I'm trying to add an outbound rewrite rule that removes index.aspx from a resolved URL on a website. See my update below for the rule I have in place. See the second update for my findings with regard to a simple rule not working.
In both scenarios I get a 500 error and can't see anything in Event Viewer to help narrow down the problem. We have inbound rules already that work fine so it's specifically an issue when I add an outbound rule.
UPDATE
I've been reading online and have tried with the following outbound rule but keep getting a 500 internal server error?
<outboundRules>
<rule name="Remove index.aspx" preCondition="IsHTML">
<match pattern="(.*?)/?index\.aspx" />
<action type="Rewrite" value="{R:1}/" />
</rule>
<preConditions>
<preCondition name="IsHTML">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
UPDATE 2
I've noticed that this isn't a problem with the syntax of my outbound rule as even putting in the simplest of rules through the IIS interface breaks the website (causing a 500 error):
<outboundRules>
<rule name="test">
<match filterByTags="A" pattern="test.com" />
<action type="Rewrite" value="blah" />
</rule>
</outboundRules>
The URL rewrite module is installed as we have inbound rules that work correctly. The version of IIS is 7 if that helps.
Are you using GZIP compression? This conflicts with outbound rewrite rules and could be the cause of the error.
See: http://forums.iis.net/t/1165899.aspx for some advice on how to combine outbound redirect rules with compression.
Related
There is an open redirect vulnerability in one of the nuget packages we use, it allows redirects in the form of: https://example.com/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://www.google.com
The culprit here is the /find_v2/ endpoint taking the _t_redirect parameter.
Is there a way to block only redirects from the /find_v2/ endpoint? We use Find for other operations on the site, but the redirect is not one of them. So I can safely block all redirects from Find.
I have already tried several versions of the following code in my web.config:
<rewrite>
<outboundRules>
<rule name="Rewrite Location Header" preCondition="IsRedirection" enabled="true" stopProcessing="true">
<match serverVariable="RESPONSE_Location" pattern="http[s]{0,1}://localhost/find_v2/(.*)" />
<conditions>
</conditions>
<action type="Rewrite" value="http://{HTTP_HOST}/static/errors/GeneralError.html" />
</rule>
<preConditions>
<preCondition name="IsRedirection">
<add input="{RESPONSE_STATUS}" pattern="3\d\d" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
A few other notes:
I have successfully blocked ALL redirects from my site, but that is not a valid solution because our login page redirects back to the home page on successful login.
In the "match" node, I cannot seem to use the 'url' attribute. I'm not really sure why, but that's why I'm using the 'pattern' one.
Any help or advice would be greatly appreciated!
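One way to scope the block to Find, as an added example that is not part of the original question or the package's own configuration: the Location header holds the redirect target rather than the request URL, so the request path is tested with {REQUEST_URI} in the precondition instead of in the match pattern. It assumes the site runs at the web root and that nothing legitimate depends on Find's click redirect; the rule and precondition names are made up for illustration.

```xml
<!-- Added example, not from the original post. Assumes the site runs at the
     web root and that nothing legitimate relies on Find's click redirect. -->
<rewrite>
  <rules>
    <!-- Inbound: refuse /find_v2/ requests that carry a _t_redirect parameter. -->
    <rule name="Block find_v2 redirect parameter" stopProcessing="true">
      <match url="^find_v2/" />
      <conditions>
        <add input="{QUERY_STRING}" pattern="(^|&amp;)_t_redirect=" />
      </conditions>
      <action type="CustomResponse" statusCode="403"
              statusReason="Forbidden"
              statusDescription="Redirect parameter is not accepted here" />
    </rule>
  </rules>
  <outboundRules>
    <!-- Outbound backstop: for any 3xx answer to a /find_v2/ request, replace
         whatever Location value was produced with a fixed local page. A
         relative path is used so the value does not depend on the
         client-supplied Host header. -->
    <rule name="Neutralise find_v2 Location header" preCondition="IsFindRedirect">
      <match serverVariable="RESPONSE_Location" pattern=".+" />
      <action type="Rewrite" value="/static/errors/GeneralError.html" />
    </rule>
    <preConditions>
      <preCondition name="IsFindRedirect" logicalGrouping="MatchAll">
        <add input="{RESPONSE_STATUS}" pattern="^3\d\d$" />
        <add input="{REQUEST_URI}" pattern="^/find_v2/" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
```

Redirects issued by other paths, such as the login page, do not satisfy the {REQUEST_URI} condition and pass through unchanged.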
I have created below rules
<rule name="block js files">
<match url=".*\.(js)/*$"/>
<action type="Redirect" url="http://{SERVER_NAME}/notfound/{R:1}" redirectType="notFound"/>
</rule>
This will move the request for js files to some not found page, and this is working correctly.
But it's also blocking the requested js files from the application.
I think the js files requested from the application lie under outbound rules.
So I want to put my above rules in the inbound section, as I believe requests from the browser lie under inbound rules.
What should I update here?
Thanks
I think you could whitelist your domain from HTTP_REFERER. So that whether you access the js externally or access it directly, IIS will redirect the request. At the same time, IIS won't block requests that are referred from your domain. Of course, you could enable a CORS header.
Besides, "notFound" is not a valid redirectType. Are you looking for "Found" instead of "notFound"?
<rule name="block js files" enabled="true" stopProcessing="true">
<match url=".*\.(js)/*$" />
<action type="Redirect" url="http://{SERVER_NAME}/notfound/{R:1}" redirectType="Found" />
<conditions>
<add input="{HTTP_REFERER}" pattern="mydomain.com" negate="true" />
</conditions>
</rule>
I've got an outbound rule as shown below:
<outboundRules>
<rule name="ChangeReferencesToOriginalUrl" patternSyntax="ExactMatch" preCondition="CheckContentType">
<match filterByTags="None" pattern="http://oldDomain.com" />
<action type="Rewrite" value="http://newDomain.com/blog" />
</rule>
<preConditions>
<preCondition name="CheckContentType">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text/html|text/plain|text/xml|application/rss\+xml)" />
</preCondition>
</preConditions>
</outboundRules>
When the filterByTags value is set to "None", the scheme works as expected - all instances of the old URL are replaced. Of course, this is clumsier than using just the "A" or "Link" tags. However, when I specify those tags as shown in the documentation (https://www.iis.net/learn/extensions/url-rewrite-module/url-rewrite-module-20-configuration-reference#Tag_Filters), the rewrite scheme is ignored and no URLs are replaced.
I'm on an Azure web app, and I think I'm logging FRT properly. It doesn't even record a file for this event. For the sake of testing, I can definitely make it log a file by screwing up the rules :)
What gives? How does one debug this kind of problem?
I was trying to play with URL re-writing using the Rewrite Module 2.0 but I had no luck getting it to work. What I'm trying to do is re-write all calls to web app at port 80 to other applications hosted in IIS (or maybe on different servers on the network). Using the GUI provided by IIS I created the following rule:
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="site1/(.*)" />
<action type="Rewrite" url="http://localhost:7001/{R:1}" />
</rule>
</rules>
</rewrite>
Quite simple, but unfortunately it does not work. On the other hand, when I change the action type to Redirect, it works fine.
What could be the problem?
I ran into this same issue yesterday, and it took me a long time to figure out.
The key here is that you've got an http:// prefix in your rewrite action; that makes this a special case that needs to be handled by Application Request Routing. The first step is to make sure that the Application Request Routing module is installed. You can find the module at https://www.iis.net/downloads/microsoft/application-request-routing. Once that is installed, go to your IIS web server (a level up from your web site), and open the Application Request Routing Cache feature. From the actions on the right, choose Server Proxy Settings, and make sure that the "Enable Proxy" checkbox is checked. This allows the URL rewrite task to be re-routed to Application Request Routing, and your reverse proxy should work for external requests.
The idea came from this excellent blog post from 2009: http://ruslany.net/2009/04/10-url-rewriting-tips-and-tricks/
Stumbled across this old post when I was trying to solve the same issue.
SOLVED!
Using Rewrite URL feature in IIS Services Manager I created a friendly URL rule.
This worked ok and when I looked at the rule in the web.config file (www root) it showed 1 rule to redirect and 1 rule to rewrite.
I edited this to suit 1 match. Then I just duplicated this code editing the product ID for each. Example below:
<rule name="RedirectUserFriendlyURL1" stopProcessing="true">
<match url="^product\.php$" />
<conditions>
<add input="{REQUEST_METHOD}" pattern="^POST$" negate="true" />
<add input="{QUERY_STRING}" pattern="^id_product=\b35\b" />
</conditions>
<action type="Redirect" url="990mm-bohemia-cast-iron-electric-radiator"
appendQueryString="false" />
</rule>
The first rule looks for the string "product.php" in the URL and "id_product=35", it then redirects to "990mm-bohemia-cast-iron-electric-radiator" which currently does not exist. Then (see below)
<rule name="RewriteUserFriendlyURL1" stopProcessing="true">
<match url="^\b990mm-bohemia-cast-iron-electric-radiator\b" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="product.php?id_product=35" />
</rule>
This rule rewrites the "product.php?id_product=35" bit to "990mm-bohemia-cast-iron-electric-radiator", creating the new location for the redirect.
Do make sure MVC routing doesn't steal your request. To prevent that from happening, ignore the route you're trying to rewrite:
RouteTable.Routes.Ignore("blog/{*pathInfo}");
Inspired by: https://sitecore.stackexchange.com/questions/3645/how-to-setup-a-reverse-proxy-with-sitecore
Change the Rewrite URL to AbsolutePath instead of putting http://...
It should be
<action type="Rewrite" url="{R:1}" />
It worked for me, but in my case, I have been rewriting to a fixed webpage.
I've followed the instructions on Learn IIS's webpage for adding static redirects with a rewrite map for my asp.net application.
The following is the config:
<rule name="Redirect rule1 for Information" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{Information:{REQUEST_URI}}" pattern="(.+)" />
</conditions>
<action type="Rewrite" url="{C:1}" appendQueryString="true" />
</rule>
And
<rewriteMaps>
<rewriteMap name="Information">
<add key="/Information/CorporateSales.aspx"
value="/KB/Information/CorporateSales" />
<add key="/Information/ComputerRepair.aspx"
value="/KB/Information/ComputerRepair" />
</rewriteMap>
</rewriteMaps>
This was even originally created by the wizard in IIS's manager for using rewrite maps.
So the idea is that /Information/CorporateSales.aspx --> /KB/Information/CorporateSales with a 301 redirect (MOVED PERMANENTLY).
However, I'm just getting the original aspx page (which we're removing later) loading. I've even deleted the file in case it was defaulting to an existing resource, and with that I just get a plain 404 without the redirect.
Anyone have an idea?
Let me clarify something:
Rewrite module works, it's installed and running. My standard regex rules work nicely. But my rewrite map does not.
This article http://www.iis.net/learn/extensions/url-rewrite-module/using-rewrite-maps-in-url-rewrite-module and code below worked for me.
<rewrite>
<rules>
<rule name="Redirect rule1 for RedirectURLs">
<match url=".*" />
<conditions>
<add input="{RedirectURLs:{REQUEST_URI}}" pattern="(.+)" />
</conditions>
<action type="Redirect" url="{C:1}" appendQueryString="false" />
</rule>
</rules>
<rewriteMaps>
<rewriteMap name="RedirectURLs">
<add key="/privacy.php" value="/privacy" />
</rewriteMap>
</rewriteMaps>
</rewrite>
I was having a similar problem and found this question. It took me a little while, but I was able to figure out what the problem was.
My rewriteMap contained the urls "/Default2.aspx" and "/Dashboard.aspx".
When I would go to Default2.aspx, I would get a 404 rather than get redirected to Dashboard.aspx as expected.
The issue I found was that on my machine, the application was running in a subdirectory. The rewriteMap paths would only work if I used the full path (including the application folder), e.g., "/TestSite/Default2.aspx".
So I could have added duplicate entries in my rewriteMap to account for application directories on developer machines, but that seemed messy. I looked at the other rewrite rules in the application that did not have this issue and I noticed that they were using the {REQUEST_FILENAME} variable, rather than {REQUEST_URI}. So I switched the rule to use {REQUEST_FILENAME} and removed the first slash from the urls in my rewriteMap.
Do you have URL rewriting installed as part of IIS7/7.5? This is not installed by default. Also, make sure your app pool is set to integrated pipeline mode, not classic.
Edit
From this:
http://learn.iis.net/page.aspx/469/using-rewrite-maps-in-url-rewrite-module/
The only thing I see that you're doing is adding the 'stopProcessing' attribute. Have you tried removing that?
Previously I had the same problem as you described.
Could you update your code to
<match url="(.*)" />
and I hope you are aware,
<add input="{Information:{REQUEST_URI}}" pattern="(.+)" />
this condition will capture the full URL except the domain.
For example, on this URL:
www.example.com/Information/CorporateSales.aspx
it will check for a match of
Information/CorporateSales.aspx in the rewriteMap
and for sure it won't match this URL:
www.example.com/old/Information/CorporateSales.aspx
Did you reset the app pool and the IIS site?
In some cases it can take up to 72 hours (iirc) to propagate throughout the world.