1. Home
  2. Categories
  3. Coding Help
  4. Not sure which is TRWTF - Me or IIS web.config

Not sure which is TRWTF - Me or IIS web.config

  • LoremIpsum

    Here's what I want to do: If anyone accesses our site using HTTP, redirect to HTTPS. If they access us using any host name other than www.domain.co.uk then redirect to that.

    I have the following rules in web.config on our live site:

        <rule name="HTTPS Only" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTP_HOST}" pattern="^localhost$" negate="true" />
            <add input="{HTTP_HOST}" pattern="^(?:\d+\.){3}\d+$" negate="true" />
            <add input="{HTTPS}" pattern="off" />
        </conditions>
        <action type="Redirect" url="https://www.domain.co.uk/{R:1}" appendQueryString="true" />
    </rule>
    <rule name="Canonical Host HTTPS" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTP_HOST}" pattern="^(?:www|testing)\.domain\.co\.uk$" negate="true" />
            <add input="{HTTP_HOST}" pattern="^localhost$" negate="true" />
            <add input="{HTTP_HOST}" pattern="^(?:\d+\.){3}\d+$" negate="true" />
        </conditions>
        <action type="Redirect" url="https://www.domain.co.uk/{R:1}" appendQueryString="true" />
    </rule>

    When I upload it, everything works as expected, both from the browser and through using Network Tools to check the headers. Then, some time later (around 10 minutes), accessing https://www.domain.co.uk results in an infinite redirect loop! Network Tools confirms this as well.

    I thought I had made a mistake and had made various changes over the last few days, each time believing I'd fixed it. Then it would break again. Today, just out of spite, I merely uploaded the exact same web.config to the live site without any changes, and it works! And then, after around 10 minutes, it stops working again! I can reproduce it every time!

    Have I found a bug in IIS or am I dong it wrong? As a side-note, sessions last for hours, so I don't think that's anything to do with it.

    1
  • blakeyrat

    Oh shit, I did exactly this once, but I no longer have the code. I remember it being a pain in the ass, and thinking, "isn't this a really fucking common use-case to be such a pain in the ass?"

    Sorry.

    1 LoremIpsum 1 Reply
  • LoremIpsum

    Well, glad I'm not alone with this! I've tried to rewrite this logic in a few ways, but yeah... I've had a canonical www domain rule up for ages with no issues, so I'm perplexed.

    0 blakeyrat 1 Reply
  • blakeyrat

    My problem is I did it on the web server's IIS config and so while I have the web.config of the project, I don't have the IIS config stuff I put in.

    I couldn't put it in the web.config of the project because then it would break testing and I'm too lazy to maintain two separate web.configs. WELL NOW THAT'S BIT ME IN THE ASS.

    EDIT: IIRC, and it's been years so grain of salt, I had to set up a rule for the URLs I actually wanted, put a "stop processing = true" on that, then set up a rule that matches everything to do the redirect.

    0
  • LoremIpsum

    Hmm.... Seems to be playing nice at the moment. How about I leave it as it is on a Friday and see if I get any support calls over the weekend!

    0 blakeyrat 1 Reply
  • blakeyrat

    That is the key to software quality success!

    9
  • MathNerdCNU

    Slight derivative of this?

    <rule name="Redirect all the things" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAny">
            <add input="{SERVER_PORT_SECURE}" pattern="^1$" />
            <add input="{SERVER_PORT_SECURE}" pattern="^0$" />
        </conditions>
        <action type="Redirect" url="https://www.domain.co.uk/{R:1}" appendQueryString="true" redirectType="Permanent" />
    </rule>
    0 blakeyrat LoremIpsum 2 Replies
  • blakeyrat

    That looks right off-hand, but you need to add in a rule to not redirect traffic already on the correct domain and do a "stopProcessing" on it. Otherwise, you'll end up redirecting legit traffic.

    0
  • LoremIpsum

    So... Match {SERVER_PORT_SECURE} = 1 and match {SERVER_PORT_SECURE} = 0... so redirect everything? Sounds like a WTF to me. And why use {SERVER_PORT_SECURE} over {HTTPS}?

    1 cartman82 blakeyrat MathNerdCNU 3 Replies
  • cartman82

    Yeah I was confused about that too, but I figured I don't know enough about IIS config to make a fuss.

    0
  • blakeyrat

    That's what his code sample is doing, it's redirecting everybody.

    I was saying you need to make sure the people who aren't supposed to be redirected are matched first, and dump out of the rules if so. So they don't end up re-redirected back to where they were. Which is either harmless, or a nasty redirect loop, I'm not sure which...

    1 cartman82 1 Reply
  • cartman82

    @blakeyrat said:

    That's what his code sample is doing, it's redirecting everybody.

    Why then do you need to put <conditions> tag at all? Wouldn't removing it achieve the same purpose?

    0 blakeyrat 1 Reply
  • MathNerdCNU

    Redirecting everything seemed far simpler than trying to fuck up match possible variations of the domain.

    I mean, if you get a request for nottherightdomain.com on your server, DNS is all kinds of FUBAR so do you really care?

    As Blakey pointed out, and I neglected to read in the link, just using my example as-is will result in an infinite loop. Also using HTTPS should work in place of SERVER_PORT_SECURE.

    Filed under: I don't always Copy-Pasta, but when I do...

    0
  • blakeyrat

    I didn't write the fucking code. I don't have the version of it I wrote.

    0
Log in to reply