SSL - Entire Site
We've just launched a site using Sitefinity 5 which needs to have SSL enabled on every page. We set this up as normal in IIS but each time we browse to the SSL version Sitefinity redirects us back to the non SSL one.
Having done some reading I've seen various examples on how to run a script to set the requiressl property on every page in the site which doesn't seem like much of a fix as if our client adds a new page then the script will need to be run again which quite frankly goes against the purpose of having a CMS.
In Sitefinity 3.7 we were able to override the ProcessSslRedirect method within CmsHttpModule, is there an equivalent in v5? If not how can I set it up to work as described and avoid the need to run the script everytime a new page is created?Hi,
The Require SSL property is available from the Title and Properties menu for every page. The purpose of the script is to conveniently set it to true for all the available pages, so you do not have to go each individual page and manually enable it. After that, when your client creates a page, they will need to tick the Require SSL box:http://screencast.com/t/3Ses5AJCCw1A In addition to this you need to have the http and https bindings configured on IIS to use the default ports.
Kind regards,Hi
Thanks for your response.
The point is a non-technical content editor should not be concerned with having to check the requiesSSL checkbox.
We had the ability to force SSL across the entire site in Sitefinity 3.7 via CmsHttpModule but now this has been taken away and we have no equivalent.
It's possible to set caching for the entire site so we could really do with an equivalent for requiresSSL.
Hi,
I see your point. There is a way to enable Require SSL by default for all newly created pages.
An easy way to automate this process is to override the default PagesService and set RequireSSL when a page is saved. Let me elaborate on the recommended approach.
You can inherit form PagesService, and in SavePage method where the WcfPageContext is available, set the Item (page) RequireSsl to true, then pass control execution to base - this should deliver the same results as with the default service, with the only addition that each newly created page will be saved with RequireSsl = true;
using System; using System.Collections.Generic; using System.Linq; using System.Web; using Telerik.Sitefinity.Modules.Pages.Web.Services; using Telerik.Sitefinity.Modules.Pages.Web.Services.Model; namespace SitefinityWebApp public class PagesServiceCustom : PagesService, IPagesService public new WcfPageContext SavePage(WcfPageContext pageContext, string pageId, string providerName, bool duplicate) pageContext.Item.RequireSsl = true; return base.SavePage(pageContext, pageId, providerName, duplicate); <%@ ServiceHost Language="C#" Debug="false" Service="SitefinityWebApp.PagesServiceCustom" Factory="Telerik.Sitefinity.Web.Services.WcfHostFactory" %> Atanas,
Thanks for providing a way of doing this. I had lot of trouble searching the forums for this answer until I did the search on Google. One question though, wouldn't this always save the "Require SSL" to true even if the user explicitly chose to turn it off?
If that is so, what would your recommendation be on only setting the "Require SSL" to true when the page is being published the first time?
Thanks,
Brett
Hi Brett,
Unfortunately yes. This solution is for users who want their pages to be under SSL all the time. I had an idea to use revision history to check if the page was published for the first time or it had been published before and depending on that the current status of ssl setting to determine if the user wanted this page to be under ssl or not. However, that did not work as expected.
In your case, the best solution would be to run the ssl code to enable it for all current pages and instruct your users to keep this setting in mind. I will note this in our feedback that it would be good if this setting is configurable.
Thanks for the update. If this were to be added as a feature request, I'd like to see it enabled/disabled similar to how the allow/disallow comment setting is in the advanced settings fo the administrative section. Being able to just set true or false for the field would just automatically check/uncheck the box on the page.
Hi Brett,
Unfortunately this could not be logged as currently there is an easy solution to do it and there are not so many requests for it.
We hope you won't be disappointed. We are honest and don't want to give you false expectations.
Thank you for your understanding!
All the best,
DimBo
the Telerik team
I don't understand, if there is an easy solution to fix it. Why wouldn't it be added as a possible future feature?
If you mean the solution Atanas supplied (while helpful and can surely help some people), it isn't a complete solution. If a user didn't want the page as SSL for some reason and they published that page, their explicit indication to NOT require SSL would be ignored and SSL would be re-applied anyway.
Hello Brett,
First of all please accept my apologizes for the misunderstanding. You are absolutely right and this will be part of some of our next releases. We'll try to improve the way how SSL is configured. Although I can't promise you a specific date - I hope you will see it soon in the release notes of the product.
Thanks again for your patience and constructive feedback!
All the best,
DimBo
the Telerik team
Note, also, that the above solution does not address backend pages created via module builder, etc., so an admin will still need to go and reset those pages to be RequireSSL after creating them.
If you want all requests to always use HTTPS, another option is to use the IIS plug-in "URL Rewrite" to redirect HTTP requested URLs as HTTPS. URL Rewrite would insert code like the following into your web.config file:
<system.webServer> <rewrite> <rules> <rule name="Redirect to HTTPS" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="HTTPS" pattern="^OFF$" /> </conditions> <action type="Redirect" url="https://HTTP_HOST/R:1" redirectType="SeeOther" /> </rule> </rules> </rewrite></system.webServer>Resources: