
SSL with Let's Encrypt, how to force SSL on entire site

Andrew_Newth

Basic Pleskian
Hi all, I have set up my first Let's Encrypt SSL certificate on my site and can access the site via SSL. What is the best way to force the use of https? Is there a way to set this from within Plesk at the moment?

I have added a redirect to my web.config and this seems to work OK but want to make sure this is the best method.

Here is the rewrite I used:

Code:
<rewrite>
    <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)"></match>
            <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true"></add>
            </conditions>
            <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}"></action>
        </rule>
    </rules>
</rewrite>

Any advice greatly appreciated.
 
Andrew,

Did you ever get an answer and does this mod work for you?

Also, how hard was it to transfer WordPress over to HTTPS completely?
 
Hi there,

I'm not using WordPress, I'm using DNN. The above rewrite in the web.config works for me, although I'm not sure why I need to use it.

If I have a site with SSL enabled I go to IIS settings in Plesk and select Require SSL to force client browsers to use SSL. But when I do this, non-SSL connections to the site just result in a 403 Forbidden error page instead of redirecting to the SSL version.

Does anyone know why this happens and how to get around it?
 
Hi Andrew,

The server is able to serve two flavours of your page, SSL and non-SSL. You might wish to serve some pages via SSL only and others that don't contain sensitive information via non-SSL (it's also less server intensive).

If you had mixed content you would code manually within your pages whether the page is served via SSL or not and redirect as appropriate.

If you wanted your entire site to be protected by SSL then you would need to ensure that you can redirect all visitors to https://

The rule below ensures that if someone arrives at your site by typing http://www.domain.com they are redirected to https://www.domain.com, and the same applies to other pages under that domain (/about.html etc.).

Without the rule below, users are presented with the 403 (as you've discovered) because you've instructed the server to only serve secure content (https://).

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
    </conditions>
    <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
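
An added example (not part of the original posts): a small Python check for how a site answers plain-HTTP requests. It separates the 403 that Require SSL produces without a rewrite rule from a working redirect, and reports whether the redirect is permanent (301, `redirectType="Permanent"` as in the first post) or temporary (302, `redirectType="Found"` as in the rule above). The function names and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301: "permanent", 308: "permanent",
             302: "temporary", 303: "temporary", 307: "temporary"}

def classify(request_url, status, location=None):
    """Judge the response a server gave to a plain-HTTP request."""
    req = urlsplit(request_url)
    if status == 403:
        # The case in the thread: Require SSL is on, no redirect rule exists.
        return "blocked: 403, no redirect to HTTPS"
    if status not in REDIRECTS:
        return f"no redirect: status {status} over plain HTTP"
    loc = urlsplit(location or "")
    if loc.scheme != "https":
        return "bad redirect: target is not HTTPS"
    if loc.hostname != req.hostname:
        # The rule on this page reuses {HTTP_HOST}, so the host should not change.
        return "bad redirect: host changed"
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        return "bad redirect: path or query lost"
    return f"ok: {REDIRECTS[status]} redirect to HTTPS"

def fetch(request_url, timeout=5):
    """Send one GET over plain HTTP and return (status, Location), no follow."""
    u = urlsplit(request_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (example.com is a placeholder host).
SAMPLES = [
    ("http://example.com/about.html", 301, "https://example.com/about.html"),
    ("http://example.com/about.html", 302, "https://example.com/about.html"),
    ("http://example.com/about.html", 403, None),
    ("http://example.com/about.html", 200, None),
    ("http://example.com/a?x=1", 301, "https://example.com/"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(status, classify(url, status, location))
```

To check a live site, pass the result of `fetch("http://your-site/")` to `classify` together with the same URL.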
 
Hi Pete,

Thanks for taking the time to answer my question. I was hoping that there would be a place in Plesk that would set up the redirect directly in IIS so the redirect in the web.config wasn't needed.

Grateful for the clarification.
 
Doesn't checking "SSL Support" under "Hosting Settings" take care of it?
 
Checking SSL Support only activates the use of the selected SSL in the dropdown. Plesk wouldn't assume to forward all HTTP traffic to HTTPS as this is not always desired.
 
You're welcome.

There is probably (I haven't looked) an IIS Addon from the IIS platform installer for this but it will most likely only add a rule to the web.config file in the same way as if you did it manually. I think MS IIS is trying to make the server more flexible by use of the web.config file in the same way you would use a .htaccess file on an Apache server. Would be a nice addition to Plesk though, maybe make a post in their wishlist topic? https://talk.plesk.com/forums/plesk-suggestions-and-feedback.676/
 