ASP.NET - rewriting all https requests to http - asp.net

My issue is precisely the one presented here, and I've decided to try rewrite all https requests to http. I've searched long and hard but there doesn't seem to be a definitive way to achieve this - see these questions (no solutions): Redirect https to http using rewrite rule in webconfig file ; https://stackoverflow.com/questions/15214717/iis-rewrite-https-to-http-whilst-keeping-existing-https-rules
I've added the rewrite module to IIS, and tried the following in web.config:
<rewrite>
<rules>
<clear />
<rule name="force http" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
But it still allows the user to access a non-https site with https (essentially accessing a different site).
How do I force all https requests to be http requests?
edit: I've also tried every suggested solution here with no luck. The url rewrite module is definitely successfully installed on IIS!
edit2: Tried the following without success:
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="force http" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
<add input="{HTTP_HOST}" pattern="^(?:www)?\.test.site\.com$"
negate="true" ignoreCase="true" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}"
redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
I restarted IIS and the rewrite rules reflect in inetmgr. Loading https://test.site.com/ still loads with https.

A couple of things. First the rewrite needs to process when HTTPS is on and not off. Second, for the application that needs to run over HTTPS you will need to exclude it from the rewrite. The revised rewrite rule should look something like this:
<rewrite>
<rules>
<clear />
<rule name="force http" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
<add input="{HTTP_HOST}" pattern="^example\.com$"
negate="true" ignoreCase="true" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}"
redirectType="Permanent" />
</rule>
</rules>
</rewrite>
This should keep https://example.com/login on https and all other URL's will get redirected to http. For example, https://test.example.com/login will be redirected to http://test.example.com/login. This rewrite rule needs to be placed on the site with the HTTPS binding for the rewrite to work properly.
Please be aware when using a 301 permanent redirect some browsers won't make the request out to the server on subsequent hits so after changing the rule a browser cache clear is required. The network tab may even lie and say the request is made but an external tool like Fiddler or Wireshark will let you know for sure.

Related

HTTP to HTTPS not working for my asp.net website

I tried almost all upvoted suggestions related to web.config changes for http to https redirection. Best way in asp.net to force https for an entire site?
But it's not working for me for my ASP.net site. I use GoDaddy shared hosting and have multiple sites in my account. I have ssl enabled only for one website and have to add it to filter so that other sites in the same account are not redirected to https. Here's my web.config:
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true" enabled="true">
<match url="singledomain.*" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
I can access the site currently by both http and https. But it never redirects from http to https. Is the match condition correct, and if it is, what else could be the problem?
Found the solution here: https://stackoverflow.com/a/17066105/2535756
Posting the code here which worked:
<rewrite>
<rules>
<rule name="HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="(singledomain.com.*)" />
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
With GoDaddy, in my experience, there is a setting in the Plesk app that actually will force a re-direct from HTTP to HTTPS.You can find this under your IIS settings under the Directory Security Settings and checking the Require SSL/TSL box. This forces the users' browser to use HTTPS instead of HTTP.

IIS Redirect HTTP to HTTPS and WWW to non-WWW

On IIS 10 with URL Rewrite Module 2.0 I need 2 rules
1) HTTP to HTTPS
2) WWW to non-WWW
First one created by Blank rule template.
For second one I use Canonical domain name template.
In my web.config rules likes like this:
<rewrite>
<rules>
<rule name="ForceHttps" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>
<rule name="CanonicalHostNameRule1" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_HOST}" pattern="^cooltechunder\.com$" negate="true" />
</conditions>
<action type="Redirect" url="https://cooltechunder.com/{R:1}" />
</rule>
</rules>
</rewrite>
All cases works fine expect one starting with: http://www.
See this image for results I have:
https://i.imgur.com/h2l3Yw6.png
You wrote stopProcessing="true".
This means that, if the rule matches, subsequent rules will be skipped.
From the documentation:
A rule may have the StopProcessing flag turned on. When the rule action is performed (i.e. the rule matched) and this flag is turned on, it means that no more subsequent rules will be processed and the request will be passed to the IIS request pipeline. By default, this flag is turned off.
It seems to me that this is the situation you are describing that you did not want.
So, remove it.
Ok, My problem was different and related to bindings.
I have to specify 'Host Name' in bindings, as specific ports used by other websites also
And I forgot to add 'www' versions of bindings also.
Now my bindings looks like this: https://i.imgur.com/Lhdv4nS.jpg
Also I have changed rewrite code to more compact one:
<rewrite>
<rules>
<rule name="Https and non-www">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="^OFF$" />
<add input="{HTTP_HOST}" pattern="^cooltechunder\.com$" negate="true" />
</conditions>
<action type="Redirect" url="https://cooltechunder.com/{R:1}" />
</rule>
</rules>
</rewrite>

