
I'm trying to get a site ready for HSTS preload and one of the requirements is that the root domain also support HSTS. I'm serving pages at "www." so I need to redirect from the root domain to the "www." subdomain. Since this is a static site hosted on Azure, I'm trying to get it all to work with the IIS URL Rewrite module.

Here's what I have so far:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <!-- http -> https on the same host (a preload requirement), keeping the
             original path and query string (REQUEST_URI already carries the query) -->
        <rule name="https" enabled="true">
            <match url="(.*)" />
            <conditions logicalGrouping="MatchAll">
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
        </rule>
        <!-- https://anything -> https://www.example.com
             (dots in the host pattern are escaped so the match is literal) -->
        <rule name="redirect" enabled="true">
            <match url="(.*)" />
            <conditions logicalGrouping="MatchAll">
                <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                <add input="{HTTP_HOST}" pattern="^(?!www\.example\.com$).*$" />
            </conditions>
            <action type="Redirect" url="https://www.example.com{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
        </rule>
      </rules>
      <outboundRules>
          <!-- set Strict-Transport-Security only on HTTPS responses;
             pattern=".*" also matches when the header is absent, so it is created -->
          <rule name="hsts" enabled="true">
              <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
              <conditions>
                  <add input="{HTTPS}" pattern="on" ignoreCase="true" />
              </conditions>
              <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
          </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

The redirection works great.

The problem is that the outboundRules don't get applied when using a Redirect action (from the MS docs at https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference):

Usage of a Redirect action implies that no subsequent rules evaluated for the current URL after redirection is performed.

This means that the 301 response from https://example.com -> https://www.example.com will not have an HSTS header as required by HSTS preload.

Also note that while customHeaders (https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httpprotocol/customheaders/) can typically be used to add headers to any response, the HSTS specification explicitly prohibits adding the Strict-Transport-Security header to non-HTTPS responses. I wasn't able to identify how to use customHeaders conditionally, though that would also solve this particular problem if there were a way to do so.

So here's the question: how can one add headers (specifically, the Strict-Transport-Security header) to the 301 response generated when redirecting?

daveaglick
  • I can't test it right now, but might this help? Not sure if it can be done conditionally for just one or a few paths if you don't want the headers on every request. https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httpprotocol/customheaders/ – Michael Stum Nov 07 '17 at 19:15
  • @MichaelStum The problem with adding them outright in `customHeaders` is that the HSTS spec clearly states the headers should not be added to non-HTTPS responses. If there's a way to do conditional `customHeaders` that would be awesome, but I couldn't find one. – daveaglick Nov 07 '17 at 19:17
  • Ah, shucks. If nothing else crops up, another option could be to create a second site in IIS and have it bound to only port 80 (and the main one only to 443), that way you can have different web.configs. Ugly, but if nothing else, it would be a close-to-last resort. (Last resort is to put another web server in front of IIS that just does that, which is possibly overkill.) For that, you don't even need an application, just an empty folder with a web.config will suffice for a pure redirect site. – Michael Stum Nov 07 '17 at 19:21
  • @MichaelStum Thanks for the effort :). A second site is about where I'm at right now and was hoping to avoid. Help me Stack Overflow, you're my only hope. – daveaglick Nov 07 '17 at 19:26
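Added here as a worked check, not part of the question, of IIS, or of any answer: an offline Python script that walks a redirect chain and applies the hstspreload.org submission rules (plain HTTP must redirect to HTTPS on the same host and must not carry the header; every HTTPS response on the chain from the base domain, redirects included, must carry a valid Strict-Transport-Security with max-age of at least one year, includeSubDomains and preload). The responses are constructed in-line to mirror the config above, so the first data set reproduces the failure the question describes and the second shows what the 301 needs to look like; the `example.com` hostnames and the `Response`, `parse_hsts` and `check_preload` names are assumptions of this example.

```python
"""Offline check of HSTS preload requirements against a recorded redirect chain."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000          # minimum max-age accepted by hstspreload.org
REDIRECTS = (301, 302, 307, 308)


@dataclass
class Response:
    """A recorded HTTP response: status code plus headers (names case-insensitive)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns {"max_age", "include_subdomains", "preload"} or None when the header
    is invalid (missing max-age, non-numeric max-age, or a duplicated directive).
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in seen:                       # duplicate directive: UA must ignore header
            return None
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val)  # value may be quoted
            if not m:
                return None
            result["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return None if result["max_age"] is None else result


def _follow(responses: Dict[str, Response], start: str, limit: int = 10):
    """Yield (url, response) pairs along the redirect chain starting at `start`."""
    url = start
    for _ in range(limit):
        resp = responses.get(url)
        yield url, resp
        if resp is None or resp.status not in REDIRECTS or resp.header("Location") is None:
            return
        url = resp.header("Location")


def check_preload(responses: Dict[str, Response], domain: str) -> List[str]:
    """Apply the preload rules to the chains from http://domain/ and https://domain/."""
    problems: List[str] = []
    seen = set()
    for start in (f"http://{domain}/", f"https://{domain}/"):
        for url, resp in _follow(responses, start):
            if url in seen:
                continue
            seen.add(url)
            if resp is None:
                problems.append(f"{url}: no response recorded")
                continue
            parts = urlsplit(url)
            hsts = resp.header("Strict-Transport-Security")
            if parts.scheme == "http":
                if hsts is not None:   # RFC 6797 section 7.2: never send HSTS over plain HTTP
                    problems.append(f"{url}: HSTS header on a plain-HTTP response")
                target = urlsplit(resp.header("Location") or "")
                if resp.status not in REDIRECTS or target.scheme != "https" or target.hostname != parts.hostname:
                    problems.append(f"{url}: must redirect to https://{parts.hostname}/ (same host) first")
                continue
            # HTTPS: every response on the chain, redirects included, needs a qualifying header
            if hsts is None:
                problems.append(f"{url}: {resp.status} response carries no Strict-Transport-Security header")
                continue
            d = parse_hsts(hsts)
            if d is None:
                problems.append(f"{url}: malformed HSTS header {hsts!r}")
                continue
            if d["max_age"] < ONE_YEAR:
                problems.append(f"{url}: max-age {d['max_age']} is below {ONE_YEAR}")
            if not d["include_subdomains"]:
                problems.append(f"{url}: includeSubDomains missing")
            if not d["preload"]:
                problems.append(f"{url}: preload missing")
    return problems


# Constructed sample data (assumption) mirroring the web.config in the question:
# the IIS Redirect from https://example.com carries no HSTS header because
# outbound rules are not evaluated for Redirect actions.
HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"
AS_POSTED = {
    "http://example.com/": Response(301, {"Location": "https://example.com/"}),
    "https://example.com/": Response(301, {"Location": "https://www.example.com/"}),
    "http://www.example.com/": Response(301, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": Response(200, {"Strict-Transport-Security": HSTS_VALUE}),
}
# What the chain must look like to be accepted: the 301 itself carries the header.
FIXED = {**AS_POSTED,
         "https://example.com/": Response(301, {"Location": "https://www.example.com/",
                                               "Strict-Transport-Security": HSTS_VALUE})}

if __name__ == "__main__":
    for label, data in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(f"{label}: {check_preload(data, 'example.com') or 'eligible for preload'}")
```

Against a live site the same `check_preload` can be fed responses captured with `curl -sI` (one request per URL, no redirect following), which is what the preload submission form effectively does: it inspects the 301 from the bare domain itself, not the page it lands on.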
