Rewrite url with correct HTTP/HTTPS scheme - asp.net

I have the following rule in my web.config file. As you can see it takes all subdomains and redirects to 'www.'
I also have an HTTP module that does switching between HTTP and HTTPS on the OnPreRequestHandlerExecute event. From what I have read and understood, this occurs after the rewrite but I could be wrong.
This code actually works in Firefox, transferring to www. then HTTPS where necessary, however it doesn't work in either Chrome or IE, maintaining the HTTP scheme.
I would like to make some changes to the code below so that the scheme is carried over rather than just assume HTTP which is does at the moment.
<rewrite xdt:Transform="Insert">
<rules>
<rule name="Redirect to www">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" negate="true" />
</conditions>
<action type="Redirect" url="http://www.{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>

Related

ASP.net URL Rewrite subdirectory to external URL

I need to URL Rewrite a subdirectory to an external domain.
Example: When visiting "https://example1.com/test", "https://example2.com/hello" should open. The URL should still be "https://example1.com/test".
I tried to solve this by adding a Rewrite rule in web.config, but it don't works. Here is the Rewrite rule I made:
<rule name="TestRule" stopProcessing="true">
<match url="^test(/.*)?$" />
<action type="Rewrite" url="https://example2.com/hello" appendQueryString="false" />
</rule>
In order to redirect the incoming request to another domain by using Rewrite action type (stay the old URL in the browser address bar), we need to install Application Request Routing module.
https://www.iis.net/downloads/microsoft/application-request-routing
By default, Rewrite action only forwards these requests to the same domain, therefore, we only can specify a URL path in the Rewrite URL field.
https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference#rewrite-action
Otherwise, Redirecting the incoming request to another domain will cause a 404 error.
After we installed the ARR extension, enable Reverse Proxy functionality following the below steps.
Here is an official example.
https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
Finally, please refer to the below configuration.
<rewrite>
<rules>
<rule name="Myrules" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{PATH_INFO}" pattern="/test.*" />
</conditions>
<action type="Rewrite" url="https://www.bing.com/maps" appendQueryString="false" logRewrittenUrl="false" />
</rule>
</rules>
</rewrite>
It will redirect the requests that has “/test” segment to the https://www.bing.com/maps.
If we want to complete the task without installing ARR extension, we have to use Redirect action type. The URL in the browser address bar will change while we access the qualified URL.
<rewrite>
<rules>
<rule name="Myrules" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{PATH_INFO}" pattern="/test.*" />
</conditions>
<action type="Redirect" url="https://www.bing.com/maps" appendQueryString="false" logRewrittenUrl="false" />
</rule>
</rules>
</rewrite>
Feel free to let me know if there is anything I can help with.

web.config rewrite http://www.name.it to https://www.name.com

I've searched similar question but i didn't find an answer to my specific problem.
I'm not good with regexp or rewrites so maybe what i want to do cannot be done.
I switched a site from http to https, and redirected all http requests to the relative https using the following rule, works perfectly.
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
I also own www.mysite.it redirected through dns to www.mysite.com.
With the actived rewrite the requests get redirected to https://www.mysite.it, i don't have an ssl certificate for that and so it fails.
I would like to redirect the
http://www.mysite.it/whatever
requests to
https://www.mysite.com/whatever
The only other solution i can i find is to buy an ssl for the other domain but, being only a redirect, seems like a waste of money.
Thanks in advance for your help.
You could just hard code the url...
<action type="Redirect" url="https://www.name.com/{R:1}" redirectType="Permanent" />

