How to Enable SSL

Question

0

How to Enable SSL

Andrew Lee posted 9 Years Ago

Hi All,

I can't seem to find how to enable SSL within the Rock. Coud someone advise?

Thank You!

Andrew

0
- Andrew Lee replied 9 Years Ago
This is great information guys -- exactly what I was needing! We have the SSL cert - and it works great when manually browsing to the site via HTTPS://xxxxx.

Thank you!
Edit Answer

This is great information guys -- exactly what I was needing!  We have the SSL cert - and it works great when manually browsing to the site via HTTPS://xxxxx.   Thank you!
This is great information guys -- exactly what I was needing!  We have the SSL cert - and it works great when manually browsing to the site via HTTPS://xxxxx.   Thank you!
This is great information guys -- exactly what I was needing!  We have the SSL cert - and it works great when manually browsing to the site via HTTPS://xxxxx.   Thank you!
Save Cancel
Trey Hendon III

9 years ago

Awesome! Yeah, the warning about making sure you can browse there manually first comes from a lesson learned the hard way with IIS and HTTPS Bindings in IIS. :)

Trey Hendon III · Accepted Answer · 2014-12-18T20:39-07:00

2

Trey Hendon III replied 9 Years Ago

Hi Andrew,

Generally we do this page-by-page, however, once the user is sent to a secured page [generally] they're kept in an https session. So, the quickest way to do this is to set the Page Properties to Require SSL.

Before following the next few steps, make sure you've got the SSL certificate installed correctly by trying to access the site mannually with the https prefix. If that works, then you should be safe to proceed.

To force the Internal Pages to SSL:

Login and navigate to: Admin Tools > CMS Configuration > Page Map
Expand: Internal Homepage > Admin Tools > Security
Click the Login page. (You should end up on the Internal Site's Login Page, as a logged in user seeing the Admin options in the bottom right.)
Click the Page Properties [Gear] Icon.
Click the Advanced Settings tab.
Check the Force SSL box and save.

Now, anytime a user accesses the Login page it will force them to a SSL session.

There are a few flaws with this method. The biggest one (and why I opted for a more advanced SSL redirect option for my staff pages) is that when a user comes back to the Internal pages and is already logged in, they by-pass the forced SSL and that's not good.

So, here are two other options to consider:

Check the Force SSL flag on EVERY page of the Staff pages and any critical pages on the public site (I recommend doing that in SQL for all the Internal pages).
Use IIS for the redirection (this is what I do).

For the IIS Redirection:

Setup a dummy site in IIS for the Internal site.
Give it only the http binding for the URL you're wanting to force to SSL.
Use the HTTP Redirect option to forward requests to: https://internal.yoururl.com$V$Q (NOTE: No trailing slash. Also, $V$Q are special characters for IIS to include the URL Params and their Values when redirecting.)
Check: "Redirect all requests to exact destination.
Uncheck: "Only redirect requests to content in this directory."
Status Code: Permanent (301)

Now, IIS will redirect any request to the https version of the page.

Hope those ideas help!
Trey

Edit Answer

Hi Andrew,

Generally we do this page-by-page, however, once the user is sent to a secured page [generally] they're kept in an https session. &nbsp;So, the quickest way to do this is to set the Page Properties to Require SSL.

Before following the next few steps, make sure you've got the SSL certificate installed correctly by trying to access the site mannually with the https prefix. &nbsp;If that works, then you should be safe to proceed.

To force the Internal Pages to SSL:

<ol>
	<li>Login and navigate to: Admin Tools &gt; CMS Configuration &gt; Page Map</li>
	<li>Expand: Internal Homepage &gt; Admin Tools &gt; Security</li>
	<li>Click the Login page. (You should end up on the Internal Site's Login Page, as a logged in user seeing the Admin options in the bottom right.)</li>
	<li>Click the Page Properties [Gear] Icon.</li>
	<li>Click the Advanced Settings tab.</li>
	<li>Check the Force SSL box and save.</li>
</ol>

Now, anytime a user accesses the Login page it will force them to a SSL session.

