Nate Irwin

Reputation: 640

IIS 7.5 URL Rewrite - Redirect from http to https for account controller but from https to http for everything else

I've found bits and pieces of what I need to make this work, but haven't been able to bring everything together into a workable solution.

I am working on an intranet site, and want to secure *just the logon and logoff actions on my account controller with https. I have the certificate installed correctly, and can successfully redirect traffic to these controller actions to https using a UrlRewrite rule:

<rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="^account/logon$|^account/logoff$" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>

Now, however, I also want to redirect *all of the rest of my site's requests (other than traffic to the two actions) back to http. I'm not interested in debating the merits of this approach, as I have what I consider valid reasons for wanting to redirect back out of https to http.

I've tried writing some code in the Actions to achieve this, but am having major issues with this. I don't know if it is because I'm working with two load-balanced servers or what, but anything I try just gives me a "too many redirects" error message.

So, two questions:

  1. Is it better to use a UrlRewrite rule to redirect out of https or a controller action?
  2. Does anyone have a working code example or something that can at least get me started down the right path?

Any help is much appreciated!

Upvotes: 1

Views: 4215

Answers (3)

Zack

Reputation: 11

Better late than never. This might help you or someone else.

<!-- Anything outside secureDir that arrives over HTTPS is sent back to HTTP. -->
<rule name="Redirect to HTTP">
    <match url="secureDir/(.*)" negate="true" />
    <conditions>
        <add input="{HTTPS}" pattern="^ON$" />
    </conditions>
    <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" />
</rule>

<!-- Anything inside secureDir that arrives over plain HTTP is sent to HTTPS. -->
<rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="secureDir/(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>

Upvotes: 1
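As an added example (not code from the question or any of the answers), here are the two rules from the question and the answer above combined into one complete <rewrite> block for web.config, with the secure actions fixed to account/logon and account/logoff. It assumes that if a load balancer terminates TLS in front of IIS it sets an X-Forwarded-Proto header, because in that setup {HTTPS} is OFF on every request IIS sees, which is a common cause of the "too many redirects" loop the question describes.

```xml
<!-- Added example: complete URL Rewrite rule set, not from the question or answers.
     Assumptions: ASP.NET MVC site, secure actions are account/logon and account/logoff,
     and any TLS-terminating load balancer in front of IIS sets X-Forwarded-Proto
     (and strips the header from clients, so it cannot be spoofed to skip rule 1). -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- 1. The two account actions: plain HTTP requests go to HTTPS. -->
      <rule name="Account actions to HTTPS" stopProcessing="true">
        <match url="^account/(logon|logoff)$" />
        <conditions logicalGrouping="MatchAll">
          <!-- IIS itself did not see TLS ... -->
          <add input="{HTTPS}" pattern="^OFF$" />
          <!-- ... and the balancer did not terminate it upstream either. -->
          <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$" negate="true" />
        </conditions>
        <!-- {R:0} is the matched path; the query string is appended by default. -->
        <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
      </rule>

      <!-- 2. Everything else: HTTPS requests go back to HTTP. -->
      <rule name="Everything else to HTTP" stopProcessing="true">
        <match url="^account/(logon|logoff)$" negate="true" />
        <conditions logicalGrouping="MatchAny">
          <add input="{HTTPS}" pattern="^ON$" />
          <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$" />
        </conditions>
        <!-- A negated match has no back-references, so {REQUEST_URI} (path + query) is used.
             302 rather than 301 so browsers do not cache the downgrade for every URL. -->
        <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

Rule 1 is marked stopProcessing, and rule 2 excludes the same two paths, so no request can match both rules in one pass; the session cookie itself still needs the Secure flag, as the last answer on this page points out.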

user87453

Reputation:

I have some code here which lets you control this with attributes.

MVC already has a [RequireHttps] attribute which you would apply to your logon/logoff pages. My code extends this approach and gives you an additional [ExitHttpsIfNotRequired] attribute. With this attribute applied to your base controller, when you try to access any action with HTTPS that doesn't have [RequireHttps], it will redirect you to HTTP.

Upvotes: 0

Wyatt Barnett

Reputation: 15673

First, you will have a bit of a challenge here insofar as non-page resources -- how are you referencing images and stylesheets?

As for the question at hand, I think you want to force this upstream of the web servers, such as on the load balancer. I would also backstop the account controller by adding a RequireHttps attribute.

Finally, remember that even if the login process is secured, if that cookie is not transmitted over HTTPS you can easily end up with a Firesheep-like scenario.

Upvotes: 0
