SSL with Lets Encrypt, how to force SSL on entire site

[Andrew_Newth]

Hi all, I have set up my first Let's Encrypt SSL certificate on my site and can access the site via SSL. What is the best way to force the use of https? Is there a way to set this from within plesk at the moment?

I have added a redirect to my web.config and this seems to work OK but want to make sure this is the best method.

here is the rewrite i used:

<rewrite>
    <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
    <match url="(.*)"></match>
    <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true"></add>
    </conditions>
    <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}"></action>
</rule>   
    </rules>
</rewrite>

Any advice greatly appreciated.

 

[ejschenck]

Andrew,

Did you ever get an answer and does this mod work for you?

Also, how hard was it to transfer Wordpress over to HTTPS completely?

 

[Andrew_Newth]

Hi there,

I'm not using Wordpress I'm using DNN. The above rewrite in the web.config works for me although I'm not sure why I need to use it.

If I have a site with SSL enabled I go to IIS settings in Plesk and select Require SSL to force client browsers to use SSL. But when I do this non SSL connections to the site just result in a 403 Forbidden error page instead of redirecting to the SSL version.

Does anyone know why this happens and how to get around it?

 

[PeteSDG]

Hi Andrew,

The server is able to serve two flavours of your page, SSL and non-SSL. You might wish to serve some pages via SSL only and others that don't contain sensitive information via non-SSL (it's also less server intensive).

If you had mixed content you would code manually within your pages whether the page is served via SSL or not and redirect as appropriate.

If you wanted your entire site to be protected by SSL then you would need to ensure that you can redirect all visitors to https://

The rule below ensures that if someone arrives at your site by typing http://www.domain.com they are redirected to https://www.domain.com and the same applies to other pages under that domain /about.html etc

Without the rule below users are presented with the 403 (as you've discovered) because you've instructed the server to only serve secure content (https://)

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

 

[Andrew_Newth]

Hi Pete,

Thanks for taking the time to answer my question. I was hoping that there would be a place in Plesk that would set up the redirect directly in IIS so the redirect in the web.config wasn't needed.

Grateful for the clarification.

 

[Eddie Spoon]

Hi Pete,

Thanks for taking the time to answer my question. I was hoping that there would be a place in Plesk that would set up the redirect directly in IIS so the redirect in the web.config wasn't needed.

Grateful for the clarification.

Doesn't checking "SSL Support" under "Hosting Settings" take care of it?

 

[Andrew_Newth]

It doesn't seem to, at least not on my system. It just gives the 403 error for non ssl access to the site.

 

[PeteSDG]

Checking SSL Support only activates the use of the selected SSL in the dropdown. Plesk wouldn't assume to forward all HTTP traffic to HTTPS as this is not always desired.

 

[PeteSDG]

Hi Pete,

Thanks for taking the time to answer my question. I was hoping that there would be a place in Plesk that would set up the redirect directly in IIS so the redirect in the web.config wasn't needed.

Grateful for the clarification.

You're welcome.

There is probably (I haven't looked) an IIS Addon from the IIS platform installer for this but it will most likely only add a rule to the web.config file in the same way as if you did it manually. I think MS IIS is trying to make the server more flexible by use of the web.config file in the same way you would use a .htaccess file on an Apache server. Would be a nice addition to Plesk though, maybe make a post in their wishlist topic? https://talk.plesk.com/forums/plesk-suggestions-and-feedback.676/