I have the following rewrite rule in my web.config when the production transform is applied.
<system.webServer>
<rewrite xdt:Transform="Insert">
<rules>
<rule name="Redirect-HTTP-TO-HTTPS" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" appendQueryString="true" />
</rule>
</rules>
</rewrite>
</system.webServer>
When I deploy a separate website with the staging transform to the same IIS instance, this rule doesn't get added to my web.config. Yet traffic to staging.example.com still get's caught by the rule.
It seems the production rule is still catching it?
Production url: example.com
Staging url: staging.example.com
How would I make this rule a little less greedy, so it doesn't redirect staging traffic.
You can add additional condition to your rule to ignore staging.example.com:
<rule name="Redirect-HTTP-TO-HTTPS" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" />
<add input="{HTTP_HOST}" pattern="^staging\.example\.com$" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" appendQueryString="true" />
</rule>
Keep in mind, that browsers often cache 301 redirects. After you applied this rule please clear your browser's cache or use incognito mode
Related
On IIS 10 with URL Rewrite Module 2.0 I need 2 rules
1) HTTP to HTTPS
2) WWW to non-WWW
First one created by Blank rule template.
For second one I use Canonical domain name template.
In my web.config rules likes like this:
<rewrite>
<rules>
<rule name="ForceHttps" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>
<rule name="CanonicalHostNameRule1" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_HOST}" pattern="^cooltechunder\.com$" negate="true" />
</conditions>
<action type="Redirect" url="https://cooltechunder.com/{R:1}" />
</rule>
</rules>
</rewrite>
All cases works fine expect one starting with: http://www.
See this image for results I have:
https://i.imgur.com/h2l3Yw6.png
You wrote stopProcessing="true".
This means that, if the rule matches, subsequent rules will be skipped.
From the documentation:
A rule may have the StopProcessing flag turned on. When the rule action is performed (i.e. the rule matched) and this flag is turned on, it means that no more subsequent rules will be processed and the request will be passed to the IIS request pipeline. By default, this flag is turned off.
It seems to me that this is the situation you are describing that you did not want.
So, remove it.
Ok, My problem was different and related to bindings.
I have to specify 'Host Name' in bindings, as specific ports used by other websites also
And I forgot to add 'www' versions of bindings also.
Now my bindings looks like this: https://i.imgur.com/Lhdv4nS.jpg
Also I have changed rewrite code to more compact one:
<rewrite>
<rules>
<rule name="Https and non-www">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="^OFF$" />
<add input="{HTTP_HOST}" pattern="^cooltechunder\.com$" negate="true" />
</conditions>
<action type="Redirect" url="https://cooltechunder.com/{R:1}" />
</rule>
</rules>
</rewrite>
There's lots of questions here about redirecting http to https so I figured it would be easy to reverse the process. However, everything I've tried hasn't worked.
I'm trying to combine the rule with my canonical host name rule (it's the first rule, at the top of the rewrite rules):
<rule name="CanonicalHostName" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="^ON$" />
<add input="{HTTP_HOST}" negate="true" pattern="^www\.example\.com|example-staging\.azurewebsites\.net$" />
</conditions>
<action type="Redirect" url="http://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
The site is hosted on Azure and DNS is with CloudFlare if that makes any difference, I'm sure it shouldn't.
Any ideas what I'm doing wrong / might be preventing the https to http part of the rule working? (the host name part works fine)
CloudFlare
It seems the reason you cannot redirect away from SSL is because you are using CloudFlare. CloudFlare at a minimum uses flexible SSL. This means that the end user, browser shows the SSL lock but your server doesn't need SSL. See documentation here: https://www.cloudflare.com/ssl
Without CloudFlare the following example should work.
No CloudFlare
The following rule should work. You could still add your negate in if you want.
<rule name="HTTPS to HTTP redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="http://{HTTP_HOST}/{R:1}" />
</rule>
Full rewrite section for my working demo site.
