如何强制在 SSL 下浏览网站的某些部分? [英] How to force certain sections of the website to be browsed under SSL?

问题描述

在我们的网站上，某些部分或页面涉及敏感的用户或帐户信息.我想强制用户在 HTTPS 下浏览这些页面.而其他具有公共内容的页面应该在 HTTP 下可用.我打算在 IIS 上安装 url Rewrite 模块并编写规则来实现这一点.我不知道如何在 web.config 中编写重定向规则.

On our website certain sections or pages deal with sensitive user or account information. I want to force the users to browse those pages under HTTPS. Whereas other pages with public content should be available under HTTP. I was planning to install url Rewrite module on IIS and write rules to achieve this. I am not sure how to write the rules in web.config for redirection.

服务器:IIS 7.5

Server: IIS 7.5

SSL 下的页面示例:

Example of pages under SSL:

1. mywebsite.com.au/login

1. mywebsite.com.au/login

mywebsite.com.au/login/

mywebsite.com.au/login/

所有不属于上述指定 URL 模式的页面都应仅在 http 下浏览.

All the pages that do not come under the URL pattern specified above should be browsed under http only.

推荐答案

这里是我为实现 http->https 和 https->http 重定向而实现的重写规则.请注意，在 http->https 重定向中，您还必须将对 css、js 和图像文件的请求从 http 重定向到 https，否则浏览器可能会拒绝执行这些文件.

Here goes the rewrite rules I implemented to achieve the http->https and https->http redirection. Please note that on http->https redirection, you also have to redirect the request for css, js and images files from http to https otherwise the browser might decline to execute these files.

您也可以查看IIS论坛上的讨论.

<rewrite>
    <rules>
        <rule name="HTTPS to HTTP redirect" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTPS}" pattern="ON" />
                <add input="{URL}" pattern="^/login" negate="true" />
                <add input="{URL}" pattern="^/member" negate="true" />
                <add input="{URL}" pattern="^/(.*)(.js|.css|.png|.jpg|.woff)" negate="true" />
            </conditions>
            <action type="Redirect" redirectType="Permanent" url="http://{HTTP_HOST}/{R:1}" />
        </rule>
        <rule name="HTTP to HTTPS redirect login" stopProcessing="true">
            <match url="^login" />
            <conditions>
              <add input="{HTTPS}" pattern="OFF" />
            </conditions>
            <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/login/" />
        </rule>
        <rule name="HTTP to HTTPS redirect member" stopProcessing="true">
            <match url="^member/(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="OFF" />
            </conditions>
            <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/member/{R:1}" />
        </rule>
        <rule name="HTTP to HTTPS redirect resources" stopProcessing="true">
            <match url="http://(.*)(.css|.js|.png|.jpg|.woff)" />
            <conditions>
              <add input="{HTTPS}" pattern="ON" />
            </conditions>
            <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}{R:2}" />
        </rule>         
    </rules>
</rewrite>

这篇关于如何强制在 SSL 下浏览网站的某些部分?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！