I am using IIS URLRewrite to add the HttpOnly option to all outgoing requests, except it is not adding this for requests to, for example, my ./images/ folder where a cookie is set.
Result: Set-Cookie: ASPSESSIONIDQECSBATA=KGBFCMFABKMKPHBLFJHPNEJN; secure; path=/
My outbound rule:
<outboundRules>
  <rule name="Add HttpOnly" preCondition="No HttpOnly">
    <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
    <action type="Rewrite" value="{R:0}; HttpOnly" />
    <conditions>
    </conditions>
  </rule>
  <preConditions>
    <preCondition name="No HttpOnly">
      <add input="{RESPONSE_Set_Cookie}" pattern="." />
      <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
    </preCondition>
  </preConditions>
</outboundRules>
How do I get the HttpOnly flag added to the cookie being set for my images folder?
Put the outbound rule at the server level. This will go in the applicationHost.config and apply it to all sites on that server.
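A way to check the result once the rule is in place, as an added example that is not part of the original posts: it models the question's pre-condition and rewrite in Python and audits captured Set-Cookie values per request path. The function names, the capture and the first cookie are constructed for illustration; the /images/ value is the header quoted in the question.

```python
import re

# The question's pre-condition pattern; URL Rewrite patterns ignore case by default.
HAS_HTTPONLY = re.compile(r"; HttpOnly", re.IGNORECASE)

def apply_outbound_rule(set_cookie):
    """Model of the question's rule: append '; HttpOnly' when the pre-condition holds."""
    if not set_cookie or HAS_HTTPONLY.search(set_cookie):
        return set_cookie
    return set_cookie + "; HttpOnly"

def cookie_flags(set_cookie):
    """Lower-cased attribute names that follow the name=value pair."""
    attrs = (part.strip() for part in set_cookie.split(";")[1:])
    return {a.split("=", 1)[0].lower() for a in attrs if a}

def audit(responses, required=("httponly", "secure")):
    """Map each request path to the cookies that lack a required flag."""
    findings = {}
    for path, headers in responses.items():
        for header in headers:
            name = header.split("=", 1)[0].strip()
            missing = [f for f in required if f not in cookie_flags(header)]
            if missing:
                findings.setdefault(path, []).append((name, missing))
    return findings

# Constructed capture: Set-Cookie values seen per request path.
CAPTURED = {
    "/default.asp": ["ASPSESSIONIDEXAMPLE=AAAA; secure; path=/; HttpOnly"],
    "/images/logo.png": ["ASPSESSIONIDQECSBATA=KGBFCMFABKMKPHBLFJHPNEJN; secure; path=/"],
}

if __name__ == "__main__":
    print("before:", audit(CAPTURED))
    fixed = {p: [apply_outbound_rule(h) for h in hs] for p, hs in CAPTURED.items()}
    print("after: ", audit(fixed))
```

Running the audit against headers captured from every path that sets a cookie shows whether the rule is applied outside the application root.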
Related
I have two domains, baddomain.com and gooddomain.com, which are pointing to the same hosting service. I have bought an SSL certificate and now I want to redirect the bad one to the good one, which has SSL installed. I wrote these rules and it works in Chrome but not in IE and Firefox. The bad domain redirects to https instead of redirecting to the good domain. Thanks.
<!--Redirect from bad domain to good one-->
<rule name="BadtoGood" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTP_HOST}" pattern="baddomain.com" />
  </conditions>
  <action type="Redirect" url="https://gooddomain.com/{R:0}" redirectType="Permanent" />
</rule>
<!--Force https on good domain -->
<rule name="forceHTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" negate="false" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTPS}" pattern="off" />
    <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
  </conditions>
  <action type="Redirect" url="https://gooddomain.com/{R:0}" redirectType="Permanent" />
</rule>
The reason was that I had enabled force https through the website control panel and it was overriding the downstream settings in web.config.
In my case this was the path:
Plesk for windows > Websites and domains > Hosting setting
I am new to IIS, but came up against a situation where not all of our clients use SSL on their websites but there are a few who do. Hence the problem here is that after enabling redirection, when it redirects to SSL-enabled pages, it works well but gives an SSL warning on non-SSL websites.
I want to add some redirect rules which:
1. Redirects with https on the domains only which I allow.
2. Redirects with http only for the sites not in allowed list.
Any help on this would be greatly appreciated.
Thanks,
Rastu.
As lex says, we could use URL Rewrite's conditions to achieve your requirement. You could put this URL Rewrite rule inside the web site.
Notice: the condition's HTTP_HOST should be set to the domain which doesn't enable SSL.
<rules>
  <rule name="HTTP to HTTPS on different SSL Port" enabled="true" stopProcessing="true">
    <match url="(.*)" ignoreCase="true" negate="false" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
      <add input="{HTTPS}" pattern="off" />
      <add input="{HTTP_HOST}" pattern="^www.domainwithoutusingSSL.com$" negate="true"/>
      <add input="{HTTP_HOST}" pattern="^www.domainwithoutusingSSL2.com$" negate="true"/>
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" />
  </rule>
</rules>
I have my .NET MVC website hosted in Liquid Web cloud. I wanted to redirect all website users if they enter any of the following URLs: http://example.com, http://www.example.com, https://example.com
to https://www.example.com (i.e. a consistent URL no matter how they enter).
I tried the following code in web.config but no luck.
<rule name="Redirect Non WWW" stopProcessing="true" >
  <match url="^(http\.)(.*)$" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTPS}" pattern="^OFF$" />
    <add input="{HTTP_HOST}" pattern="^https://www.example.com$" />
  </conditions>
  <action type="Redirect" redirectType="Permanent" url="https://www.example.com/{R:0}" appendQueryString="true" />
</rule>
Domain is already registered as www.example.com and SSL is enabled on the domain.
You have used MatchAll and also set the condition that the URL should have https to start redirection! Just change it to having http instead:
incorrect:
<add input="{HTTP_HOST}" pattern="^https://www.example.com$" />
correct:
<add input="{HTTP_HOST}" pattern="^http://www.example.com$" />
Since you're going to force a redirect to use HTTPS, (.*) will match all URLs and you can set the pattern to off.
<rule name="HTTP to HTTPS Redirection" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
Update:
There isn't any problem with method 1, but also adding this for those who visit this post later.
Method 2:
<rule name="HTTP to HTTPS Redirection" enabled="true">
  <match url="(.*)" />
  <action type="Redirect" url="https://www.example.com/{REQUEST_URI}" appendQueryString="true" redirectType="Permanent" />
</rule>
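A simplified Python model of how URL Rewrite evaluates a redirect rule for this question, added here as an illustration and not taken from the posts: `<match url>` is tested against the path without scheme, host or leading slash, and `{HTTP_HOST}` holds only the host name. `CANONICAL_RULE` is an assumed way to express the goal (not a rule from the thread), the dictionary layout is hypothetical, and query strings are ignored.

```python
import re
from urllib.parse import urlsplit

def server_vars(url):
    """Simplified model of the inputs URL Rewrite sees for one request."""
    u = urlsplit(url)
    return {
        "URL_PATH": u.path.lstrip("/"),   # what <match url> is tested against
        "HTTPS": "on" if u.scheme == "https" else "off",
        "HTTP_HOST": u.netloc,            # Host header: no scheme, no path
    }

def redirect_target(rule, url):
    """Return the Location the rule would send, or None if it does not fire."""
    v = server_vars(url)
    m = re.search(rule["match"], v["URL_PATH"], re.IGNORECASE)
    if not m:
        return None
    hits = [bool(re.search(pat, v[var], re.IGNORECASE)) != negate
            for var, pat, negate in rule["conditions"]]
    fired = any(hits) if rule["grouping"] == "MatchAny" else all(hits)
    return rule["target"].replace("{R:0}", m.group(0)) if fired else None

def follow(rule, url, max_hops=5):
    """Apply the rule repeatedly, as a browser would; return (final_url, hops)."""
    for hop in range(max_hops):
        nxt = redirect_target(rule, url)
        if nxt is None:
            return url, hop
        url = nxt
    raise RuntimeError("redirect loop")

# The rule from the question, transcribed as (variable, pattern, negate) tuples.
ASKER_RULE = {
    "match": r"^(http\.)(.*)$", "grouping": "MatchAll",
    "conditions": [("HTTPS", r"^OFF$", False),
                   ("HTTP_HOST", r"^https://www.example.com$", False)],
    "target": "https://www.example.com/{R:0}",
}
# Assumption: fire when the request is not HTTPS or the host is not the www name.
CANONICAL_RULE = {
    "match": r"(.*)", "grouping": "MatchAny",
    "conditions": [("HTTPS", r"^off$", False),
                   ("HTTP_HOST", r"^www\.example\.com$", True)],
    "target": "https://www.example.com/{R:0}",
}
```

`follow` raises on a loop, which makes it a quick offline check that a rule stops redirecting once the request is already on the canonical URL.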
My site is asp.net.
I have a wordpress blog in the blog folder and everything works great.
My main web.config has a working rule that forces https on everything.
I have successfully added a rule in the web.config in the blog folder not to redirect to https.
My problem is that I want to exclude the wp-content/uploads/* folder from that rule.
i.e. I want the images in the upload folder to be allowed to load on https too.
(My reason is that I refer to them in my main site and the way it is, I get security messages that I have insecure content on my https pages)
My code is:
<rule name="Remove https" enabled="true" stopProcessing="true">
  <match url="(.*)" ignoreCase="false" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
    <add input="{REQUEST_URI}" pattern="^wp-content/uploads/.*" negate="true" />
    <add input="{HTTPS}" pattern="on" />
  </conditions>
  <action type="Redirect" url="http://{HTTP_HOST}/blog/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
What am I doing wrong?
Thanks
There is a problem in your code; please try the code below, which may help you.
Something is wrong in your pattern "^wp-content/uploads/.*"; try the code below, which may help you.
<rule name="Remove https" enabled="true" stopProcessing="true">
  <match url="(.*)" ignoreCase="false" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
    <add input="{REQUEST_URI}" pattern="^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*)" negate="true" />
    <add input="{HTTPS}" pattern="on" />
  </conditions>
  <action type="Redirect" url="http://{HTTP_HOST}/blog/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
I got a copy of an https rewrite rule so that when certain keywords are in the url it automatically redirects to an https: on a specific port.
However, I would also like something so that when I want to log out of the secure area and go back to the non-SSL site, it's no longer on https. I have been unsuccessful in doing this.
Can someone tell me what I need to do?
Here's the https rule I used.
<rewrite>
  <rules>
    <rule name="Secure Account Controller" enabled="true" stopProcessing="true">
      <match url="^account" ignoreCase="true" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="true" >
        <add input="{HTTPS}" pattern="off"/>
        <add input="{HTTP_HOST}" pattern="([^/:]*?):[^/]*?" />
      </conditions>
      <action type="Redirect" url="https://{C:1}:44300{URL}"/>
    </rule>
  </rules>
</rewrite>
** UPDATED **
This seems to have done it.. Not sure why the url in the browser doesn't revert once it's finished.. but when I click on another page in the site... it's showing http
<rule name="Home Controller" enabled="true" stopProcessing="true">
  <match url="^home" ignoreCase="true" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="true" >
    <add input="{HTTPS}" pattern="on"/>
    <add input="{HTTP_HOST}" pattern="([^/:]*?):[^/]*?" />
  </conditions>
  <action type="Redirect" url="http://{C:1}:7224{URL}"/>
</rule>