We have a ColdFusion developer who claims that solely by adding a few lines of code in the Application.cfm file of an application that he wants to be encrypted that he can force the IIS Web server to encrypt all communications involving that application. So for example, let's assume this developer's ColdFusion application resides at www.ThisIsIt.com/xyz/. He includes a conditional statement in his Application.cfm file (see below) to force a Web browser to preface the URL to his application with https.
<CFIF not cgi.server_port_secure>
<CFLOCATION URL="https://#cgi.server_name##cgi.script_name#" ADDTOKEN="no"/>
</CFIF>
Meanwhile within Internet Information Services (IIS) Manager, the xyz directory is NOT set to require SSL. If you visit https://www.ThisIsIt.com/xyz/, it will in fact be prefaced by https, but how can the content of his application as well as the communication between server and client Web browser be encrypted if the IIS Web server is not instructed/configured to encrypt the xyz directory, and why does the Web browser indicate an encrypted communication? Is this a mere trick or a legitimate means to encrypt a ColdFusion application?
答案 0 :(得分:2)
基于应用程序的规则通过检测未使用SSL并将用户重定向到安全HTTPS域来工作。需要配置有效的SSL证书,否则将显示安全消息。
此方法仅强制对ColdFusion脚本进行HTTPS访问。静态,非CFML文件,如CSS,JS,PDF(不关心application.cfm脚本的存在)可以直接访问,无需任何HTTPS重定向。
使用IIS为所有Web请求“强制”使用SSL的最佳方法是使用web.config规则。