IIS URL rewrite rule from http to https for sub-domain - iis-8

I have tried multiple IIS rewrite rules to redirect my sub-domain to https.
Question: How do I make my subdomain http://test.example.com to redirect to https://test.example.com. To provide more information the subdomain is not a folder but isolated website. Below rule didn't work for me.
<rule name="HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="^off$" ignoreCase="false" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
FYI: It works fine at my production website because there I could write a condition for www..

Related

IIS 8.5: Force all sites to use HTTPS

Wanting to know if there is a way to force all sites in IIS 8.5 to HTTPS instead of HTTP without having to create rewrite rules for each site we deploy to the box. We had one site get deployed to an internal server where the rules were not written in the config file and were just looking for a way to alleviate that miss in the future.
You can set this rule in applicationHost.config.
<rewrite>
<globalRules>
<rule name="http to https" enabled="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^Off$" />
</conditions>
<action type="Rewrite" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</globalRules>
</rewrite>

URL Rewrite Module - Redirect http to https to particular port

I am using URL Rewrite to redirect HTTP to HTTPS.
All the steps are done & working including the changes in web.config.
https://www.sslshopper.com/iis7-redirect-http-to-https.html
<rewrite>
<rules>
<rule name="RedirectToHTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
I am facing the below issue while redirecting.
I want to redirect the application to a port 90.
I have 2 applications, one is on default port & another is on 90 port.
So when somebody access -
http://xxx.xxx.x.xxx:90 then it is redirecting to :-
https://xxx.xxx.x.xxx
i want it to redirect to https://xxx.xxx.x.xxx:90
Any thought on how to do this?
It is not safe to use any other port with https. the default port for the https is 443.so it is recommended to use the default https port.
if you still want to use the different port with your HTTP binding then make sure your site binding is correct.
use the below rule to redirect the HTTP to https;
<rule name="redirect https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://192.168.3.66:90/{R:1}" />
</rule>
set the redirect URL based on requirement with https and port 90.

IIS 8 Redirect to HTTPS Based on URL Address

Assume my server ip address was : http://192.168.1.100 (NON SSL)
And my domain name was : https://helloserver.com (SSL)
If someone was to access my website via the domain helloserver.com the server should automcatically redirect it to HTTPS.
I've managed to get that done by applying the below rule
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Permanent"
url="https://{HTTP_HOST}/{R:1}" />
</rule>
But however if someone access the website from the IP Address itself, it'll give a certificate error because the ip address doesn't have a certificate.
How can i modify the below rule in away that when the IP Address is used to access the website it would use HTTP instead of the redirected HTTPS rule
I'm guessing it has something to do with <match url="" /> condition.
Any idea's?
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{HTTP_HOST}" pattern="^helloserver.com$" />
</conditions>
<action type="Redirect" redirectType="Permanent"
url="https://{HTTP_HOST}/{R:1}" />
</rule>

IIS Url Rewrite Rules - www/SSL - web.config

I am trying to write some rewrite rules in the <system.webServer> section of the web.config file.
My aim is that any url missing the www section would be rewritten as www.myurl.com. I believe that this should actually be a 301 redirect? To add to this, I also want to make sure that I am using SSL with HSTS.
I need to make sure that I don't fix this rule to a single domain, for example, it needs to work for foo.com and bar.com along with any others that I might choose to support in the future (there could be quite a few when I start looking at country specific domains).
Here is what I have so far:
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Non WWW redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www|office365|bdf01)\." negate="true" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://www.{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
The above has 3 rules:
- HTTP to HTTPS
- Non-WWW to WWW
- HSTS
It looks as though my HTTP-HTTPS rule is working fine, but that is the only one.
The non-www redirect needs to be able to allow specific sub-domains. THe example above should not add the www. to the url's of office365.foo.com or bdf01.foo.com This part doesn't work - See example 1.
I'm not certain how best to test HSTS, but I am using a website called woorank to review the website and it says that HSTS is not enabled. Not sure if this is working, but appears not
I'm not really sure how the pattern matching works within these rules, so would be more than happy for links to resources that can help me understand this part better. Any help would be gratefully appreciated
Example 1
When I go to the home page of http://foo.com, I should be taken to https://www.foo.com, instead I am taken to https://foo.com. Likewise, If I navigate to http://office365.foo.com I should actually get https://office365.foo.com but I still get the same http:// address.

Preserving URL when using SSL Redirect for multiple websites pointing to same folder

I have multiple websites pointing to a central folder (IIS 7.5)
company1.domain.com/wo pointing to D:\inetpub\wo
company2.domain.com/wo pointing to D:\inetpub\wo
company3.domain.com/wo pointing to D:\inetpub\wo
All the websites work for both HTTP and HTTPS (if typed manually). However, the sites have to connect via HTTPS. I want to setup automatic SSL redirect to but am having issues. I created URL Rewrite rule but since this is only one webconfig file the URL redirects to only one website (not maintaining the URL).
How do I setup SSL redirect so that the URLs are preserved and all websites point to the same folder?
Any assistance will be greatly appreciated.
Thanks
You should include the host header when checking if HTTPS is enabled and then redirect to the https URL for the appropriate domain.
Here's an example:
<rewrite>
<rules>
<clear />
<rule name="Force HTTPS - www.domain1.com" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" negate="true" pattern="^ON$" />
<add input="{HTTP_HOST}" pattern="\.domain1\.com$" />
</conditions>
<action type="Redirect" url="https://www.domain1.com{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
<rule name="Force HTTPS - www.domain2.com" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" negate="true" pattern="^ON$" />
<add input="{HTTP_HOST}" pattern="\.domain2\.com$" />
</conditions>
<action type="Redirect" url="https://www.domain2.com{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
<!-- add more rules for other domains if needed -->
</rule>
</rules>
</rewrite>
You can add as many rules for domain names as you want.
EDIT: Sorry, I misread your question. In that case it's even simpler:
<rewrite>
<rules>
<clear />
<rule name="Force HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" negate="true" pattern="^ON$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
No need to check for the host header, just include the host name in the redirect. You only have to make sure that you have SSL certificates for all domain names.