
Posts Tagged ‘HTTPS’

HowTo: URL rewrite to redirect HTTP to HTTPS for non-local address

Below is an answer on how to redirect from HTTP to HTTPS using the URL Rewrite module for IIS, but ignoring local addresses used when debugging one’s app. Just contributed at https://stackoverflow.com/a/75898224/903783.

Needed it for an ASP.net MVC app I’m maintaining, since due to updated policy that the authenticating organisation had decided for the SSO (Apereo CAS) configuration, we couldn’t redirect anymore back to a non-HTTPS URL (had the user used plain HTTP to access our app that is), after signing in successfully via the SSO.

Combined URL Rewrite based answers from How to redirect HTTP to HTTPS in MVC application (IIS7.5) and from the question’s page on StackOverflow, and added "127.0.0.1" apart from “localhost” for the ignored sites.

Note that the URL Rewrite approach is by far the simplest one to add and should kick in at the web server level before the web app has any chance to process the request.

I also see {REQUEST_URI} being used instead of {R:1} and pattern="^OFF$" instead of pattern="off".

I added ignoreCase="true" to the pattern too, though it might be the default (the same goes for enabled="true" on the rule, which is handy to have there if you want to turn a rule off when debugging a rule chain).

However, I’m wondering, based on https://serverfault.com/questions/224039/iis-url-rewrite-http-to-https-with-port/418530#418530, whether one needs to use SERVER_NAME instead of HTTP_HOST in the pattern if non-default ports are used, and to specify the port in the Redirect url too.

  <system.webServer>

    <!-- … -->

    <rewrite>
      <rules>

        <rule name="HTTP to HTTPS redirect (excluding localhost)" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
            <add input="{HTTP_HOST}" pattern="127.0.0.1" negate="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>

      </rules>
    </rewrite>

    <!-- … -->

  </system.webServer>
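
A variant of the rule above with the local-host exemptions anchored, given here as an added example (it is not part of the original post or of the Stack Overflow answer). The unanchored patterns exempt any host name that merely contains `localhost`, and the unescaped dots in `127.0.0.1` match any character. This version also builds the redirect from `{SERVER_NAME}`, on the assumption taken from the linked Server Fault answer that it carries the host without the port.

```xml
<rule name="HTTP to HTTPS redirect (local hosts only exempt)" enabled="true" stopProcessing="true">
  <match url="(.*)" />
  <!-- MatchAll is the default grouping; stated explicitly so the intent is visible -->
  <conditions logicalGrouping="MatchAll">
    <!-- Only plain-HTTP requests are redirected -->
    <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
    <!-- Exempt exactly "localhost", with an optional debug port such as localhost:44300.
         A host like localhost.example.com (constructed name) no longer skips the redirect. -->
    <add input="{HTTP_HOST}" pattern="^localhost(:\d+)?$" ignoreCase="true" negate="true" />
    <!-- Dots escaped so they match a literal "." only -->
    <add input="{HTTP_HOST}" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
  </conditions>
  <!-- Assumption: {SERVER_NAME} has no port, so a request to host:8080 is not sent to https://host:8080.
       If HTTPS listens on a non-default port, add it after {SERVER_NAME} in the url below. -->
  <action type="Redirect" redirectType="Permanent" url="https://{SERVER_NAME}/{R:1}" />
</rule>
```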

HowTo: HTTPS on IIS website with free auto-renewing certificate

Below is an image-based walk-through on how to configure HTTPS on an IIS website, making use of a free certificate for encryption from the non-profit Let’s Encrypt certificate authority, also configuring autorenewal of the certificate.

1) Download the win-acme client application (for the command-line).

Screenshot 2021-12-30 025002

There’s also a GUI app called IIS Crypto if you prefer. However, this article uses the win-acme tool.

Screenshot 2021-12-30 025102

2) Run wacs.exe from the folder where the win-acme tool is unpacked.

Screenshot 2021-12-30 025131

3) Follow the same steps as below, selecting your own site and binding.

Screenshot 2021-12-30 025153

Screenshot 2021-12-30 025230

Screenshot 2021-12-30 025317

Screenshot 2021-12-30 025341

Screenshot 2021-12-30 025415

Screenshot 2021-12-30 025547

Screenshot 2021-12-30 025643

Just press Q when finished and you’re done. No need to worry about the next renewal (mentioned on the screen); it will be done automatically.