IIS rewrite rule for basic auth on the querystring - asp.net

I am trying to automatically log in users to an Xwiki install via basic auth. This is because help is stored in the wiki, but we want the retrieval process to be transparent to the user.
We push the user off to a url (via an <a> tag) like:
http://username:password#xwiki.example.org/xwiki/bin/view/Main?basicauth=1
This works fine in every browser except Internet Explorer (see: http://support.microsoft.com/kb/834489. Unfortunately, 80% of our user base uses Internet Explorer and it is not an option to have them type in the credentials manually.
Currently, we have IIS 7.5 sitting in front of Xwiki and proxying all requests to the Tomcat instance on another server. This works fine. To solve my problem, I thought I could use a IIS rewrite rule to turn a url like this:
http://xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password
into this:
http://username:password#xwiki.example.org/xwiki/bin/view/Main?basicauth=1&_username=username&_password=password
The idea being that IIS would substitute the _username/_password querystring parameters into the URL and pass it off to Tomcat, and Xwiki would ignore the extra parameters.
I have created a URL rewrite rule like:
<rule name="BasicAuthRewrite" enabled="true">
<match url="https?://(.+)&?_username=(.+)&_password=(.+)" />
<action type="Rewrite" url="http://{R:2}:{R:3}#xwiki.example.org/{R:1}" />
</rule>
When I go 'Test pattern' in IIS and supply my url, all the backreferences ({R:x}) match up to the data I want. However, when I visit the URL in my browser, the rewrite rule fails to invoke.
Is there any way I can achieve my desired behaviour?

It is possible to do Basic authentication with URL rewrite on IIS. You should add the server variable HTTP_Authorization the value Basic followed by the username:password in base64. Remember to add the variable in the allowed variables
So for the user Aladdin with the password open sesame you the format would be Aladdin:open sesame and base64 encoded QWxhZGRpbjpvcGVuIHNlc2FtZQ==.
Which translates into
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
<rule name="SomeName" stopProcessing="true">
<match url="url/to/match" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Rewrite" url="http://www.redirecturl.com/" appendQueryString="true" />
<serverVariables>
<set name="HTTP_Authorization" value="Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" />
</serverVariables>
</rule>

This should do:
<rule name="BasicAuthRewrite" stopProcessing="true">
<match url="(.*)" />
<conditions trackAllCaptures="true">
<add input="{QUERY_STRING}" pattern="basicauth=1&_username=(.+)&_password=(.+)" />
</conditions>
<action type="Rewrite" url="http://{C:1}:{C:2}#xwiki.example.org/{R:1}" appendQueryString="false" />
</rule>

Authorization cannot be delegated to ARR. Therefore, if the contents are highly sensitive in nature and require authorization, it is recommended that you do not enable cache.
ARR
But there is work around solution.
Solution

It appears this is not possible in IIS.

Related

How to remove querystring when using Umbraco rewrite

I have a rewrite rule as below to my Umbraco/ASP .Net site
<add name="Test" virtualUrl="^~/category/(.*)" destinationUrl="/category?cat=$1" rewriteUrlParameter="ExcludeFromClientQueryString" ignoreCase="true" />
The idea is if a user types
www.example.com/category/electronics
www.example.com/category/devices
www.example.com/category/food
www.example.com/category/beverages
Everything works as i would expect when they reach the page without any rules and plain URLs i.e.
www.example.com/category?cat=electronics
If i have the above rule it enabled it always adds/forwards the querystring parameter i.e cat= when you click a link on any of the pages above.
How could i stop forwarding/adding the parameter?
You could use below URL rewrite rule:
<rule name="add query string" stopProcessing="true">
<match url="^category/([^/]+)/$" />
<action type="Redirect" url="http://www.sample1.com/category?cat={R:1}" appendQueryString="false" />
</rule>
if you did not install URL rite module in iis you could install it from the below link:
https://www.iis.net/downloads/microsoft/url-rewrite

