urls. If not, you may have to tweak the DNS pointers somehow, but I cannot comment since we didn’t have a problem with that.

At that point, both HTTPS and HTTP are browsable. HTTP requests need to be redirected to HTTPS to complete the migration.

Important: Subtlety when updating your renewed certificate

When renewing your certificate you will obtain a new certificate with an extended expiration date but with the same common name (remember common name is like www.yourdomain.com). When importing the new certificate in your IIS server store, you will end up with two certificates with the same common name.

[Screenshot: several certificates with the same name in the IIS store]

To bind your site to the new certificate, you will have to select the new certificate in the site binding form. However, the old and new certificates are both shown with the same common name (www.ndepend.com in the screenshot below). This is awkward since there is no expiration date to tell you which one is the newer!!

[Screenshot: several certificates with the same name in the IIS site binding form]

Once you choose one, double-check from your browser that your site certificate date has been updated with the new one. To do so, as shown by the screenshot below, click certificate and check the expiration date. Once checked, you can safely delete the old certificate from your store.

[Screenshot: checking the SSL certificate from the Chrome browser]

301 redirection with Web.Config and IIS UrlRewriter

HTTP to HTTPS redirection can be achieved by modifying the Web.Config file of your ASP.NET website, to tell the IIS Url rewriter how to redirect. After a few attempts based on googling, our redirection rules look like:

If you believe this can be improved, please let me know. At least it works 🙂

  • <add input="{HTTPS}" pattern="off" ignoreCase="true" /> is the main redirection rule that redirects HTTP requests to HTTPS (this is called 301 redirection). You’ll find many sites on the web to test that your 301 redirection works fine.
  • Make sure to double check that urls with GET params are redirected well. On our side, url="https://{HTTP_HOST}{REQUEST_URI}" processes GET params seamlessly.
  • <add input="{URL}" pattern="(.*)XYZ" negate="true" ignoreCase="true"/> is important to avoid HTTP to HTTPS redirection for a page named XYZ. Typically, if you have special pages with POST requests, they might be broken by the HTTPS redirection (most clients replay a redirected POST as a GET and drop the body), and thus the redirection needs to be discarded for those.
  • <add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" /> avoids the HTTPS redirection when testing on localhost.
  • <add input="{HTTP_HOST}" pattern="^www.*" negate="true"/> just transforms ndepend.com requests into www.ndepend.com,
  • and <add input="{HTTP_HOST}" pattern="localhost" negate="true"/> avoids this WWW redirection on localhost.
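
A Web.Config fragment assembled from the conditions quoted in the bullets above, as an added example and not the site's original rules. The rule names, the rule order, the redirect target of the WWW rule and the repeated XYZ exclusion in that rule are assumptions; XYZ stands for the page name as in the bullet.

```xml
<!-- Added example: place inside <configuration>; needs the IIS URL Rewrite module. -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- Rule names are arbitrary (assumption). -->
      <!-- WWW rule first, so a bare-domain HTTP request reaches https://www... in one hop. -->
      <rule name="Add www" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll">
          <!-- Host does not already start with www -->
          <add input="{HTTP_HOST}" pattern="^www.*" negate="true" />
          <!-- No WWW redirection on a developer machine -->
          <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
          <!-- Assumption: keep the POST page XYZ out of this redirect as well -->
          <add input="{URL}" pattern="(.*)XYZ" negate="true" ignoreCase="true" />
        </conditions>
        <!-- {REQUEST_URI} already contains the query string, so it must not be
             appended a second time. -->
        <action type="Redirect" url="https://www.{HTTP_HOST}{REQUEST_URI}"
                redirectType="Permanent" appendQueryString="false" />
      </rule>

      <rule name="HTTP to HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll">
          <!-- Request arrived over plain HTTP -->
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          <!-- Page XYZ is exempt from the redirection -->
          <add input="{URL}" pattern="(.*)XYZ" negate="true" ignoreCase="true" />
          <!-- No HTTPS redirection when testing on localhost -->
          <add input="{HTTP_HOST}" matchType="Pattern"
               pattern="^localhost(:\d+)?$" negate="true" />
        </conditions>
        <!-- redirectType="Permanent" is what produces the 301 status code. -->
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                redirectType="Permanent" appendQueryString="false" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

{HTTP_HOST} is taken from the Host header of the request, so the redirect target reflects whatever host name the client sent; binding the site to explicit host names in IIS keeps other names from reaching these rules. Any page left exempt from the redirection still sends its POST data over plain HTTP.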

Eliminate Mixed Content

At this point you are almost done. Yet depending on the topology of your web site(s) and resources, it is possible that some pages generate a mixed content warning. Mixed content means that some resources (like images or scripts) of an HTTPS web page are served through HTTP. When mixed content is detected, most browsers show a warning to users about a not fully secured page.

You’ll find tools to search for mixed content on your web site, but you can also crawl the site yourself and use the Chrome console to get details about mixed content found.

Update Google SiteMap and Analytics

Finally make sure that your Google sitemap now references HTTPS urls, and update your Google Analytics for HTTPS:

I hope this content saves a few headaches. I am certainly neither an SSL nor an IIS expert, so once again, if some part of this tutorial can be improved, feel free to comment!

Comments:

  1. Hi Patrick,

    Good Day. Thanks for your excellent article on switching between HTTPS and HTTP. I am new to certificates. I would like to understand why we need to switch between HTTPS to HTTP redirection when the request crosses the IIS server.
