混合 http/https 站点
到目前为止,我的 https 部署通常涉及使用 https 对整个站点进行简单锁定,并在 Web 服务器上提供 http 到 https 的重定向。
我现在计划拥有一个 ASP.NET MVC 站点(在云上),其中包含 http 和 https 页面。 因此,该站点将有 2 个概念(非物理)区域,提供安全和非安全请求。
在配置方面,我已经为 80 和 443 设置了输入端口,并且该站点接受这两个请求。
对于任何前往属于安全区域的操作的调用,有什么方法可以将协议翻转为 https? 例如,动作过滤器可以做的事情。
非常感谢。
编辑: 请注意,整个想法是为了避免在表单操作属性上使用绝对 URL,因为可移植性问题以及用户将看不到 https:// 保证视觉提示在浏览器上。
P
So far, my https deployments have commonly involved a naive lockdown of the entire site with https and provide an http-to-https redirect on the web server.
I now plan to have a single ASP.NET MVC site (on the cloud) that will contain both http and https pages. So, the site will have 2 conceptual (not physical) zones providing for both secure and non-secure requests.
Configuration-wise, I have set up input ports for both 80 and 443 and the site accepts both requests.
Is there any way I can flip protocol to https for any call that goes to an action that belongs in the secure zone? For instance, the kind of things that action filters can do.
Thanks much.
edit: Please note that the whole idea of this is to avoid using absolute urls on the form action attribute because of portability issues and because the user will not see the https:// assurance visual cues on the browser.
P
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可能想查看 Microsoft 的 MVC futures 程序集 可在此处下载.
这有一个 FilterAttribute,RequireSslFilterAttribute,允许您轻松标记控制器中需要 SSL 的 Action 方法 - 例如,
可选的重定向参数将导致请求重定向到相同的 URL,但如果需要,则通过 https 而不是 http 。
警告:正如丹尼尔指出的那样,当您点击此操作时,如果数据已发布到页面的非安全版本,则可能已经为时已晚 - 它已经可能受到损害,因此在使用此操作时仍然需要小心并确保所有敏感数据均通过 https 发送。 (我刚刚注意到你对 Daniel 的评论,你显然明白这一点,我会在这里为其他偶然发现这一点的人留下警告!)
编辑:正如 Luke 指出的,在 MVC2 中,此属性现在是核心框架的一部分,并且重命名为 [RequireHttps]
You might want to take a look at the MVC futures assembly from Microsoft available for download here.
This has a FilterAttribute, RequireSslFilterAttribute that allows you to easily tag Action methods in your controller that require SSL - e.g.
The optional redirect parameter will cause the request to be redirected to the same URL but via https instead of http if required.
WARNING: As Daniel points out though, by the time you hit this Action it may already be too late if data was posted to a non secure version of the page - it is already potentially compromised, so you still need to exercise care when using this and make sure all sensitive data is sent via https. (I just noticed your comment to Daniel, you obviously understand this, I'll leave the warning here for anyone else who stumbles upon this though!)
EDIT: As Luke points out, in MVC2 this attribute is now part of the core framework and is renamed to [RequireHttps]
简而言之,答案是否定的,一旦请求通过 http 发出,它就已经可能受到损害。 您可以要求某些调用通过 HTTPS 进行(不知道如何做到这一点,因为我有一段时间没有使用 ASP.Net),如果不这样做,则发送错误。 关键是决定您希望应用程序何时进行跳转,即在登录期间并选择 HTTPS 作为这些表单的操作。 这就是你所说的“动作过滤器”吗?
The short answer is no, once the request has come via http, it has already been potentially compromised. You can require that certain calls come via the HTTPS (not sure how to do that as I have not done ASP.Net for awhile) and send an error if they do not. The key is to decide when you want the application to make the jump, ie during login and choose the HTTPS as the action for those forms. Is that what you meant by 'action filters'?