web.config rewrite not applying negate attribute - asp.net

I'm trying to configure a web config to redirect all http traffic to https. But I don't want this to apply when in the dev environment (e.g localhost). The below code I have tried but it's still re-writing to https when on localhost.
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" />
<add input="{HTTP_HOST}" matchType="Pattern" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>

Related

Redirect to different domain while preserve subdomains and query parameters and also enforce https using web.config

Using the Web.config only, I need to redirect all traffic to a new domain, yet also:
1) preserve subdomains
2) preserve query parameters
3) if "http" and not "https" change to "https" while doing the above
I can easily handle enforcing HTTPS, and I have seen many references to redirects for domains, but have not found any that preserve the subdomains while changing to the root domain.
<rewrite>
<rules>
<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
<match url="^(.*)$" />
<conditions trackAllCaptures="true">
<add input="{HTTPS}" pattern="^OFF$" />
<add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" />
<add input="{HTTP_HOST}" matchType="Pattern" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>
</rules>
</rewrite>
'The above works to change http to https, but does not help with the need to change the domain. I have also seen this below which almost works:'
<rule name="redirect" enabled="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" negate="false" pattern="^(.*)\.foo\.com" />
</conditions>
<action type="Redirect" url="https://{C:1}.bar.com/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
...but removes the subdomain:
http://x.foo.com > https://.bar.com
Examples of what it needs to do:
http://x.foo.com > https://x.bar.com
https://y.foo.com > https://y.bar.com
https://x.foo.com/blah.aspx?param=blue > https://x.bar.com/blah.aspx?param=blue
http://y.foo.com/blah.aspx?param=blue > https://y.bar.com/blah.aspx?param=blue
Okay, I have come up with the following solution that does exactly what I have needed (see above requirements). I did this by adding two independent rule blocks: one to ensure HTTPS, and the other to do a redirect to the other domain if necessary. I sense that this does double the traffic if the visit needs both 1) HTTP to HTTPS and 2) direct to the new domain (from *.foo.com > *.bar.com) but at least it works. Not sure if it could be tweaked into one rule to save hits?
<rewrite>
<rules>
<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
<match url="^(.*)$" />
<conditions trackAllCaptures="true">
<add input="{HTTPS}" pattern="^OFF$" />
<add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" />
<add input="{HTTP_HOST}" matchType="Pattern" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
</rule>
<rule name="Redirect to new domain" enabled="true">
<match url="(.*)$" />
<conditions trackAllCaptures="true">
<add input="{HTTP_HOST}" negate="false" pattern="^(.*)\.foo\.com" />
</conditions>
<action type="Redirect" url="https://{C:1}.bar.com/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>

Rewrite rule to HTTPS and WWW except when on localhost

Removed previous post due to my carelessness and posted the live domain.
I've having trouble building a functioning Web.config rule that will direct traffic from http:// to https://www and http://www to https://www and https:// to https://www EXCEPT when on localhost or 127.0.0.1 while I'm doing some development.
Web.config
<rewrite>
<rules>
<clear />
<rule name="Redirect non-www OR non-https to https://www">
<match url=".*" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="^example.com$" />
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://www.example.com/{R:0}" redirectType="Permanent"/>
</rule>
</rules>
Updated and working rule, maybe there is something wrong that someone could point out?
<rewrite>
<rules>
<clear />
<rule name="Enforce HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" />
<add input="{HTTP_HOST}" matchType="Pattern"
pattern="^localhost(:\d+)?$" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
appendQueryString="true" redirectType="Permanent" />
</rule>
<rule name="Redirect example.com to www.example.com"
enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTP_HOST}" pattern="^[^www]" />
<add input="{HTTP_HOST}" matchType="Pattern"
pattern="^localhost(:\d+)?$" negate="true" />
</conditions>
<action type="Redirect" url="https://www.example.com/{R:1}"
appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>

