HTTPS URL rewriting
-
I am trying to force a canonical domain rewrite for HTTPS in IIS using the rewrite module - i.e. if a user types https://mydomain.com?querystring they get sent to https://www.mydomain.com?querystring. I can get this to work for the simple HTTP protocol, but not HTTPS - I've tried all sorts of variations but this is the closest (as I say, it works for HTTP):
<rewrite>
  <rules>
    <rule name="force_www_https" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTPS_HOST}" pattern="^mydomain.com$" />
      </conditions>
      <action type="Redirect" url="https://www.mydomain.com/{R:0}" redirectType="Permanent" />
    </rule>
    <rule name="force_www" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="^mydomain.com$" />
      </conditions>
      <action type="Redirect" url="http://www.mydomain.com/{R:0}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
So why won't my HTTPS URLs redirect? The issue is my SSL certificate, which is only valid for www.mydomain.com, so if users type in the URL for a secure page without the www. they get presented with a browser security warning. Any help gratefully received!
-
Try something like this:
<rewrite>
  <rules>
    <rule name="force_www_https" enabled="true" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" />
        <add input="{HTTP_HOST}" pattern="^www.mydomain.com$" negate="true" />
      </conditions>
      <action type="Redirect" redirectType="Permanent" url="https://www.mydomain.com{REQUEST_URI}" appendQueryString="false" />
    </rule>
    <rule name="force_www_http" enabled="true" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="off" />
        <add input="{HTTP_HOST}" pattern="^www.mydomain.com$" negate="true" />
      </conditions>
      <action type="Redirect" redirectType="Permanent" url="http://www.mydomain.com{REQUEST_URI}" appendQueryString="false" />
    </rule>
  </rules>
</rewrite>
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Thanks, but... still stays stubbornly on https://mydomain.com....
-
OK, I think I see the problem. I've updated the rules in my previous answer.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Still no, I'm afraid... as before, it's fine for HTTP but not HTTPS
-
Have you copied the rules exactly as I posted them, substituting your real domain name? NB: Your question used {HTTPS_HOST}, which doesn't exist. You have to use {HTTP_HOST} instead. Are you sure you're updating the config file on the live server? Is there any load-balancing hardware in the way? Everything I've seen suggests that the rules I posted should work. For example, they're practically identical to: http://www.rewriteguide.com/enforce-canonical-domain-iis.html
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
AH.... what's happening is that the browser still shows https://mydomain.com in the address bar, and throws up a "This connection is untrusted" warning... but if you click through that THEN you will get redirected to https://www.mydomain.com, and all is well. However, I need, of course, to bypass this warning...
-
Yes, I copy pasted your code, substituting the domain name, to the live server - but see my other post in reply to this... While the certificate is installed on this server (of course) the domain's DNS is handled by a third-party, and it *seems* as though what is happening is that when the original request comes in, the DNS server is requesting authorisation from the certificate before passing the request on.... is that how it works? It would explain it, but leave me in a fix... [edit] no, no load balancing
-
The DNS server shouldn't be requesting anything from your site. It's simply an address book which maps an entry like www.mydomain.com to an IP address. From your other post, it sounds like the browser is making the request for https://mydomain.com, and then barfing when it gets a certificate for www.mydomain.com, since they might not be the same site. Many certificate authorities will issue a certificate which is valid for both www.mydomain.com and mydomain.com, so it might be worth seeing if that's an option. Otherwise, you'll need a spare IP address and a second SSL cert to avoid this error. (You could probably get away with a free cert from StartSSL, since you're only securing a redirect to the real site.)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
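The order of events described in the reply above, modelled as an added example that is not part of the original thread: the certificate name check runs during the TLS handshake, before IIS ever evaluates the force_www_https rule. The SAN lists are constructed, the hostname matcher is a simplified RFC 6125-style check, and the function names are hypothetical.

```python
# Added example: the browser checks the certificate against the host it
# asked for *before* any HTTP request reaches IIS, so a rewrite rule cannot
# prevent a name-mismatch warning.

CANONICAL = "www.mydomain.com"  # placeholder domain used in the thread


def san_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125-style match: exact name, or '*' as the whole
    left-most label. Partial wildcards such as 'w*.x.com' are not handled."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # A wildcard stands for exactly one label: '*.x.com' never covers 'x.com'.
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(sans: list[str], host: str) -> bool:
    """True if any subjectAltName entry is valid for the requested host."""
    return any(san_matches(s, host) for s in sans)


def https_request(host: str, request_uri: str, sans: list[str]) -> str:
    """Model what the user sees for https://<host><request_uri>."""
    # Step 1: TLS handshake. A mismatch ends here with a browser warning.
    if not cert_covers(sans, host):
        return "certificate warning"
    # Step 2: only now does IIS receive the request and apply the redirect.
    if host.lower() != CANONICAL:
        return f"301 https://{CANONICAL}{request_uri}"
    return "200"


# Constructed SAN lists for three certificate options.
WWW_ONLY = ["www.mydomain.com"]
WILDCARD = ["*.mydomain.com"]
BOTH_NAMES = ["www.mydomain.com", "mydomain.com"]

if __name__ == "__main__":
    for label, sans in [("www only", WWW_ONLY), ("wildcard", WILDCARD),
                        ("both names", BOTH_NAMES)]:
        print(f"{label:10} -> {https_request('mydomain.com', '/?querystring', sans)}")
```

Only the certificate listing both names lets the request reach the redirect rule; a wildcard for *.mydomain.com still fails for the bare domain.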
-
Yes, I was afraid that might be the case. Given that it's pretty much a standard that mydomain.com and www.mydomain.com be the same site, you'd think this would be a standard too for SSL certificates. Sigh. Thanks anyway for your help.