Develop Reference

iis redirect http to https does not process outbound rules

Windows Server 2008R2/IIS 7.5. I have a rule to redirect all http requests to https as follows:
<rule name="HTTPS Redirect">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
This has been working perfectly, as expected. Now for PCI compliance, our ASV requires that the server type/version is not displayed in http headers. So I added this outbound rule:
<outboundRules rewriteBeforeCache="true">
<rule name="Response Server">
<match serverVariable="RESPONSE_SERVER" pattern=".+" />
<action type="Rewrite" />
</rule>
</outboundRules>
This works great for https requests to the server, the Server: header is blank, as expected:
HTTP/1.1 200 OK =>
Cache-Control => private
Content-Length => 13049
Content-Type => text/html
Server =>
X-Frame-Options => DENY
Strict-Transport-Security => max-age=31536000;
Date => Tue, 12 Jun 2018 18:41:59 GMT
Connection => close
But for http requests, the server header is returned with the redirect:
HTTP/1.1 301 Moved Permanently =>
Content-Type => text/html; charset=UTF-8
Location => https://www.example.com/
Server => Microsoft-IIS/7.5
Strict-Transport-Security => max-age=31536000;
Date => Tue, 12 Jun 2018 18:44:50 GMT
Connection => close
Content-Length => 151
outboundRules appears to not be processing. How can I remove the Server: header under all circumstances?

I removed the previous answer I had here. Turns out that adding a custom header with the name Server: does not fix the issue. It fools some tools, but not all of them. Not even the simple JavaScript one that I created to dump the headers from an Ajax call.
My final solution was to use a Native-Code module called StripHeaders. Full source code, plus a MSI installer, is available on GitHub.

Gzip compression on IIS - Can't get it to work

I have an existing IIS application, and I am trying to get GZIP server side compression to work. The application runs on EPIServer CMS (which I am not that familiar with) - Thinking this could be related to the CMS somehow, as a first step...
I decided to create a new IIS application and this time using Umbraco (another CMS that I am very familiar with) - I have created a basic page with some CSS files and images,
Content-Encoding: gzip
header.
This is what I have tried and checked.
Working locally, I am running windows 10. and IIS 10
I have enabled Dyamic Content Compression and Static Content Compression under Internet Information Services > Performance Features in Windows Features
For the locally set up website in IIS I have ensured that the compression section has both Enable Dynamic & Static check boxes are ticked.
In my web-config file I have added this single line
<urlCompression doDynamicCompression="true" doStaticCompression="true" dynamicCompressionBeforeCache="false" />
When the Webconfig has this line I inspect the headers in my browser:
REQUEST HEADERS
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: umbracotest.site
Proxy-Connection: keep-alive
Referer: http://umbracotest.site/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
RESPONSE HEADERS
Accept-Ranges: bytes
Content-Type: text/css
Date: Tue, 01 May 2018 15:09:02 GMT
ETag: "03739d0e978d31:0"
Last-Modified: Tue, 19 Dec 2017 16:52:54 GMT
Transfer-Encoding: chunked
Vary: Accept-Encoding
If I change that webconfig line slightly - dynamicCompressionBeforeCache="false" to true - then I just get a whole bunch of symbols in the browser - does that mean anything?
If I add a few more lines in to my webconfig to look like this:
<system.webServer>
<httpCompression>
<staticTypes>
<add mimeType="text/*" enabled="true" />
<add mimeType="message/*" enabled="true" />
<add mimeType="application/javascript" enabled="true" />
<add mimeType="application/x-javascript" enabled="true" />
<add mimeType="image/jpeg" enabled="true" />
<add mimeType="image/png" enabled="true" />
<add mimeType="image/svg" enabled="true" />
<add mimeType="*/*" enabled="false" />
</staticTypes>
<dynamicTypes>
<add mimeType="text/*" enabled="true" />
<add mimeType="message/*" enabled="true" />
<add mimeType="application/javascript" enabled="true" />
<add mimeType="application/x-javascript" enabled="true" />
<add mimeType="image/jpeg" enabled="true" />
<add mimeType="*/*" enabled="false" />
</dynamicTypes>
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll"
dynamicCompressionLevel="8" />
</httpCompression>
<urlCompression doDynamicCompression="true" doStaticCompression="true"
dynamicCompressionBeforeCache="false" />
headers are still the same.
C:\inetpub\temp\IIS Temporary Compressed Files\MYAPPPOOL-NAME << this folder is created but empty.
This is a ASP.net MVC application
Any ideas?

So after banging my head on the wall for about 8 hours, I finally got it to work!
After checking everything twice, reading every post I could find on the topic, I came across a comment to a similar question that suggested it could be something to do with my antivirus software. I'm working in an enterprise environment and I don't have the rights to disable it on my local machine. So I deployed the code to our staging server......... and it works.
So in case someone else has this problem, try and disable your anti-virus and see if that makes any difference, it worked for me.

