4

My issue is precisely the one presented here, and I've decided to try rewrite all https requests to http. I've searched long and hard but there doesn't seem to be a definitive way to achieve this - see these questions (no solutions): Redirect https to http using rewrite rule in webconfig file ; https://stackoverflow.com/questions/15214717/iis-rewrite-https-to-http-whilst-keeping-existing-https-rules

I've added the rewrite module to IIS, and tried the following in web.config:

<rewrite>
  <rules>
    <clear />
    <rule name="force http" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>

But it still allows the user to access a non-https site with https (essentially accessing a different site).

How do I force all https requests to be http requests?

edit: I've also tried every suggested solution here with no luck. The url rewrite module is definitely successfully installed on IIS!

edit2: Tried the following without success:

<system.webServer>
<rewrite>
  <rules>
    <clear />
    <rule name="force http" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll">
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        <add input="{HTTP_HOST}" pattern="^(?:www)?\.test.site\.com$"
            negate="true" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}"
            redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
</system.webServer>

I restarted IIS and the rewrite rules reflect in inetmgr. Loading https://test.site.com/ still loads with https.

Community
  • 1
  • 1
notAnonymousAnymore
  • 2,637
  • 9
  • 49
  • 74
  • Do you have the option of adding an additional IP address to the server so the bindings could be changed? – beavel Nov 20 '13 at 00:43
  • There is that option but I'd like to get URL rewriting to work as expected – notAnonymousAnymore Nov 20 '13 at 07:21
  • Asked about the IP Address as it seems that the URL Rewrite module is designed to handle processing only after the request has been assigned to an IIS site, since the match URL starts after the host. I think the IP address is preferably, but it can be accomplished without it. See answer below. – beavel Nov 20 '13 at 19:26

1 Answers1

2

A couple of things. First the rewrite needs to process when HTTPS is on and not off. Second, for the application that needs to run over HTTPS you will need to exclude it from the rewrite. The revised rewrite rule should look something like this:

<rewrite>
  <rules>
    <clear />
    <rule name="force http" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll">
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        <add input="{HTTP_HOST}" pattern="^example\.com$" 
            negate="true" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" 
            redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>

This should keep https://example.com/login on https and all other URL's will get redirected to http. For example, https://test.example.com/login will be redirected to http://test.example.com/login. This rewrite rule needs to be placed on the site with the HTTPS binding for the rewrite to work properly.

Please be aware when using a 301 permanent redirect some browsers won't make the request out to the server on subsequent hits so after changing the rule a browser cache clear is required. The network tab may even lie and say the request is made but an external tool like Fiddler or Wireshark will let you know for sure.

Cerveser
  • 752
  • 8
  • 23
beavel
  • 1,077
  • 1
  • 8
  • 16
  • Thanks a lot beavel! The sites are on the same domain: `https://www.site.com/` and `http://test.site.com/` - will this be a problem? Could you maybe update your answer if anything needs to change. I will test soon.. – notAnonymousAnymore Nov 20 '13 at 21:35
  • That shouldn't be an issue as it will match everything that isn't www.site.com. If your users expect to access www.site.com as site.com then the pattern would need to like so: ^(?:www)?\.site\.com$ that will make the www optional. – beavel Nov 21 '13 at 01:07
  • I updated my question. Does the pattern account for paths after the `.com`? `https://test.site.com/login` – notAnonymousAnymore Nov 21 '13 at 11:12
  • @user982119 I've updated my answer to reflect the new pattern and example. Please see my warning about testing as well. – beavel Nov 21 '13 at 12:12
  • Cleared cache. It doesn't redirect. – notAnonymousAnymore Nov 26 '13 at 13:16
  • @user982119 Looking at the question again. This will leave `https://test.site.com/login` and `https://site.com/login` on https and everything else will get redirected. I'm updating my answer to reflect. – beavel Nov 26 '13 at 13:53
  • _Everything_ needs to redirect from https to http. – notAnonymousAnymore Nov 26 '13 at 18:44
  • @user982119 If everything needs to be http, why do you have any bindings for https and an SSL cert assigned? The link you provided describes the problem I have solved of having one SSL site with all remaining sites not loading over SSL. I'm not sure what you are trying to solve at this point. If you don't want to support https, don't register the bindings. – beavel Nov 26 '13 at 21:33
  • By everything I mean everything on `test.site.com`. The only site with https bindings is `site.com`, but explicitly loading `https://test.site.com/` should not load anything, or it should force normal http. Right now the user can request `https://test.site.com/` and the server will actually load `site.com`. Don't know how else to explain the problem. If you want a bounty just say so :P – notAnonymousAnymore Nov 28 '13 at 08:17
  • I've revised my answer again to reflect your most recent explanation. I would recommend being this explicit up front next time as _Everything_ doesn't really help as it is unclear. – beavel Nov 29 '13 at 20:56