<rewrite>
<rules>
<rule name="CanonicalHostNameRule1">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^www\.ashleymedway\.com$" negate="true" />
</conditions>
<action type="Redirect" url="http://www.ashleymedway.com/{R:1}" />
</rule>
<rule name="HTTPS to HTTP redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}/{R:1}" redirectType="Found" />
</rule>
</rules>
</rewrite>
Your redirect is still http:
url="http://www.example.com/{R:1}"
You can follow these instructions: Click Here
Additional information: Here
I have 2 separate sites. One site is within a subfolder of the main site. I need to force HTTPS to both sites but keeping the query string intact as users can enter the site from internal pages.
The issue I am having is when I try to add the IIS rewrite rule for the subfolder site it redirects to the main site.
The main site rule seems to be overriding the subfolder rule.
Main site rule:
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
Subfolder rule (in its own web.config file):
<rule name="Force HTTP" enabled="true" stopProcessing="true">
<match url="(^subfoldersite/.*)" ignoreCase="true" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
I have tried without a subfolder rule but same thing happens
You may want to check out this question's answer, in case it applies to your situation:
Override an IIS rewrite rule for child site?
Too late for this answer but I hope it may help someone. I just fixed this issue for my hosting.
You may use below settings.
Main Website Rule:
<rules>
<rule name="Redirect to https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
</rule>
</rules>
Subfolder Rule:
<rules>
<clear />
</rules>
I'm working on a website that uses IIS 7's URL rewriting feature to do a permanent redirect from example.com to www.example.com, as well as rewrites from similar domain names to the "main" one, such as from www.examples.com to www.example.com.
This rewrite rule - shown below - has worked well for some time now. However, we recently added HTTPS support and noticed that if users visit one of the URLs to be rewritten to www.example.com then HTTPS is dropped. For instance, if a user visits https://example.com they get redirected to http://www.example.com, whereas we would like them to be sent to https://www.example.com.
Here is the rewrite rule of interest (in Web.config):
<rule name="Canonical Host Name" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="^example\.com$" />
<add input="{HTTP_HOST}" pattern="^(www\.)?example\.net$" />
<add input="{HTTP_HOST}" pattern="^(www\.)?example\.info$" />
<add input="{HTTP_HOST}" pattern="^(www\.)?examples\.com$" />
</conditions>
<action type="Redirect" url="http://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
As you can see, the action element's url attribute points directly to http://, so I get why https://example.com is redirected to http://www.example.com. My question is, how do I fix this? I tried (naively) to just drop the http:// part from the url attribute, but that didn't work.
Here's Scott's answer with Hasan's improvements. This should cover mixed SSL/non-SSL sites. The rule basically says "if the url does not have www.example.com", do a permanent redirect to it. Essentially... you are redirecting people who visit you without www or directly to your IP address.
<rewrite>
<rules>
<rule name="Canonical Host Name" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTP_HOST}" pattern="^www\.example\.com$" negate="true" />
</conditions>
<action type="Redirect" url="{MapSSL:{HTTPS}}www.example.com/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<rewriteMaps>
<rewriteMap name="MapSSL" defaultValue="http://">
<add key="ON" value="https://" />
<add key="OFF" value="http://" />
</rewriteMap>
</rewriteMaps>
</rewrite>
Figured out the answer with some help from my colleagues.
I needed to use multiple rules with a condition on {HTTPS}. Note the {HTTPS} condition in the rules below.
<rule name="Canonical Host Name (HTTP)" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="OFF" />
<add input="{HTTP_HOST}" pattern="^example\.com$" />
</conditions>
<action type="Redirect" url="http://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Canonical Host Name (HTTPS)" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="ON" />
<add input="{HTTP_HOST}" pattern="^example\.com$" />
</conditions>
<action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
I then repeated the rule pair above for the alternate domain names.
If you just want to redirect based on the currently used protocol (as per your last sample) then there's a much simpler solution that will halve the amount of rules you will need. The following is what I've learned from a collegue of mine.
As you've seen, the {HTTPS} argument will contain the value ON or OFF. You can map this value to https:// or http:// by feeding this value into a rewritemap.
Here's how this would work:
1- Create a rewritemap section for mapping the {HTTPS} value:
<rewriteMap name="MapProtocol" defaultValue="OFF">
<add key="ON" value="https://" />
<add key="OFF" value="http://" />
</rewriteMap>
It's up to you to decide if you want to only include the protocol, or the semicolon and forward slashes as well. It doesn't matter for the solution, but keep it in mind wherever you refer to it.