There are a few flaws with this method. &nbsp;The biggest one (and why I opted for a more advanced SSL redirect option for my staff pages) is that when a user comes back to the Internal pages and is already logged in, they by-pass the forced SSL and that's not good.

So, here are two other options to consider:

<ol>
	<li>Check the Force SSL flag on EVERY page of the Staff pages and any critical pages on the public site (I recommend doing that in SQL for all the Internal pages).</li>
	<li>Use IIS for the redirection (this is what I do).</li>
</ol>

For the IIS Redirection:

<ol>
	<li>Setup a dummy site in IIS for the Internal site.</li>
	<li>Give it only the http binding for the URL you're wanting to force to SSL.</li>
	<li>Use the HTTP Redirect option to forward requests to: &nbsp;https://internal.yoururl.com$V$Q &nbsp;(NOTE: No trailing slash. &nbsp;Also, $V$Q are special characters for IIS to include the URL Params and their Values when redirecting.)</li>
	<li>Check: "Redirect all requests to exact destination.</li>
	<li>Uncheck: "Only redirect requests to content in this directory."</li>
	<li>Status Code: Permanent (301)</li>
</ol>

Now, IIS will redirect any request to the https version of the page. 
&nbsp; 
Hope those ideas help! 
Trey

<p>Hi Andrew,</p>

<p>Generally we do this page-by-page, however, once the user is sent to a secured page [generally] they're kept in an https session. &nbsp;So, the quickest way to do this is to set the Page Properties to Require SSL.</p>

<p>Before following the next few steps, make sure you've got the SSL certificate installed correctly by trying to access the site mannually with the https prefix. &nbsp;If that works, then you should be safe to proceed.</p>

<p>To force the Internal Pages to SSL:</p>

<ol>
	<li>Login and navigate to: Admin Tools &gt; CMS Configuration &gt; Page Map</li>
	<li>Expand: Internal Homepage &gt; Admin Tools &gt; Security</li>
	<li>Click the Login page. (You should end up on the Internal Site's Login Page, as a logged in user seeing the Admin options in the bottom right.)</li>
	<li>Click the Page Properties [Gear] Icon.</li>
	<li>Click the Advanced Settings tab.</li>
	<li>Check the Force SSL box and save.</li>
</ol>

<p>Now, anytime a user accesses the Login page it will force them to a SSL session.</p>

<p>There are a few flaws with this method. &nbsp;The biggest one (and why I opted for a more advanced SSL redirect option for my staff pages) is that when a user comes back to the Internal pages and is already logged in, they by-pass the forced SSL and that's not good.</p>

<p>So, here are two other options to consider:</p>

<ol>
	<li>Check the Force SSL flag on EVERY page of the Staff pages and any critical pages on the public site (I recommend doing that in SQL for all the Internal pages).</li>
	<li>Use IIS for the redirection (this is what I do).</li>
</ol>

<p>For the IIS Redirection:</p>

<ol>
	<li>Setup a dummy site in IIS for the Internal site.</li>
	<li>Give it only the http binding for the URL you're wanting to force to SSL.</li>
	<li>Use the HTTP Redirect option to forward requests to: &nbsp;https://internal.yoururl.com$V$Q &nbsp;(NOTE: No trailing slash. &nbsp;Also, $V$Q are special characters for IIS to include the URL Params and their Values when redirecting.)</li>
	<li>Check: "Redirect all requests to exact destination.</li>
	<li>Uncheck: "Only redirect requests to content in this directory."</li>
	<li>Status Code: Permanent (301)</li>
</ol>

<p>Now, IIS will redirect any request to the https version of the page.<br />
&nbsp;<br />
Hope those ideas help!<br />
Trey</p>

