4
votes

I have been researching and trying to solve this issue for a few days without success.

I have a WCF webservice deployed on IIS 8 on Windows Server 2012.

During development, I have been using the full URL for the service in order to make the service calls.

example:

http://myserver.com/appservices/service1.svc/getdata 

But now I need to do the following:

  1. I have a domain on GoDaddy, let's say somedomain.com, and I want to have a subdomain services.somedomain.com to use instead of the full URL. So I want to have something like services.somedomain.com/getdata instead of writing the full URL above. I was not able to do this. I tried to set up URL Forwarding on GoDaddy for the subdomain services to forward to http://myserver.com/appservices/service1.svc. This works in the browser, but when using it in the mobile application or through Fiddler I get a 301 error. (I tried both with and without masking.) Is there a way to achieve that?

  2. I need to get an SSL certificate for it. My question here is, for which domain should I get it? Do I get it for somedomain.com, for the subdomain services.somedomain.com, or maybe for the original domain myserver.com? I'm a bit lost here, and I don't want to buy an SSL certificate for the wrong one.

To give you an overall idea of the final result I'm hoping to get, I need to have the following:

somedomain.com points to a website deployed on IIS

services.somedomain.com points to a WCF webservice deployed on the same IIS, and it will be used for services that will be called from Android/iPhone. And this needs to have an SSL certificate

I have bought somedomain.com from GoDaddy

Thanks a lot for any hint/help, I really appreciate it.

4
Did you try configuring HTTP redirect on your IIS 8? – Sergey Kalinichenko
Where are you hosting? Self-host? Azure? – Dennis
HTTP 301 is not an error, it's a redirect. The browser automatically follows these redirects and so does the .NET WebClient. Maybe the iPhone/Android does not by default. Is it a REST service? Does it have to be services.somedomain.com/getdata or could it be services.somedomain.com/api/getdata too? – codeworx
@Dennis I have my own dedicated server, and I'm the administrator. It's a Windows Server 2012. – Y2theZ
@codeworx Yes, it's a REST service. I prefer it to be services.somedomain.com/getdata but if that is not doable, then I'm OK with services.somedomain.com/api/getdata. I'm more interested in making the subdomain work and have HTTPS. Thanks – Y2theZ

4 Answers

3
votes

Now I have a better understanding of the situation from the above questions.

Firstly, as you own both the domains and you are the administrator of the Windows 2012 server, I would recommend that you add somedomain.com to your server directly, i.e. do not redirect it. This is better as you only need to purchase the SSL certificate that you need. If you used a redirect, you would need an SSL certificate for both domains as otherwise your users would get security warnings as the original request would not match the certificate.

Also what you want is Url Rewrite, not Redirect. What's the difference? A redirect is a client-side request to have the web browser go to another website (using the 301 error code). A rewrite is a server-side rewrite of the URL before it reaches your service.

To get started with URL rewriting, add the following to your Web.config file:

<system.webServer>
  <rewrite>
    <rules>
      <!-- My rules -->
    </rules>
  </rewrite>
</system.webServer>

We are going to add a few rules (assuming that you have services.somedomain.com on the same server).

  1. The first rule, rewrite http://services.somedomain.com/appservices/service1.svc/getdata to http://services.somedomain.com/getdata.

    <rule name="SubDomainAppService" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
            <add input="{HTTP_HOST}" pattern="^services\.somedomain\.com$" />
        </conditions>
        <!-- The rewrite target is a server-relative path: {HTTPS} expands to "on"/"off",
             not a URL scheme, so it cannot be used as a prefix here. -->
        <action type="Rewrite" url="/appservices/service1.svc/{R:1}" />
    </rule>
    

    This will match requests for services.somedomain.com/getdata, capturing the remaining part of the URL and internally rewriting it to services.somedomain.com/appservices/service1.svc/getdata. This rule also forces/rewrites the request to HTTPS.

  2. To force SSL for your website, you can do this by adding a rewrite rule. This will rewrite any incoming request on HTTP to HTTPS.

    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    

URL Rewriting is a complex topic, not even one I understand fully. A few resources that I read whilst answering this question:


Bonus:

For your DNS, domain, and SSL certificates I would recommend using a better provider like DNSimple. Read Troy Hunt's* post on why he moved. An SSL certificate from DNSimple for sub-domain and wildcard is on their site.

* If you don't know who Troy Hunt is, read the rest of his articles on security. Especially his posts on hacking your API first.

2
votes

You need to configure your server so that it hosts two websites:

  1. somedomain.com with bindings:
    • protocol: http, hostname: somedomain.com, port: 80
    • protocol: http, hostname: www.somedomain.com, port: 80
  2. services.somedomain.com with bindings:
    • protocol: https, hostname: services.somedomain.com, port: 443
    • protocol: http, hostname: services.somedomain.com, port: 80

(the last binding will simply be used to redirect http traffic to https).

SSL:

You must install an SSL certificate in order to create SSL bindings in IIS. The SSL certificates contain information about the hostname(s) for which the certificate was issued. A certificate issued to foo.com cannot be used to identify bar.com. Make sure that you explain your needs to the certificate provider if you need to secure more than one hostname (in which case they would recommend UCC or wildcard certificates).

Also note that SSL host header configuration on IIS7 can only be done through appcmd command line.

Deployment:

Set up the two websites in separate directories (one contains the www content, the other contains the webservice files). Once the website and webservice files are separated you can choose to place the webservice files in the root.

URL Rewriting:

In case you want to eliminate service1.svc from the URLs, you can use URL rewriting. It requires the URL Rewrite module to be installed. You can use the IIS Manager GUI to create the rules. Here is an example of the web.config file generated for services.somedomain.com:

<system.webServer>
    <!-- other rules -->
    <rewrite>
        <rules>
            <rule name="http to https" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="^OFF$" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Temporary" />
            </rule>
            <rule name="everything to service1.svc">
                <match url="(.*)" />
                <conditions>
                    <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
                </conditions>
                <action type="Rewrite" url="/appservices/service1.svc/{R:1}" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
1
votes

Since you ask several questions I hope to answer some of them:

  1. Check first if your sub-domain services.domain.com is properly forwarded by GoDaddy. Ping the sub-domain to check if it hits your own server. Then in IIS you add the web service with the host name services.domain.com. For the website you add a separate web site with the host name: domain.com

  2. You have several options for the SSL Certificate, but the cheapest one would be to get it for the sub-domain: services.domain.com. In the web.config you can add a redirect like below to make sure the service always uses the HTTPS connection.

    <system.webServer>
      <rewrite>
        <rules>
          <rule name="Redirect to HTTPS" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
    


0
votes
  1. Define on GoDaddy both somedomain.com and services.somedomain.com as "A" records with the IP address of your servers, and configure them as two sites on your servers. Don't redirect - even if you got it working it will slow down your users and cost you an extra certificate.

  2. You need two certificates - one for somedomain.com and the other for *.somedomain.com. Note the wildcard - this will allow you to use the same certificate for additional sub-domains should you need them going forward.

  3. In a few months we expect to see free SSL - check out Let's Encrypt, so better not commit long term.

  4. You can probably avoid the URL rewrite by simply setting /appservices/service1.svc as your site's default, assuming all services.somedomain.com services are served via this entrypoint.
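
An added example (not from any of the answers) that checks which hostnames a certificate's subject-alternative-name list covers, which is what settles the "for which domain should I get it" question and the single-name, UCC and wildcard advice in the answers above. The hostnames are the question's; the candidate SAN lists and the function names are constructed for illustration, and the three-label floor for wildcards is a simplification of what real clients enforce.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# Matching follows the common RFC 6125 rules for dNSName entries.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Wildcard is accepted only as the whole left-most label. Requiring
        # three labels (rejecting "*.com") is a simplification of the
        # public-suffix checks real clients perform.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def uncovered(sans, required):
    """Hostnames in `required` that no SAN entry covers."""
    return [host for host in required
            if not any(san_matches(s, host) for s in sans)]


# Constructed inputs: hostnames taken from the question, SAN lists invented
# to represent the certificate options the answers mention.
CLIENT_HOSTS = ["services.somedomain.com"]   # name the mobile apps connect to
ALL_HOSTS = ["somedomain.com", "www.somedomain.com", "services.somedomain.com"]
CANDIDATES = {
    "single-name": ["services.somedomain.com"],
    "backend-name": ["myserver.com"],
    "wildcard": ["*.somedomain.com"],
    "wildcard+apex": ["somedomain.com", "*.somedomain.com"],
}


def report(required):
    """Map each candidate certificate to the hostnames it leaves uncovered."""
    return {name: uncovered(sans, required) for name, sans in CANDIDATES.items()}


if __name__ == "__main__":
    for label, hosts in (("apps only", CLIENT_HOSTS), ("all sites", ALL_HOSTS)):
        for name, missing in report(hosts).items():
            print(f"{label:10} {name:14} uncovered: {missing or 'none'}")
```

The client validates the certificate against the name it connected to, so a certificate for myserver.com does nothing for services.somedomain.com, and a wildcard alone leaves the bare somedomain.com uncovered.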