IIS HTTP to HTTPS relative redirect

I recently got a SSL certificate for my website and want to redirect all traffic to HTTPS. I got everything to go to https://mydomain.com but if someone enters http://mydomain.com/anotherpage it drops the other page and just takes the user to the home page.
My rule in my web.config file looks like this:
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
I also tried https://{HTTP_HOST}{REQUEST_URI} without any success. Can anyone tell me what I need to do to make the website redirect to the proper HTTPS version of the page? I have a feeling it has something to do with the pattern, but I can't seem to figure out the syntax.
I found a way to do this, and you don't need the Rewrite module for it. The following worked for me on Windows 8 (IIS 8.5):
Remove the HTTP binding from your site (leave HTTPS in place)
Add another site
Make sure that the new site has HTTP binding
Configure HTTP Redirect as shown:
Now all HTTP request will redirect to your HTTPS site and will preserve the rest of the URL.
Change it to:
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
I had the same problem where the R:1 was dropping my folders.
I fixed it like this.
<rule name="http to https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
appendQueryString="false" redirectType="SeeOther" />
</rule>
I can't comment yet or I'd leave this as a comment under AndyH's answer. The solution was correct, though I hit a single further snag (likely tied to the use of Adobe's Coldfusion server). I wanted to share some further research I had to do for any other unfortunate soul who may run into it.
Once set up, the redirect would always end at this url:
https://xxx.xxx.com/jakarta/isapi_redirect.dll
The fix for this was found in an Adobe thread (https://forums.adobe.com/thread/1034854): I had to change an application pool's settings as follows:
Real site (HTTPS binding only, actually contains code and virtual directories)
Application pool's Advanced Settings: Enable 32-Bit Applications : False
Http_Redirect site (HTTP binding only, is a blank shell of a folder with no directories)
Application pool's Advanced Settings: Enable 32-Bit Applications : True
EDIT: Another detail, tied to query string preservation:
Per suggestion in this post (http://www.developerfusion.com/code/4678/permanent-301-redirect-with-querystring-in-iis/)
Add $S$Q at the end of the domain and make sure the box for Redirect all requests to exact destination is checked. Then it will save the query string as well.
I believe AndyH's answer to be the easiest and best way. I have found using the URL rewrite can also conflict with code that may redirect the user to another page. IT commonly broke in our environment. But Andy's solution worked flawlessly. I also think Andy's solution will put less overhead on the server as it doesn't need to examine every url hitting it for possible re-write conditions.
I found a workaround:
Consider what in IIS is consired a website: simply a set of rules, the path in which get files and its bindings.
Furthermore, there's available a function called "HTTP Redirect" (included standardly in IIS), that redirect an host to another, keeping all subdirectory (it makes a relative path). The workaround is to leave just the binding for HTTPS (port 443) in your website, and create another with the binding on HTTP (port 80) and set for this an HTTP redirect to your URL with https://.
For example, consider a website called mytest and its urls http://www.mytest.com/ and https://www.mytest.com/.
Set for it instead only binding on https://www.mytest.com/, and delete the http binding. Then create a new website with the same local path, called mytest http with just a binding over port 80 (http://www.mytest.com/) and set for this one an HTTP Redirect to https://www.mytest.com/.
Simple and clean, and that should be as fast as directly the https url for the user, because it's just an internal redirect. I hope that can work for you!
You can add the URL Rewrite module to IIS (IIS 7 or higher) which allows you to add create the redirect in a visual way. The module can be downloaded here.
This step-by-step tutorial worked wonders for me and explains that when using this module, all it actually does is add some code to your web.config file as such:
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>
</rules>
</rewrite>
I have found that the
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
syntax will only work for the website's ROOT web.config file.
If the rewrite rule is applied to a virtual web.config file, then use..
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{URL}" />
The {URL} syntax will include the initial forward slash, the virtual path, and any URL parameters.

