HTTPS made simple.... Let's encrypt for all

In the early days, Windows + IIS supported only one https website per web server. That meant that when hosting many websites on IIS it was not possible to offer https support for all of them.

This changed quite a number of years ago, when IIS started supporting multiple sites running https, BUT (and this was a big but) only one certificate could be installed on the server for use with IIS. That solved the problem for many companies, because a *.domain.tld certificate could be installed on the server and various subdomains created under it. It didn't help much, though, for people buying hosting on servers where multiple domains were used.

Fast forward a couple more years and IIS started supporting multiple certificates bound to different IIS sites, and now everything was open.


My hosting provider wasn't quite ready to support it yet, because installing and handling SSL certificates usually required access to IIS and the server itself, which of course could not be allowed on servers running websites for multiple clients. So they needed to build an infrastructure that supported it for the clients without giving them full access. And they managed. The problem with their first solution, though, was that you had to upload both your public and private key (with no password) to their servers for it to work. That means handing your certificate to your hosting provider and hoping they take good care of it. At least it was possible.

Fast forward again and my hosting provider found a better solution for managing https (one that is even free for the customers): they started supporting letsencrypt.org. That means my hosting provider lets me pick a domain I would like an https certificate installed for, and in the background they fix the rest.

So now my blog runs https using a letsencrypt certificate. And to ensure that https is used properly, all I had to do was modify the web.config file for my website and add the following in the system.webServer section:

<rewrite>
    <rules>
        <!-- Send every plain-HTTP request to the same host and path over HTTPS -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                    redirectType="Permanent" />
        </rule>
    </rules>
    <outboundRules>
        <!-- Add the HSTS header (max-age = one year) only to responses served over HTTPS -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
            <match serverVariable="RESPONSE_Strict_Transport_Security"
                   pattern=".*" />
            <conditions>
                <add input="{HTTPS}" pattern="on" ignoreCase="true" />
            </conditions>
            <action type="Rewrite" value="max-age=31536000" />
        </rule>
    </outboundRules>
</rewrite>


This does two things:

1. It redirects the browser to the https-version of my blog

2. It tells the browser to remember that the website should only be displayed using https, so that if someone tries to strip the https it should fail (HSTS)
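The two behaviours above are easy to get subtly wrong (a 302 instead of a 301, a redirect that drops the path, or an HSTS header sent over plain HTTP, which browsers ignore). The following script is an added example, not code from the original post: it checks a response against exactly those expectations. The host name blog.example and the sample responses are constructed placeholders, so it runs offline.

```python
"""Check an HTTP response for the two behaviours the web.config above
aims for: a permanent redirect from http:// to https:// on the same host,
and a Strict-Transport-Security header (HSTS) sent only over HTTPS.
Sample responses are constructed inline so the script runs offline."""

from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the max-age used in the outbound rewrite rule


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive (RFC 6797); a missing or
    non-numeric max-age is reported as None.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    max_age = directives.get("max-age")
    try:
        max_age = int(max_age) if max_age is not None else None
    except ValueError:
        max_age = None
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_response(request_url, status, headers, min_max_age=ONE_YEAR):
    """Return a list of findings (an empty list means the policy is as intended).

    request_url: the URL the client asked for (the scheme decides which checks apply).
    status:      HTTP status code of the response.
    headers:     dict of response headers (names compared case-insensitively).
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    req = urlsplit(request_url)

    if req.scheme == "http":
        # Plain-HTTP requests must be permanently redirected to HTTPS on the same host.
        if status not in (301, 308):
            findings.append(f"expected permanent redirect, got {status}")
        loc = urlsplit(hdrs.get("location", ""))
        if loc.scheme != "https":
            findings.append("Location is not an https:// URL")
        elif loc.hostname != req.hostname:
            findings.append("redirect leaves the original host")
        elif loc.path != req.path:
            findings.append("redirect drops the requested path")
        # HSTS over plain HTTP is ignored by browsers; seeing it there usually
        # means the {HTTPS} condition on the outbound rule is missing.
        if "strict-transport-security" in hdrs:
            findings.append("HSTS header sent over plain HTTP (ignored)")
        return findings

    # HTTPS responses must carry HSTS with a long enough max-age.
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    parsed = parse_hsts(hsts)
    if parsed["max_age"] is None:
        findings.append("HSTS max-age missing or not a number")
    elif parsed["max_age"] < min_max_age:
        findings.append(f"HSTS max-age {parsed['max_age']} below {min_max_age}")
    return findings


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "good_redirect": ("http://blog.example/posts/1", 301,
                      {"Location": "https://blog.example/posts/1"}),
    "good_hsts": ("https://blog.example/posts/1", 200,
                  {"Strict-Transport-Security": "max-age=31536000"}),
    "short_hsts": ("https://blog.example/", 200,
                   {"Strict-Transport-Security": "max-age=300; includeSubDomains"}),
    "hsts_over_http": ("http://blog.example/", 301,
                       {"Location": "https://blog.example/",
                        "Strict-Transport-Security": "max-age=31536000"}),
}

if __name__ == "__main__":
    for name, (url, status, headers) in SAMPLES.items():
        print(name, check_response(url, status, headers) or "OK")
```

Feed it the status and headers of a real response (for example from a browser's network tab) for both the http:// and https:// versions of a page; anything other than an empty list points at the rule that needs fixing.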


So in less than 20 minutes the security for the readers of my blog increased drastically.


If you use another hosting provider that does not yet support letsencrypt.org, I can highly recommend UnoEuro.
