URL Rewrite, ServerVariables, URL Parts, HTTP to HTTPS Redirect. Week 9

Last week I gave an intro to URL Rewrite; covering the basics and giving a real world example.  This week I dive in deeper and cover ServerVariables, the parts that make up the URL and another real world example of redirecting HTTP to HTTPS.

This is week 9 of a 52 week series on various web administration related tasks.  Past and future videos can be found here.

For reference, in the video I mentioned the following two blog posts:

37 Comments

  • Very helpful.
    Where can we learn more about the different rules?

    Thanks

  • hey Scott,

    Just wanted to say thanks for the series and keep up the good work. Very informative for an entry level .net developer like myself.

    thanks

  • How would you recommend handling the case where the provider must decide if the action to take is rewrite or a redirect?

    How would you recommend handling a case where a provider that is doing re-writes receives a url that does not need to be changed?

    Is there any way to get total control via a provider? That is: all urls will be passed to it and it will decide what, if any, action to take?

  • Andrew,
    There are two ways to approach that. You can double your rules and be specific with your conditions. Or, you can extend URL rewrite as much as you want. I'm on my phone and don't have a link handy but you can search for "extend URL rewrite" and you'll get some good code examples. You can tap into a database and\or perform any custom code you want.

  • Nice video! I was playing around with URL Rewrite and Server Variables in the past few weeks. I must say you have summarized the most important concepts into one vid of 12 minutes! Great! ;)

  • Hi Scott,

    Thanks so much for this series, definitely going to help me out a ton! I'm extremely new to site hosting and was tasked to create a wss3.0 site. After it was created and a ton of content was uploaded I was asked to install a cert and add SSL. When I did so I found that search returns query's back in http. Is there an easy way to convert the entire site along with all content to https?

    Thanks,

  • Hi gallupb,

    The switching back and forth between http and https is usually handled by the URLs within the page itself. If the form POST for your search page uses https://yourdomain.com/search.aspx (example) then it will switch to https each time.

    Https has some performance overhead on the client and server so generally you'll be better off if you keep to http for most pages and https for login and anything that needs to be secure. Of course if you're a bank then any of the signed in pages should e secure. :)

    To switch the whole site to https, you can use the example in the video but set the URL field to .*, which means that everything will redirect.

    Also, make sure that all absolute URLs within your site's HTML to start with https://, or to use a protocol relative URL (// rather than http:// [http://how-to-asp.net/protocol-relative-urls.aspx])

  • hi,

    good videos, i downloaded em all.good for beginners to start with, but can you release more than 1 video/week coz, 52 weeks sounds way too much to track.its gonna take more than an year for you to complete.

  • Is there a performance hit in IIS if there are too many rules in place?

    Also, I wanted to say thanks. I was an early adopter of URL Rewrite, so I did a lot of learning on my own. It's good to see some tips from a pro so I can clean up my current rules and make them more efficient. I have about 50 rules right now for managing sub-domains and cleaning up URLs to work with our enterprise CMS.

  • Hi AJ,

    There is some overhead, yes. Regex has the most perf hit. It will really depend on your traffic on the server. Most sites won't have a problem with the regex rules at all though, but extra busy servers can be impacted. The impact will be on CPU, not on the other resources.

    It's best to watch your resources and if CPU isn't a problem, then you're safe. The perf hit should be pretty easy to notice and track down if your server is under load.

    Move your most commonly used rules to the top and set to stop processing other rules (if you can). That will help too.

  • Hi Kevin,

    Thansk for the feedback. Glad to know that this is helpful to you. This is meant to be 1 per week for a year. This weekend will be the 10th week, so we're 20% into the year already. What you can do is follow me on twitter @scottforsyth, subscribe to my blog RSS or to me on YouTube. Then you'll be reminded each week when the videos are released.

  • Just wanna say that youre great!

  • Hi guys,

    RE: scott's week 9 lesson, for http to https redirect.
    I managed to get this working.
    Question is that when I type in the http address, it prompt for the username and password first before changing the url to https.

    If I type my password here, will that then be a clear text?

    Cheers
    Jon

  • Jon, that all depends on why it's prompting for the password. If it's prompting before a url rewrite redirect, then it sounds like it's because the web.config file can't be read. You likely have anonymous access turned off on purpose, or there's a permissions issue.

    In this case the password will not be encrypted over SSL. If it's windows auth, it's already a hash key which is better than plain text, but still not the desired result.

    If the password prompting isn't on purpose, then use something like process monitor (see week 20) to track that down. If it's on purpose, then a good solution is to move your URL Rewrite rules up to the global level. Or you can manually move it to a location tag within applicationHost.config (see week 18).

  • Thanks Scott,

    I am quite new with this so please bear with me.
    I do want the url to change to https before password, so that it will be encrypted over SSL.
    The auth has been set to windows auth as I disabled basic auth and yes there's permission set on the folders.

    I haven't looked at week18, but now that you know a bit of what i need will week 18 be relevant to set it up?

    Cheers
    Jon

  • Hi Jon, in that case I would move the rule up to the global level. Then it will run for anonymous users. You can either filter it to your site using {HTTP_HOST} for the domain name or {SERVER_ADDR} for the IP. Or you can view video 18 to see another trick to filter it for just 1 site but have the settings at the global level.

  • How can i make http protocl rewrite to https for access?Thank you!

  • Hi OWScott,

    Thanks for the video.

    I am able to implement this in server.

    But Firefox and Safari are unable to redirect it properly.
    Is this a known issue?

