Configure SSL

Secure Sockets Layer (SSL) is a protocol that provides communication security over the network. SSL is useful when you have sensitive information, such as login credentials or credit card information, transferred over the network.

Install the SSL certificate on your site

If your site requires the use of an SSL certificate, you must perform the following:

  1. Obtain an SSL certificate from an issuing authority.
  2. Install the SSL certificate on your IIS.
    For more information, see How to set up SSL on IIS and How to implement SSL in IIS.
  3. Configure the http and https bindings for your site.
    In the IIS Manager, select your site and in the right pane, click Bindings.

    PREREQUISITES: Sitefinity CMS requires that you set up the http binding on port 80 and the https binding on port 443.

After you have set up and tested the certificate, you can configure any page, backend or frontend, to require SSL. We recommend that you require SSL on all frontend and backend login pages, where login credentials are transferred over the network.

Enforce SSL for the entire website

Serving the entire website content under the https:// protocol is the most common scenario when configuring SSL for Sitefinity CMS. It is not only the industry-recommended way to serve content more securely over the Internet, but can also be a required step if your website needs to pass HIPAA, PCI and other compliance checks. Sitefinity CMS enables you to enforce https:// for all website traffic from a central place: the RequireHttpsForAllRequests setting. To enable RequireHttpsForAllRequests, follow these steps:

  1. Click Administration » Settings » Advanced.
  2. In the treeview, click Security.
  3. Select the RequireHttpsForAllRequests checkbox in the right-hand side of the configuration screen.
  4. Click Save changes.

As a result, the entire website (both frontend and backend) is served under https://. Even if somebody explicitly requests a resource under http://, the request is redirected internally and served under https://.

IMPORTANT: Enforcing SSL for the entire website via the RequireHttpsForAllRequests setting guarantees that every resource from the site is served under https://. Once this setting is enabled, you do not need to configure anything in addition, because RequireHttpsForAllRequests is the central mechanism for enforcing SSL and overrides all other settings. If, however, you want to serve only specific areas of your website under https:// while the rest remains under http://, you need to disable RequireHttpsForAllRequests and follow the instructions in the following paragraphs, which describe partial SSL scenarios.

Configure the backend login page to require SSL

If your requirement is to have just the backend login page served under https://, while the rest of the site remains under http://, Sitefinity CMS enables you to specify that level of granularity. For this scenario, you must enable SSL only for the Authentication module via the Require Https setting. To achieve this, perform the following steps:

  1. Navigate to Administration » Settings » Advanced » Authentication.
  2. Select the Require Https checkbox.
  3. Save the changes and restart the application.

NOTE: The Require Https property enforces https:// only for the backend login page.

Configure only selected pages to require SSL

Some scenarios may require you to configure only selected pages to be served under the https:// protocol, while the rest to continue to be served under the http:// protocol.

Every page created in Sitefinity CMS can be configured to be served explicitly under the https:// protocol. This behavior is controlled by the Require SSL property, available in the page's Advanced options. It is disabled by default. To enable it, perform the following steps:

  1. For each page that you want to require SSL, perform the following:
    1. On the Pages page, click the Actions link of the page that you want to require SSL.
    2. In the dropdown menu, click Titles & Properties.
    3. Expand Advanced options and select the Require SSL checkbox.
    4. Click Save changes.

In the scenario where you configure only certain frontend pages to Require SSL, and you have other frontend pages that are to be served under the http:// protocol only, you need to configure Sitefinity CMS to allow the transition between the two protocols. To let frontend pages that have not been explicitly configured to Require SSL be served under http:// only, perform the following steps:

  1. Click Administration » Settings » Advanced.
  2. In the treeview, click System » Site URL Settings.
  3. Select the Remove ssl when the page does not require it checkbox.
  4. Click Save changes.

Configure all frontend pages to require SSL

In case you want to enable SSL for the website frontend only, and keep the rest of the site served under http://, you must set the Require SSL property to true for all frontend pages. To automate the task, you can execute the following code:

Additionally, you must disable the Remove ssl when the page does not require it setting, to ensure that Sitefinity CMS does not serve pages under http:// when they have not been explicitly configured to Require SSL. This way you can enforce the https:// protocol for the whole site frontend. For example, if the Remove ssl when the page does not require it setting is disabled, even if someone adds a new page and forgets to enable Require SSL, the new page is still served under https:// as long as users navigate to it from an https:// page. To configure this behavior, perform the following:

  1. Click Administration » Settings » Advanced.
  2. In the treeview, click System » Site URL Settings.
  3. Deselect the Remove ssl when the page does not require it checkbox.
  4. Click Save changes.
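As an added illustration (not Sitefinity's own code), the following Python model shows how the three settings described in the sections above combine: RequireHttpsForAllRequests, a page's Require SSL property, and Remove ssl when the page does not require it. The class and function names are assumptions made for the model; the decision order follows the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SslSettings:
    # Administration » Settings » Advanced » Security
    require_https_for_all_requests: bool
    # Administration » Settings » Advanced » System » Site URL Settings
    remove_ssl_when_not_required: bool


@dataclass
class Page:
    name: str
    require_ssl: bool  # Titles & Properties » Advanced options » Require SSL


def resolve_scheme(settings: SslSettings, page: Page, request_scheme: str) -> str:
    """Scheme the page should be served under, given how the request arrived."""
    if settings.require_https_for_all_requests:
        return "https"          # central switch, overrides every other setting
    if page.require_ssl:
        return "https"          # the page explicitly requires SSL
    if settings.remove_ssl_when_not_required:
        return "http"           # transition back to http is allowed
    return request_scheme       # keep the scheme the visitor arrived with


def redirect_target(settings: SslSettings, page: Page,
                    request_scheme: str, host: str, path: str) -> Optional[str]:
    """Full URL to redirect to, or None when the request already uses the right scheme."""
    target = resolve_scheme(settings, page, request_scheme)
    if target == request_scheme:
        return None
    return f"{target}://{host}{path}"


if __name__ == "__main__":
    # Constructed sample: a new page whose author forgot Require SSL, reached from an https page
    settings = SslSettings(require_https_for_all_requests=False, remove_ssl_when_not_required=False)
    print(resolve_scheme(settings, Page("new-page", False), "https"))  # https
```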

Configure backend pages to require SSL

To configure only the Sitefinity CMS administrative UI (backend) pages to require SSL, perform the following:

  1. Open the IIS Manager and select your site.
  2. In the central pane, click SSL Settings.
  3. Deselect the Require SSL checkbox and select the Ignore radio button.
  4. In the right pane, click Apply.
  5. Open the web.config file.
  6. Configure the wsFederation node in the following way:
  7. Open the SecurityConfig.config file.
  8. Under <securityTokenIssuers>, insert additional https binding in the following way:

    NOTE: The key above is an example. You must add the same key that is used in the other security token issuers.

    IMPORTANT: Do not remove the existing issuer binding to http://localhost.

  9. Click Administration » Settings » Advanced » ContentView » Controls » BackendPages » Views » BackendPagesEdit » Sections » SEOSection » Fields » SEOTitle » Validation.
  10. Delete the regular expression: ^[\p{L}\-\!\(\)\=\@\d_\'\.\&\|\/\+\#\>\<]+$ and save your changes.
  11. Click Administration » Backend Pages » OK, Continue.
  12. Click the Actions link of the page that you want to secure.
  13. In the dropdown menu, click Titles & Properties.
  14. Expand Advanced options and select checkbox Require SSL.
  15. Click Save changes.
  16. Paste the regular expression from Step 10 again and save your changes.

NOTE: You might need to change the Relying Parties configuration, especially when you have Load Balancing configured, so that users avoid getting a redirect loop when they try to log in to the backend. For more information, see Configure Security.

NOTE: To secure the backend login page, you must follow the instructions for configuring the backend login page to require SSL, provided earlier in this article.

Enable SSL support for Sitefinity CMS Analytics module

You can enable Secure Sockets Layer (SSL) protocol for the Analytics module in the following way:

Open the web.config file that is located in your project’s folder and perform the following:

NOTE: After you perform the procedure above, the Analytics module will not function on ASP.NET Development Servers.

Configure SSL offloading

PREREQUISITES: SSL offloading moves the encryption and decryption of SSL requests to a separate device. Therefore, you must have an additional SSL offloading device that is specifically designed to perform SSL acceleration and termination.

SSL offloading moves SSL encryption and decryption away from busy web servers to specialized devices that are better equipped to handle CPU-intensive SSL calculations. This allows the web servers to dedicate CPU resources to other application processing tasks, which can improve performance.

We recommend using SSL offloading only when you have a large volume of HTTPS requests. If your servers are not busy, there is no point in offloading.

NOTE: If you are using Network Load Balancing, the load balancer can perform this function. For more information, see Load balancing.

The following chart illustrates a setup with an SSL offloader:

[Figure: setup with an SSL offloader between the clients and the web server]

Configure Sitefinity CMS to know that SSL requests will be offloaded:

  1. Navigate to Administration » Settings » Advanced » System » SSL Offloading.
  2. Select EnableSslOffloading.
  3. In HttpHeaderFieldName, enter the same HTTP header field name, as the one used by your SSL offloading device.
    The reverse proxy (load balancer) communicates with a web server using only unencrypted HTTP. Therefore, even if the request to the reverse proxy is encrypted HTTPS, you must specify the header field name, sent in the unencrypted HTTP request, that identifies the originating protocol of the request.
    The default value is X-Forwarded-Proto, which is the header most commonly used by SSL offloading devices.
  4. In HttpHeaderFieldValue, leave the default value of https.
    This header value indicates that the traffic from the client to the reverse proxy is encrypted. If the header or this value is absent, the request is treated as if the traffic from the client to the reverse proxy is not encrypted.
  5. Save your changes.

IMPORTANT: Your SSL offloading device must be configured with the same HTTP header field name and HTTP value as the ones that you have entered in Sitefinity CMS. When the traffic between the client and the reverse proxy must be encrypted, the SSL offloading device must remove or replace any headers with the above field name before forwarding the request. Otherwise, a client can forge the header field name and value to misrepresent whether its traffic was encrypted.
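The following Python model is an added example, not Sitefinity's code or the offloading device's code. It shows what the web server concludes from the HttpHeaderFieldName/HttpHeaderFieldValue pair described above, and why the offloading device must replace any client-supplied copy of that header before forwarding; the function names and the two device behaviors are constructed for the illustration.

```python
from typing import Callable, Dict

# Constructed model: the values below mirror the defaults of the
# HttpHeaderFieldName and HttpHeaderFieldValue settings described above.
HTTP_HEADER_FIELD_NAME = "X-Forwarded-Proto"
HTTP_HEADER_FIELD_VALUE = "https"
Headers = Dict[str, str]


def _norm(headers: Headers) -> Headers:
    """Header names are case-insensitive, so compare on lower-case keys."""
    return {k.lower(): v for k, v in headers.items()}


def request_is_secure(headers: Headers, tls_on_this_hop: bool,
                      enable_ssl_offloading: bool) -> bool:
    """What the web server concludes about the original client connection."""
    if tls_on_this_hop:
        return True                  # IIS terminated TLS itself
    if not enable_ssl_offloading:
        return False                 # plain HTTP; the header is ignored
    value = _norm(headers).get(HTTP_HEADER_FIELD_NAME.lower(), "")
    return value.lower() == HTTP_HEADER_FIELD_VALUE


def offloader_forward(client_headers: Headers, client_used_tls: bool) -> Headers:
    """Correctly configured device: drop any client-supplied copy of the field,
    then set it from what the device itself observed on the client connection."""
    forwarded = {k: v for k, v in _norm(client_headers).items()
                 if k != HTTP_HEADER_FIELD_NAME.lower()}
    forwarded[HTTP_HEADER_FIELD_NAME.lower()] = "https" if client_used_tls else "http"
    return forwarded


def leaky_forward(client_headers: Headers, client_used_tls: bool) -> Headers:
    """Misconfigured device: sets the field only when it is absent, so a
    client-supplied value survives the hop."""
    forwarded = _norm(client_headers)
    forwarded.setdefault(HTTP_HEADER_FIELD_NAME.lower(),
                         "https" if client_used_tls else "http")
    return forwarded


def backend_view(forwarder: Callable[[Headers, bool], Headers],
                 client_headers: Headers, client_used_tls: bool) -> bool:
    """Send one request through the device and report what the web server sees.
    The hop from the device to the web server is always plain HTTP."""
    return request_is_secure(forwarder(client_headers, client_used_tls),
                             tls_on_this_hop=False, enable_ssl_offloading=True)
```

Running a plain-HTTP request that carries a forged X-Forwarded-Proto: https header through both device models shows the difference: the replacing device yields a non-secure request, the leaky one lets the server believe the connection was encrypted.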
