Website on primary domain + secure MVC web app on subdomain

Question

The problem

I'm trying to achieve the following:

Host a static website on http://www.somedomain.com.
Host an ASP.NET MVC app on https://secure.somedomain.com

(Note: This domain/subdomain is for illustrative purposes only.)

I've obtained an SSL/TLS certificate from my host, WinHost, and I'm applying it only to the subdomain (secure.somedomain.com), not the primary domain (somedomain.com).

When I publish the MVC app, the files are actually stored in the directory somedomain.com/secure.

Getting this all to work has proven much more difficult then I thought it would be.

What I've tried so far

I've found a number of questions about how to have different subdomains for different purposes (e.g., one subdomain per language, one subdomain per company, etc.), but my needs are much simpler--I just want my entire MVC app to be hosted from a single subdomain.

I've attempted two basic approaches so far (both independently and in combination):

Use IIS Manager to set up URL rewrites that basically translate requests for secure.somedomain.com -> somedomain.com/secure.
Write custom routes and/or constraints within my MVC app and add them to the RouteCollection in my Global.asax.cs file.

I've had some luck with Approach #1. I eventually managed to come up with a couple rules that would (1) not interfere with the website on the primary domain, (2) block any requests for somedomain/secure (because the security certificate is not in effect for the primary domain), and (3) serve up the correct page upon requests for secure.somedomain.com.

The major failure of this approach (at least in isolation) is that static content no longer gets served, and requests by unauthenticated users result in incorrect URLs, such as "https://secure.somedomain.dom/secure/somecontroller/someaction/?ReturnUrl=%2fsomecontroller" (note the extra "secure").

For the record, here are my URL rewrites:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="subdomain" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTP_HOST}" pattern="^(secure.)somedomain.com$" />
                </conditions>
                <action type="Rewrite" url="\secure\{R:0}" />
            </rule>
            <rule name="subfolder" stopProcessing="true">
                <match url=".*" />
                <conditions>
                    <add input="{URL}" matchType="Pattern" pattern="^(http://|https://)?(www)?[^/]*/secure" ignoreCase="true" negate="false" />
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

As for Approach #2, I honestly can't say that anything I've tried has made much of a difference (whether in combination with the URL rewrites or alone).

First, I tried to write the following custom route, which I basically stole from https://stackoverflow.com/a/15287579/129164:

public class SubdomainRoute : Route
{
    private const string _subdomain = "secure";

    public SubdomainRoute(string url) : base(url, new MvcRouteHandler()) { }

    public override RouteData GetRouteData(HttpContextBase httpContext)
    {
        var routeData = base.GetRouteData(httpContext);
        if (routeData == null) return null; // Only look at the subdomain if this route matches in the first place.

        // A subdomain specified as a query parameter takes precedence over the hostname.
        var subdomain = httpContext.Request.Params[_subdomain];
        if (subdomain == null)
        {
            var host = httpContext.Request.Headers["Host"];
            var index = host.IndexOf('.');
            if (index >= 0) subdomain = host.Substring(0, index);
        }
        if (subdomain != null) routeData.Values[_subdomain] = subdomain;
        return routeData;
    }

    public override VirtualPathData GetVirtualPath(RequestContext requestContext, RouteValueDictionary values)
    {
        var subdomainParam = requestContext.HttpContext.Request.Params[_subdomain];
        if (subdomainParam != null) values[_subdomain] = subdomainParam;
        return base.GetVirtualPath(requestContext, values);
    }
}

I attempted to hook it up like this in Global.asax.cs:

public static void RegisterRoutes(RouteCollection routes)
{
    routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
    routes.Add(
        "Default",
        new SubdomainRoute("{controller}/{action}/{id}")
        {
            Defaults = new RouteValueDictionary(
                new { controller = MVC.Home.Name, action = MVC.Home.ActionNames.Index, id = UrlParameter.Optional }),
            Constraints = new RouteValueDictionary(
                new { controller = @"[^\.]*" })
        });
}

(I basically replaced routes.MapRoute() with routes.Add().)