Symfony Response net::ERR_CONNECTION_RESET on video file

On my IIS machine (Windows 10) its working, but not on the hosting server (Windows 2008R2, IIS 7.5).
Hosting server: Video is not showing in Chrome by directly opening it via url. I get the error in the console net::ERR_CONNECTION_RESET. But its working in IE. Strangely images are working in Chrome.
This happens since i implemented a security mechanism: A file call is now forced to go through the Framework routing. The route calls a controller, then after some security checks, returns the file as BinaryFileResponse.
I had to adjust the webconfig (htaccess on linux). The video file is under a data/content folder.
<rule name="ID:0001 Folder or File exists" enabled="true" stopProcessing="true">
<match url="^(?!data/content)[a-z].*$" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="false">
<add input="{REQUEST_FILENAME}" matchType="IsFile" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
</conditions>
<action type="None" />
</rule>
<rule name="ID:0002 Datafolder" enabled="true" stopProcessing="true">
<match url="^data/((?!content).)*$" />
<action type="None" />
</rule>
I was searching on the internet and all what i found were possible problems with network, firewall or caching. But i dont think its a problem of that, because its since i am returning the response with Symfony BinaryFileResponse.
$response = new BinaryFileResponse($webPath);
$response->setAutoEtag(true); // Needed for partial loading of video
$response->headers->set('Content-Type', 'video/mp4');
return $response;
Network headers:
General
Request URL:http://foo.....bar.mp4
Referrer Policy:no-referrer-when-downgrade
Request Headers
Provisional headers are shown
Accept-Encoding:identity;q=1, *;q=0
chrome-proxy:frfr
Range:bytes=0-
Referer:http://foo.....bar.mp4
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

The solution was for IIS 7.5 to return more informations in the response header. Read this.

IIS 8.5 Url Rewrite Issue - Redirect Location Includes IP Address

I create a URL Rewrite Rule to remove the WWW from incoming requests based on http://madskristensen.net/post/url-rewrite-and-the-www-subdomain
Here is the rule straight from my web.config:
<rewrite>
<rules>
<rule name="Remove WWW" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{CACHE_URL}" pattern="*://www.*" />
</conditions>
<action type="Redirect" url="{C:1}://{C:2}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
When I try to open www.mydomain.com, FireFox gives me a "Corrupted Content Error" message. If I try to open it in Chrome, nothing happens.
Here are the response headers via Fiddler:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://example.com:80:123.123.123.123/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 07 Dec 2015 18:20:53 GMT
Content-Length: 167
Response body:
<head>
<title>Document Moved</title>
</head>
<body>
<h1>Object Moved</h1>This document may be found here
</body>
Notice how the port and IP address are included in the Location. (I have replaced the IP Address of my server with 123.123.123.123)
Is this causing the issue? If so, why is it including this information and how to I remove it?
I restarted IIS after installing URL Rewrite.

Not really a solution, but my workaround...
My site is setup to require SSL so I don't really need the benefit of removing WWW for both protocols.
I have updated my rule as follows:
<rule name="Remove WWW and Redirect to HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
</conditions>
<action type="Redirect" url="https://{C:2}/{R:1}" />
</rule>

IIS 7.5 and images not being cached

I cannot get the image files to cache. I have tried everything that I have found on this site and others and still cannot get them to cache.
Web config setting that I have tried
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="1.00:00:00" />
</staticContent>
<httpProtocol allowKeepAlive="true" />
<caching enabled="true" enableKernelCache="true">
<profiles>
<add extension=".png" policy="CacheUntilChange" />
<add extension=".jpg" policy="CacheForTimePeriod" duration="12:00:00" />
</profiles>
</caching>
Here is the response headers for 1 of the images
Key Value
Response HTTP/1.1 200 OK
Cache-Control no-cache
Content-Type image/png
Last-Modified Thu, 16 Dec 2004 18:33:28 GMT
Accept-Ranges bytes
ETag "a1ca4bc9de3c41:0"
Server Microsoft-IIS/7.5
X-Powered-By ASP.NET
Date Fri, 18 May 2012 13:21:21 GMT
Content-Length 775

The following should cause the browsers to cache your images:
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="1.00:00:00" />
</staticContent>
<httpProtocol>
<customHeaders>
<add name="Cache-Control" value="public" />
</customHeaders>
</httpProtocol>
The <caching>...</caching> block is for server-side caching, not client side caching.

In case anyone needs to configure your site as Chrome Audits or GTMetrix require I've configured my environments with the following (thanks to Marco's answer):
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" />
using 365 days and both tools took that value as acceptable for a cache time.