What is the difference between forcing SSL and only defining HTTPS bindings?

The Octopus Manager mentions “Force SSL: No”, which I am guessing corresponds to the “Octopus.WebPortal.ForceSsl” setting I found in the OctopusServer.config file. What is not clear to me is what is the difference between enabling this setting and simply not creating any HTTP bindings? We would like to ensure that the dashboard is only accessible over a secure connection.

Hi Daniel,

Thanks for getting in touch.

When you say “not creating any HTTP bindings”, do you mean IIS bindings?
The Octopus server doesn’t use IIS, the Windows Service uses http.sys directly via the NancyFX framework. If ForceSsl is true and a request comes in that isn’t secure we’ll either redirect it to the https version of the URL (if it’s a GET) or throw a bad request.

Does that help?

Regards

Damian
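Added example (not part of the original thread and not Octopus code): a small check that sends a plain-HTTP GET and POST to a listener and reports whether the replies match the ForceSsl behaviour described above. The function names, the `StubPortal` stand-in server, its 302 status and the `/app` path are assumptions made so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def probe_force_ssl(host, port, path="/"):
    """Plain-HTTP GET should redirect to https; any other method should get 400."""
    raw = {}
    for method in ("GET", "POST"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)  # http.client never follows redirects
            resp = conn.getresponse()
            resp.read()
            raw[method] = (resp.status, resp.getheader("Location"))
        finally:
            conn.close()
    status, location = raw["GET"]
    return {
        "get_redirects_to_https": status in (301, 302, 303, 307, 308)
        and urlsplit(location or "").scheme == "https",
        "non_get_rejected": raw["POST"][0] == 400,
        "raw": raw,
    }

class StubPortal(BaseHTTPRequestHandler):
    """Constructed stand-in for the portal's HTTP listener (assumed behaviour)."""
    force_ssl = True
    log_message = lambda self, *args: None  # keep the demo quiet

    def reply(self, status, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self.reply(302, "https://localhost" + self.path) if self.force_ssl else self.reply(200)

    def do_POST(self):
        self.reply(400 if self.force_ssl else 200)

def run_against_stub(force_ssl):
    handler = type("Handler", (StubPortal,), {"force_ssl": force_ssl})
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_force_ssl("127.0.0.1", server.server_address[1], "/app")
    finally:
        server.shutdown()
        server.server_close()
```

To check a real server, call `probe_force_ssl` with the host and HTTP port of your own portal; both flags should be true when ForceSsl is on.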

I was referring to the bindings created through the Octopus Manager. Maybe you don’t call them bindings? I don’t have it in front of me right now. I think what I’ve learned from your response is that ForceSsl will do what I want…or at least not do something I don’t want.

Oh OK I understand.

Yes ForceSsl is what you want.

Regards

Damian