Why not just run the whole site in SSL? Google even rewards you a tiny tiny bit for it these days and you can't forget to add any custom code like this.
If you don't want to do that, throw the exact same code you have above in your main Layout template.
Why not just run the whole site in SSL? Google even rewards you a tiny tiny bit for it these days and you can't forget to add any custom code like this.
If you don't want to do that, throw the exact same code you have above in your main Layout template.
Is this true?
What do you think about doing a 301 urlrewrite from http to https. Is that a good idea?
No, I just mean that one could just run SSL on the server on the whole website out of the box. But this requires a SSL certificate is bought, setup and configured on the server.
Right. Obviously, I'm assuming you must first have SSL certificate enabled, then you will do the write over to https. It is actually my first time doing it and unless I'm missing something. So, you're saying the rewrite isn't necessary because the binding would automatically redirects itself to https?
I should be probably do a bit of research about this but that's why forums are for, you've got helpful people to help!
You will have to still make redirects if you want to send people who try to access the site on http instead of https. Otherwise, if someone is going to http://example.com and you have not configured IIS to accept non-SSL requests, they will just not see your website at all.
I recently did this on my personal site, the two things you need to update in your web.config are the following setting:
<add key="umbracoUseSSL" value="true" />
And the rewrite rule to redirect all http traffic to https:
Note that the above rewrite only works if the URL Rewriting plugin for IIS has been installed on the server.
You'll also need to update all your templates if they refer to (for example) fonts on a CDN, the easiest way to do that is to not give it the scheme (http or https). So instead of:
I have tried this on our site and the redirect from http to https works for the backend. However, visiting any page on the front-end, either with http or https, gives me a This webpage has a redirect loop error. If I remove the rewrite rule then everything is working fine.
That has the advantage that some pages can be HTTP and some pages can be HTTPS. That comes in handy in some situations, such as when some of the pages need to be iframes to external HTTP pages.
Thanks for that. That just gave me more to ponder about.
Just wondering, with the key, does that not only forces you to https for the back office only? meaning, if I'm already redirecting all http to https then do I still need to worry about this?
And with the rewriting, instead of using the web.config. Wouldn't you just use the Urlrewriting.Config in the Config folder? I mean, is there any reason to use one over the other?
Well using the key just tells Umbraco to do everything right in the first place, that way the url rewrite doesn't have to kick in all the time. It has a few other advantages which I can't remember off the top of my head.
You MIGHT be able to use urlrewriting.net but that thing is pretty outdated and not maintained any more. It's only still in the core for backwards compatibility reasons and because there's no good alternative that everybody can use. I prefer using the IIS plugin every time (also because there's more examples out there).
Also, please note that someone tried to use urlrewriting.net and had side-effects afterwards, so I don't know what the correct rewrite would be, see this comment and further: http://issues.umbraco.org/issue/U4-5728#comment=67-17577
Auto-redirect to HTTPS for some pages in MVC?
I want some pages to be always redirected to the HTTPS version (eg. login page)
I have a true/false property "useSSL" on my pages.
In Umbraco 4 (Web Forms), I have something like this in my Master.master.cs (that every page uses)
if(Node.GetCurrent().GetPropertyValue("useSSL", false)) Response.RedirectPermanent("https://" + Request.Url.Host + Request.RawUrl);How can I do this in Umbraco 7 (MVC)?
Why not just run the whole site in SSL? Google even rewards you a tiny tiny bit for it these days and you can't forget to add any custom code like this.
If you don't want to do that, throw the exact same code you have above in your main Layout template.
Code may need updating a bit, this should work:
And yes, you need the curly braces there as Razor requires them. :)
Why not just run the whole site in SSL? Google even rewards you a tiny tiny bit for it these days and you can't forget to add any custom code like this.
If you don't want to do that, throw the exact same code you have above in your main Layout template.
Is this true?
What do you think about doing a 301 urlrewrite from http to https. Is that a good idea?
