Solved

Help needed with IIS 7.5 URL Rewrite Module 2.0 “Force HTTP to HTTPS” rule condition

Posted on 2013-01-13
9
1,777 Views
Last Modified: 2013-01-14
I currently have a typical "Force HTTP to HTTPS" URL rewrite code in place. This works perfectly for my entire website; including a couple well-written ASP.NET apps Im using. However, I have one ASP.NET app that's throwing a "Directory Not Found" exception if my "Force HTTP to HTTPS" rule is active (probably due to specifying full paths to files and directories instead of relative references, not sure).

I certainly dont have the experience modify the ASP.NET app code (since I didnt write the app). So, I was hoping someone could please see how to add a condition to ignore one folder (and respective ASP.NET app); while keeping everything else as-is.

Here's what I have currently:

web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Force HTTP to HTTPS" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
                </rule>
            </rules>
        </rewrite>
        <httpErrors errorMode="Custom" />
    </system.webServer>
    <system.web>
      <sessionState 
        mode="InProc"
        cookieless="true"
        timeout="1440" />
    </system.web>
</configuration>

Open in new window


I already tried adding the below line inside the conditions area above; but, it doesnt make any difference; and, still get the same error about the directory missing. If I remove the web.config file completely from the root of my website, I dont get that error anymore.

<add input="{REQUEST_URI}" pattern="^/photos$" negate="true" />

Open in new window


If someone have a better way to implement a "Force HTTP to HTTPS" rule; which is more ASP.NET application friendly, I would prefer to do that instead of writing a condition (maybe having an improved rule and condition might be best)?

I have tried asking for help in various Internet websites; unfortunately, nobody seems to know much about how to do this.  Either that, or they just didnt want to help.  It seems like there are many more skilled people on EE; which may be worth it.

Anxiously hoping for a solution...
0
Comment
Question by:mkanet2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 21

Expert Comment

by:masterpass
ID: 38773198
Try something like this:

<rule name="forcehttps" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true"/>
    </conditions>
    <action 
        type="Redirect" 
        url="https://{HTTP_HOST}/{R:1}" 
        appendQueryString="true" 
        redirectType="Permanent" />
</rule>

Open in new window

Hope this helps :)
0
 

Author Comment

by:mkanet2
ID: 38773259
Thanks for the quick reply.  Unfortunately, that rule seems to do pretty much the same thing my current rule does that I posted above; including the same error message about, "Directory Not Found" in my asp.net app, "/photos"  (http://mywebsiteUR.com/photos).  I even tried adding the below condition in an attempt to ignore the directory; but STILL getting the error.

<add input="{REQUEST_URI}" pattern="^/photos$" negate="true" />

Open in new window


So, it look like I still need a good way for the rule to NOT force https to my /photos directory (and everything within it).
0
 
LVL 21

Expert Comment

by:masterpass
ID: 38773303
Can you try something like this if you do not want https for photos folder.

<rule name="nohttps" enabled="true" stopProcessing="true">
   <match url="^photos/.*" />
   <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
   </conditions>
   <action type="None" />
</rule>
<rule name="forcehttps" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTPS}" pattern="off" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" />
</rule>

Open in new window

0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:mkanet2
ID: 38773345
Thanks.  Unfortunately, I am STILL seeing the same error for my /photos asp.net app.  There is something in my web.config that's causing my /photos app to produce that error.  If I remove the web.config file entirely, I dont get the error at all.

I included the exact error message (see attached screenshot of error).  Maybe, its possible to just modify the app itself to be "force-https" rule friendly?  I also attached the source code itself; which might be something relatively easy to fix.  I suspect it's using a full physical path references instead of relative path.

Otherwise, we would have to figure out which part of my web.config the /photos app doesnt like.

Error produced because /photo ASP.NET app did not like URL Rewrite module rule or condition.album.ashx.txt
0
 
LVL 21

Expert Comment

by:masterpass
ID: 38773378
Can you do the following steps and let me know the answer?

1. Try opening the same site in a different browser (possibly IE?)
2. modify <match url="^photos/.*" /> to <match url="^/photos/.*" /> and then try in IE and FF
0
 

Author Comment

by:mkanet2
ID: 38773394
Unfortunately, same problem in both IE and Firefox.  Below is the exact line-line code for my entire web.config.  It still produced the same "directory not found error" when this file is in the wwwroot directory.

Notice I have one added condition in order to only apply the "force https" rule only incoming 192.168.1.2 requests.  For the purpose of keeping things simple, I wont get into why I need it; just know that the force https rule wont work without that condition being there.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                 <rule name="nohttps" enabled="true" stopProcessing="true">
                    <match url="^/photos/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                    </conditions>
                    <action type="None" />
                 </rule>
                 <rule name="forcehttps" enabled="true" stopProcessing="true">
                     <match url="(.*)" />
                     <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                         <add input="{HTTPS}" pattern="off" />
                         <add input="{REMOTE_ADDR}" pattern="192.168.1.2" negate="true" />
                     </conditions>
                     <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" />
                 </rule>
            </rules>
        </rewrite>
        <httpErrors errorMode="Custom" />
    </system.webServer>
    <system.web>
      <compilation debug="true"/>
      <sessionState 
        mode="InProc"
        cookieless="true"
        timeout="1440" />
    </system.web>
</configuration>

Open in new window

0
 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 38773965
This should work.. comment out your existing code and add this.
<httpErrors errorMode="Custom" lockAttributes="allowAbsolutePathsWhenDelegated,defaultPath"> 

<rule name="Redirect to HTTPS" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="^OFF$" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>

Open in new window

what is in your apphost.config?
0
 

Author Comment

by:mkanet2
ID: 38775158
Your code worked perfectly!  The only thing I had to add was    </httpErrors> after your first line.

I dont even have a apphost.config file.  Will I need that too?

Lastly, while I have your attention, below is my entire web.config.  I would like it to also force anyone who has their web browser open to keep their current connection to the server alive (as long as their web browser has any webpage from my website displayed in their web browser).

Thanks so much!

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
       <httpErrors errorMode="Custom" lockAttributes="allowAbsolutePathsWhenDelegated,defaultPath">
       </httpErrors>
        <rewrite>
            <rules>
                <rule name="Redirect to HTTPS" stopProcessing="true">
                  <match url="(.*)" />
                  <conditions>
                    <add input="{HTTPS}" pattern="^OFF$" />
                    <add input="{REMOTE_ADDR}" pattern="192.168.1.2" negate="true" />
                  </conditions>
                  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Open in new window

0
 

Author Comment

by:mkanet2
ID: 38775978
I hate to say this, but it looks like the real reason why I was getting the error was due to forcing my apps to no use cookies.  Apparently, my app needs to be able to save cookies.

    <system.web>
        <sessionState
           cookieless="true"
    </system.web>
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question