URL Rewrite rule with HTTP headers - asp.net

I'm trying to use the URL Rewrite module of IIS to redirect my users to another application/site on the IIS server, however I need to retain the custom HTTP headers included for authentication purposes, but they seem to get lost in the rewrite. Does anyone know if, and how, the rules must be set up in order to include those HTTP headers when sending the user on his/her merry way?
This is the rule, as per today:
<rewrite>
  <rules>
    <rule name="API Redirect">
      <match url="/API/Tracker/\d{1,2}\.\d{1,2}/(.*)" />
      <action type="Rewrite" url="/Tracker/1.0/tracker.svc/{R:1}" appendQueryString="false" logRewrittenUrl="true" />
    </rule>
  </rules>
</rewrite>

I was having problems with something similar. I kept losing some Cache-Control headers that I was attempting to use.
The below was able to help me out. I'm not sure how you would go about doing this if you wanted your headers to have dynamic values, but this worked for me.
I came to this while using IIS 8.5.
Go into your site, and in IIS > HTTP Response Headers
Then add the custom header that you would want to use and the value. Again, I'm not sure how you would go about doing this if you needed the header to have a dynamic value.

Have you tried to enable querystring?
appendQueryString="true"

Just wanted to share a solution that would apply a custom HTTP header based on the current URL - not sure if this is exactly what you are looking for, but it worked for me when I wanted to add an X-Robots-Tag to all requests to our admin page.
In web.config, add this:
<location path="admin">
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Robots-Tag" />
        <add name="X-Robots-Tag" value="noindex"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>

Related

Server Header showing in IIS 10.0 even after removing Server Header from IIS

I am getting an issue: the IIS version is disclosed in the Server response header, and the status code displayed is "302". Can anyone please give me the solution for how to remove the Server header? I have created an IIS rewrite rule for removing the Server header.
Unfortunately you can't easily remove the Server header. The best way that I'm aware of is to utilize rewrite rules.
The following outbound rewrite rule (outboundRule) will remove the Server header:
<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>
As the blog mentioned, URL rewrite rules are feasible for Http.Sys error. I advise you to remove the Server header by using request filtering. In IIS 10.0 (Windows 2016 and above), we can simply remove the Server header by configuring requestFiltering in the system.webServer section.
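<system.webServer>
  <!-- The next two settings are unrelated to the Server header -->
  <modules runAllManagedModulesForAllRequests="true"/>
  <directoryBrowse enabled="true"/>
  <security>
    <!-- removeServerHeader is the setting that drops the Server header -->
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>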
This way, we don't have to apply the complex outbound rewrite rules, and it still works when the server comes by HTTP error.
Feel free to let me know if the problem still exists.

Can't Remove Server Name in Request Header in HTTP- Azure App Service

I've done the necessary web.config (found in D:\home\site\wwwroot); this also has a rewrite rule to redirect all to https.
<configuration>
  <system.web>
    <!-- <compilation debug="true" targetFramework="4.5.1" />
    <httpRuntime targetFramework="4.5.1" enableVersionHeader="false" />-->
    <httpRuntime enableVersionHeader="false" />
    <!--<customErrors mode="RemoteOnly" defaultRedirect="https://concierge.digitaldesk.accenture.com"/>-->
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true"/>
    </security>
Based on https://securityheaders.com/
Raw Headers With Redirect
Raw Header Without the redirect
It suddenly shows the server name; I need to remove it also.
Please help!!
I think your problem is related to the "HTTPS only" setting in the web app's TLS/SSL settings section in Azure Portal. If you have "HTTPS only" set to ON, the first request to HTTP (not HTTPS) doesn't hit your application code and your web.config doesn't apply. Microsoft is directly responding with 301 (+ Server header). The next request doesn't have the server name because the web.config rules are applying.
Try to disable "HTTPS only" and do the redirect with a rule in web.config or in application code. This should fix the problem.
To prove my analysis, with "HTTPS only" set to ON, search in logs for requests to http. If you have Application Insights set up, you can query the logs like this:
requests
| where url startswith "http:"
| order by timestamp desc
If my analysis is correct you will not find any request there. But if you disable "HTTPS only" then you will also see the request to http.
I can't reproduce this issue on my side. Both redirect and non-redirect requests will be removed on my side. Did you miss setting disableServerHeader for the original URL? And have you tried to clear the browser cache, because a 301 redirection can be cached?
I think you could use outbound rule instead because IIS outbound rule will remove the value of response_server header all the time.
<outboundRules>
  <rule name="Remove response">
    <match serverVariable="RESPONSE_SERVER" pattern="(.*)" />
    <action type="Rewrite" />
  </rule>
</outboundRules>

asp.net core 2 multiple web.config files (different environments)

This issue is not related to application configurations (custom), but more to do with IIS settings.
So I need the following to be in the web.config when I create a publish for my app.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <rule name="Redirect to https" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</configuration>
However, when debugging I only want the part and not the HTTP redirect (if I try to debug my app with the rewrite in the web.config, it does not start).
In previous ASP.NET, we could have multiple web.configs for debug and release, and it would transform when published.
I simply want all of the above code to be in the web.config when published, and only part to be applied in web.config when I am debugging.
This isn't a true answer to your question, but I've got what I think is a much better solution overall. For some time, I've found the fact that URL Rewrites have to go into the Web.config to be frustrating. As careful as you are, it's almost inevitable that you're going to overwrite the Web.config at some point, removing rewrites that have been added to it. This is especially the case if a developer doesn't know better and adds a rewrite directly through IIS, but never copies it over to the project's Web.config in source control (which happens more often than not).
As a result, I started creating a site in IIS just for redirects like this. It has nothing but a Web.config, and then I add the bindings that I'm redirecting from to it. For example, for a rewrite like this, you'd add the binding for the HTTP version of your domain to the redirect site and the HTTPS binding to the actual web application site. Then, you can create the rewrite rule on the redirect "site", and never ever worry about accidentally overwriting it, because you never publish anything there. This would effectively side-step your issue here, entirely.

Remove Access-Control-Allow-Origin defined in web.config with ASP.NET

We have a definition in web.config to set the Access-Control-Allow-Origin header for all requests to one predefined server, like this:
<customHeaders>
  <add name="Access-Control-Allow-Origin" value="http://constantServer.com" />
  <add name="Accept-Bytes" value="none" />
</customHeaders>
There are some cases where we need to allow access from a different server to a specific resource. We check the origin and set the Access-Control-Allow-Origin by code, like this:
Response.AddHeader("Access-Control-Allow-Origin", origin);
Response.AddHeader("Access-Control-Allow-Credentials", "true");
The problem is that the browser gets multiple values for the Access-Control and it's not allowed.
We want to remove by code the header that was defined in the web.config in cases where we need to allow it for a different origin.
I tried to remove it in the global.asax in the Application_PreSendRequestHeaders event, but I didn't find this header there (it seems that this header is being added after this event).
Thanks
See this answer for more details on IHttpModule solution on how to change a header value. It was about the Server default header added by IIS, which I believe to be the harder case to handle.
This question provides a lot of other options in its answers, including installing and using URL Rewrite (direct link to corresponding answer).
You may, for example, change your code to only add the Access-Control-Allow-Credentials, then write a URL Rewrite rule for changing Access-Control-Allow-Origin to origin.
<system.webServer>
  ...
  <rewrite>
    <outboundRules>
      <rule name="handleCredentialCors" preCondition="credential">
        <!-- Outbound rules address response headers as RESPONSE_<name>, with dashes replaced by underscores -->
        <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
        <action type="Rewrite" value="origin" />
      </rule>
      <preConditions>
        <preCondition name="credential">
          <add input="{RESPONSE_Access_Control_Allow_Credentials}" pattern="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
  ...
</system.webServer>
(Untested)
My bad, I have overlooked origin was a local variable, not a literal string.
Well, if you can infer that origin value from server variables (which in URL Rewrite include request headers), URL Rewrite may still get the job done. It is capable of extracting values and then reusing them in the rewritten value. But the rule could be a bit more complex to write.
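One way to write the more complex rule this answer describes, as an added example that is not part of the original answer: the header is rewritten to the request's Origin only when that origin matches a fixed allow-list, so an arbitrary origin is never echoed back next to Access-Control-Allow-Credentials. The two host names are placeholders, and the example assumes the application code adds only Access-Control-Allow-Credentials, as suggested above.

```xml
<!-- Added example; host names below are placeholders, not values from the thread. -->
<system.webServer>
  <rewrite>
    <outboundRules>
      <!-- Runs only for responses where the application set
           Access-Control-Allow-Credentials: true (see the preCondition). -->
      <rule name="Reflect allow-listed origin" preCondition="credential">
        <!-- Target: the Access-Control-Allow-Origin response header. -->
        <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
        <conditions>
          <!-- {HTTP_ORIGIN} is the Origin request header. The pattern is
               anchored at both ends so that look-alike hosts such as
               partner.example.com.attacker.test do not match. -->
          <add input="{HTTP_ORIGIN}"
               pattern="^https://(partner\.example\.com|reports\.example\.net)$" />
        </conditions>
        <!-- {C:0} is the full text matched by the condition above,
             i.e. the exact allow-listed origin sent by the browser. -->
        <action type="Rewrite" value="{C:0}" />
      </rule>
      <preConditions>
        <preCondition name="credential">
          <add input="{RESPONSE_Access_Control_Allow_Credentials}" pattern="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>
```

When the Origin header is missing or not on the list, the condition fails and the rule leaves the response untouched, so the browser does not receive a credentialed grant for that origin from this rule.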

Redirect non-www to www with IIS URL Rewrite generically without hardcoding domain or TLCD

I am building an ASP.NET CMS-driven web application which will serve multiple websites under different domain names. Some of these will use www sub-domain, others will use custom sub-domains. There will be a variety of top-level country domains.
I'm looking for a generic IIS URL Rewrite rule that will redirect any URL which doesn't specify a sub-domain to its www equivalent.
When I say generic it means the rule cannot hard-code either domain name or top-level country domain. So the rule must redirect
http://anything.anywhere/any-path to http://www.anything.anywhere/any-path but leave http://sub.anything.anywhere/any-path.
The closest I've found is this which still hard-codes TLCD. Without much knowledge of the syntax of URL Rewrite I'm not sure how to handle any TLCD.
Thanks in advance.
Update:
Inspired by comment, I've had a go with regex, but haven't yet found a method that doesn't require me to hard-code a list of all possible TLCDs. I suspect this is the best I'll get. Can anyone refine or confirm this as the answer?
^([a-z]+[.](com|co.uk|de|fr|etc)+)*
I just did the exact same thing using a rewrite rule with two conditions, one to get the scheme and one to determine if the www is missing. The scheme is necessary as the redirect has to be absolute, but if you're not catering for HTTPS that could be hard-coded. Just bear in mind I've not had time to test the HTTPS part yet, but pretty sure it will work ok.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Root Redirect" stopProcessing="true">
          <match url=".*" negate="false" />
          <action type="Redirect" url="{C:1}://www.{HTTP_HOST}/{R:0}" />
          <conditions trackAllCaptures="true">
            <add input="{CACHE_URL}" pattern="^(.*)://" />
            <add input="{HTTP_HOST}" pattern="^(?!www\.).*" />
          </conditions>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