IIS Rewrite not working (but redirection does)

I was trying to play with URL re-writing using the Rewrite Module 2.0 but I had no luck getting it to work. What I'm trying to do is re-write all calls to web app at port 80 to other applications hosted in IIS (or maybe on different servers on the network). Using the GUI provided by IIS I created the following rule:
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="site1/(.*)" />
<action type="Rewrite" url="http://localhost:7001/{R:1}" />
</rule>
</rules>
</rewrite>
Quiet simple, but unfortunately it does not work. On the other hand, when I change the action type to Redirect, it works fine.
What could be the problem?
I ran into this same issue yesterday, and it took me a long time to figure out.
The key here is that you've got an http:// prefix in your rewrite action; that makes this a special case that needs to be handled by Application Request Routing. The first step is to make sure that the Application Request Routing module is installed. You can find the module at https://www.iis.net/downloads/microsoft/application-request-routing. Once that is installed, go to your IIS web server (a level up from your web site), and open the Application Request Routing Cache feature. From the actions on the right, choose Server.Proxy.Settings, and make sure that the "Enable Proxy" checkbox is checked. This allows the URL rewrite task to be re-routed to Application Request Routing, and your reverse proxy should work for external requests.
The idea came from this excellent blog post from 2009: http://ruslany.net/2009/04/10-url-rewriting-tips-and-tricks/
Stumbled across this old post when I was trying to solve the same issue.
SOLVED!
Using Rewrite URL feature in IIS Services Manager I created a friendly URL rule.
This worked ok and when I looked at the rule in the web.config file (www root) it showed 1 rule to redirect and 1 rule to rewrite.
I edited this to suit 1 match. Then I just duplicated this code editing the product ID for each. Example below:
<rule name="RedirectUserFriendlyURL1" stopProcessing="true">
<match url="^product\.php$" />
<conditions>
<add input="{REQUEST_METHOD}" pattern="^POST$" negate="true" />
<add input="{QUERY_STRING}" pattern="^id_product=\b35\b" />
</conditions>
<action type="Redirect" url="990mm-bohemia-cast-iron-electric-radiator"
appendQueryString="false" />
</rule>
The first rule looks for the string "product.php" in the URL and "id_product=35", it then redirects to "990mm-bohemia-cast-iron-electric-radiator" which currently does not exist. Then (see below)
<rule name="RewriteUserFriendlyURL1" stopProcessing="true">
<match url="^\b990mm-bohemia-cast-iron-electric-radiator\b" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="product.php?id_product=35" />
</rule>
This rule rewrites the "product.php?id_product=35" bit to `990mm-bohemia-cast-iron-electric-radiator", creating the new location for the redirect.
Do make sure MVC routing doesn't steal your request. To prevent that from happening, ignore the route you're trying to rewrite:
RouteTable.Routes.Ignore("blog/{*pathInfo}");
Inspired by: https://sitecore.stackexchange.com/questions/3645/how-to-setup-a-reverse-proxy-with-sitecore
Change the Rewrite URL to AbsolutePath instead putting http://...
it should be
<action type="Rewrite" url="{R:1}" />
It worked for me, but in my case, I have been rewrite to a fixed webpage.

IIS7 Url Rewrite not being used

I'm rebuilding part of an existing asp application, the new parts are build with MVC.
One of the old screens which I'm not touching at the moment needs to point to a new location. For that reason I've set up a URL redirect in IIS on machine level with the following regular expression:
^workflows/screen\.asp\?objectid=([0-9]+)(.*)
When using the tester I can see that it's a correct expression which catches the necessary items and I need to send the users to the following new URL:
http://domainname/newapppart/select/{R:1}
When testing it in my browser though it seems as if the rewrite rule is not even in place as I'm still send to the old page.
Query string is not included in main match string, you have to use Conditions to evaluate it.
<rule name="MyRule" stopProcessing="true">
<match url="^workflows/screen\.asp$" />
<conditions trackAllCaptures="true">
<add input="{QUERY_STRING}" pattern="objectid=([0-9]+).*" />
</conditions>
<action type="Rewrite" url="http://domainname/newapppart/select/{C:1}" appendQueryString="false" />
</rule>

