SSL Certificate Connection Error with VS 2015 - iis

So SSL is enabled, and the first time I used it, it asked me for the certificate and worked absolutely fine! I approved it and let it be.
Now, whenever I attempt to debug in Chrome, it throws an SSL Connection Error and ERR_SSL_PROTOCOL_ERROR
I've tried deleting the IIS Express certificate and re-enabling SSL in VS 2015. I've also tried repairing IIS Express, and repairing VS 2015 (which took a while) but to no avail.
I've tried changing ports for SSL and I made sure the SSL port matches the port in the project 'Web' properties as the default URL so that I am using the right port/link every time I debug. Also useless.
Why did it suddenly stop working? No clue, and I don't know how to get it working again.
Here's the rewrite rule:
<rewrite>
<rules>
<clear />
<rule name="Redirect to https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>
</rewrite>
Thank you guys in advance!

Related

Unnecessary HSTS header over HTTP on Windows Server 2016 IIS 10

I am attempting to enforce hsts on my Windows Server 2016 IIS 10 v14. I added the following code to my web.config:
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload"/>
</rule>
</outboundRules>
</rewrite>
</system.webServer>
This works on most my web sites without issues, however, on two of the sites, I am getting a warning:
Warning: Unnecessary HSTS header over HTTP
The HTTP page at http://sandairephotography.com sends an HSTS header. This has no effect over HTTP, and should be removed.
How do I remove this behavior?
In my case, I followed a pre-windows server 2019 example that directed me to implement the HSTS (Strict Transport Security) via my Web sites individual web.config, as posted below. As it happens, the two Web sites that generated the Warning was already setup to use the Strict Transport Security, locally via the IIS Manager HTTP Response Header, which was the source of the Header Warning. Once I removed the entry and restarted the Web Site, the warning disappeared. Apparently, I am using the nopCommerce Web Platform (E-Commerce Template) with a theme that added the http header response entry.
I plan to post a question on the nopCommerce forum as well to determine if this is a normal behavior.

HTTP to HTTPS redirect issue with iis8.5 and Websphere7

We have applications hosted on WebSphere 7.0 and Jboss EAP7 which is behind IIS 8.5 Web server, we enabled ssl for iis.
our requirement is whenever users access with http it has to be redirected to https, to achieve this we configured rewrite2 module in iis below inbound rule
<rules>
<rule name="http to https" enabled="false" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="SeeOther" />
</rule>
issue :- when i access http://www.example.com/login it redirects to https://www.example.com/sePlugins/iisWASPlugin_http.dll and gives 404 Status code. (only applications hosted websphere)
The problem is that we have a ISAPI Websphere plugin to handle the requests and for some reason URL is getting changed by IIS.
redirect rule works fine for Applications hosted on J BOSS.
Not sure what happened to my registration process but I posted the original answer so reposting again after registering.
I found that specifying {CACHE_URL} in the Redirect Url instead of https://{HTTP_HOST}{REQUEST_URI} worked. so url="{CACHE_URL}"
This is how my rule is defined and it seems to work well.
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" />
</conditions>
<action type="Redirect" url="{CACHE_URL}" />
</rule>
I found that specifying {CACHE_URL} in the Redirect Url instead of https://{HTTP_HOST}{REQUEST_URI} worked. so url="{CACHE_URL}"

IIS 7.5 - Force canonical AND https using certificate issued with www

We purchased an SSL certificate for one of our domains. The certificate was issued to www.ourdomain.com. I am having great difficulty writing web.config rewrite rules to force both www and https. The problem is the certificate itself. Again, the certificate was issued to the www variant of our domain. As such it is only valid if www is present in the URL. Currently, I am using the following rule:
<rule name="Redirect to WWW" stopProcessing="true" >'
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^www\." negate="true"/>
</conditions>
<action type="Redirect" url="https://www.{HTTP_HOST}{HTTP_URL}" redirectType="Permanent" appendQueryString="false" />
</rule>
<rule name="Redirect to HTTPS">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="OFF"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{HTTP_URL}" redirectType="Permanent" appendQueryString="false" />
</rule>
http ourdomain.com is OK. http www.ourdomain.com is OK. https www.ourdomain.com is OK. https ourdomain.com FAILS with a browser error
I believe it fails because IIS processes SSL before it gets to these rules in the web.config. And because the certificate requires www to be requested, the user browser gets an error. On the error page, you can click "continue anyways" and the web.config rules kick in and force the redirection. Can this be fixed or do I need to buy a new certificate without www in the domain? Other certificates I have installed on the server without www in the domain work for all 4 URL examples.
Update: still looking for feedback

Adding Rewrite rule to web.config causes error in IIS console

Hi I have added a http to https redirect to my web.config
<rewrite>
<rules>
<rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/" redirectType="Found" />
</rule>
</rules>
</rewrite>
It is within the as required, in fact it is exactly the same as another iis I have running on another box.
However on this server when I save the config and then check the IIS control panel I get an
"There was an error while performing this operation ... Details: Filename \?D:\site\web.config Error:
and there is no error. When I remove the rewrite from the config everything is fine.
The only difference between this server setup and the one that works is that the broken server website is not in the root or is it the default website.
Has anyone encountered this type of error before?
Thanks
Jon
Very strange, even though i had everything set up in IIS and during the add/remove roles to include the http redirect it still needed this extension adding
http://www.microsoft.com/web/gallery/install.aspx?appid=urlrewrite2
the urlrewrite. I installed that extension and it all started working. Shame the error message couldnt ell me that i was missing the feature.

IIS UrlRewrite problem

I've been using the UrlRewrite IIS plugin for about a month on our production site.
I created a single redirect rule using the supplied template/wizard, the resulting config enrty is as follows:
<rewrite>
<rules>
<rule name="CanonicalHostNameRule1" enabled="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^www\.mycompany\.com$" negate="true" />
</conditions>
<action type="Redirect" url="http://www.mycompany.com/{R:1}" />
</rule>
</rules>
</rewrite>
It's been running fine until this morning, when the site started erroring with "too many redirects". As far as I know, nothing in the configuration or infrastructure changed.
I disabled the rule, and the site became functional again (though clearly without any redirecting).
I then re-enabled the rule, and now all is running as expected. I didn't make any changes to the rule other than to temporarily disable it.
Any ideas? Is the plugin buggy?
I'd recommend setting this up:
http://learn.iis.net/page.aspx/467/using-failed-request-tracing-to-trace-rewrite-rules/
This may help you track down the problem if you start getting the "too many directs" error again.
Try this other code, i have on my web and run perfect:
<rule name="Canonical Host Name" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^yourdomain\.com$" />
</conditions>
<action type="Redirect" url="http://www.yourdomain.com/{R:0}" redirectType="Permanent" />
</rule>
The explanation is simple:
Match any URL received to process
The condition is that have anydomaintext.extension (your domain and extension) without prefix
Redirect to same domain with full prefix and put all url.
Other tries was R:1 but quit some of the main url and not run.
The sample from Ruslani:
http://blogs.iis.net/ruslany/archive/2009/04/08/10-url-rewriting-tips-and-tricks.aspx
I tried to use adding www but finally use the sample above.
The fix below worked for me. I discovered my rewrite rule was at out-of-date. The other domain had changed their URL policy and were now redirecting all traffic from otherdomain.com to www.otherdomain.com
<action type="Rewrite" url="http://otherdomain.com/abc/{R:1}" />
to
<action type="Rewrite" url="http://www.otherdomain.com/abc/{R:1}" />
Do you see the difference? By adding the 'www' I preempted the other domain redirection. I basically just complied with their new policy.

Resources