0

I found and tried Jeff's rules found here but I can't get it to work exactly right:

What I need is to have http://a.b.com go to https://a.b.com (where a is not www, but that distinction shouldn't really affect the rule, should it? www is just another subdomain, right?)

Where Jeff has (.*)billing/(.*), I replaced with (.*), but that's not working.

The results of my attempts produce "redirect loop" errors.

This rewriting stuff is new to me.

Appreciate all your help.

Community
Marc

2 Answers

2

Rather than using redirections, you should make sure your application (that sends to http://a.b.com/) sends to https://a.b.com/ directly; otherwise, the same request will go over plain HTTP before being redirected to HTTPS, which defeats the point.

(See this other question for more details.)

Community
Bruno
  • our in-code redirections point to https, but I'm trying to address the issue where the user is typing in the URL directly and doesn't know to type https. So on landing, they enter http://a.b.com and they get sent to https...similar to gmail, for example. Thanks for the input. – Marc Nov 05 '10 at 17:16
  • 1
    @Marc, I'd actually force it to break, precisely, to find out when there are coding mistakes (although it wouldn't prevent the incident). If someone typed `http://a.b.com/page/1?sometoken` by mistake, they're sent to `https://a.b.com` (you'd be able to find out where it's wrong more easily). A better approach would be to have `http://a.b.com` as the entry point, redirecting to `https://secure.b.com` with a different IP address and nothing listening on port 80, so that `http://secure.b.com` would always fail (although someone could still trick the request to be valid). – Bruno Nov 05 '10 at 17:23
1

Well not exactly the answer you are asking for, but if you by any chance are using this on an ASP.net page, you can open your Global.ASPX file and inside the "Application_BeginRequest" page you can put:

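    ' Build a mutable copy of the requested URL
    Dim url As New System.UriBuilder(Context.Request.Url)

    ' Redirect only when the request did not arrive over HTTPS
    If Context.Request.IsSecureConnection = False Then
        url.Scheme = "https"
        url.Port = -1 ' -1 omits the port, so the https default (443) is used
        System.Web.HttpContext.Current.Response.Redirect(url.Uri.ToString())
    End If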
Anthony Greco
  • Here is a link I found using the rewrite addition to IIS7. Haven't tried it out yet: http://www.iis-aid.com/articles/how_to_guides/redirect_http_to_https_iis_7 – Anthony Greco Nov 05 '10 at 17:09
  • Yes it is ASP.NET. I'll give your example a go. I was trying to get away from using code and trying the new Rewrite "tricks." Thanks. – Marc Nov 05 '10 at 17:10
  • @Marc, you should really avoid redirects or rewrite tricks if the purpose of using HTTPS is to provide some sort of security. – Bruno Nov 05 '10 at 17:12
  • If that solution works for you, you might also want to add the following so no redirects happen while debugging ASP.net from Visual Studio. (Add right below Dim url) [If url.Host.ToLower = "localhost" Then Exit Sub] – Anthony Greco Nov 05 '10 at 17:13
  • @Bruno, well, if I may ask you directly. Our website uses https to address security concerns, yes (isn't that normal?). The rewrite is for those users who don't know to type https in their address bars. So on arriving at our site via http, they get sent to https. If I'm approaching this wrong, please enlighten me on the ideal approach. Thanks! – Marc Nov 05 '10 at 17:21
  • @Marc, it's not bad as such, it's just that having a systematic rewrite for the whole thing makes it hard, even for developers, to find out where there are potential leaks (especially if people disable the warnings regarding going from an HTTPS page to an HTTP page, which is quite a common thing to do). The redirects are usually almost instantaneous. (I must admit it's a tricky case to solve.) – Bruno Nov 05 '10 at 17:26
  • Based on recent experience, I just set my web root to require SSL and then at the server-level, I added the rewrite rule to redirect HTTP to HTTPS. If the web root requires SSL, then you can't put the redirect in the web root, as the SSL requirement will supersede the rule and cut off the non-secure connection before the rewrite rule has a chance to run, so you have to put the rewrite rule at the server level. That ensures everything on the server is always encrypted, and all requests that hit the web root meet the SSL requirement. – Triynko Jul 22 '13 at 02:51
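
The rewrite-rule approach discussed in this thread, as an added example that is not code from any poster here or from Jeff's rules (which the page does not show). It assumes the reported redirect loop came from a rule that matches `(.*)` with no condition on the request scheme; the rule names are hypothetical.

```xml
<!-- web.config fragment for the IIS URL Rewrite module (added example). -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- Looping form (assumed cause, shown disabled): it matches every
           request and has no condition on the scheme, so a request that
           already arrived over HTTPS is redirected to the same URL again.
      <rule name="Force HTTPS (loops)" stopProcessing="true">
        <match url="(.*)" />
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
      </rule>
      -->

      <!-- Guarded form: the redirect fires only for plain-HTTP requests. -->
      <rule name="Force HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <!-- The HTTPS server variable is "off" on a cleartext request. -->
          <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
        </conditions>
        <!-- {HTTP_HOST} keeps the requested subdomain (a.b.com stays a.b.com);
             {R:1} is the path captured by the match above. -->
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

The redirect only answers a request that has already crossed the network in cleartext, so a URL such as Bruno's `http://a.b.com/page/1?sometoken` is exposed before the rule runs.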