0
votes

I have a couple of questions regarding IIS configuration.

When I enable HTTP redirect in IIS and use http://localhost/SubApp it's redirected to https://localhost/SubApp, but when it's http://localhost/service.svc it's not redirected to https://localhost/service.svc.

Also, with redirect enabled, a URL like https://localhost/test.html is not opened; I see the message

Can’t reach this page. Make sure the web address https://localhost is correct.

The content of the file is very simple: <html><body>test html</body></html>.

However, when HTTP redirect is disabled I can open this URL. I have a self-signed certificate.

Config for HTTP redirect is

<httpRedirect enabled="true" destination="https://localhost" exactDestination="false" childOnly="false" httpResponseStatus="Permanent" />

So, questions are:

  1. Why is *.svc not redirected to the HTTPS protocol?
  2. Why can't https://localhost/test.html be opened with HTTP redirect enabled?
  3. Does it all mean I should just use the URL Rewrite module and get rid of the redirect configuration?
2
@zubairkhanzada ok, thanks, so, url rewrite and iis http redirect is some blackbox - Alexey Klipilin

2 Answers

1
votes

After tests we have found out that the only possibility to use HTTP redirect (from HTTP to HTTPS) is:

  1. Configure the HTTP binding for the main site so the port is changed from 80 to 81. Also, port 81 is not visible from outside.
  2. Add a new website with an HTTP binding to port 80; this site has an empty WWWRoot.
  3. Add HTTP redirect to this new empty website so it redirects to HTTPS of our main site.

In this case HTTP redirect works fine.

0
votes

My aim was three-fold

  1. to use a domain name in the address bar without www
  2. to auto-redirect from HTTP to HTTPS without fail or issue or the need to accept certificates in the browser of any kind
  3. Simple failsafe security. If Google can do it why can I?

The idea of using a 'smoky' port in the previous post was smart. While using port 80 I was constantly getting the blue IIS welcome page and the http protocol. The fake port seems to force the asp.net web page to actually read the redirection code in the web config. I changed all my http bindings to port 81. Added to that the rewrite url codes in the web.config shown below.

Another important thing to test is turning OFF the 'Required SSL' as one post indicated it may conflict with IIS Rewrite URL (any conflict that doesn't show an error can be a major headache). Prior to turning the IIS 'SSL Settings' 'Required' switch off and leaving just 'Ignore' as checked ANY combination of Rewrite URL from the hundreds of posts or walkthrough setups seemed to fail (eg this was specific to IIS10 Win 2016 but probably the same all previous IIS's).

It was also important during testing to ensure requests are outside your Lan if hosting from a Static IP. Just use your mobile hotspot and a number of browsers from your tablet (eg samsung, brave, mozilla, edge etc) to see responses of each. Part of the reason for this was based on the implementation of TLS1.2 and disabling of ALL other protocols and ciphers.

Finally don't forget to constantly delete cookies / history prior to testing page loads. In some cases a 'wipe cache partition' on an android removes any temporary files that may be causing an issue with the device (especially during testing).

This issue can be a nightmare as things that are supposed to work absolutely don't work, even though the logic is 'bulletproof logical'.

Even with all these things considered and tested, there is a good chance it won't work in some browsers... it just refuses to move from the h*tp://domain.com IIS welcome page... eg edge, brave, etc

A sample rewrite with 3 rules, as per instructions from a popular SSL site:

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect www" stopProcessing="true">
      <match url="www.domain.com"/>
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$"/>
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent"/>
    </rule>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="domain.com"/>
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$"/>
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent"/>
    </rule>
    <rule name="Redirect Canonical HTTP to HTTPS" stopProcessing="true">
      <match url="domain.com"/>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"/>
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*"/>
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true"/>
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload"/>
    </rule>
  </outboundRules>
</rewrite>

Even some page load code in C# asp.net may do nothing... but it was worth a try... maybe it is not possible in IIS land.

protected void Application_BeginRequest(Object sender, EventArgs e)
{
    HttpContext context = HttpContext.Current;
    if (!context.Request.IsSecureConnection)
    {
        UriBuilder secureUrl = new UriBuilder(context.Request.Url);
        secureUrl.Scheme = "https";
        secureUrl.Port = 443;
        context.Response.Redirect(secureUrl.ToString(), false);
    }
}
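
URL Rewrite tests `<match url>` against the request path, not the host name, so the host-name patterns in the rules above do not select requests the way their names suggest. The following is an added example, not the answerer's configuration or one taken from the site they mention: one path-agnostic HTTP to HTTPS rule (covering `*.svc` and `*.html` alike), a www-stripping rule for the first aim, and the HSTS outbound rule; the rule names are chosen here.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Canonical host: the host name is read from {HTTP_HOST}, and {C:1}
             is the part captured after "www." -->
        <rule name="Strip www" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^www\.(.+)$" />
          </conditions>
          <action type="Redirect" url="https://{C:1}/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- Any path on any host: redirect only when the request arrived over
             plain HTTP, so HTTPS requests are never redirected again (no loop) -->
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^off$" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <!-- HSTS is sent on HTTPS responses only. includeSubDomains and preload
             from the rules above are left out here; add them once every
             subdomain serves HTTPS with a certificate browsers trust. -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

`{HTTP_HOST}` carries the port of the incoming request when it is not the default, so these rules assume the HTTP binding is on port 80 and the HTTPS binding on 443. They also require the URL Rewrite module to be installed, and "Require SSL" must be off on the site or the plain-HTTP request is rejected before the rule can answer it.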