Configure SSL

Secure Sockets Layer (SSL) is a protocol that provides communication security over the network. SSL is useful when you have sensitive information, such as login credentials or credit card information, transferred over the network.

If your site requires the use of SSL certificate, you must perform the following:

1. Obtain an SSL certificate from an issuing authority.
2. Install the SSL certificate on your IIS.
   For more information, see How to set up SSL on IIS and How to implement SSL in IIS.
3. Configure the http and https bindings for your site.
   In the IIS Manager, select your site and in the right pane, click Bindings…

   PREREQUISITES: Sitefinity CMS requires that you setup the http binding on port 80 and the https binding on port 443.

After you have setup and tested the certificate, you can configure any page – backend or frontend, to require the SSL certificate. We recommend that you require SSL on all frontend and backend login pages, where login credentials are transferred over the network.

Serving the entire website content under the https:// protocol is the most common scenario when configuring SSL for Sitefinity CMS. It is not only the industry-recommended way to go in order to serve content more securely over the Internet, but can also be a required step if your website needs to pass HIPPA, PCI and other compliance checks. Sitefinity CMS enables you to enforce the entire website traffic to be under https:// from a central place - the RequireHttpsForAllRequests setting. To enable RequireHttpsForAllRequests follow these steps:

1. Click Administration » Settings » Advanced.
2. In the treeview, click Security.
3. Select the RequireHttpsForAllRequests checkbox in the right-hand side of the configuration screen.
4. Click Save changes.

As a result the entire website (both frontend and backend) is served under https://. Even if somebody request a resource under http:// explicitly, it will be redirected internally and served under https://.

IMPORTANT: Enforcing SSL for the entire website via the RequireHttpsForAllRequests setting guarantees that any resource form the site is served under https://. Once this setting is enabled, you don't need to configure anything in addition, as the RequireHttpsForAllRequests is the central mechanism for enforcing SSL and overrides all other settings. If, however you want to serve only specific areas of your website under https:// while the rest remains under http://, you need to disable RequireHttpsForAllRequests and follow the instructions in the following paragraphs that describe enforcing partial SSL scenarios.

If your requirement is to have just the backend login page served under https://, while the rest of the site remains under http://, Sitefinity CMS enables you to specify that level of granularity. For this scenario, you must enable SSL only for the Authentication module via the Require Https setting. To achieve this, perform the following steps:

1. Navigate to Administration » Settings » Advanced » Authentication
2. Click on the Require Https checkbox.
3. Save the changes and restart the application

NOTE: The Require Https property enforces only the backend login page to be served under https://.

Some scenarios may require you to configure only selected pages to be served under the https:// protocol, while the rest to continue to be served under the http:// protocol.

Every page created in Sitefinity CMS can be configured to be served explicitly under https:// protocol. This behavior is controlled by the Require SSL property available in the page Advanced options. It is disabled by default. To enable it, perform the following steps:

1. For all the pages that you want to require SSL, perform the following:
   1. On Pages page, click the Actions link of the page that you want to require SSL.
   2. In the dropdown menu, click Titles & Properties.
   3. Expand Advanced options and select checkbox Require SSL.
   4. Click Save changes.

In the scenario where you configure only certain frontend pages to Require SSL, and you have some frontend pages that will be served under http:// protocol only, you need to configure Sitefinity CMS to allow for the transition between the two protocols. To enable frontend pages, that have not been explicitly configured to Require SSL, to be served under http:// only, perform the following steps:

1. Click Administration » Settings » Advanced.
2. In the treeview, click System » Site URL Settings.
3. Select Remove ssl when the page does not require it checkbox.
4. Click Save changes.

In case you want to enable SSL for the website frontend only, and keep the rest of the site served under http://, you must set the Require SSL property to true for all frontend pages. To automate the task you can execute the following code:

Additionally you must disable the Remove ssl when the page does not require it setting, to ensure that Sitefinity CMS will not allow serving pages under http://, when they have not been explicitly configured to Require SSL. This way you can enforce https:// protocol for the whole site frontend. For example, if Remove ssl when the page does not require it setting is disabled, even if someone adds a new page and forgets to enable RequireSSL, as long as users are navigating to that new page from an https:// page, the new page will get served under https://. To configure this behavior, perform the following:

1. Click Administration » Settings » Advanced.
2. In the treeview, click System » Site URL Settings.
3. Deselect Remove ssl when the page does not require it checkbox.
4. Click Save changes.

1. Open the IIS Manager and select your site.
2. In the central pane, click SSL Settings.
3. Deselect Require SSL checkbox and select Ignore radio button.
4. In the right pane, click Apply.
5. Open the web.config file.
6. Configure the wsFederation node in the following way:
   
7. Open the SecurityConfig.config file.
8. Under <securityTokenIssuers>, insert additional https binding in the following way:
   

   NOTE: The key above is an example. You must add the same key that is used in the other security token issuers.

   IMPORTANT: Do not remove the existing issuer binding to http://localhost

9. Click Administration » Settings » Advanced » ContentView » Controls » BackendPages » Views » BackendPagesEdit » Sections » SEOSection » Fields » SEOTitle » Validation.
10. Delete the regular expression: ^[\p{L}\-\!\(\)\=\@\d_\'\.\&\|\/\+\#\>\<]+$ and save your changes.
11. Click Administration » Backend Pages » OK, Continue.
12. Click the Actions link of the page that you want to secure.
13. In the dropdown menu, click Titles & Properties.
14. Expand Advanced options and select checkbox Require SSL.
15. Click Save changes.
16. Paste again the regular expression from Step 10 and save your changes.

NOTE: You might need to change the Relying Parties configuration, especially when you have Load Balancing configured, so that users avoid getting a Redirect Loop when they try to login to the backend. For more information, see Configure Security.

NOTE: To secure the backend login page you must follow the instruction for configuring the backend login page to require SSL, provided earlier in this article.

SSL offloading moves SSL encoding and decoding functions away from busy webservers to specialized devices that are better equipped to handle CPU-intensive SSL calculations. 
This allows the webservers to dedicate important CPU resources to other application processing tasks, which can improve performance. 

NOTE: If you are using Network Load Balancing, the load balancer can perform this function. For more information, see Load balancing.

The following chart illustrates a setup with an SSL offloader:

Configure Sitefinity CMS to know that SSL requests will be offloaded:

1. Navigate to Administration » Settings » Advanced » System » SSL Offloading.
2. Select EnableSslOffloading.
3. In HttpHeaderFieldName, enter the same HTTP header field name, as the one used by your SSL offloading device.
   The reverse proxy (load balancer) communicates with a webserver using only unencrypted  HTTP. Therefore, even if the request to the reverse proxy is encrypted HTTPS, you must specify the unencrypted HTTP header field name that will identify the originating protocol of the HTTP request.
   The default value is X-Forwarded-Proto, which is the most commonly used by SSL offloading devices.
4. In HttpHeaderFieldValue, leave the default value of https
   The HTTPS header value indicates that the traffic from the client to the reverse proxy is encrypted. If you do not set this value or the abovementioned header, it will indicate that traffic from the client to the reverse proxy is not encrypted.
5. Save your changes.

IMPORTANT: Your SSL offloading device must be set with the same HTTP header field name and HTTP value as the ones that you have entered in Sitefinity CMS. When the traffic must be encrypted between the reverse proxy and the client, before rerouting, the SSL offloading device must remove or replace any headers with above field name. Otherwise, a client can imitate the header field name and value with the malicious intent to present encrypted traffic as nonencrypted.