Question
I'm using MVC5 on some IIS servers on Amazon EC2, behind an Amazon Elastic Load Balancer. The IIS servers run only the HTTP protocol, and the ELB converts to HTTPS.
The IIS server doesn't know if the user is accessing through HTTPS, so I have a rewrite rule checking the "X-Forwarded-Proto" header to redirect the user to HTTPS.
Unfortunately, when a login is required, MVC/IIS redirects the user to a logon page in HTTP.
If I check my website in a tool like http://www.redirect-checker.org/ I get this type of result:
http://example.com/
301 Moved Permanently (my URL rewrite rule)
https://example.com/
302 Found (Login-required redirect -> why to HTTP?)
http://example.com/Account/Logon?ReturnUrl=%2F
301 Moved Permanently (again my URL rewrite rule)
https://example.com/Account/Logon?ReturnUrl=%2F
200 OK
Am I missing something?
Can I configure login-redirect to keep protocol, eliminating one of these redirects?
Better yet, can I somehow precede login-redirect rule and make it force HTTPS, in order to have only one redirect?
Thanks a lot!
Appendix: I checked that commands like "RedirectToAction" send address like "/Index2", not the whole "http://example.com/Index2". This is fine, so it keeps the user protocol.
Answer 1:
Assuming you're using ASP.NET forms authentication, have a look in your web.config for your Authentication configuration and add requireSSL="true" to the <forms> element, as below:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" requireSSL="true" />
</authentication>
Source: https://stackoverflow.com/questions/42305843/mvc-https-redirection-when-behind-a-load-balancer
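To check whether a configuration change actually removes the HTTPS-to-HTTP hop on the login redirect, the redirect chain can be audited mechanically. This is an added example, not part of the original question or answer: `parse_report`, `fetch_chain` and `audit_chain` are hypothetical helper names, and the sample chain is constructed from the output shown in the question.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Constructed sample: the chain reported in the question (URL line, status line).
SAMPLE_REPORT = """\
http://example.com/
301 Moved Permanently
https://example.com/
302 Found
http://example.com/Account/Logon?ReturnUrl=%2F
301 Moved Permanently
https://example.com/Account/Logon?ReturnUrl=%2F
200 OK
"""

def parse_report(text):
    """Turn alternating URL / status lines into [(url, status), ...]."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [(url, int(status.split()[0])) for url, status in zip(lines[::2], lines[1::2])]

def fetch_chain(url, max_hops=10):
    """Follow redirects by hand (needs network); same shape as parse_report."""
    chain = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.netloc, timeout=10)
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        location = resp.getheader("Location")
        chain.append((url, resp.status))
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # a relative Location keeps the current scheme
    return chain

def audit_chain(chain):
    """Flag every hop where an https:// URL redirects to an http:// URL."""
    downgrades = [(status, src, dst)
                  for (src, status), (dst, _) in zip(chain, chain[1:])
                  if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"]
    return {"redirects": sum(1 for _, s in chain if 300 <= s < 400),
            "downgrades": downgrades,
            "final_https": urlsplit(chain[-1][0]).scheme == "https"}

if __name__ == "__main__":
    print(audit_chain(parse_report(SAMPLE_REPORT)))
```

A non-empty `downgrades` list means the browser is sent to a plain-HTTP URL after it had already reached HTTPS, which is the 302 hop the question asks about.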