IHttpModule的ASP.NET中的HTTP和HTTPS之间切换 [英] IHTTPModule to switch between HTTP and HTTPS in ASP.NET
问题描述
我工作的一个网站,其中包含了需要通过SSL进行保护的部分。
I'm working on a web site which contains sections that need to be secured by SSL.
我在网站配置,使其运行正常时,它总是在SSL,我看到在IE7 / IE8 / Firefox / Safari / Chrome中的SSL挂锁
I have the site configured so that it runs fine when it's always in SSL, I see the SSL padlock in IE7/IE8/FireFox/Safari/Chrome
要实现SSL切换,我创建了一个实现IHttpModule的和有线专班的HttpApplication。preRequestHandlerExecute。
To implement the SSL switching, I created a class that implemented IHTTPModule and wired up HTTPApplication.PreRequestHandlerExecute.
我通过一些定制的逻辑来确定我的要求是否应该使用SSL,然后我重定向。我不得不面对两种方案:
I go through some custom logic to determine whether or not my request should use SSL, and then I redirect. I have to deal with two scenarios:
- 目前在SSL和请求不需要SSL
- 目前未SSL,但请求需要SSL
我最终做followng(其中CTX是HttpContext.Current和pathAndQuery是ctx.Request.Url.PathAndQuery)
I end up doing the followng (where ctx is HttpContext.Current and pathAndQuery is ctx.Request.Url.PathAndQuery)
// SSL required and current connection is not SSL
if (requestRequiresSSL & !ctx.Request.IsSecureConnection)
ctx.Response.Redirect("https://www.myurl.com" + pathAndQuery);
// SSL not required but current connection is SSL
if (!requestRequiresSSL & ctx.Request.IsSecureConnection)
ctx.Response.Redirect("http://www.myurl.com" + pathAndQuery);
的来回切换,现在工作得很好。然而,当我进入SSL模式,FireFox和IE8警告我说,我的要求并不完全加密。
The switching back and forth now works fine. However, when I go into SSL mode, FireFox and IE8 warns me that my request isn't entirely encrypted.
它看起来像我的模块是短暂的短路不知何故我的要求,将AP preciate任何想法。
It looks like my module is short circuiting my request somehow, would appreciate any thoughts.
推荐答案
我怀疑,当你确定哪些资源需要加密,哪些没有,你不包括图像,或者一些页眉和页脚为好,或甚至CSS文件,如果你使用的。
I would suspect, that when you determine which resources require encryption, and which not, you do not include the images, or some header and footers as well, or even CSS files, if you use any.
由于你总是扔掉SSL这样的内容,有可能发生的页面(主HTML)的那部分需要SSL,但对于图像此页面上的相应请求没有。
As you always throw away SSL for such a content, it may happen that part of the page (main html) requires SSL, but the consequential request for an image on this page does not.
浏览器警告您,该页面的某些部分没有使用SSL传递。
The browser is warning you, that some parts of the page were not delivered using SSL.
我将检查请求的是HTML,也只有这样,如果需要删除SSL。否则,保持它的方式是(最有可能的图像和如通过相对路径引用,不是一个完整的URL)。
I will check if the request is for HTML, and only then drop the SSL if needed. Otherwise, keep it the way it is (most probably images and such are referenced with relative paths, than a full blown url).
即,如果您有:
<html>
<body>
Some content...
<img src="images/someimage.jpg">
</body>
</html>
和你要求使用SSL这个页面,但你的评价的 requestRequiresSSL 的没有考虑到的图像以受保护的资源,它会形成一个HTTP,而不是HTTPS请求,你会看到警告
and you request this page using SSL, but your evaluation of requestRequiresSSL does not take into account the images as secured resources, it will form a http, not https request, and you will see the warning.
请确保当你请求的资源和评估的 requestRequiresSSL 的,要检查引用,如果这是一个图像:
Make sure when you request a resource and evaluate requestRequiresSSL, to check the referrer and if this is an image:
// SSL not required but current connection is SSL
if (!requestRequiresSSL && ctx.Request.IsSecureConnection && !isHtmlContent)
ctx.Response.Redirect("http://www.myurl.com" + pathAndQuery);
刚刚弄清楚如何确定isHtmlContent(如果你不从数据库等服务形象,但是从磁盘位置),只是检查资源文件名(的.aspx,的.asmx,.ashx的,html的,等等)。
Just figure out how to determine isHtmlContent (if you do not serve images from a database, etc., but from a disk location), just check the the resource filename (.aspx, .asmx, .ashx, .html, etc.).
这样的话,如果连接是加密的,但资源本身不是HTML,并没有设置为加密,你是不会放弃加密。
That way, if the connection is encrypted, but the resource itself is not html, and no set for "encryption", you are not going to drop the encryption.
这篇关于IHttpModule的ASP.NET中的HTTP和HTTPS之间切换的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
