Mixed http/https site


Question

So far, my https deployments have commonly involved a naive lockdown of the entire site with https and provide an http-to-https redirect on the web server.

I now plan to have a single ASP.NET MVC site (on the cloud) that will contain both http and https pages. So, the site will have 2 conceptual (not physical) zones providing for both secure and non-secure requests.

Configuration-wise, I have set up input ports for both 80 and 443 and the site accepts both requests.

Is there any way I can flip protocol to https for any call that goes to an action that belongs in the secure zone? For instance, the kind of things that action filters can do.

Thanks.

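Edit: Please note that the whole idea of this is to avoid using absolute URLs in the form action attributes, because of portability issues and because the user will not see the https:// assurance visual cue in the browser.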

P

Recommended answer

You may want the download from Microsoft, available here.

This has a FilterAttribute, RequireSslFilterAttribute that allows you to easily tag Action methods in your controller that require SSL - e.g.

[RequireSsl(Redirect=true)]
public ActionResult LogOn()
{
  return View();
}

The optional redirect parameter will cause the request to be redirected to the same URL but via https instead of http if required.

WARNING: As Daniel points out though, by the time you hit this Action it may already be too late if data was posted to a non secure version of the page - it is already potentially compromised, so you still need to exercise care when using this and make sure all sensitive data is sent via https. (I just noticed your comment to Daniel, you obviously understand this, I'll leave the warning here for anyone else who stumbles upon this though!)

EDIT: As Luke points out, in MVC2 this attribute is now part of the core framework and is renamed to [RequireHttps]
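
An added illustration of the warning in the answer above (not code from the original answer or from the framework): a hypothetical subclass of [RequireHttps] that redirects GET/HEAD requests to https but refuses any other verb sent over http, so an action never processes data that has already travelled in clear text. It assumes ASP.NET MVC 3 or later (for HttpStatusCodeResult) and the default https port; the names RequireHttpsStrictAttribute and AccountController are made up for the example.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical attribute name; builds on the framework's RequireHttpsAttribute,
// which only calls HandleNonHttpsRequest when the connection is not secure.
public sealed class RequireHttpsStrictAttribute : RequireHttpsAttribute
{
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        bool isSafeMethod =
            string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(request.HttpMethod, "HEAD", StringComparison.OrdinalIgnoreCase);

        if (!isSafeMethod)
        {
            // A POST over http has already exposed its body on the wire.
            // A redirect would hide that, so short-circuit with 403 instead;
            // setting Result here prevents the action from running.
            filterContext.Result = new HttpStatusCodeResult(403, "HTTPS required");
            return;
        }

        // Same host, path and query string, https scheme (default port 443 assumed).
        filterContext.Result =
            new RedirectResult("https://" + request.Url.Host + request.RawUrl);
    }
}

// Applied at class level, the filter covers every action in the secure zone.
[RequireHttpsStrict]
public class AccountController : Controller
{
    // The form is served over https, so its relative action URL posts back
    // over https and the markup needs no absolute https:// URL.
    public ActionResult LogOn()
    {
        return View();
    }

    // Reachable over https only; an http POST gets the 403 from the filter.
    [HttpPost]
    public ActionResult LogOn(string userName, string password)
    {
        // Credential validation is application-specific (assumed to exist elsewhere).
        return RedirectToAction("Index", "Home");
    }
}
```

A 403 on an http POST in the server logs points to a page or client that still submits the form over http and needs fixing at the source.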