Redirect rule http to https not working when using full url

My azure cloud service has both http and https enabled in config files.
I tried adding this rule in my web.config
<rule name="RedirectHTTPToHTTPS" stopProcessing="true">
<match url="(.*)" ignoreCase="true" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
if I use http://mysite.kom ,it is correctly redirecting to https://mysite.kom
But if I type http://mysite.kom/other/default.aspx it is redirecting to http://mysite.kom/other/default.aspx instead of https://mysite.kom/other/default.aspx
I added GlobalFilters.Filters.Add(new RequireHttpsAttribute()); in my application_start event.But still "http://mysite.kom/other/default.aspx" is not getting redirected to "https://mysite.kom/other/default.aspx"
I tried all the similar questions in stackoverflow.I even moved the this rule to top of my rules config. Any suggestions to make this working
To resolve this , I added
if (!HttpContext.Current.Request.IsSecureConnection && !HttpContext.Current.Request.Url.Host.Contains("localhost"))
{
Response.Redirect("https://" + Request.ServerVariables["HTTP_HOST"]
+ HttpContext.Current.Request.RawUrl);
}
to Application_BeginRequest event inside my global.asax.cs file
Here is what I use:
<rewrite>
<rules>
<rule name="redirect HTTP to HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
While you aren't preserving the query string, it still seems like you have everything necessary to get http->https redirection. That makes me wonder if browser caching is causing you problems? I have had the issue before where I didn't think it was working because I hit the site before enabling http->https redirection and it turned out to be my browser serving up the page from cache.
I wrapped this in a site extension, and it uses the above rewrite rule, so I know it works:
http://www.siteextensions.net/packages/RedirectHttpToHttps/

