Routing rules in web service - https

I have a configuration file. It contains RouteRules and in this element, you add Rules within the Rules tag using the add. Within the add element, it has a From parameter with a certificate line similar to the following:
<RoutingRules>
<Rules>
<add .... From="CN=*.domain.com, O=myorg, etc." />
</Rules>
</RoutingRules>
This is the line I think I can update to include https only, but I am not sure.
From="CN=*.domain.com, O=myorg, etc."
Can I configure this rule to only allow https? I have seen posts that say in IIS you make it accept only https, but this does not seem to be what the customer wants. They believe I can update the config file and enable only https traffic.

Related

outboundRule for dynamically generated content using the IIS Rewrite module

I am trying to write the outbound rules for URLs using the IIS Rewrite module. It is working fine for the static URLs; however, the outbound rule is not applied to the URLs generated dynamically by script. In some places in the application, the anchor tags with href () are generated using jQuery script. The outbound rules are not applied to these types of URLs.
I am using the below pre condition to include the script files, still not working.
<preCondition name="ResponseIsTextAnything">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
</preCondition>
I would appreciate your expert suggestions here. Thank you.

What is the proper way to add rewrite rules in an Azure App Service

I want to add rewrite rules to my Azure app service, but if I even try to create a web.config with a simple rewrite as shown below, the site returns an HTTP 500.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Test" stopProcessing="true">
<match url="test" />
<action type="Rewrite" url="/index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
What I did is create the web.config from scratch and FTP it into the wwwroot folder for the app service which is where I Ftp'd the rest of my web site files.
I have seen an old conversation about web.config files in Azure, but I'm not even sure if this is in regards to Azure app service - and things change so quickly in Azure that I thought I should ask separately anyways.
I have also seen this link about using web.config transforms. Maybe this is required?
This other link seems to indicate that updating web.config is possible, but their example results in an HTTP 500 for me as well.
I've looked through configuration options in the Azure portal for my app service and nothing seems to jump out at me.
>>”This other link seems to indicate that updating web.config is possible”
Yes, we could update the configuration of a Web App by updating the Web.config file directly. You could upload a new version of the configuration file to the wwwroot folder by FTP/WebDeploy or any other way provided by Kudu. Another easy way to edit files in the wwwroot folder is the App Service Editor; you could use it to edit the configuration file.
I can't reproduce your problem on my side. The following is what I did.
1. Create a Web App using a Web App Plan with the "Shared" SKU.
2. Create 2 files, an index.html file and a Web.config file. The content of Web.config is the same as yours.
3. Upload these files to the wwwroot folder of my web app using FTP.
4. Open a web browser and enter a URL like "http://xxx.azurewebsites.net/test". The web server will return the content of index.html. This proves that the rewrite is working fine.
>>”but their example results in an HTTP 500 for me as well.”
Firstly, please make sure whether the rewrite is working fine or not. I suggest you view the index.html page directly and check whether the error code (500) comes from the index.html page.
Sometimes we provide the wrong syntax for a rewrite rule, and it will return 500 (URL Rewrite Module Error). Have you enabled Detailed Error Logging and Web Server Logging for your web app? If yes, you could view the detailed error message to get more useful information. For how to enable and view diagnostics logging, the link below is for your reference.
Enable diagnostics logging for web apps in Azure App Service

URL Scheme Rewriting, from HTTP to HTTPS, for Specific domains, within a Browser

Is there a way to configure a browser (Firefox/Chrome) such that, if it encounters an HTTP URL (clicked or entered in the address bar, e.g. http://abc.xyz.com/...), it modifies it to an https URL (https://abc.xyz.com/...)?
Note that the site abc.xyz.com accepts both http:// and https:// schemes for the same URL. This site does not do any redirection for http:// links to enforce https scheme, and I do not want to access this site via http:// scheme.
I understand that this can be done with help of a web-server proxy (eg: Apache's mod_rewrite), but I am looking for a browser-only solution (say, via browser's "about:config" variables or some browser plugin, or some other method).
Adding abc.xyz.com to the browser's HSTS preloaded list seems like the best way to do this, but that can only be initiated and set up by the abc.xyz.com site's admin. The "HTTPS Everywhere" browser plugin comes close, but I could not find how to add my own/preferred sites in its UI.
Found a way to do it, with "HTTPS Everywhere" Firefox plugin.
However note that "HTTPS Everywhere" has its own rulesets for numerous/popular sites (maintained elsewhere). This is only needed for custom sites, not yet supported by "HTTPS Everywhere".
Create a ruleset in a file such as the one below in the Firefox profile directory (Windows 10) and restart the browser.
<!--
THIS_FILE: FIREFOX_PROFILE_DIRECTORY\HTTPSEverywhereUserRules\my_torrents.xml
FIREFOX_PROFILE_DIRECTORY: %APPDATA%\Mozilla\Firefox\Profiles\...
NOTE: To avoid un-necessary entries, check if custom hosts/sites are already supported in https://www.eff.org/https-everywhere/atlas/ , before adding it here
-->
<ruleset name="MY_HTTPS_RULESET">
<!-- for my Wiki server, always use HTTPS -->
<target host="192.168.1.210" />
<!-- for a site not yet supported by HTTPS Everywhere, but want this in HTTPS -->
<target host="torrasave.download" />
<!-- add more such custom entries -->
<rule from="^http:" to="https:" />
</ruleset>

URL Rewrite keeps original host Location when reverse proxy 301 redirects

I have URL Rewrite setup on an IIS 7.5 site: http://site1.com/
This acts as a reverse proxy to the second site: http://site2.com/
Here is the flow of events:
1. Browser does a GET on http://site1.com/somepath
2. This gets passed through to site2 because site1 is the URL Rewrite reverse proxy. This works well and the host is correctly set because I've done the mod that requires this.
3. site2 responds with a 301 status and sets the HTTP Location header to http://site3.com/somenewpath
4. site1 responds to the browser with a 301 but replaces the host in the Location header with site1: http://site1.com/somenewpath
What I want to happen in step 4 is that site1 responds with http://site3.com/somenewpath in the HTTP Location header and does a straight pass through of this data. I feel that there must be an Outbound rule that can be applied to solve this but haven't been able to figure it out yet.
Could Application Request Routing be involved? Look at IIS -> Machine or Site -> Application Request Routing Cache -> Server Proxy Settings and uncheck the "Reverse rewrite host in response headers" checkbox. If you do this at the machine level, it'll take effect for all sites. If you do it on a particular site, it'll only take effect for that site, and other sites on the box will be unaffected.
As I said in the above comments, I believe the default behavior of the reverse proxy is to pass through the response untouched (assumes there are no outbound rewrite rules set). I haven't tested your scenario specifically with a 301 response from the server behind the proxy, though.
If a special outbound rule is in fact needed, this code will modify the HTTP location header of all 301 responses to http://site3.com/somepath
<outboundRules>
<!-- This rule changes the domain in the HTTP location header for redirect responses -->
<rule name="Change Location Header">
<match serverVariable="RESPONSE_LOCATION" pattern="^http://[^/]+/(.*)" />
<conditions>
<add input="{RESPONSE_STATUS}" pattern="^301" />
</conditions>
<action type="Rewrite" value="http://www.site3.com/{R:1}" />
</rule>
</outboundRules>
This rule is a slight modification of one posted in URL Rewrite Module 2.0 Configuration Reference
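The following is an added example, not part of the original answer or of IIS itself: a small Python model of how the posted rule's two patterns decide which Location headers get rewritten. It approximates URL Rewrite matching with Python's `re` (unanchored search, case-insensitive on the header); the `NARROWED` variant and the sample responses are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class OutboundRule:
    status_pattern: str      # tested against {RESPONSE_STATUS}
    location_pattern: str    # tested against RESPONSE_LOCATION
    value: str               # rewrite value; {R:1} is the first capture group

    def apply(self, status, location):
        """Return the Location header the client would see after this rule."""
        if not re.search(self.status_pattern, str(status)):
            return location                      # condition failed: header untouched
        m = re.search(self.location_pattern, location, re.I)
        if not m:
            return location                      # match failed: header untouched
        return self.value.replace("{R:1}", m.group(1))

# The rule exactly as posted in the answer.
POSTED = OutboundRule(r"^301", r"^http://[^/]+/(.*)", "http://www.site3.com/{R:1}")

# Assumed variant (not from the page): also covers 302/307/308 and https Locations,
# and only touches redirects whose host is site1.com, leaving any other host alone.
NARROWED = OutboundRule(r"^30[1278]", r"^https?://site1\.com/(.*)",
                        "http://www.site3.com/{R:1}")

# Constructed (status, Location) pairs to run through both rules.
CASES = [
    (301, "http://site1.com/somenewpath"),
    (302, "http://site1.com/somenewpath"),
    (301, "https://site1.com/somenewpath"),
    (301, "http://other.example/landing"),
]

def compare(cases=CASES):
    """Return (status, original, posted_result, narrowed_result) per case."""
    return [(s, loc, POSTED.apply(s, loc), NARROWED.apply(s, loc)) for s, loc in cases]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The posted rule leaves 302 responses and https Locations untouched, and it rewrites every 301 to site3 regardless of which host the redirect originally pointed at.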
The accepted answer took me in the right direction, but I had to do some more digging for newer versions of IIS that do not have the Server Proxy Settings mentioned above.
Credit to these URLs:
IIS AAR - URL Rewrite for reverse proxy - how to send HTTP_HOST
Prevent ARR with UrlRewrite from re-writing Location header for a 302 redirect
On the web server, open the Configuration Editor and go to the path system.WebServer -> proxy. Change the reverseRewriteHostInResponseHeaders to False. This will stop the Location header in the response headers from being rewritten.
The answers that I linked to refer to the preserveHostHeader setting, which did not fix the issue in my case. (My response from the server was 302 with the new URL in the Location header.)
Before I got to know this perfect solution I used HTML redirecting, which might come in handy if you are not able to change the server settings:
Just store the redirect_url in the <head> of an html document:
<head>
<meta http-equiv="Refresh" content="0; URL=https://example.com/">
</head>

Proxy - ASP.NET with or without MVC

I'm working on one multi-tenancy application, where each tenant will have access to 1 or more "sub applications" (different ASP.NET MVC websites).
http://v1.app1.domain.com
http://v1.app2.domain.com
http://v1.app3.domain.com
Later in time, I'll have new versions for each sub application and I will end with:
http://v1.app1.domain.com
http://v2.app1.domain.com
http://v3.app1.domain.com
http://v1.app2.domain.com
http://v2.app2.domain.com
http://v1.app3.domain.com
Some tenants will want to have access to the latest versions, and some will still be using old ones.
This is what I've done.
Now I would like to keep "the subdomain versions" hidden for them. They will only access the domain: app1.domain.com
This "internal smart proxy" will have the logic to know which version this tenant has access to.
Does anyone know how I can do this, in a way that all my internal URLs (links, images, JS, CSS, etc.), AJAX, etc. will work correctly?
Or can you point me to some tutorials/blogs/forums that can help me?
Thank you very much.
What you are trying to build is in essence an HTTP proxy. The difference to most other proxies is just that the actual URL is built on the server side.
There are many different ways to do this. I'd choose one of the following:
Create an HTTP handler, in which case you could use this code project article as a starting point.
Use ASP.NET MVC. Create a "catch all" route and pipe that through one single action method.
Either way, you will have to
Analyze the HttpContext.Current.Request object and build a suitable outgoing URL
Use a HttpWebRequest to fetch the data from the actual website. Remember to mimic the original request header plus request content (usually POST parameters) if applicable.
Output the Response Header from the server and then output the data you just fetched.
Application Request Routing (ARR) could be a workable solution if you are using IIS 7 or 7.5.
You would have an additional web site defined in IIS acting as the proxy, which would be separate to the web site(s) your application uses.
The rules about which tenant is on which version would have to be written to a web.config for ARR to read. Is this acceptable? If you have a small number of tenants changing infrequently, you may be happy to edit this file by hand. If you need more automation, you could programmatically generate this web.config file. Because this web.config is only for your ARR proxy site, editing it will not cause your application sites to restart.
A sample configuration might use the following IIS Sites:
proxy - binding for your public IP address. *.domain.com resolves to this address
v1app - binding for 127.0.0.101
v2app - binding for 127.0.0.102
IIS server-level settings: ARR cache -> Server Proxy Settings -> enable proxy. (Set the timeout here if your app needs long timeouts.)
And in your "proxy" site's web.config, the following rewrite rules:
<rewrite>
<rules>
<rule name="V1 tenants" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://127.0.0.101/{R:1}" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="app1.domain.com" />
<add input="{HTTP_HOST}" pattern="app3.domain.com" />
</conditions>
</rule>
<rule name="V2 tenants" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://127.0.0.102/{R:1}" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="app2.domain.com" />
</conditions>
</rule>
</rules>
</rewrite>
When a request comes in, it will hit your proxy site, then those rules will look at the hostname and redirect to the appropriate internal site.
If your ARR site is running on the same server as your content sites, you may want to remove the line
<add name="ApplicationRequestRouting" />
from C:\windows\system32\inetsrv\config\applicationHost.config, and add it as a module in your proxy site's web.config. This will apply ARR only to your proxy site, instead of the whole server.
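The following is an added example, not part of the original answer: a Python check of which backend the rewrite rules above select for a given Host header. It approximates URL Rewrite condition matching with Python's `re` (unanchored, case-insensitive search) and handles only `MatchAny` grouping; `harden()` and the look-alike host names are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Rules copied from the answer above (conditions use unanchored, unescaped patterns).
ORIGINAL = """<rewrite><rules>
  <rule name="V1 tenants" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://127.0.0.101/{R:1}" />
    <conditions logicalGrouping="MatchAny">
      <add input="{HTTP_HOST}" pattern="app1.domain.com" />
      <add input="{HTTP_HOST}" pattern="app3.domain.com" />
    </conditions>
  </rule>
  <rule name="V2 tenants" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://127.0.0.102/{R:1}" />
    <conditions logicalGrouping="MatchAny">
      <add input="{HTTP_HOST}" pattern="app2.domain.com" />
    </conditions>
  </rule>
</rules></rewrite>"""

def harden(xml_text):
    """Return the same rules with each host pattern escaped and anchored (optional port)."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        add.set("pattern", "^" + re.escape(add.get("pattern")) + r"(:\d+)?$")
    return ET.tostring(root, encoding="unicode")

def route(xml_text, host, path="somepath"):
    """Backend URL chosen for a Host header, or None when no rule matches."""
    for rule in ET.fromstring(xml_text).iter("rule"):
        m = re.search(rule.find("match").get("url"), path, re.I)
        conds = rule.findall("conditions/add")
        # MatchAny: one matching condition is enough; patterns are searched, not full-matched.
        if m and any(re.search(c.get("pattern"), host, re.I) for c in conds):
            return rule.find("action").get("url").replace("{R:1}", m.group(1))
    return None

# Constructed Host header values: one expected, two that only resemble a tenant host.
for host in ("app1.domain.com", "app1.domain.com.example.net", "app1xdomain.com"):
    print(f"{host:30} original={route(ORIGINAL, host)}  anchored={route(harden(ORIGINAL), host)}")
```

With the patterns as posted, any Host value that merely contains something resembling a tenant name is routed to that tenant's backend; the anchored form accepts only the exact host name, with or without a port.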
