Block redirects from specific methods asp.net - asp.net

There is an open redirect vulnerability in one of the nuget packages we use, it allows redirects in the form of: https://example.com/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://www.google.com
The culprit here is the /find_v2/ endpoint taking the _t_redirect parameter.
Is there a way to block only redirects from the /find_v2/ endpoint? We use Find for other operations on the site, but the redirect is not one of them. So I can safely block all redirects from Find.
I have already tried several versions of the following code in my web.config:
<rewrite>
  <outboundRules>
    <rule name="Rewrite Location Header" preCondition="IsRedirection" enabled="true" stopProcessing="true">
      <match serverVariable="RESPONSE_Location" pattern="http[s]{0,1}://localhost/find_v2/(.*)" />
      <conditions>
      </conditions>
      <action type="Rewrite" value="http://{HTTP_HOST}/static/errors/GeneralError.html" />
    </rule>
    <preConditions>
      <preCondition name="IsRedirection">
        <add input="{RESPONSE_STATUS}" pattern="3\d\d" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
A few other notes:
I have successfully blocked ALL redirects from my site, but that is not a valid solution because our login page redirects back to the home page on successful login.
In the "match" node, I cannot seem to use the 'url' attribute. I'm not really sure why, but that's why I'm using the 'pattern' one.
Any help or advice would be greatly appreciated!
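As an added example (not part of the question, and not code from the package it concerns), the web.config fragment below blocks only the redirect behaviour of the /find_v2/ endpoint and leaves every other redirect on the site, including the login redirect, untouched. It works in two layers: an inbound rule refuses /find_v2/ requests that carry a _t_redirect parameter before the handler runs, and an outbound rule replaces the Location header of any 3xx that /find_v2/ still emits. The outbound rule keys on the request path ({REQUEST_URI}) rather than on the Location value, because on an open redirect the Location header holds the external destination (https://www.google.com in the example above), so a pattern looking for find_v2 in it never matches. The rule names, the 403 wording and the reuse of the error page path and the {RESPONSE_STATUS} precondition from the question are assumptions for illustration.

```xml
<!-- Added example, not the question's or the package's own config. -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- Layer 1 (inbound): refuse /find_v2/ requests that carry _t_redirect.
           Other /find_v2/ requests (search, tracking) pass through unchanged. -->
      <rule name="Deny find_v2 redirect parameter" stopProcessing="true">
        <match url="^find_v2/" ignoreCase="true" />
        <conditions>
          <!-- (^|&amp;) anchors on a parameter boundary, so a parameter such as
               x_t_redirect= is not mistaken for _t_redirect= -->
          <add input="{QUERY_STRING}" pattern="(^|&amp;)_t_redirect=" ignoreCase="true" />
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                statusDescription="Redirect parameter not permitted on this endpoint" />
      </rule>
    </rules>
    <outboundRules>
      <!-- Layer 2 (outbound): if the handler still answers a /find_v2/ request
           with a 3xx, point the Location header at a local error page instead.
           The condition is on the request path; RESPONSE_Location holds the
           external target, not the originating URL. -->
      <rule name="Neutralise find_v2 redirects" preCondition="IsRedirection" stopProcessing="true">
        <match serverVariable="RESPONSE_Location" pattern=".+" />
        <conditions>
          <add input="{REQUEST_URI}" pattern="^/find_v2/" ignoreCase="true" />
        </conditions>
        <!-- error page path taken from the question; assumed to exist on the site -->
        <action type="Rewrite" value="https://{HTTP_HOST}/static/errors/GeneralError.html" />
      </rule>
      <preConditions>
        <preCondition name="IsRedirection">
          <add input="{RESPONSE_STATUS}" pattern="^3\d\d" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>
```

The inbound rule is the one that actually closes the hole, since the request never reaches the vulnerable handler; the outbound rule is a backstop in case the parameter arrives in a form the query-string pattern does not anticipate. Both can be verified with a request to /find_v2/_click?_t_redirect=https://www.google.com (expect 403) and with a normal login (expect the usual redirect to the home page).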

Related

URL redirect not working in web.config

I've moved my blog to a different domain, and am trying to set up some redirect rules to redirect traffic. I have added the following to the system.webServer section of my web.config...
<rewrite>
  <rules>
    <rule name="URL1" stopProcessing="true">
      <match url="oldurl.aspx" ignoreCase="true" />
      <action type="Redirect" url="http://newdomain.com/newurl" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
...but it doesn't redirect.
I've tried using URLs of the following forms in the url attribute of the <action> tag, but it doesn't make any difference...
^/oldurl.aspx
/oldurl.aspx
http://olddomain.com/oldurl.aspx
Anyone any ideas what I'm doing wrong? As far as I can see, I've done the same as all the blog posts and SO answers suggest.
Not sure if it's relevant, but the old blog used dasBlog.

IIS HTTP to HTTPS relative redirect

I recently got an SSL certificate for my website and want to redirect all traffic to HTTPS. I got everything to go to https://mydomain.com, but if someone enters http://mydomain.com/anotherpage it drops the other page and just takes the user to the home page.
My rule in my web.config file looks like this:
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
I also tried https://{HTTP_HOST}{REQUEST_URI} without any success. Can anyone tell me what I need to do to make the website redirect to the proper HTTPS version of the page? I have a feeling it has something to do with the pattern, but I can't seem to figure out the syntax.
I found a way to do this, and you don't need the Rewrite module for it. The following worked for me on Windows 8 (IIS 8.5):
Remove the HTTP binding from your site (leave HTTPS in place)
Add another site
Make sure that the new site has HTTP binding
Configure HTTP Redirect as shown:
Now all HTTP requests will redirect to your HTTPS site and will preserve the rest of the URL.
Change it to:
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>
I had the same problem where the R:1 was dropping my folders.
I fixed it like this.
<rule name="http to https" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="^OFF$" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="SeeOther" />
</rule>
I can't comment yet or I'd leave this as a comment under AndyH's answer. The solution was correct, though I hit a single further snag (likely tied to the use of Adobe's Coldfusion server). I wanted to share some further research I had to do for any other unfortunate soul who may run into it.
Once set up, the redirect would always end at this url:
https://xxx.xxx.com/jakarta/isapi_redirect.dll
The fix for this was found in an Adobe thread (https://forums.adobe.com/thread/1034854): I had to change an application pool's settings as follows:
Real site (HTTPS binding only, actually contains code and virtual directories)
Application pool's Advanced Settings: Enable 32-Bit Applications : False
Http_Redirect site (HTTP binding only, is a blank shell of a folder with no directories)
Application pool's Advanced Settings: Enable 32-Bit Applications : True
EDIT: Another detail, tied to query string preservation:
Per suggestion in this post (http://www.developerfusion.com/code/4678/permanent-301-redirect-with-querystring-in-iis/)
Add $S$Q at the end of the domain and make sure the box for Redirect all requests to exact destination is checked. Then it will save the query string as well.
I believe AndyH's answer to be the easiest and best way. I have found that using the URL rewrite can also conflict with code that may redirect the user to another page. It commonly broke in our environment. But Andy's solution worked flawlessly. I also think Andy's solution will put less overhead on the server, as it doesn't need to examine every url hitting it for possible rewrite conditions.
I found a workaround:
Consider what in IIS is considered a website: simply a set of rules, the path from which to get files, and its bindings.
Furthermore, there's a function available called "HTTP Redirect" (included as standard in IIS) that redirects a host to another, keeping all subdirectories (it makes a relative path). The workaround is to leave just the binding for HTTPS (port 443) in your website, and create another with the binding on HTTP (port 80) and set for this an HTTP redirect to your URL with https://.
For example, consider a website called mytest and its urls http://www.mytest.com/ and https://www.mytest.com/.
Set for it only the binding on https://www.mytest.com/, and delete the http binding. Then create a new website with the same local path, called mytest http, with just a binding over port 80 (http://www.mytest.com/) and set for this one an HTTP Redirect to https://www.mytest.com/.
Simple and clean, and that should be as fast for the user as going directly to the https url, because it's just an internal redirect. I hope that can work for you!
You can add the URL Rewrite module to IIS (IIS 7 or higher), which allows you to create the redirect in a visual way. The module can be downloaded here.
This step-by-step tutorial worked wonders for me and explains that when using this module, all it actually does is add some code to your web.config file as such:
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
    </rule>
  </rules>
</rewrite>
I have found that the
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
syntax will only work for the website's ROOT web.config file.
If the rewrite rule is applied to a virtual web.config file, then use..
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{URL}" />
The {URL} syntax will include the initial forward slash, the virtual path, and any URL parameters.

IIS Rewrite not working (but redirection does)

I was trying to play with URL re-writing using the Rewrite Module 2.0 but I had no luck getting it to work. What I'm trying to do is re-write all calls to web app at port 80 to other applications hosted in IIS (or maybe on different servers on the network). Using the GUI provided by IIS I created the following rule:
<rewrite>
  <rules>
    <rule name="ReverseProxyInboundRule1" stopProcessing="true">
      <match url="site1/(.*)" />
      <action type="Rewrite" url="http://localhost:7001/{R:1}" />
    </rule>
  </rules>
</rewrite>
Quite simple, but unfortunately it does not work. On the other hand, when I change the action type to Redirect, it works fine.
What could be the problem?
I ran into this same issue yesterday, and it took me a long time to figure out.
The key here is that you've got an http:// prefix in your rewrite action; that makes this a special case that needs to be handled by Application Request Routing. The first step is to make sure that the Application Request Routing module is installed. You can find the module at https://www.iis.net/downloads/microsoft/application-request-routing. Once that is installed, go to your IIS web server (a level up from your web site), and open the Application Request Routing Cache feature. From the actions on the right, choose Server.Proxy.Settings, and make sure that the "Enable Proxy" checkbox is checked. This allows the URL rewrite task to be re-routed to Application Request Routing, and your reverse proxy should work for external requests.
The idea came from this excellent blog post from 2009: http://ruslany.net/2009/04/10-url-rewriting-tips-and-tricks/
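As an added example (not code from the question or from this answer), here is what the two pieces of that setup look like in configuration rather than in the GUI: the server-level ARR proxy switch, and the reverse-proxy rule with the backend address http://localhost:7001 from the question. The rule also forwards the public host name and scheme to the backend in X-Forwarded-Host / X-Forwarded-Proto headers, which is needed whenever the backend builds absolute URLs (and is what lets it emit correct redirects back through the proxy); server variables set from a rule must first be allow-listed at server level. The header names and the assumption that the backend reads them are assumptions for illustration.

```xml
<!-- Added example, not the question's or answer's own config. -->

<!-- (1) applicationHost.config, inside <system.webServer>: the configuration
     equivalent of ticking "Enable proxy" in the Application Request Routing
     Cache feature, plus the allow-list for variables a rule may set. -->
<system.webServer>
  <proxy enabled="true" preserveHostHeader="false" />
  <rewrite>
    <allowedServerVariables>
      <add name="HTTP_X_FORWARDED_HOST" />
      <add name="HTTP_X_FORWARDED_PROTO" />
    </allowedServerVariables>
  </rewrite>
</system.webServer>

<!-- (2) web.config of the front-end site on port 80. -->
<system.webServer>
  <rewrite>
    <rules>
      <rule name="ReverseProxyInboundRule1" stopProcessing="true">
        <!-- anchored and case-insensitive: "sites1/x" or "other/site1/x" do not match -->
        <match url="^site1/(.*)" ignoreCase="true" />
        <conditions>
          <!-- CACHE_URL starts with the scheme the client used, e.g. http://host:80/... -->
          <add input="{CACHE_URL}" pattern="^(https?)://" ignoreCase="true" />
        </conditions>
        <serverVariables>
          <!-- HTTP_* variables are sent to the backend as request headers -->
          <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
          <set name="HTTP_X_FORWARDED_PROTO" value="{C:1}" />
        </serverVariables>
        <!-- backend address from the question; the query string is appended by default -->
        <action type="Rewrite" url="http://localhost:7001/{R:1}" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

With the proxy section absent or disabled, the same rule behaves exactly as described in the question: an http:// target in a Rewrite action is silently ignored while a Redirect works, so checking `<proxy enabled="true" />` is the first thing to verify when a reverse-proxy rule appears to do nothing.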
Stumbled across this old post when I was trying to solve the same issue.
SOLVED!
Using Rewrite URL feature in IIS Services Manager I created a friendly URL rule.
This worked ok and when I looked at the rule in the web.config file (www root) it showed 1 rule to redirect and 1 rule to rewrite.
I edited this to suit 1 match. Then I just duplicated this code editing the product ID for each. Example below:
<rule name="RedirectUserFriendlyURL1" stopProcessing="true">
  <match url="^product\.php$" />
  <conditions>
    <add input="{REQUEST_METHOD}" pattern="^POST$" negate="true" />
    <add input="{QUERY_STRING}" pattern="^id_product=\b35\b" />
  </conditions>
  <action type="Redirect" url="990mm-bohemia-cast-iron-electric-radiator" appendQueryString="false" />
</rule>
The first rule looks for the string "product.php" in the URL and "id_product=35", it then redirects to "990mm-bohemia-cast-iron-electric-radiator" which currently does not exist. Then (see below)
<rule name="RewriteUserFriendlyURL1" stopProcessing="true">
  <match url="^\b990mm-bohemia-cast-iron-electric-radiator\b" />
  <conditions>
    <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
  </conditions>
  <action type="Rewrite" url="product.php?id_product=35" />
</rule>
This rule rewrites the "product.php?id_product=35" bit to "990mm-bohemia-cast-iron-electric-radiator", creating the new location for the redirect.
Do make sure MVC routing doesn't steal your request. To prevent that from happening, ignore the route you're trying to rewrite:
RouteTable.Routes.Ignore("blog/{*pathInfo}");
Inspired by: https://sitecore.stackexchange.com/questions/3645/how-to-setup-a-reverse-proxy-with-sitecore
Change the Rewrite URL to AbsolutePath instead of putting http://...
It should be
<action type="Rewrite" url="{R:1}" />
It worked for me, but in my case I have been rewriting to a fixed webpage.

Rewrite Subfolder to Subdomain in web.config

I'm attempting to write a rewrite rule for the following scenario.
User attempts to load this picture:
domain.com/images/folder/picture.jpg
and instead, I need it to load:
cdn.domain.com/images/folder/picture.jpg.
Here's what I have that isn't working:
<rule name="CDN rewrite for Images">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="domain.com" />
    <add input="{REQUEST_URI}" pattern="^/images/folder/(.*)$" />
  </conditions>
  <action type="Rewrite" url="cdn.domain.com/images/folder/{C:1}" />
</rule>
UPDATE: Adding additional info. Most pictures are being served up from Joomla, so while the root of the domain is something like domain.com, most images are input with a src="/images/folder/picture.jpg". Not quite sure how this is affecting the rewrite, but none of the options in cheesemacfly's answer below are working...
UPDATE2: While cheesemacfly was unable to help me in my particular circumstances, I awarded him the bounty and marked his answer as the accepted one because he went above and beyond to try to help me in chat. Hopefully his answer will help someone with rewrites on IIS.
EDIT:
To be able to rewrite (and not only redirect) urls to outside websites, you need to install the Application Request Routing module and enable the proxy mode.
To do so:
Download and install the module
Open your IIS management console (inetmgr)
Select Your server node
Double click on Application Request Routing Cache:
Click on Server Proxy Settings on the Actions pane (right of the screen)
Check the box Enable proxy and click on Apply
The second step is about setting up your rules.
If you want your rewrite to be based on the path then use the following code:
<rewrite>
  <rules>
    <rule name="Rewrite to cdn domain">
      <match url="^images/folder/(.+)$" />
      <action type="Rewrite" url="http://cdn.domain.com/images/folder/{R:1}" />
    </rule>
  </rules>
</rewrite>
Or if you keep the same folder architecture on the second website you can simplify as follows:
<rewrite>
  <rules>
    <rule name="Rewrite to cdn domain">
      <match url="^images/folder/(.+)$" />
      <action type="Rewrite" url="http://cdn.domain.com/{R:0}" />
    </rule>
  </rules>
</rewrite>
If you want to catch only the files ending with a specific extension (let's say images):
<rewrite>
  <rules>
    <rule name="Forward to cdn domain">
      <match url="^images/folder/.+\.(?:jpg|bmp|gif)$" />
      <action type="Rewrite" url="http://cdn.domain.com/{R:0}" />
    </rule>
  </rules>
</rewrite>
Please refer to: http://www.iis.net/learn/extensions/url-rewrite-module/iis-url-rewriting-and-aspnet-routing (section "Which Option Should You Use?")
TIP:
The best way to test your pattern is to use the IIS test pattern tool.
At the root of your website -> URL Rewrite -> Create a blank rule -> click on test pattern:
If you don't get the expected result, you can debug your rewrite using the Failed Request Tracing tool
NOTE: Changing the rule to be a redirect instead of a rewrite fixes the problem. Ideally you want it to be a redirect but I have spent many hours trying to get the rewrite to work, and so far no solutions yet.
<rule name="Rewrite to images.cdn.com" enabled="true" stopProcessing="true">
  <match url="images/(.+)$" ignoreCase="true" />
  <action type="Redirect" url="http://images.cdn.com/{R:1}" />
</rule>

ASP.NET / IIS7 Url Rewrite maps not working

I've followed the instructions Learn IIS's webpage for adding static redirects with a rewrite map for my asp.net application.
The following is the config:
<rule name="Redirect rule1 for Information" stopProcessing="true">
  <match url=".*" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
    <add input="{Information:{REQUEST_URI}}" pattern="(.+)" />
  </conditions>
  <action type="Rewrite" url="{C:1}" appendQueryString="true" />
</rule>
And
<rewriteMaps>
  <rewriteMap name="Information">
    <add key="/Information/CorporateSales.aspx" value="/KB/Information/CorporateSales" />
    <add key="/Information/ComputerRepair.aspx" value="/KB/Information/ComputerRepair" />
  </rewriteMap>
</rewriteMaps>
This was even originally created by the wizard in IIS's manager for using rewrite maps.
So the idea is that /Information/CorporateSales.aspx --> /KB/Information/CorporateSales with a 301 redirect (MOVED PERMANENTLY).
However, I'm just getting the original aspx page (which we're removing later) loading. I've even deleted the file in case it was defaulting to an existing resource, and with that I just get a plain 404 without the redirect.
Anyone have an idea?
Let me clarify something:
Rewrite module works, it's installed and running. My standard regex rules work nicely. But my rewrite map does not.
This article http://www.iis.net/learn/extensions/url-rewrite-module/using-rewrite-maps-in-url-rewrite-module and code below worked for me.
<rewrite>
  <rules>
    <rule name="Redirect rule1 for RedirectURLs">
      <match url=".*" />
      <conditions>
        <add input="{RedirectURLs:{REQUEST_URI}}" pattern="(.+)" />
      </conditions>
      <action type="Redirect" url="{C:1}" appendQueryString="false" />
    </rule>
  </rules>
  <rewriteMaps>
    <rewriteMap name="RedirectURLs">
      <add key="/privacy.php" value="/privacy" />
    </rewriteMap>
  </rewriteMaps>
</rewrite>
I was having a similar problem and found this question. It took me a little while, but I was able to figure out what the problem was.
My rewriteMap contained the urls "/Default2.aspx" and "/Dashboard.aspx".
When I would go to Default2.aspx, I would get a 404 rather than get redirected to Dashboard.aspx as expected.
The issue I found was that on my machine, the application was running in a subdirectory. The rewriteMap paths would only work if I used the full path (including the application folder), e.g., "/TestSite/Default2.aspx".
So I could have added duplicate entries in my rewriteMap to account for application directories on developer machines, but that seemed messy. I looked at the other rewrite rules in the application that did not have this issue and noticed that they were using the {REQUEST_FILENAME} variable rather than {REQUEST_URI}. So I switched the rule to use {REQUEST_FILENAME} and removed the first slash from the urls in my rewriteMap.
Do you have URL rewriting installed as part of IIS7/7.5? This is not installed by default. Also, make sure your app pool is set to integrated pipeline mode, not classic.
Edit
From this:
http://learn.iis.net/page.aspx/469/using-rewrite-maps-in-url-rewrite-module/
The only thing I see that you're doing differently is adding the 'stopProcessing' attribute. Have you tried removing that?
Previously I had the same problem as you described.
Could you update your code to
<match url="(.*)" />
and I hope you are aware that
<add input="{Information:{REQUEST_URI}}" pattern="(.+)" />
this condition will capture the full URL except the domain.
For example, on this url:
www.example.com/Information/CorporateSales.aspx
it will check for a matching entry of
Information/CorporateSales.aspx in the rewriteMap
and for sure it won't match this url:
www.example.com/old/Information/CorporateSales.aspx
Did you reset the app pool and the iis site ?
In some cases it can take up to 72 hours (iirc) to propagate throughout the world.