41

I'm trying to rewrite urls from the form:

https://example.com/about

to the form

http://example.com/about

using IIS7 URL rewriting:

    <!-- http:// to https:// rule -->
    <rule name="ForceHttpsBilling" stopProcessing="true">
      <match url="(.*)billing/(.*)" ignoreCase="true" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="false" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
    </rule>

    <!-- https:// to http:// rule -->
    <rule name="ForceNonHttps" stopProcessing="true">
      <match url="(.*)billing/(.*)" ignoreCase="true" negate="true" />
      <conditions>
        <add input="{SERVER_PORT}" pattern="^443$" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="http://{HTTP_HOST}{REQUEST_URI}" />
    </rule>

I'm at a loss; I've been browsing the web for examples and trying every syntax I can think of. The rewrite rules I specify simply don't appear to work at all for any https requests, as if all the https:// requests are flat out invisible to the rewrite engine.

rules work fine; see answer below.

Paul Tyng
Jeff Atwood
  • Smells like a rudimentary security 'feature' to me – Tullo_x86 Oct 08 '09 at 08:05
  • This smells like a Server Fault question to me... –  Oct 08 '09 at 08:47
  • @Charlie, no. This is one of those questions that's both coding and admin, so leave it on the site it started on (like a lot of scripting questions) – Richard Gadsden Oct 08 '09 at 10:18
  • It was really a good sample for configuration of http to https and vice-versa. I was looking for something like this only. Had tried few others but they were having one or other problem. –  Jul 12 '11 at 11:20
  • spin on this question- it can't be done without a valid certificate, correct? ie, I can't force https requests to go to http for the reason that I don't have a cert installed... – Brady Moritz Sep 15 '15 at 15:16
  • Can we use `action type="Rewrite"` instead of `Redirect`, so the browser would show the HTTPS shield? – Alex Klaus Jul 21 '17 at 03:31
  • @AlexKlaus did you find anything on this? – Vin Shahrdar Mar 11 '22 at 18:43

4 Answers

28

Turns out that I had port :443 bound to a different website!

The above rewrite rules work fine for http:// to https:// rewriting and vice-versa -- though there might be more optimal or simple ways to do it.

Leaving this question here for future voyagers to find, as I didn't see many good examples of the https:// to http:// rewriting scenario on the web.

Jeff Atwood
  • 1
    I found that the above https to http rule resulted in all of my css, javascript, and image resources on my https pages being fetched as http. I dropped this rule and added an outbound rule to rewrite the a href tags on my secure pages to be http://{HTTP_HOST}/{R:0} to force the switch from https to http. Doesn't catch inadvertent manual navigation to non-secure pages using https but that's OK for me – Pat James Jan 25 '11 at 01:13
  • Pat James, I'm having this issue too. Would you mind sharing your outbound rule? – StronglyTyped Feb 06 '12 at 19:18
  • Thanks you're a life saver. :)) – Shehroz Ahmed Mar 30 '17 at 14:35
8

This post is a little old, but I wanted to answer. I am using ASP.Net MVC3, and Fabio's answer above didn't work for me. The easiest solution I came up with to handle the https redirect to http, while still allowing valid https pages to request secure content was just to add Whitelist rules above my https/http redirects:

    <rule name="WhiteList - content folder" stopProcessing="true">
      <match url="^content/"/>
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false"/>
      <action type="None"/>
    </rule>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)billing/(.*)" ignoreCase="true" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/billing/" redirectType="SeeOther" />
    </rule>
    <rule name="ForceNonHttps" stopProcessing="true">
      <match url="(.*)billing/(.*)" ignoreCase="true" negate="true" />
      <conditions>
        <add input="{SERVER_PORT}" pattern="^443$" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="http://{HTTP_HOST}{REQUEST_URI}" />
    </rule>
Ben
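The effect of placing the whitelist rule first can be checked with a small model of URL Rewrite's ordered, first-match evaluation. This is an added example, not code from the answer or from IIS: the rules are transcribed from the answer above, the sample URLs are constructed, and it assumes default ports so that `{SERVER_PORT}` follows the scheme.

```python
import re
from urllib.parse import urlsplit

# Rules transcribed from the answer above as
# (name, url pattern, negate, (server variable, pattern) or None, redirect or None).
# Every rule has stopProcessing="true", so the first rule that fires ends evaluation.
WHITELIST = ("WhiteList - content folder", r"^content/", False, None, None)
TO_HTTPS = ("Redirect to HTTPS", r"(.*)billing/(.*)", False,
            ("HTTPS", r"^OFF$"), "https://{HTTP_HOST}/billing/")
TO_HTTP = ("ForceNonHttps", r"(.*)billing/(.*)", True,
           ("SERVER_PORT", r"^443$"), "http://{HTTP_HOST}{REQUEST_URI}")

def evaluate(rules, url):
    """Return (rule name, redirect target or None) for the first rule that fires."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    variables = {
        "HTTPS": "on" if https else "off",
        "SERVER_PORT": "443" if https else "80",  # assumption: default ports
        "HTTP_HOST": parts.netloc,
        "REQUEST_URI": parts.path + ("?" + parts.query if parts.query else ""),
    }
    path = parts.path.lstrip("/")  # <match url> sees the path without its leading slash
    for name, pattern, negate, condition, redirect in rules:
        if (re.search(pattern, path, re.IGNORECASE) is not None) == negate:
            continue  # URL pattern (after negate) does not select this request
        if condition and not re.search(condition[1], variables[condition[0]], re.IGNORECASE):
            continue  # condition not met, try the next rule
        # redirect None models <action type="None"/>: the request is served unchanged
        return name, redirect.format(**variables) if redirect else None
    return None, None

def downgraded(rules, urls):
    """URLs that the rule set redirects to plain http."""
    return [u for u in urls if (evaluate(rules, u)[1] or "").startswith("http://")]

# Constructed sample: requests a browser makes while rendering the secure billing page.
PAGE_LOADS = [
    "https://example.com/billing/pay",
    "https://example.com/content/site.css",
    "https://example.com/content/app.js?v=3",
]

if __name__ == "__main__":
    print("without whitelist:", downgraded([TO_HTTPS, TO_HTTP], PAGE_LOADS))
    print("with whitelist:   ", downgraded([WHITELIST, TO_HTTPS, TO_HTTP], PAGE_LOADS))
```

Anything the secure page loads from outside `content/` is still redirected to http, so each such folder needs its own whitelist rule ahead of the redirects.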
7

Please first consider binding https to your website; it is essential for making the redirect module below work (so bind your web app with a self-signed or valid certificate).

Final part in web.config to redirect https to http:

    <rewrite>
        <rules>
            <rule name="Force NonHTTPS" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="on" />
                </conditions>
                <!-- {REQUEST_URI} already begins with "/", so no extra slash after {HTTP_HOST} -->
                <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" />
            </rule>
        </rules>
    </rewrite>

If you need the equivalent IIS GUI in the rewrite module, see the image below.


Source: look at TechNet for more detail and a step-by-step guide.

Iman
3

Your solution works, but the problem is: your second instruction kills the first instruction for any links that are not (.*)billing/(.*), including your css, js, and images.

You can use this https to http rule:

    <rule name="HTTPS to HTTP redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <!-- {RequiresSSL:{R:1}} looks up the matched path in a rewrite map named RequiresSSL (not shown in this answer) -->
        <add input="{RequiresSSL:{R:1}}" pattern="(.+)" negate="true" />
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        <add input="{REQUEST_URI}" pattern="^(.+)\.(?!aspx)" negate="true" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="http://{HTTP_HOST}/{R:1}" />
    </rule>
Fabio