I recently added a SSL certificate to my site. In my webconfig I added this code to force the https connection from anyway someone can type in a http connection
<httpRedirect enabled="false" destination="" exactDestination="false" childOnly="false" />
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
However there is a problem, if a user types in the URL https://example.com they will be hit with the message that their connection is not private and to leave my site.
I have two questions about this.
Is my certificate wrong and that's why my domain is not being accepted as https?
And is there a way i can force someone that goes to https://example.com to get redirected to https://www.example.com?
Take a look at your site on this website https://www.sslshopper.com/ssl-checker.html#hostname=
this might give you a better understanding as to what is part of SSL
Related
Wanting to know if there is a way to force all sites in IIS 8.5 to HTTPS instead of HTTP without having to create rewrite rules for each site we deploy to the box. We had one site get deployed to an internal server where the rules were not written in the config file and were just looking for a way to alleviate that miss in the future.
You can set this rule in applicationHost.config.
<rewrite>
<globalRules>
<rule name="http to https" enabled="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^Off$" />
</conditions>
<action type="Rewrite" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</globalRules>
</rewrite>
I am using URL Rewrite to redirect HTTP to HTTPS.
All the steps are done & working including the changes in web.config.
https://www.sslshopper.com/iis7-redirect-http-to-https.html
<rewrite>
<rules>
<rule name="RedirectToHTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
I am facing the below issue while redirecting.
I want to redirect the application to a port 90.
I have 2 applications, one is on default port & another is on 90 port.
So when somebody access -
http://xxx.xxx.x.xxx:90 then it is redirecting to :-
https://xxx.xxx.x.xxx
i want it to redirect to https://xxx.xxx.x.xxx:90
Any thought on how to do this?
It is not safe to use any other port with https. the default port for the https is 443.so it is recommended to use the default https port.
if you still want to use the different port with your HTTP binding then make sure your site binding is correct.
use the below rule to redirect the HTTP to https;
<rule name="redirect https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://192.168.3.66:90/{R:1}" />
</rule>
set the redirect URL based on requirement with https and port 90.
web Application deployed in IIS.Add port 443 for HTTPS.
And also create new SSL certificate for HTTPS.
finally,login in my application(its done).Once I refresh the browser.IIS 443 (Https)port automatically removed in IIS and application can't reached
It seems you don't set the url rewrite to redirect from http to https.
I suggest you could install the url rewrite module and add below url rewrite in the web.config to redirect all the request from http to https:
<rewrite>
<rules>
<rule name="Redirect to http" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" negate="false" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
</rewrite>
Details, you could refer to below article:
https://blogs.technet.microsoft.com/dawiese/2016/06/07/redirect-from-http-to-https-using-the-iis-url-rewrite-module/
I have added this code into my Configuration -> system.webServer section of web.config file to force users to use https:
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security"
pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
But when I go to my website, it redirects page to this url:
http://http/
Notes:
I am using Orchard CMS version 1.10.x
When I use Orchard's SSL plugin to force all pages to use SSL, this happens again.
SSL Redirection is enabled in Orchard's settings.
SSL/TLS Certificate is correctly set in my Plesk control panel.
Website is currently secured using "Let's Encrypt". This issue happens when I use Cloudflare services too.
This happens on every web browser I've tested.
I use the same rewrite rules to redirect my pages to https using Orchard on a Plesk panel with Let's Encrypt certificates. This rule redirects every http call to https.
You have to disable the Orchard Secure Sockets Layer plugin since you make your own rules in web.config.
If you want to use the Orchard plugin, remove your rewrite rules and work with the plugin instead.
I am trying to write some rewrite rules in the <system.webServer> section of the web.config file.
My aim is that any url missing the www section would be rewritten as www.myurl.com. I believe that this should actually be a 301 redirect? To add to this, I also want to make sure that I am using SSL with HSTS.
I need to make sure that I don't fix this rule to a single domain, for example, it needs to work for foo.com and bar.com along with any others that I might choose to support in the future (there could be quite a few when I start looking at country specific domains).
Here is what I have so far:
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Non WWW redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www|office365|bdf01)\." negate="true" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://www.{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
The above has 3 rules:
- HTTP to HTTPS
- Non-WWW to WWW
- HSTS
It looks as though my HTTP-HTTPS rule is working fine, but that is the only one.
The non-www redirect needs to be able to allow specific sub-domains. THe example above should not add the www. to the url's of office365.foo.com or bdf01.foo.com This part doesn't work - See example 1.
I'm not certain how best to test HSTS, but I am using a website called woorank to review the website and it says that HSTS is not enabled. Not sure if this is working, but appears not
I'm not really sure how the pattern matching works within these rules, so would be more than happy for links to resources that can help me understand this part better. Any help would be gratefully appreciated
Example 1
When I go to the home page of http://foo.com, I should be taken to https://www.foo.com, instead I am taken to https://foo.com. Likewise, If I navigate to http://office365.foo.com I should actually get https://office365.foo.com but I still get the same http:// address.