2
votes

I am trying to configure Umbraco so all requests to the back office (www.mydomain.com/umbraco) get redirected to https and all non-backoffice requests are forwarded to http.

I can easily get the back office to use SSL by setting this web config appsetting key:

<add key="umbracoUseSSL" value="false" />

However, I am struggling to get all other pages to force http. The certificate is self signed so I don't want end users getting SSL errors. I have tried this rewrite rule in the web.config, but it has no impact.

<rule name="No-https" enabled="true" stopProcessing="true">
   <match url=".*" negate="false" />
   <conditions>
      <add input="{HTTPS}" pattern="on" />
      <add input="{URL}" pattern="umbraco" negate="true" />
   </conditions>
   <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" />
</rule>

My aim is that any request to https://www.mydomain.com is redirected to http://www.mydomain.com unless it matches the folder /umbraco.

If I have this rule, all http requests are redirected to https:

<rule name="Redirect to HTTPS" stopProcessing="true">  
   <match url="(.*)" />  
   <conditions>  
      <add input="{HTTPS}" pattern="^OFF$" />  
   </conditions>  
   <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />  
</rule>

But when I negate the rule, it no longer has any effect?

<rule name="Redirect to HTTP" stopProcessing="true">  
   <match url="(.*)" />  
   <conditions>  
      <add input="{HTTPS}" pattern="^OFF$" negate="true" />  
   </conditions>  
   <action type="Redirect" url="http://{HTTP_HOST}/{R:1}" redirectType="Permanent" />  
</rule>

Update. It looks like it isn't possible to process the redirect because the browser is giving the https error before the rewrite rule runs? Redirect from https to http when the SSL cert is no longer valid. Is there any way to redirect to http when using a self signed certificate?

2
It's not possible to redirect from HTTPS to HTTP before the user sees the certificate warning. This is explained in the SO link you posted.harvzor

2 Answers

1
votes

Try amending your rule to only match on the Umbraco path, something like this:

  <rule name="Force SSL" stopProcessing="true">
    <match url="^umbraco/(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="OFF" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" />
  </rule>

That way http requests for anywhere other than the umbraco path will not be redirected. For https > http requests try the following (untested)

  <rule name="Force Http" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="ON" />
      <add input="{PATH_INFO}" pattern="^umbraco/(.*)" negate="true" />
    </conditions>
    <action type="Redirect" url="http://{HTTP_HOST}/{R:0}" />
  </rule>
0
votes

I would recommend looking into making /umbraco/ unavailable on your site, and making it HTTP only.

I would then setup a different site, perhaps umbraco.yoursite.domain which does require SSL and allowing that address to access Umbraco.

Also, have you considered using LetsEncrypt to get a proper SSL certificate for your site?