Typically running SSL on a .NET web site involves a setup procedure to create a certificate request on IIS, then using this to purchase a secure certificate from a trusted authority, then installing this on IIS. It also requires a unique IP address, which further adds to the cost and complexity of setting it up on a server with multiple web sites.

Furthermore, most basic secure certificates only cover the www and root domain, not other subdomains. A so-called 'wildcard' cert which supports all subdomains too can be purchased, but it's generally around 5-10 times the price.

Nowadays, Google and others are encouraging sites wherever possible to use SSL, and Google claims to boost secure sites in results.

Fortunately there is now another option for SSL. Cloudflare.com provides a free SSL service which can be used if you change your DNS to Cloudflare.

However, Kartris needs some coding to support this. Previously, when set to use SSL, Kartris would check pages to see if they were secure using Current.Request.IsSecureConnection(). Unfortunately if you just turn on Cloudflare SSL without the updates to Kartris, it will go into a loop, because this code will return FALSE (as the site itself on IIS is running with http, not https).

Therefore, Kartris introduced a new 'e' setting for external SSL. In this case, it will format URLs where appropriate with https, but not do any checks to see if a page is secure.

If you want to force http to redirect to https, you can use the Page Rules feature within Cloudflare to do this. One thing to consider is your payment gateway callbacks. You might find that the https redirect rules interfer with these so possibly at rule number one, you may want to exclude the callback from the Cloudflare cache, so it continues to work exactly as before. Then you can put some redirection rules after that - the free Cloudflare offering allows up to three page rules, which should be enough to handle most things.

Cloudflare page rules screenshot
Powered by tomeCMS