<p>Hi Andrew,</p>

<p>Generally we do this page-by-page, however, once the user is sent to a secured page [generally] they're kept in an https session. &nbsp;So, the quickest way to do this is to set the Page Properties to Require SSL.</p>

<p>Before following the next few steps, make sure you've got the SSL certificate installed correctly by trying to access the site mannually with the https prefix. &nbsp;If that works, then you should be safe to proceed.</p>

<p>To force the Internal Pages to SSL:</p>

<ol>
	<li>Login and navigate to: Admin Tools &gt; CMS Configuration &gt; Page Map</li>
	<li>Expand: Internal Homepage &gt; Admin Tools &gt; Security</li>
	<li>Click the Login page. (You should end up on the Internal Site's Login Page, as a logged in user seeing the Admin options in the bottom right.)</li>
	<li>Click the Page Properties [Gear] Icon.</li>
	<li>Click the Advanced Settings tab.</li>
	<li>Check the Force SSL box and save.</li>
</ol>

<p>Now, anytime a user accesses the Login page it will force them to a SSL session.</p>

<p>There are a few flaws with this method. &nbsp;The biggest one (and why I opted for a more advanced SSL redirect option for my staff pages) is that when a user comes back to the Internal pages and is already logged in, they by-pass the forced SSL and that's not good.</p>

<p>So, here are two other options to consider:</p>

<ol>
	<li>Check the Force SSL flag on EVERY page of the Staff pages and any critical pages on the public site (I recommend doing that in SQL for all the Internal pages).</li>
	<li>Use IIS for the redirection (this is what I do).</li>
</ol>

<p>For the IIS Redirection:</p>

<ol>
	<li>Setup a dummy site in IIS for the Internal site.</li>
	<li>Give it only the http binding for the URL you're wanting to force to SSL.</li>
	<li>Use the HTTP Redirect option to forward requests to: &nbsp;https://internal.yoururl.com$V$Q &nbsp;(NOTE: No trailing slash. &nbsp;Also, $V$Q are special characters for IIS to include the URL Params and their Values when redirecting.)</li>
	<li>Check: "Redirect all requests to exact destination.</li>
	<li>Uncheck: "Only redirect requests to content in this directory."</li>
	<li>Status Code: Permanent (301)</li>
</ol>

<p>Now, IIS will redirect any request to the https version of the page.<br />
&nbsp;<br />
Hope those ideas help!<br />
Trey</p>

Save Cancel

Michael Garrison

9 years ago

I also use the IIS redirection- it works quite well. Andrew, is this the information you're looking for or are you looking for more basic stuff like where to purchase a certificate, etc?
Trey Hendon III

9 years ago

This is another option for URL redirecting as well: http://blog.nancyfx.org/permament-redirect-to-https-with-iis/
Ken Roach

5 years ago

I'm a newbie to SSL. Are these steps (...the "two other options" / IIS redirection) still relevant if the entire site can be forced to use SSL using Home > CMS Configuration > Sites > Edit > Require Encryption? Why wouldn't I just turn this on for both the internal site and the external site?
Jeremy Hoff

5 years ago

Ken - the simplest approach these days is to install the excellent, and free, "Acme Certificates" plugin and go from there. In all but a handful of cases it'll take care of everything. https://www.rockrms.com/rockshop/plugin/74
Ken Roach

5 years ago (edited 5 years ago)

Thanks Jeremy. I tried that but it failed for me on 3essentials VPS. I think because we have a subdomain type URL (porirua.elim.org.nz). I manually generated the cert using the CertifyTheWeb tool (https://certifytheweb.com/), and then manually moved the cert from Personal into Trusted, then bound the site to the cert.
Jim Michael

5 years ago (edited 5 years ago)

To answer your first question... no, you no longer need redirection tricks and all that. As long as your IIS Rock site is listening on both 80 and 443 AND the Rock site(s) have Require Encryption set, all traffic will be automatically redirected to https.

Question

0

How to Enable SSL

2

0