Working with SSL at Development Time Is Easier with IIS Express

One of the demos in my Mix 11 talk "An Overview of the MS Web Stack of Love" was showing how IIS Express and Visual Studio SP1 (as well as WebMatrix) can make working with SSL (Secure Sockets Layer) a heck of a lot easier.

If you've used Cassini before (that's the little built-in Visual Web Developer Server) you've likely noticed that it doesn't support SSL. This makes working with real-world sites a little challenging. If you want your Login pages and Account Management pages to use secure sockets, you'd typically have to do all your work with the full version of IIS, either installed on your own machine or using a shared server.

Here's a few ways to enable SSL. The first is new in Visual Studio 2010 SP1 and will allow you to use SSL on localhost over ports 44300 and higher. This means you'll be able to test and develop how your site will work over SSL, but not over port 443 proper. I'll show you that in the final step.

If you watch the Mix video, you'll see towards the end where Damian Edwards educates me on this new SSL feature in VS2010SP1. I didn't know that VS2010SP1 (WebMatrix does also) installs some self-signed certificates and includes an option for turning on their use. However, as I pointed out in the video, that's only for high "strange" ports like 44300+, so my more complex example still has value if you want standard port numbers.

The Easy Way - Local SSL with IIS Express and VS2010 or WebMatrix

If you have IIS Express and VS2010SP1, you can do this now and follow along. Make a new ASP.NET Site in Visual Studio.

Right click on the Project in Solution and select Use IIS Express. You can also set IIS Express as the default from the Tools | Options | Projects and Solutions | Web Projects.

Next, click Yes, and VS will "make a new site" on IIS Express. What does that mean?

Create a new IIS Web Site?

Click yes and let's find out.

Remember that IIS Express is really IIS. It's just "local personal not-a-service" IIS. That means that IISExpress puts its config files in C:\Users\YOU\Documents\IISExpress\config rather than in some machine-wide location.

My project is called "MvcApplication18" so I can open up my ApplicationHost.config and look for "MvcApplication18." You can too. There's my site, right there, in IISExpress's applicationHost.config:

<site name="MvcApplication18" id="39">
  <application path="/" applicationPool="Clr4IntegratedAppPool">
    <virtualDirectory path="/" physicalPath="c:\users\scottha\documents\visual studio 2010\Projects\MvcApplication18\MvcApplication18" />
  </application>
  <bindings>
    <binding protocol="http" bindingInformation="*:15408:localhost" />
  </bindings>
</site>

Note the binding section. I can see that my site will show up on http://localhost:15408.

Go back to Visual Studio, click on your project and press F4 to bring up the properties dialog. You can also press Ctrl-W, then P, or select View | Property Window.

Since I'm using IIS Express and I have VS2010 SP1 installed, I have a new option, "SSL Enabled." If I click it, a new "SSL URL" shows up with a new port number chosen from that pool of ports I mentioned before.

Go back over to your ApplicationHost.config if you want to see what really happened.

<site name="MvcApplication18" id="39">
  <application path="/" applicationPool="Clr4IntegratedAppPool">
    <virtualDirectory path="/" physicalPath="c:\users\scottha\documents\visual studio 2010\Projects\MvcApplication18\MvcApplication18" />
  </application>
  <bindings>
    <binding protocol="http" bindingInformation="*:15408:localhost" />
    <binding protocol="https" bindingInformation="*:44302:localhost" />
  </bindings>
</site>

See that new binding? That was created for us when we clicked SSL Enabled = True.

Run your site. Visit it with and without SSL. Don't forget the port number! You're now running under SSL locally, but you're reminded you are a bad person because this certificate is not trusted. Still, create an app, check a box and you've got local SSL.

Ok, how can we get this running in a slightly better way? I want:

  • A friendly machine name, not localhost.
  • People to be able to talk to my instance of IIS Express from the outside.
  • Actual SSL over port 443.
  • My ASP.NET application to switch between SSL and not automatically when I'm logging in.
  • My self-signed certificate to be trusted so I don't get warnings.
  • To use PowerShell at some point for no reason at all because that's bad-ass.

Here we go.

The Hard Ninja Way - Local SSL over 443 with IIS Express and the Gracious Manatee that is The Command Line

These steps may seem a little scary, but it's useful to know that they are happening (or have happened) already to make the Easy Way work for you. I'll show you how to do it yourself, then I'll show you an undocumented way to make part of The Hard Way even easier. It's important to know what's happening though and why when you start running random commands from an Administrator Command Prompt, right?

1. Getting IIS Express to serve externally over Port 80

My machine is called HANSELMAN-W500, so I'll use that name. You could update your hosts file and use a friendly name. To start, use your computer name. If you don't know the name of your computer, you're silly. Go to the command prompt and type "HOSTNAME" to find out.

First, we need to tell HTTP.SYS at the kernel level that it's OK to let everyone talk to this URL by making an "Url Reservation." From an administrative command prompt:

netsh http add urlacl url=http://hanselman-w500:80/ user=everyone

Next, as I want to be able to talk to IIS Express from outside (folks on my network, etc., not just localhost), I need to allow IIS Express through the Windows Firewall. I can do that graphically from Windows, or type:

netsh firewall add portopening TCP 80 IISExpressWeb enable ALL

Finally, I need to make sure that my project will use Port 80. I can do that one of two ways. I can either edit the applicationHost.config manually and add the binding (my recommended way):

<site name="MvcApplication18" id="39">
  <application path="/" applicationPool="Clr4IntegratedAppPool">
    <virtualDirectory path="/" physicalPath="c:\users\scottha\documents\visual studio 2010\Projects\MvcApplication18\MvcApplication18" />
  </application>
  <bindings>
    <binding protocol="http" bindingInformation="*:15408:localhost" />
    <binding protocol="https" bindingInformation="*:44302:localhost" />
    <binding protocol="http" bindingInformation="*:80:hanselman-w500" />
  </bindings>
</site>

Or, I can do that from the command line too! Although it's a little scary. I can confirm my changes in ApplicationHost.config though if I mess up.

"c:\Program Files (x86)\IIS Express\appcmd.exe" set site /site.name:MvcApplication18 /+bindings.[protocol='http',bindingInformation='*:80:hanselman-w500']

Notice that I'm using the appcmd.exe that came with IIS Express. I don't want to mess up my actual IIS installation if I have one.

2. Making an SSL Cert, hooking it up to IIS Express and making it Trusted

Let's make an SSL certificate of our own. Note the CN=. I'm making it my Computer Name, but you could make it nerddinner.com or whatever makes you happy. It should line up with whatever name you've been using so far.

makecert -r -pe -n "CN=HANSELMAN-W500" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

Now, a tricky part. Go find this certificate in the Certificate Manager. Run MMC.exe, go File | Add/Remove Snap In, then select Certificates. Pick the Computer Account (this is why you can't just run certmgr.msc) and add it.

It'll likely be the certificate with an expiration date of 1/1/2036 under Personal Certificates. Double click on your certificate. Go to Details, and scroll down to Thumbprint. Copy that into the clipboard, as that identifies our new certificate.

Remove all the spaces from that Thumbprint hash. You can remove those spaces with Notepad if you're Phil Haack, or in PowerShell if you're awesome:

C:\>"41 d8 50 95 11 0e 1d f6 8c 89 84 97 55 25 a8 60 59 35 23 0a" -replace " "
41d85095110e1df68c8984975525a8605935230a

Take the hash and plug it in to the end of THIS command:

netsh http add sslcert ipport=0.0.0.0:443 appid={214124cd-d05b-4309-9af9-9caa44b2b74a} certhash=YOURCERTHASHHERE

The AppId doesn't really matter, it's just a GUID. This tells HTTP.SYS that we're using that certificate. Leave the Certificate Manager MMC running.
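
The MMC lookup, the space-stripping and the netsh command above can be combined in PowerShell, which also catches a mis-pasted thumbprint before it reaches HTTP.SYS. This is an added example, not code from the original post; ConvertTo-CertHash and Get-SslCertCommand are hypothetical helper names, and the subject, thumbprint and appid are the ones shown on this page.

```powershell
# Added example (not from the original post). ConvertTo-CertHash and
# Get-SslCertCommand are hypothetical helper names.

function ConvertTo-CertHash {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Drop spaces and any other non-hex character (text copied from the
    # certificate dialog can carry invisible characters), then validate.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($hash.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($hash.Length)."
    }
    $hash
}

function Get-SslCertCommand {
    param(
        [Parameter(Mandatory)][string]$Subject,   # e.g. 'CN=HANSELMAN-W500'
        [string]$IpPort = '0.0.0.0:443',
        [string]$AppId  = '{214124cd-d05b-4309-9af9-9caa44b2b74a}'  # GUID from this page
    )
    # Cert:\LocalMachine\My is the Computer Account's Personal store, where
    # "makecert -ss my -sr localMachine" put the certificate.
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.Subject -eq $Subject })
    if ($found.Count -ne 1) {
        throw "Found $($found.Count) certificates with subject '$Subject'; expected 1."
    }
    $hash = ConvertTo-CertHash $found[0].Thumbprint
    "netsh http add sslcert ipport=$IpPort appid=$AppId certhash=$hash"
}

# The thumbprint from this page, as pasted from the Details tab:
ConvertTo-CertHash '41 d8 50 95 11 0e 1d f6 8c 89 84 97 55 25 a8 60 59 35 23 0a'

# On the machine that holds the certificate:
# Get-SslCertCommand -Subject 'CN=HANSELMAN-W500'
```

Get-SslCertCommand only prints the command; run the printed line from an elevated command prompt as in the step above.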

Now, tell HTTP.SYS that we're cool with port 443 also (we told it that 80 was cool a minute ago, remember?):

netsh http add urlacl url=https://hanselman-w500:443/ user=Everyone

Return to your applicationHost.config and add the 443 binding for your site:

<site name="MvcApplication18" id="39">
  <application path="/" applicationPool="Clr4IntegratedAppPool">
    <virtualDirectory path="/" physicalPath="c:\users\scottha\documents\visual studio 2010\Projects\MvcApplication18\MvcApplication18" />
  </application>
  <bindings>
    <binding protocol="http" bindingInformation="*:15408:localhost" />
    <binding protocol="https" bindingInformation="*:44302:localhost" />
    <binding protocol="http" bindingInformation="*:80:hanselman-w500" />
    <binding protocol="https" bindingInformation="*:443:hanselman-w500" />
  </bindings>
</site>

If I say "Show All Sites" from the IIS Express tray icon, I'll see my site(s) and the URLs they are bound to.
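
Once the port 80 and 443 bindings exist for the machine name, the site is no longer confined to localhost, so it is worth listing what each site is bound to. As an added example (not from the original post), this PowerShell reads an applicationHost.config and reports which bindings use a non-localhost name and whether they are cleartext; Get-BindingReport is a hypothetical helper and the sample XML is constructed from the bindings shown above.

```powershell
# Added example (not from the original post). Get-BindingReport is a
# hypothetical helper; $sample is constructed from the site on this page.
function Get-BindingReport {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($site in $Config.SelectNodes('//sites/site')) {
        foreach ($b in $site.SelectNodes('bindings/binding')) {
            $info = $b.GetAttribute('bindingInformation')
            # Format is ip:port:hostname; "*" = all addresses, IPv6 is bracketed.
            if ($info -notmatch '^(?<ip>\[[^\]]*\]|[^:]*):(?<port>\d+):(?<host>.*)$') {
                Write-Warning "Unparsed binding '$info' on site $($site.GetAttribute('name'))"
                continue
            }
            $ip, $port, $hostName = $Matches.ip, [int]$Matches.port, $Matches.host
            $protocol = $b.GetAttribute('protocol')
            $local = ($hostName -eq 'localhost') -or ($ip -in '127.0.0.1', '[::1]')
            $note = 'localhost binding'
            if (-not $local) {
                $note = if ($protocol -eq 'https') { 'non-localhost, HTTPS' }
                        else { 'non-localhost, cleartext HTTP' }
            }
            [pscustomobject]@{
                Site     = $site.GetAttribute('name')
                Protocol = $protocol
                Port     = $port
                HostName = $hostName
                Note     = $note
            }
        }
    }
}

$sample = @'
<configuration><system.applicationHost><sites>
  <site name="MvcApplication18" id="39">
    <bindings>
      <binding protocol="http" bindingInformation="*:15408:localhost" />
      <binding protocol="https" bindingInformation="*:44302:localhost" />
      <binding protocol="http" bindingInformation="*:80:hanselman-w500" />
      <binding protocol="https" bindingInformation="*:443:hanselman-w500" />
    </bindings>
  </site>
</sites></system.applicationHost></configuration>
'@

Get-BindingReport $sample | Format-Table -AutoSize
```

To audit the real file, pass the contents of the applicationHost.config under Documents\IISExpress\config instead of `$sample`.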

Now I can visit https://hanselman-w500, but again I get a certificate error.

Go back to the CertMgr MMC, and drag your self-signed SSL Certificate from Personal into Trusted Root Certificates.

Suddenly my local SSL site is legit! Very cool.

3. Getting ASP.NET to force SSL with an URL Rewrite Rule

One of the things Cassini (Visual Studio Web Developer Server) can't do is UrlRewriting. I want my app to force SSL when I hit /account/logon or /account/register. I'll add this to the first node of system.webServer in my app's web.config:

<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="^account/logon$|^account/register$" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>

I could also use the RequireHttps attribute on my controllers if I like.

Appendix Z: A totally undocumented way to make part of this easier that you use at your own risk

There's a command line helper deep inside of the IIS Express directory that I never mentioned to you. We never spoke! I don't know you. Who is this? Stop calling! ;)

C:\Program Files (x86)\IIS Express>IisExpressAdminCmd.exe
Usage: iisexpressadmincmd.exe <command> <parameters>
Supported commands:
setupFriendlyHostnameUrl -url:<url>
deleteFriendlyHostnameUrl -url:<url>
setupUrl -url:<url>
deleteUrl -url:<url>
setupSslUrl -url:<url> -CertHash:<value>
setupSslUrl -url:<url> -UseSelfSigned
deleteSslUrl -url:<url>

Examples:
1) Configure "http.sys" and "hosts" file for friendly hostname "contoso":
iisexpressadmincmd setupFriendlyHostnameUrl -url:http://contoso:80/
2) Remove "http.sys" configuration and "hosts" file entry for the friendly
hostname "contoso":
iisexpressadmincmd deleteFriendlyHostnameUrl -url:http://contoso:80/

From the command line with this utility, I can quickly set up my hosts file and my HTTP.SYS Url ACLs with one command:

C:\Program Files (x86)\IIS Express>IisExpressAdminCmd.exe setupFriendlyHostnameU
rl -url:http://daddyisawesome:80/
Command 'setupFriendlyHostnameUrl' completed.

And remove them:

C:\Program Files (x86)\IIS Express>IisExpressAdminCmd.exe deleteFriendlyHostname
Url -url:http://daddyisawesome:80/
Command 'deleteFriendlyHostnameUrl' completed.

At this point you just need to update the IISExpress applicationHost.config with the correct binding. You can also use IISExpressAdminCmd setupSslUrl with SSL ports that are already reserved. However, I really think The Hard Way is best because you can really see what's going on, and you have more control.

Make It Stop!

How do I undo it all? Delete the Certificate in CertMgr, and from an Administration Console:

netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete urlacl url=http://hanselman-w500:80/
netsh http delete urlacl url=https://hanselman-w500:443/

If you have existing SSLCerts registered with HTTP.sys, then adjust these commands.

Enjoy! Thanks to CarlosAG for his help with this post.

Translated from: https://www.hanselman.com/blog/working-with-ssl-at-development-time-is-easier-with-iisexpress