    Best Regards,
    Damodar

  • Hi Damodar,

    There aren't any known issues with different browsers. It's a client-side redirect which has been supported for years. My only guesses on possible causes would be that it worked in IE or Chrome and then they cached the redirect ... then after further troubleshooting you may have changed the rules so that they don't work. Then IE (for example) still appeared to work but really didn't because of caching.

    Try breaking the rule and making sure that it breaks in all browsers, then review the rule to ensure that everything is in place.

  • Hi OWScott,

    It is working fine in IE and not in Safari and Mozilla.

    What I am trying to do is add https for secure pages and http for other pages.
    In Firefox it's adding /%5C
    http://cruising.com.au/%5C%5Cwww.cruising.com.au%5Cwww.cruising.com.au/%5C%5Cwww.cruising.com.au%5Cwww.cruising.com.au/www.cruising.com.au/%5C%5Cwww.cruising.com.au% .... .
    when redirecting to http:\\www.cruising.com.au
    and
    https://\\www.cruising.com.au\pages/Secure/Summary.aspx
    when redirecting to Https://www.cruising.com.au/pages/Secure/Summary.aspx

    Best Regards,
    Damodar

  • Hi OWScott,

    I have modified web.config in test server now it's not redirecting HTTPS to HTTP it's looping in IE too.

    Any solution?

    Best Regards,

    Damodar

  • Hi Damodar,

    It sounds like it may be something in the action that it throwing it off. Can you post the URL Rewrite config from web.config so I can see what you have so far?

  • Hi OWScott,

    This is my test environment hosted in server.




















































    Best Regards,
    Damodar

  • Hi Damodar,

    The first two rules look correct. They should redirect to http. The Pages/Secure is also good that you have the to prevent the two rules from looping.

    The issue appears to be with the redirect. It should be something like this:



    It needs the protocol (https) and also the /. I believe that will do the trick.

  • Hi OWScott,

    I have modified that but still looping when trying to go from HTTPS to HTTP.

    Another thing I noticed is in

    If I change http:\\test.ozcruising.com.au\{R:0} IE And Chrome works fine not FF and Safari.

    Do you have any other suggestion or better code?

    I also want to implement if we have HTTPS in Pages\detail.aspx keep it in HTTPS.

    Best Regards,
    Damodar

  • Hi OWScott,

    I have added few comments but it's not displayed. So one more time!!!

    I have modified that but still looping when trying to go from HTTPS to HTTP.

    Another thing I noticed is in

    If I change to http:\\test.ozcruising.com.au\{R:0} IE And Chrome works fine not FF and Safari.

    Do you have any other suggestion or better code?

    I also want to implement if we have HTTPS in Pages\detail.aspx keep it in HTTPS.

    Best Regards,
    Damodar

  • Hi Damodar,

    That would explain the browser differences. http:// is the correct syntax so some browsers will let you get away with http:\\ but not all browsers.

    I believe the issue is that the rule in main is still running with the rule in pages in Pages/Secure. Try adding in the Pages/Secure location tag too.

    Rather than location tags, when you can do is update your url to something like: . That is another way to filter to just some folders rather than using location tags. However, both should work so it's just a matter of preference.

  • Hi Scott,

    Added in Pages/Secure location but still it's looping when going from https to http. Anyother solution?

    Best Regards,
    Damodar

  • It's probably the 1st and 3rd rules clashing. What I suggest is to turn off the global level rule (off-hours if needed) and see if that prevents it from looping. If so, then you know it's because of the two rules. Basically one directs to https while the other back to http.

    If you confirm that, then I would consider using the match url to filter the different paths rather than using location tags (details above in my previous comment). While what you have looks correct to me, it will give it a fresh start and allow you to hit it from another angle.

  • Hi Tim,

    Your rule looks good to me. It's plain and simple and it will redirect 100% of your site content to https. The {R:1} in the action url should cause it to retain the rest of the URL too (e.g. /Product.aspx).

    My guess is that there is another rule (url rewrite or something else) causing the https and non-https traffic to drop the URL. If you temporarily disable the https redirect rule does it still redirect?

  • Scott,
    Transpired it was a redirect in the source code of a couple of dll. Thanks again for all the information on the site.
    Request, noted a couple of discussion on securing IIS, but would also like to see services in 2008 covered as they sometimes appear overwhelming in comparison to other systems.

  • Hi Tim,

    Excellent. Glad you got that figured.

    What type of services are you thinking of? Web services or Windows Services? And are you trying to develop them or install, or something else?

  • Hi Ken,

    You're right on track. The 2nd rule shows as enabled="false" so that will prevent it from working. The other thing that you want is to set the match url to negate=”true”. That reverses the logic so that anything that isn't about-hr-net should redirect back to http.

  • Can you give me a rule that will redirect to https for only a sub-section of the main site?

    in other words - http://www.mycompany.com - no SSL

    but http://www.mycompany.com/secure - redirect to https://www.mycompany.com/secure

    Help?

  • Hi Iain,

    Something like this should do the trick:










    That will take anything with a path that starts with /secure (if you need to avoid /secure.aspx you'll need to make it a bit more specific) and if it's not already https, then it will redirect. It's also filtered to just the one domain but you can remove that if you only managed one domain on that site.

  • Hi,
    I am trying to redirect https://www.somewebsite.com to https://somewebsite.com. Can you please provide me the rewrite rules for it. Thanks.

  • Hi Nainil,

    Here is a link that explains how to do that (although it's for the other way around by removing the www)
    http://weblogs.asp.net/owscott/archive/2009/11/27/iis-url-rewrite-rewriting-non-www-to-www.aspx

    You can also use the "Canonical domain name" template when adding a new rule and it will create a similar rule.

    Here's the specific rule that only causes the redirect for https traffic:









Comments have been disabled for this content.