SSLRedirect is an ASP.NET HTTP module which enables SSL (Secure Sockets Layer) communications for native ASP.NET web applications and for ASP.NET based content management web solutions, such as DotNetNuke and Microsoft SharePoint Services. Once a SSL Certificate is installed, SSLRedirect acts as a firewall to ensure that user defined web pages (defined via Regular Expressions) are always SSL secured. SSLRedirect now supports the IIS7 Integrated Pipeline, enabling SSLRedirect to SSL secure any web application supported by the IIS7 web server, such as but not limited to native HTML applications (htm, html), classic ASP applications (asp) or PHP applications (php).
In the Microsoft Internet Information Server (IIS) web server, once a SSL Certificate is properly installed, native ASP.NET web applications and/or specific ASP.NET web pages can be SSL secured by selecting Properties/Directory Security and then editing the security requirements as follows:
One would assume that this is all that is required, however the above Require Secure Channel (SSL) definition only ensures that a specific web application or web page will not be accepted unless the HTTPS:// prefix is included. This definition does not force the user to enter the HTTPS:// prefix. The user can enter a HTTP:// prefix and the following IIS error response will be received:
In a SSLRedirect environment, the IIS Require Secure Channel (SSL) definition is typically left unchecked, and SSLRedirect will then act as a ASP.NET HTTP Module firewall and examine all incoming URLs. URLs that are defined via Regular Expressions as web applications and/or web pages which are to be SSL secured are transformed and redirected to the same URL with a HTTPS:// prefix. If an incoming URL has a HTTPS:// prefix and the web application and/or web page is not to be SSL secured then the URL is transformed and redirected to the same URL with a HTTP:// prefix. Such SSLRedirect dynamic transformation and redirection of URLs also allows a web application to be somewhat ignorant of which web pages are being SSL secured. A web application can be developed to always issue URL redirects to web pages with a HTTP:// prefix and SSLRedirect will properly manage the web page SSL security.
In the case of Microsoft Sharepoint and DotNetNuke, web pages are created dynamically from a backend SQL Server database. The complexity of having many dynamic and virtual web pages also makes it problematic to utilize IIS exclusively for defining which virtual web pages should be secured using SSL communications. In a Sharepoint or DotNetNuke environment, SSLRedirect also acts as a firewall to provide a framework for defining which web applications and/or dynamic/virtual web pages are to be SSL secured. SSLRedirect is defined as a HTTP Module in an ASP.NET web.config file. SSLRedirect selectively changes incoming URLs from HTTP:// prefixes to HTTPS:// prefixes (or vice versa) based on Regular Expression transformation definitions.
SSL is the basis for secure Internet communications, however SSL introduces additional overhead, so it is often desirable to secure a subset of all web pages within a web site, or within a collection of portals. SSLRedirect can easily be configured to secure selective web pages where only sensitive data is being exchanged. For example, in the case of DotNetNuke web sites, it may be desirable to secure the user registration page and the user login page and nothing more, yet for some web sites it may be desirable to secure an entire web site. When multiple portals are defined, it may be desirable to secure a subset of all the portals defined. Depending on such varying web site and portal security requirements, SSLRedirect can be configured to secure sensitive content, yet not introduce SSL overhead for web pages where sensitive content is not present.
Incoming URL transformation is not necessarily adequate to totally secure an ASP.NET web page. If web page output response HTML contain references to non-secure URLs, then mixed content (secure and unsecure) conflicts will occur, in which case SSLRedirect can filter outgoing HTML responses to ensure that all secure web pages also have secure references. Mixed content conflicts may pose little or no concern, depending upon which client browser is being used. For example, in a Microsoft Internet Explorer (IE) environment, a dialog box is presented by default when such conflicts occur, however with Mozilla Firefox, no such dialog box is presented. Outgoing response HTML transformation may or may not be necessary, and as such is optional within SSLRedirect.
SSL Redirect is defined as a HTTP Module in an ASP.NET web.config file (as illustrated below). SSL Redirect selectively changes incoming URLs from HTTP:// prefixes to HTTPS:// prefixes (or vice versa) based on Exclusion(s) and Inclusion(s) Regular Expressions within a web.config custom SSLRedirect configuration section.
In addition to the HTTPModule web.config defintion, SSLRedirect is declared and defined in the web.config via a custom SSLRedirect configuration section, as illustrated below:
SSLRedirect provides a comprehensive trace facility, which traces all SSL related redirection activity and all filterOutput transformations. The trace facility output is illustrated below:
SSL Redirect adheres to all best practice recommendations with respect to Microsoft Sharepoint, DNN and ASP.NET HTTP Module development.
SSL Redirect is certified with DNN versions 3 and 4. Current SSLRedirect release is SSLRedirect version 5.0, which incorporates a number of ASP.NET v2 and IIS7 features. SSLRedirect version 1 is also available for ASP.NET 1.1 and is offered on a no-charge basis for licensees of SSLRedirect.
SSL Redirect is shipped in the form of an InstallShield SETUP.EXE file. The SSL Redirect HTTP module ( SanibelLogic.SSLRedirect.DLL ), related documentation and sample configuration files are installed in the Windows Program Files/Sanibel Logic directory. SSL Redirect product documentation is available via a shortcut from the Windows Programs Files menu. SSL Redirect C# source code projects can be licensed separately in the form of a Software Development Kit (SDK).