2- Refer to this map wherever you need. In this sample it's used in outbound-rules, but it'll also work in your scenario:
<rule name="Outbound-Rule Name" stopProcessing="true" preCondition="ResponseIsHtml">
<match filterByTags="A, Link, Script" pattern="YOUR PATTERN" />
<action type="Rewrite" value="{MapProtocol:{HTTPS}}{HTTP_HOST}/REST OF RELATIVE LINK HERE" />
</rule>
That's it, the URL Rewrite module should now automagically use the correct protocol for your links depending on if you're using https, or, of course, http.
Hope this helps!
Here's a cross-domain solution which works not only on example.com but also on any domain
<rewrite>
<rules>
<rule name="Canonical Host Name" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTP_HOST}" pattern="^www\.([.a-zA-Z0-9]+)$" negate="true" />
</conditions>
<action type="Redirect" url="{MapProtocol:{HTTPS}}www.{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>
</rules>
<rewriteMaps>
<rewriteMap name="MapProtocol" defaultValue="OFF">
<add key="ON" value="https://" />
<add key="OFF" value="http://" />
</rewriteMap>
</rewriteMaps>
</rewrite>
I'm trying to rewrite urls from the form:
https://example.com/about
to the form
http://example.com/about
using IIS7 URL rewriting:
<!-- http:// to https:// rule -->
<rule name="ForceHttpsBilling" stopProcessing="true">
<match url="(.*)billing/(.*)" ignoreCase="true" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="false" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>
<!-- https:// to http:// rule -->
<rule name="ForceNonHttps" stopProcessing="true">
<match url="(.*)billing/(.*)" ignoreCase="true" negate="true" />
<conditions>
<add input="{SERVER_PORT}" pattern="^443$" />
</conditions>
<action type="Redirect" redirectType="Found" url="http://{HTTP_HOST}{REQUEST_URI}" />
</rule>
I'm at a loss; I've been browsing the web for examples and trying every syntax I can think of. The rewrite rules I specify simply don't appear to work at all for any https requests, as if all the https:// requests are flat out invisible to the rewrite engine.
rules work fine; see answer below.
Turns out that I had port :443 bound to a different website!
The above rewrite rules work fine for http:// to https:// rewriting and vice-versa -- though there might be more optimal or simple ways to do it.
Leaving this question here for future voyagers to find, as I didn't see many good examples of the https:// to http:// rewriting scenario on the web.
This post is a little old, but I wanted to answer. I am using ASP.Net MVC3, and Fabio's answer above didn't work for me. The easiest solution I came up with to handle the https redirect to http, while still allowing valid https pages to request secure content was just to add Whitelist rules above my https/http redirects:
<rule name="WhiteList - content folder" stopProcessing="true">
<match url="^content/"/>
<conditions logicalGrouping="MatchAll" trackAllCaptures="false"/>
<action type="None"/>
</rule>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)billing/(.*)" ignoreCase="true" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/billing/" redirectType="SeeOther" />
</rule>
<rule name="ForceNonHttps" stopProcessing="true">
<match url="(.*)billing/(.*)" ignoreCase="true" negate="true" />
<conditions>
<add input="{SERVER_PORT}" pattern="^443$" />
</conditions>
<action type="Redirect" redirectType="Found" url="http://{HTTP_HOST}{REQUEST_URI}" />
</rule>
please first consider binding https to your website for making below redirect module to work is essential (so bind your web app with a self-signed or valid certificate)
final part in web.config to redirect https to http:
<rewrite>
<rules>
<rule name="Force NonHTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}/{REQUEST_URI}" />
</rule>
</rules>
</rewrite>
if you need the equivalent IIS GUI in rewrite module see below image
source: look tech-net for more detail and step by step guide.
Your solution work, but the problem is: your second instruction kill first instruction for any links is not (.)billing/(.), including your css, js, and images.
You can use this https to http rule:
<rule name="HTTPS to HTTP redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{RequiresSSL:{R:1}}" pattern="(.+)" negate="true" />
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
<add input="{REQUEST_URI}" pattern="^(.+)\.(?!aspx)" negate="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="http://{HTTP_HOST}/{R:1}" />
</rule>