November Happy Hour will be moved to Thursday December 5th.

How to serve EPiServer CMS over HTTPS

Vote:
 

What is the correct way to enforce EPiServer CMS to be served over HTTPS and redirect any HTTP requests to HTTPS in the latest version (9.7)?

I tried modifying uiUtil attribute in , but it didn't get me far. Also tried doing an IIS URL rewrite redirect, but it then broke down the edit mode:


    
    
      
    
    
  
#145704
Mar 10, 2016 12:25
Vote:
 

You can find documentation about SSL at the bottom

http://world.episerver.com/documentation/Items/Developers-Guide/Episerver-CMS/9/Security/Securing-edit-and-admin-user-interfaces/

and for redirect check out

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>


You can also do it for part of the site (not recommended though). Check out 

http://jondjones.com/how-to-make-your-episerver-website-run-via-https/

#145710
Edited, Mar 10, 2016 13:03
Vote:
 

Hello Daniel,

Thank you for your reply.

SSL information on the link you sent simply talks about how to create a self-signed certificate, so doesn't really relate to EPiServer or my question.

Redirect rule you have added seems even more generic than the one I had used. We only need to have EPiServer CMS served over HTTPS. Have you tested this rule on a project you worked on? Does it not break things for you in the edit mode?

#145762
Mar 11, 2016 9:31
Vote:
 

Ah! You mean only having https on ui for edit and admin? In that case I misunderstood your question. Thought you wanted it on whole site which would be recommended.

If you do want https on only edit and admin mode remember that login page is normally under /util which would be most important to protect. Haven't tried that no. Wouldn't recommend it either :)

#145765
Mar 11, 2016 9:39
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.