Weird IIS7 http redirection behavior - asp.net

I have a web server running Windows Server 2008 with IIS7. I have a bunch of websites which are all bound to the same IP address, but with different host header values. Most of the host headers are something like www.sitename.com.
I also have a corresponding website entry for each which listens for the host "sitename.com" and does a redirect to "www.sitename.com" within IIS7 (to cater for non-www requests). Now this is all pretty straight forward, but I've noticed the when setting up the Http Redirection, some wierd things happen:
Firstly, the "redirect" website entries must be pointed at a different physical directory than the site it's trying to redirect to, otherwise the redirection settings get set for both sites at once.
Secondly, sometimes whilst setting up Http Redirection on an individual site, Http Redirection gets set at a server level, and all sites start redirecting to that one URL.
How does this happen? Under what circumstances could setting Http Redirection on an individual site affect all sites? This is scary!!!

You need to point each of the websites to different physical location so that Http Redirection module can make a webconfig file for each of them.

Related

500 URL ReWrite Module Error IIS 8

I have a few websites that use to be on a server using iis7 as the host.  I have moved these websites to a new server that is IIS8 and the database has been upgraded from SQL 2005 to SQL 2014.
Another part of this change is it now runs through a DMZ reverse proxy that redirects to an internal server.
This works fine in Chrome or Edge. But Firefox and IE I get a 500 URL Rewrite Module Error.  Not much more information in the error other than that.
I have other sites on the reverse proxy that work with no issue.  But all of the ones that work are .net 4.0 or higher.  The sites I  am having issue with are both 3.5 framework.
I have tried setting the app pool framework on the dmz to match the internal server.
There are currently 2 inbound rules one converts http to https and the other is the proxy rule. There is 1 Outbound rule which is also part of the revers proxy. The reverse proxy currently takes the https traffic and uses http internally and then the outbound sends it back as https. This is that same on all of the site on this server that currently work without any issues.
Some more information. I turned of error tracing and the fuller error I received is
Outbound rewrite rules cannot be applied when the content of the HTTP response is encoded ("gzip").
This is because the responses that are coming from the back end server are using HTTP Compression, and URL rewrite cannot modify a response that is already compressed. This causes a processing error for the outbound rule resulting in the 500.52 status code.
There are two ways to work around this: either you turn off compression on the backend server that is delivering the HTTP responses (which may or may not be possible, depending on your configuration), or we attempt to indicate to the backend server the client does not accept compressed responses by removing the header when the request comes into the IIS reverse proxy and by placing it back when the response leaves the IIS server
There are a number of step needed to complete this fix you can find them and all the information you need at https://blogs.msdn.microsoft.com/friis/2016/08/25/iis-with-url-rewrite-as-a-reverse-proxy-part-2-dealing-with-500-52-status-codes/
It is a 3 part post and the second post in the series was the solution.

Can I forge the HTTP HOST-header param in order to fake a request to a non-mapped subdomain?

Scenario: I want a staging environment at a customer's site. The customer owns www.example.com. I want to map the site to staging.example.com reachable from the outside, but I haven't got time to wait for the bureaucracy surrounding either the purchase of the new subdomain or opening of secondary HTTP ports.
Assumption: If I spoof the HTTP Header param Host to be staging.example.com on the client side, but actually make the request to the IP of www.example.com, IIS will redirect the request to the configured site for staging.example.com. Am I right?
So is there any client tool that can help me with that? I'm fairly famailiar with Fiddler, but it seem to override my rewrites of the host parameter. Also I would need to configure it to do it for every request, not just one, to make it trivial to test.
Are there simpler solutions to this problem?
I'm not entirely sure what you're asking.
Inside Fiddler, by clicking Tools > HOSTS and you can send all traffic targeting one site, e.g. dev.example.com to the IP of your choice. The target site (namely dev.example.com) doesn't need to exist at all in this case. Your client (e.g. the browser) has no idea that Fiddler is retargeting the traffic, it just thinks that it is talking to dev.example.com.
If you have the Fiddler book, check out the Retargeting Traffic section for many other ways to retarget traffic.

ASP.NET HTTPS/SSL Caching and Dynamic Pages

I have an IIS6 ASP.NET 2/3.5 site that ALWAYS seems to be caching anything that goes through a https request. HTTP requests always work the same, but i see old/invalid data on https requests.
I see this a lot with pages where i'm doing http rewriting--but in general, it almost seems like the site has one set of values it shows to http requests and another to https requests-- without having any backend code that renders differently based upon the scheme.
Any ideas? Does IIS have a weird ssl caching option i'm not aware of?
The ports were set up wrong in IIS-- although the domain was correct because i was using port 443 it got forwarded to another site (because of host headers setup).

IIS bindings - example.com and www.example.com

I simply want both example.com and www.example.com to go to the same website. Currently we have just added a binding to each. This creates a problem for WCF which then breaks because it says it can only accept one http address.
Is there a better way to configure a site to accept addresses with or without 'www'?
this has to be changed in the dns using a host or a record.
You shouldn't be hosting a site on the root domain. Better approach here is to redirect traffic to the root (.example.com) to the correct site (www.example.com) using an HTTP 302.
The WCF service should only receive traffic on its single binding. Use DNS, HTTP redirection, or some Traffic management application/appliance to get traffic from multiple points to the correct one.

Where is origin of HttpContext.Current.Request.Url.Host?

Why does HttpContext.Current.Request.Url.Host return a different URL than the URL used in the Web browser? For example, when entering "www.someurl.com" in the browser, the HttpContext.Current.Request.Url.Host variable is equal to "www.someotherurl.com".
HttpContext.Current.Request.Url.Host is the contents of the Host header that the ASP.net application receives. (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more info about HTTP headers like Host).
Usually the header that ASP.NET sees is identical to the Host header sent by the browser. However, it's possible they won't match if software or hardware is sitting in between the browser and your ASP.net code and is rewriting the Host header.
For example, large-scale budget hosters like GoDaddy do this so they can support multiple top-level domains on a single IIS website, even on their cheaper hosting plans. Instead of creating a separate IIS website (which adds to server load and hence cost), GoDaddy remaps requests for http://secondsite.com/ to a virtual directory on your "main" hosted site, e.g. http://firstsite.com/secondsite). They will change both the Host: header as well as the URL.
BTW, you can easily verify that this is what's happening by dumping the contents of HTTP Request Headers that your app is receiving.
Anyway, if you want to figure out who is changing the Host header, start with the people who host your web app (or the team which is responsible for your load balancer and/or reverse proxy), since they're likely the ones responsible for rewriting your Host header.

Resources