Hi Elvin
Yes, it's indeed true. It's not the biggest SEO impact but it counts in the whole picture so I also think it's worth considering installing SSL for use on the whole site. You can read more about it here http://googleonlinesecurity.blogspot.dk/2014/08/https-as-ranking-signal_6.html
I think the rewrite will work fine but why bother if the whole site could be setup to run SSL out of the box? :)
Just my 2 cents.
/Jan
Hey Jan,
That's good to know but what do you mean by running SSL out of the box? Is this something I haven't noticed about Umbraco?
Do share!:)
Elvin
Hi Elvin
No, I just mean that one could just run SSL on the server on the whole website out of the box. But this requires a SSL certificate is bought, setup and configured on the server.
For instance it can be bought from https://www.digicert.com/ssl-certificate.htm - But there are many other alternatives out there. Just try and Google for it :)
/Jan
Hi Jan,
Right. Obviously, I'm assuming you must first have SSL certificate enabled, then you will do the write over to https. It is actually my first time doing it and unless I'm missing something. So, you're saying the rewrite isn't necessary because the binding would automatically redirects itself to https?
I should be probably do a bit of research about this but that's why forums are for, you've got helpful people to help!
Elvin
Hi Elvin
Yup that is correct. If the server is configured to use SSL then you don't need to make any redirects in your code.
You only need the redirect stuff if you want to only have parts of your url's running https.
/Jan
Hi Jan,
Great! Makes things a lot easier.
Thanks for your input!
Cheers,
Elvin
You will have to still make redirects if you want to send people who try to access the site on http instead of https. Otherwise, if someone is going to
http://example.comand you have not configured IIS to accept non-SSL requests, they will just not see your website at all.I recently did this on my personal site, the two things you need to update in your web.config are the following setting:
And the rewrite rule to redirect all http traffic to https:
Note that the above rewrite only works if the URL Rewriting plugin for IIS has been installed on the server.
You'll also need to update all your templates if they refer to (for example) fonts on a CDN, the easiest way to do that is to not give it the scheme (http or https). So instead of:
You can make it:
Notice that "http:" has been removed. This way it will load over both https and also over http (if you ever decide to revert to http).
Hi Sebastiaan,
I have tried this on our site and the redirect from http to https works for the backend. However, visiting any page on the front-end, either with http or https, gives me a This webpage has a redirect loop error. If I remove the rewrite rule then everything is working fine.
Is there any other configuration that is needed?
I typically call a function to handle the redirect (rather than redirecting in the web.config): https://github.com/rhythmagency/rhythm.umbraco.extensions/blob/e7df4420dcb75e9216f67ef0cea915a4a867c36f/trunk/Rhythm.Extensions/Rhythm.Extensions/Utilities/NetUtility.cs#L68
That has the advantage that some pages can be HTTP and some pages can be HTTPS. That comes in handy in some situations, such as when some of the pages need to be iframes to external HTTP pages.
Hi Sebastian,
Thanks for that. That just gave me more to ponder about.
Just wondering, with the key, does that not only forces you to https for the back office only? meaning, if I'm already redirecting all http to https then do I still need to worry about this?
And with the rewriting, instead of using the web.config. Wouldn't you just use the Urlrewriting.Config in the Config folder? I mean, is there any reason to use one over the other?
Thanks,
Elvin
Well using the key just tells Umbraco to do everything right in the first place, that way the url rewrite doesn't have to kick in all the time. It has a few other advantages which I can't remember off the top of my head.
You MIGHT be able to use urlrewriting.net but that thing is pretty outdated and not maintained any more. It's only still in the core for backwards compatibility reasons and because there's no good alternative that everybody can use. I prefer using the IIS plugin every time (also because there's more examples out there).
Also, please note that someone tried to use urlrewriting.net and had side-effects afterwards, so I don't know what the correct rewrite would be, see this comment and further: http://issues.umbraco.org/issue/U4-5728#comment=67-17577
is working on a reply...