http to https rewrite too many redirect loops IIS 7

I have application which I have hosted in IIS 7.0.
Where I have to make sure that it works only on HTTPS and not on HTTP
so I have included below rule in my root config.
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
</rewrite>
After adding this rule when i tried to access my application I get below error:
Page has resulted in too many redirects. Clearing your cookies for
this site or allowing third-party cookies may fix the problem. If not,
it is possibly a server configuration issue and not a problem with
your computer. Here are some suggestions: Reload this web page later.
Learn more about this problem.
We have our ASP.NET application hosted on AWS with Elastic Load Balancing, and the rule in the question with the accepted answer did not work for us, and kept causing infinite redirects.
This is the rule that finally worked for us:
<rewrite>
<rules>
<rule name="HTTPS Rule behind AWS Elastic Load Balancer Rule" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions>
<add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />
</conditions>
<action type="Redirect" url="https://{SERVER_NAME}{URL}" redirectType="Found" />
</rule>
</rules>
</rewrite>
Put below input condition:
<add input="{HTTPS}" pattern="on" />
Instead of:
<add input="{HTTPS}" pattern="off" />
My case, I needed to put like this:
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" ignoreCase="false" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" />
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
I also faced that problem. All requests to the server were HTTP.
In my case problem was that I use Cloudflare DNS.
There is SSL/TLS setting that by default SSL/TLS encryption mode is set to Flexible.
Make sure to change the mode to Full.
Also as was mentioned by SNag we had a site that is sitting behind an ELB on Amazon. Attempting to apply a rewrite rule without the following input header was causing infinite redirects. This appears to be a result of needing the input type being HTTP_X_FORWARDED_PROTO as in the following: <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />.
From AWS documentation "Your application or website can use the protocol stored in the X-Forwarded-Proto request header to render a response that redirects to the appropriate URL." We are using the ELB with DNS entries to forward to the server with the site on it.
For IIS 10 (Windows Server 2016) I have followed instructions from here which generate a slightly different XML configuration for the rewrite:
<rewrite>
<rules>
<rule name="HTTP 2 HTTPS" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
</rewrite>
The pattern is off and the match is only *.
I am using Liquid Web Cloud Sites, and ran into the exact same issue.
I tried the solution here, but it didn't work for what I needed because of this condition:
<add input="{HTTPS}" pattern="off" />
As the OP has it, this means is, "match and implement this rule when HTTPS is off". And the accepted solution for this question just inverts this, and matches the rule when HTTPS is on. It solved the infinite loop issue, but only because my rule was incorrectly matched - I actually only want to change the request to HTTPS when HTTPS is off. Thus none of my HTTP requests were getting forwarded.
Interestingly, none of my HTTPS requests were getting forwarded either, and from this (and a few other tests I did) I determined that although the browser shows HTTPS, the server is treating it like an HTTP request. Thus the server always believes it is receiving an HTTP request, and always ignored the rule (which now specified only match requests where HTTPS is on - i.e. never).
Hours of research and tests later, I deduced that its a similar issue as described here, summarised here:
To reduce costs [many hosting providers install the] SSL certificate on the TMG Gateway and this gateway is simply rewriting the request to standard HTTP when passing it to the actual web server. So by the time the request hits IIS and your web application it is a standard plain HTTP request.
.
TLDR;
Eventually I spoke to the team at Liquid Web who pointed me in the direction of a help article buried in their own site which solved the issue. They suggested I use the following rewrite rule which fixed it:
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url=".*"/>
<conditions>
<add input="{HTTP_CLUSTER_HTTPS}" pattern="^on$" negate="true"/>
<add input="{HTTP_CLUSTER_HTTPS}" pattern=".+" negate="true"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{SCRIPT_NAME}" redirectType="SeeOther"/>
</rule>
</rules>
</rewrite>
</system.webServer>
I hope this might work for others in a similar situation.
Original liquidweb help article
If you use cloudflare for SSL , put it on Full mode
Cloudflare -> SSL/TLS -> Overview -> Full
Figure
I figured out something regarding this issue. Basically, if the incoming request is HTTPS do nothing.
<rule name="No Redirect if https" enabled="true" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="false">
<add input="{HTTPS}" pattern="^ON$" />
</conditions>
<action type="None" />
</rule>
<rule name="Redirect to https" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_HOST}" pattern="^\example\.com$" />
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{R:0}" />
</rule>

ASP.NET - rewriting all https requests to http

My issue is precisely the one presented here, and I've decided to try rewrite all https requests to http. I've searched long and hard but there doesn't seem to be a definitive way to achieve this - see these questions (no solutions): Redirect https to http using rewrite rule in webconfig file ; https://stackoverflow.com/questions/15214717/iis-rewrite-https-to-http-whilst-keeping-existing-https-rules
I've added the rewrite module to IIS, and tried the following in web.config:
<rewrite>
<rules>
<clear />
<rule name="force http" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
But it still allows the user to access a non-https site with https (essentially accessing a different site).
How do I force all https requests to be http requests?
edit: I've also tried every suggested solution here with no luck. The url rewrite module is definitely successfully installed on IIS!
edit2: Tried the following without success:
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="force http" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
<add input="{HTTP_HOST}" pattern="^(?:www)?\.test.site\.com$"
negate="true" ignoreCase="true" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}"
redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
I restarted IIS and the rewrite rules reflect in inetmgr. Loading https://test.site.com/ still loads with https.
A couple of things. First the rewrite needs to process when HTTPS is on and not off. Second, for the application that needs to run over HTTPS you will need to exclude it from the rewrite. The revised rewrite rule should look something like this:
<rewrite>
<rules>
<clear />
<rule name="force http" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
<add input="{HTTP_HOST}" pattern="^example\.com$"
negate="true" ignoreCase="true" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}"
redirectType="Permanent" />
</rule>
</rules>
</rewrite>
This should keep https://example.com/login on https and all other URL's will get redirected to http. For example, https://test.example.com/login will be redirected to http://test.example.com/login. This rewrite rule needs to be placed on the site with the HTTPS binding for the rewrite to work properly.
Please be aware when using a 301 permanent redirect some browsers won't make the request out to the server on subsequent hits so after changing the rule a browser cache clear is required. The network tab may even lie and say the request is made but an external tool like Fiddler or Wireshark will let you know for sure.

Conditional https redirect on IIS 7

I have the following rule on the site to redirect http to https. We just found out though that our app got submitted with just an http for the api. Until we can get this updated I need the site to ignore calls to the /api folder and only redirect everything else. I'm sure there's a way to say something like if URL does not contain /api/ then redirect.
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
Add an entry similar to <add input="{R:0}" pattern="/api(/|$)(.*)" negate="true" /> so that the whole file is:
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{R:0}" pattern="/api(/|$)(.*)" negate="true" />
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
Example URL: http://site.com/api/function
So, if the URL after the site matches any of the following it will stop processing (and thus not push the user to https)
/api
/api/anything
Any https URL
We run into the same kind of thing with a large application run in IIS behind a reverse proxy. The URL rewrite addon for IIS (that you appear to be using) is a bit of a pain, but it does the job really well and tolerates the MVC framework.
As you mentioned, simply putting a rewrite block in an API directory won't work because with MVC there are no directories. You would think MS would have a better solution for this -- but they don't. It makes things all the more challenging.
If you place a separate Web.config file in the /api application or directory you can override whatever rules apply for the site as a whole.
Check out Tip #1 in this article, and if you have the time read them all:
http://weblogs.asp.net/jgalloway/archive/2012/01/17/10-things-asp-net-developers-should-know-about-web-config-inheritance-and-overrides.aspx
John Galloway's blog is a fantastic resource for all things IIS and ASP.NET.

Resources