http to https rewrite too many redirect loops IIS 7

I have application which I have hosted in IIS 7.0.
Where I have to make sure that it works only on HTTPS and not on HTTP
so I have included below rule in my root config.
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
</rewrite>
After adding this rule when i tried to access my application I get below error:
Page has resulted in too many redirects. Clearing your cookies for
this site or allowing third-party cookies may fix the problem. If not,
it is possibly a server configuration issue and not a problem with
your computer. Here are some suggestions: Reload this web page later.
Learn more about this problem.
We have our ASP.NET application hosted on AWS with Elastic Load Balancing, and the rule in the question with the accepted answer did not work for us, and kept causing infinite redirects.
This is the rule that finally worked for us:
<rewrite>
<rules>
<rule name="HTTPS Rule behind AWS Elastic Load Balancer Rule" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions>
<add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />
</conditions>
<action type="Redirect" url="https://{SERVER_NAME}{URL}" redirectType="Found" />
</rule>
</rules>
</rewrite>
Put below input condition:
<add input="{HTTPS}" pattern="on" />
Instead of:
<add input="{HTTPS}" pattern="off" />
My case, I needed to put like this:
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" ignoreCase="false" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" />
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
I also faced that problem. All requests to the server were HTTP.
In my case problem was that I use Cloudflare DNS.
There is SSL/TLS setting that by default SSL/TLS encryption mode is set to Flexible.
Make sure to change the mode to Full.
Also as was mentioned by SNag we had a site that is sitting behind an ELB on Amazon. Attempting to apply a rewrite rule without the following input header was causing infinite redirects. This appears to be a result of needing the input type being HTTP_X_FORWARDED_PROTO as in the following: <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />.
From AWS documentation "Your application or website can use the protocol stored in the X-Forwarded-Proto request header to render a response that redirects to the appropriate URL." We are using the ELB with DNS entries to forward to the server with the site on it.
For IIS 10 (Windows Server 2016) I have followed instructions from here which generate a slightly different XML configuration for the rewrite:
<rewrite>
<rules>
<rule name="HTTP 2 HTTPS" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
</rewrite>
The pattern is off and the match is only *.
I am using Liquid Web Cloud Sites, and ran into the exact same issue.
I tried the solution here, but it didn't work for what I needed because of this condition:
<add input="{HTTPS}" pattern="off" />
As the OP has it, this means is, "match and implement this rule when HTTPS is off". And the accepted solution for this question just inverts this, and matches the rule when HTTPS is on. It solved the infinite loop issue, but only because my rule was incorrectly matched - I actually only want to change the request to HTTPS when HTTPS is off. Thus none of my HTTP requests were getting forwarded.
Interestingly, none of my HTTPS requests were getting forwarded either, and from this (and a few other tests I did) I determined that although the browser shows HTTPS, the server is treating it like an HTTP request. Thus the server always believes it is receiving an HTTP request, and always ignored the rule (which now specified only match requests where HTTPS is on - i.e. never).
Hours of research and tests later, I deduced that its a similar issue as described here, summarised here:
To reduce costs [many hosting providers install the] SSL certificate on the TMG Gateway and this gateway is simply rewriting the request to standard HTTP when passing it to the actual web server. So by the time the request hits IIS and your web application it is a standard plain HTTP request.
.
TLDR;
Eventually I spoke to the team at Liquid Web who pointed me in the direction of a help article buried in their own site which solved the issue. They suggested I use the following rewrite rule which fixed it:
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url=".*"/>
<conditions>
<add input="{HTTP_CLUSTER_HTTPS}" pattern="^on$" negate="true"/>
<add input="{HTTP_CLUSTER_HTTPS}" pattern=".+" negate="true"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{SCRIPT_NAME}" redirectType="SeeOther"/>
</rule>
</rules>
</rewrite>
</system.webServer>
I hope this might work for others in a similar situation.
Original liquidweb help article
If you use cloudflare for SSL , put it on Full mode
Cloudflare -> SSL/TLS -> Overview -> Full
Figure
I figured out something regarding this issue. Basically, if the incoming request is HTTPS do nothing.
<rule name="No Redirect if https" enabled="true" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="false">
<add input="{HTTPS}" pattern="^ON$" />
</conditions>
<action type="None" />
</rule>
<rule name="Redirect to https" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_HOST}" pattern="^\example\.com$" />
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{R:0}" />
</rule>

IIS rewrite rule to redirect https to http not working

There's lots of questions here about redirecting http to https so I figured it would be easy to reverse the process. However, everything I've tried hasn't worked.
I'm trying to combine the rule with my canonical host name rule (it's the first rule, at the top of the rewrite rules):
<rule name="CanonicalHostName" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="^ON$" />
<add input="{HTTP_HOST}" negate="true" pattern="^www\.example\.com|example-staging\.azurewebsites\.net$" />
</conditions>
<action type="Redirect" url="http://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
The site is hosted on Azure and DNS is with CloudFlare if that makes any difference, I'm sure it shouldn't.
Any ideas what I'm doing wrong / might be preventing the https to http part of the rule working? (the host name part works fine)
CloudFlare
It seems the reason you cannot redirect away from SSL is because you are using CloudFlare. CloudFlare at a minimum uses flexible SSL. This means that the end user, browser shows the SSL lock but your server doesn't need SSL. See documentation here: https://www.cloudflare.com/ssl
Without CloudFlare the following example should work.
No CloudFlare
The following rule should work. You could still add your negate in if you want.
<rule name="HTTPS to HTTP redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="http://{HTTP_HOST}/{R:1}" />
</rule>
Full rewrite section for my working demo site.
<rewrite>
<rules>
<rule name="CanonicalHostNameRule1">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^www\.ashleymedway\.com$" negate="true" />
</conditions>
<action type="Redirect" url="http://www.ashleymedway.com/{R:1}" />
</rule>
<rule name="HTTPS to HTTP redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}/{R:1}" redirectType="Found" />
</rule>
</rules>
</rewrite>
Your redirect is still http:
url="http://www.example.com/{R:1}"
You can follow these instructions: Click Here
Additional information: Here

Resources