I also attempted to create a custom route constraint instead of a custom route, as suggested by https://stackoverflow.com/a/15234839/129164. My class looked like this:

public class SubdomainRouteConstraint : IRouteConstraint
{
    private readonly string _subdomain;

    public SubdomainRouteConstraint(string subdomain)
    {
        _subdomain = subdomain;
    }

    public bool Match(
        HttpContextBase httpContext,
        Route route,
        string parameterName,
        RouteValueDictionary values,
        RouteDirection routeDirection)
    {
        return httpContext.Request.Url != null && httpContext.Request.Url.Host.StartsWith(_subdomain);
    }
}

And I updated my RegisterRoutes method to this:

public static void RegisterRoutes(RouteCollection routes)
{
    routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
    routes.MapRoute(
        "Default" /* Route name */,
        "{controller}/{action}/{id}" /* URL with parameters */,
        new { controller = MVC.Home.Name, action = MVC.Home.ActionNames.Index, id = UrlParameter.Optional } /* Parameter defaults */,
        new { controller = @"[^\.]*", subdomain = new SubdomainRouteConstraint("secure") } /* Parameter constraints */);
}

Again, I saw no difference when I tried this.

Some of the other answers I came across suggested writing extension methods to basically modify Html.ActionLink and Url.Content to fix the URLs as necessary, but I'm really resistant to this approach because it would involve a lot of refactoring to hook it up (and given my luck so far, I'm not confident it will work).

Anyway, if you are still with me, I could really use some advice on how to approach setting up my secure subdomain (hopefully) without having to make major sweeping changes to my MVC app.

Also, if you see any glaring mistakes in the solutions I've attempted so far, or you have some thoughts on specific modifications or combinations I should try, please let me know.

score 1 · Answer 1 · answered Mar 16 '14 at 06:52

1

I may not fully understand your setup/requirements but if you have two separate domains for two entities with separate purposes, why don't you use two web sites rather than a single one.

Just set the host header in the bindings and have the root of the secure site pointing to the secure folder. If you need some static files from the static site, just bring them in via a virtual directory. No need for URL rewrites or routing.

If you need to store the secure folder under the static site but don't want users to see it there, just hide it:

<system.webServer>
  <security>
    <requestFiltering>
      <hiddenSegments>
         <add segment="secure" />
      </hiddenSegments>
     </requestFiltering>
   </security>
</system.webServer>

answered Mar 16 '14 at 06:52

Peter Hahndorf

10,767
4
42
58

Thanks for your answer, +1. I didn't mean to imply that I have a single web site. I have one web site and one web application. Each has a link to the other, but they are otherwise separate. Site bindings sounds like the right solution, but it looks like it is not possible to do on a WinHost shared hosting environment: http://forum.winhost.com/threads/website-binding-to-subdomain.10323/. This at least leads me to the possibility of using a redirect, which I will look into. As for the request filter, that worked great. – devuxer Mar 16 '14 at 16:38
It looks like the redirect is not going to work because the URL in the browser is no longer secure.somedomain.com, and therefore, the security certificate no longer applies. I'm thinking I'll probably need to just need to change the security certificate to apply to the primary domain and give up on the subdomain. – devuxer Mar 16 '14 at 17:20

score 0 · Answer 2 · answered Mar 17 '14 at 07:12

A similar issue here- somedomain.com and abc.subdomain.com. (both in ASP.Net 4.0) Static html files in somedomain.com

Deployed a simple aspx file into the abc.subdomain.com. - Works fine.

Deployed a simple mvc3 application into the abc.subdomain.com. - Not working. Showing the message Forbidden - you dont have permission to access / on this server. (error 403).

No changes made to global.asax and webconfig.

Deployment mode - publish to a local folder and ftp upload. (all dependencies added).

Website on primary domain + secure MVC web app on subdomain

2 Answers2