We have urls coming in from customers in the form of
http://oursite.com/foo/12345678-7488-4807-f249-2085208293f0/somefilename.xml&fileTypeId=1
These are coming from customers who have misconfigured their setups, and the & should be a ?. We have URL rewrite rules that take URLs in that form and convert them to valid URLs
<rule name="Testing Rewrite" enabled="true">
<match url="foo/([0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12})/(.*)" />
<action type="Rewrite" url="ChannelContent/?foo={R:1}&resourceUrl={R:2}" appendQueryString="false" logRewrittenUrl="true" />
</rule>
Most of the time this works fine but we're getting the unhandled exception A potentially dangerous Request.Path value was detected from the client (&) occasionally with these urls.
Same url will sometime be fine, sometimes throw an exception.
We've considered adding the requestPathInvalidCharacters to the web.config, but since it's intermittent there isn't really a great way to check if this is going to fix things long term.
Related
because a Software provider changed the URL of a Programm hosted in my IIS, I now have many broken links.
The URL used to be
https://example.com/#/subdomain/and/here/some_more
now it is
https://example.com/#/and/here/some_more
They just took away the first part of the path (subdomain)
I thought I could fix my links with an URL Rewrite rule.
I tried this:
<rewrite>
<rules>
<rule name="example" stopProcessing="true">
<match url="(https:\/\/example\.com\/#)(\/subdomain)(\/.*)" ignoreCase="true"/>
<action type="Redirect" url="https://example.com/#{R:3}" appendQueryString="false" />
</rule>
</rules>
</rewrite>
This actually matches in the "Test Pattern" but it doesn't redirect.
I also tried using :
url="{R:1}{R:3}
but still no redirect is happening. I tried with different browsers with no success.
Thanks for the help
The number sign (#) delimits the URI from the fragment identifier. The client should never send this character uncoded. Instead, the client should only send the URI to the server (everything before #). So your client application (web browser) does not send anything after #, which we can see in the URL logged on the server. So what you need to do is to encode this character.
https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference
I hope this makes sense. I'm trying to write a global rewrite rule in IIS that will abort a request if a client cert isn't presented to the IIS(rather than giving a 403 error). I've come across the cert_flags option, but I can't quite figure out what I'm supposed to put in for the condition. Has anyone done this before?
Thanks!
Not sure if this is still relevant, but I recently ran into this, so I figured I'd toss my solution out there.
I took inspiration from this solution for Apache https://serverfault.com/questions/411858/allowing-users-in-from-an-ip-address-without-certificate-client-authentication.
There were two things I did to make this work. The first was to change IIS to "accept" client certificates instead of making it "require" them, while still requiring an SSL connection. The second was to add an extra rewrite rule that processes all incoming URLs and aborts the request if it matches the condition:
{CERT_FLAGS} Does not match pattern ^1$
CERT_FLAGS should be one if the certificate is valid as per the descriptions from https://msdn.microsoft.com/en-us/library/ms524602%28v=vs.90%29.aspx and the description of how microsoft does flags https://msdn.microsoft.com/en-us/library/dd304685.aspx.
My web.config for that rule looked basically like:
<rule name="Bad Certs" enabled="true" stopProcessing="false">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{CERT_FLAGS}" pattern="^1$" negate="true" />
</conditions>
<action type="AbortRequest" />
</rule>
I have a bad url coming in as
http:/example.com/path/file.html how
How can I fix it to be
http://example.com/path/file.html how
Notice the http:\ to http:\\
I don't want to fix it for just a single url, would like to be fixed for all urls that happen to have an error IIS URL Rewrite.
I coded many URL Rewrites before, but for some reason I can't figure this one out.
I think I figured it out, there might be a better way, but this seems to fix the issue.
<rule name="Fix Slash Issue" stopProcessing="true">
<match url="^(http.?:\\[a-zA-Z0-9])" />
<action type="Redirect" url="https:\\{HTTP_HOST}\{REQUEST_URI}" />
</rule>
I am having a problem with an IIS7 Integrated Pipeline URL Rewrite.
For my particular scenario I need to rewrite/redirect part of the initial request as follows.
User enters http://savecontoso.com/files/123456789/somefile.html in the browser address bar.
User is redirected to http://savecontso.com/default.aspx?url= (results of url="default.aspx?url={R:1}")
This currently works as expected only if I create the initial request as such, http://savecontoso.com/default.aspx/files/123456789/somefile.html.
I must note that there is no actual directory of /files/ nor /123456789/ nor any file named somefile.html on the server. I simply need that entire path and filename appended to a query string.
This is my first day working with redirect/rewrite functions using IIS instead of page code behind and I have looked all around learn.iis.net, Google etc to no avail. I understand that rewriting takes place before page requests but for some reason my particular code requires a page request before firing the redirect.
I suspect it is because I am not triggering conditions at the initial request?
<rewrite>
<rules>
<rule name="1" stopProcessing="true">
<match url="(.*)(/files/\d+/.*html$)" />
<action type="Redirect" redirectType="Permanent" url="default.aspx?url={R:1}" />
</rule>
</rules>
</rewrite>
Most likely it does not work because of your match pattern:
the {R:1} will only match (.*) in your pattern, and will never match files/123...
URL in match pattern always starts with no leading slash: should be files/\d+... and not /files/\d+...
Try this one instead (works fine for me):
<rule name="1" stopProcessing="true">
<match url="^files/\d+/.*\.html$" />
<action type="Redirect" url="default.aspx?url={R:0}" redirectType="Permanent" />
</rule>
I'm trying to use the URL Rewrite module for IIS 7.5 to redirect all HTTP requests to HTTPS for my ASP.NET website. The site works fine at the moment but forces the user to type the https:// in the address bar.
I followed the instructions in this article. Everything seems to be fine: I've tried putting the rule in the web.config and it shows up in the UI as it should; I've also done the reverse and can see the changes in the web.config when I use the UI to add the rule. I have RequireSSL unchecked for the site. Unfortunately I still just get a 404 when I try to hit the site via http://.
I've tried a few different action urls including {HTTP_HOST}/{R:1} and the one shown below.. nothing works.
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
redirectType="SeeOther" />
</rule>
</rules>
</rewrite>
</system.webServer>
I'm fairly new to this and pretty frustrated at this point. Seems like this should be a lot easier. Any advice would be appreciated, thanks..
Reposting from ServerFault as it's been sitting unanswered for a while.
HTTP Error 404. The requested resource is not found
Do you actually have binding for HTTP 80 port? Sounds like you do not have it (only HTTPS).
The reason I'm asking is the quoted text is the exact message that I would see if I request unknown to IIS domain (when there is no catch-all defined) or domain is not bound to the requested port.