ASP.NET / IIS7 Url Rewrite maps not working

I've followed the instructions Learn IIS's webpage for adding static redirects with a rewrite map for my asp.net application.
The following is the config:
<rule name="Redirect rule1 for Information" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{Information:{REQUEST_URI}}" pattern="(.+)" />
</conditions>
<action type="Rewrite" url="{C:1}" appendQueryString="true" />
</rule>
And
<rewriteMaps>
<rewriteMap name="Information">
<add key="/Information/CorporateSales.aspx"
value="/KB/Information/CorporateSales" />
<add key="/Information/ComputerRepair.aspx"
value="/KB/Information/ComputerRepair" />
</rewriteMap>
</rewriteMaps>
This was even originally created by the wizard in IIS's manager for using rewrite maps.
So the idea is that /Information/CorporateSales.aspx --> /KB/Information/CorporateSales with a 301 redirect (MOVED PERMANENTLY).
However I'm just getting the original aspx page (Which we're removing later) loading. I've even deleted the file incase it was defaulting to an existing resource, and with that i just get a plain 404 without the redirect.
Anyone have an idea?
Let me clarify something:
Rewrite module works, it's installed and running. My standard regex rules work nicely. But my rewrite map does not.
This article http://www.iis.net/learn/extensions/url-rewrite-module/using-rewrite-maps-in-url-rewrite-module and code below worked for me.
<rewrite>
<rules>
<rule name="Redirect rule1 for RedirectURLs">
<match url=".*" />
<conditions>
<add input="{RedirectURLs:{REQUEST_URI}}" pattern="(.+)" />
</conditions>
<action type="Redirect" url="{C:1}" appendQueryString="false" />
</rule>
</rules>
<rewriteMaps>
<rewriteMap name="RedirectURLs">
<add key="/privacy.php" value="/privacy" />
</rewriteMap>
</rewriteMaps>
</rewrite>
I was having a similar problem and found this question. It took me a little while, but I was able to figure out what the problem was.
My rewriteMap contained the urls "/Default2.aspx" and "/Dashboard.aspx".
When I would go to Default2.aspx, I would get a 404 rather than get redirected to Dashboard.aspx as expected.
The issue I found was that on my machine, the application was running in a subdirectory. The rewriteMap paths would only work if I used the full path (including the application folder), e.g., "/TestSite/Default2.aspx".
So I could have added duplicate entries in my rewriteMap to account for application directories on developer machines, but that seemed messy. I looked at the other rewrite rules in the application that did not have this issue and I noticed that they were using the {REQUEST_FILENAME} variable, rather than {REQUEST_URI}. So I switched the rule to use {REQUEST_FILENAME} and remove the first slash from the urls in my rewriteMap.
Do you have Url rewriting installed as part of IIS7/7.5? This is not installed by default. Also, make sure your app pool is set to integrated pipline mode, no classic.
Edit
From this:
http://learn.iis.net/page.aspx/469/using-rewrite-maps-in-url-rewrite-module/
This only thing I see that you're doing is adding the 'stopProcessing' attribute. Have you tried removing that?
Previously I had same problem as you described.
Could you update your code to
<match url="(.*)" />
and I hope you aware,
<add input="{Information:{REQUEST_URI}}" pattern="(.+)" />
this condition will capture full URL except the domain.
example on this url:
www.example.com/Information/CorporateSales.aspx
it will check matching condition of
Information/CorporateSales.aspx on rewriteMap
and for sure it wont be match with this url
www.example.com/old/Information/CorporateSales.aspx
Did you reset the app pool and the iis site ?
In some cases it can take up to 72 hours (iirc) to propagate throughout the world.

Resources