IIS Rewrite Rule - How to include root documents

I have a simple IIS rule to redirect HTTPS to HTTP:
<rule name="HTTPS" enabled="true" stopProcessing="true">
<match url=".*\.(asp)$" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="on" />
<add input="{REQUEST_URI}" negate="true" pattern="^/ecards/user*" ignoreCase="true" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
The matching url will only work on .asp files, but how can I also get it to work for root directories?
E.g.
example.com
example.com/
example.com/test
example.com/test/
I don't want to just have the match URL as:
<match url="(.*)" />
Because then other non .asp files get rewritten.
One way to include directories in your rule is to exclude everything else.
Assuming that everything else has a file extension (e.g. .php, .css. .js, etc.) you can negate all input that has the . in the path.
I changed your code a bit to make a working demo locally (I don't have HTTPS locally to test so instead of redirecting to HTTP I set it to redirect to About.aspx) and the two rules are:
<rule name="HTTPS" enabled="true" stopProcessing="true">
<match url=".*\.(asp)$" ignoreCase="false" />
<action type="Redirect" url="/About.aspx" appendQueryString="true" redirectType="Permanent" />
</rule>
<rule name="NEWRULE" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{REQUEST_URI}" negate="true" pattern=".*\.(.)$" ignoreCase="true" />
<add input="{REQUEST_URI}" negate="true" pattern="^/About*" ignoreCase="true" />
</conditions>
<action type="Redirect" url="/About.aspx" appendQueryString="true" redirectType="Permanent" />
</rule>
So, based on your original code sample, a new rule that will work for you would be similar to this:
<rule name="IncludeDirectories" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{REQUEST_URI}" negate="true" pattern=".*\.(.)$" ignoreCase="true" />
<add input="{HTTPS}" pattern="on" />
<add input="{REQUEST_URI}" negate="true" pattern="^/ecards/user*" ignoreCase="true" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
Note: The above approach is rather aggressive. You could replace this condition:
<add input="{REQUEST_URI}" negate="true" pattern=".*\.(.)$" ignoreCase="true" />
with the following:
<add input="{REQUEST_URI}" negate="true" pattern=".*\.(php|css|js|jpg|gif|png)$" ignoreCase="true" />
Where you exclude specific extensions. You add as many as you want.
Edit: If you want to have specific pages still with HTTPS maybe the following rule will be helpful (haven't tested it though). The previous rule sends to HTTP all URLs except those that have /ecards/user where this one sends to HTTPS those that have /ecards/user. I believe there will be no conflict.
<rule name="HTTPS2Admins" enabled="true" stopProcessing="true">
<match url="/ecards/user(.*)" />
<conditions>
<add input="{HTTP}" pattern="on" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/ecards/user{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>

How do I redirect all but a single url to https in ASP.Net?

I have the following code in my web.config:
<rewrite>
<rules>
<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
redirectType="SeeOther" />
</rule>
</rules>
</rewrite>
I would like to redirect everything EXCEPT for http://www.mysite.com/manual to https.
How would I modify the above to allow this?
It should be ok with adding the following code in your conditions tag
<add input="{REQUEST_URI}" negate="true" pattern="^/manual/*" ignoreCase="true" />

IIS url rewrite role except some urls

I got this rule in URL rewrite that rewrites every request to the site using HTTP to HTTPS
<rule name="Force HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
I need another rule or exception in this role to rewrite back or redirect specific urls to HTTP.
Is that possible?
You can add the exceptions for which you don't want to perform the redirect to HTTPS as extra conditions (not equal to that URL), like so:
<rule name="Force HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{REQUEST_URI}" negate="true" pattern="^/noredirect/forthis/page\.aspx$" ignoreCase="true" />
<add input="{REQUEST_URI}" negate="true" pattern="^/noredirect/forthis/page-as-well\.aspx$" ignoreCase="true" />
<add input="{REQUEST_URI}" negate="true" pattern="^/noredirect/forthis/page-as-well-too\.aspx$" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
Exception rule in Web.config, to not redirect the "NotSecurePage.ashx" to https:
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{REQUEST_URI}" matchType="Pattern" pattern="\bNotSecurePage.ashx\b" ignoreCase="true" negate="true" /> <!-- Crystal não suporta imagens https.. Criando exceção para imagens de barcode, utilizadas no crystal -->
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>

Resources