Mixed http/https site

Question

So far, my https deployments have commonly involved a naive lockdown of the entire site with https and providing an http-to-https redirect on the web server.

I now plan to have a single ASP.NET MVC site (on the cloud) that will contain both http and https pages. So, the site will have 2 conceptual (not physical) zones providing for both secure and non-secure requests.

Configuration-wise, I have set up input ports for both 80 and 443 and the site accepts both requests.

Is there any way I can flip protocol to https for any call that goes to an action that belongs in the secure zone? For instance, the kind of things that action filters can do.

Many thanks.

edit: Please note that the whole idea of this is to avoid using absolute urls on the form action attribute because of portability issues and because the user will not see the https:// assurance visual cues on the browser.

P

Recommended answer

You might want to take a look at the MVC futures assembly from Microsoft available for download here.

This has a FilterAttribute, RequireSslFilterAttribute that allows you to easily tag Action methods in your controller that require SSL - e.g.

[RequireSsl(Redirect=true)]
public ActionResult LogOn()
{
  return View();
}

The optional redirect parameter will cause the request to be redirected to the same URL but via https instead of http if required.

WARNING: As Daniel points out though, by the time you hit this Action it may already be too late if data was posted to a non secure version of the page - it is already potentially compromised, so you still need to exercise care when using this and make sure all sensitive data is sent via https. (I just noticed your comment to Daniel, you obviously understand this, I'll leave the warning here for anyone else who stumbles upon this though!)

As Luke points out, in MVC2 this attribute is now part of the core framework and is renamed to [RequireHttps]
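
The warning above about data posted to the non-secure page can be enforced in the filter itself. The following is an added example, not code from the answer or from the MVC framework or Futures assembly: a custom authorization filter that redirects GET requests to https and rejects any other verb that arrives over http. `SecureZoneAttribute` and `AccountController` are hypothetical names, and the code assumes MVC 3 or later (for `HttpStatusCodeResult`) and https on the default port 443.

```csharp
using System;
using System.Web.Mvc;

// Added example (hypothetical names: SecureZoneAttribute, AccountController).
// Redirects GET requests to https and refuses everything else sent over http.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class SecureZoneAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var request = filterContext.HttpContext.Request;
        if (request.IsSecureConnection) return;   // already on https, nothing to do

        bool isGet = string.Equals(request.HttpMethod, "GET",
                                   StringComparison.OrdinalIgnoreCase);
        if (isGet)
        {
            // Same host and path with the https scheme; RawUrl keeps the query string.
            // Assumption: https listens on the default port 443.
            filterContext.Result =
                new RedirectResult("https://" + request.Url.Host + request.RawUrl);
        }
        else
        {
            // A POST over http has already crossed the wire in clear text.
            // A redirect would mask that, so the request is failed instead.
            filterContext.Result = new HttpStatusCodeResult(403, "HTTPS required");
        }
    }
}

public class AccountController : Controller
{
    // GET /Account/LogOn over http is redirected, so the form is rendered on https.
    [SecureZone]
    public ActionResult LogOn() { return View(); }

    // POST /Account/LogOn over http gets 403 and never reaches this body.
    [SecureZone, HttpPost]
    public ActionResult LogOn(string userName, string password)
    {
        // Credential check omitted; it is outside what this example demonstrates.
        return RedirectToAction("Index", "Home");
    }
}
```

Because the form is rendered on an https page, a relative `action` URL posts back over https, so no absolute URL is needed in the view.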
