Rewrite URLs on an HTTPS page to HTTP

Question

Using the 'bindings' feature of IIS7, I added an SSL certificate at the root of my website to 'https' (port 443). Then, I required an SSL connection for a specific directory, '/secure-directory/'. I can now redirect to this directory by explicitly linking to the https address: https://www.mysite.com/secure-directory/ . The problem is that /secure-directory/ is the only directory I want to use SSL, and it contains navigation links which are now maintaining the https prefix, so my 'Home' link now directs to https://www.mysite.com instead of http://www.mysite.com .

What is the ideal way to preserve the http prefix for links in the /secure-directory/? I have the IIS7 URL Rewrite module so if someone can share an outbound rule, that would be much appreciated. Otherwise, I would like to know if I'm going about this entirely the wrong way, or of there is a better solution than a rewrite rule. Thanks.

Answer 1

I'm using this module . You can configure /secure-directory/ as being access only via https

<secureWebPages>
    <directories>
        <add path="secure-directory" />
    </directories>
</secureWebPages>

Answer 2

I normally use something like this and it has always worked for me. (Not entirely sure this is the best way though).

You can have a function like this in global.asax and can call in Application_BeginRequest

private void RedirectToCorrectSSLScheme()
    {
        Uri pageRequest = Request.Url;
        string requestPath = pageRequest.GetLeftPart(UriPartial.Path).ToLower();

        requestPath = Server.UrlDecode(requestPath);
        // PageIsSecure returns if the given page should be secure or not. I 
       //maintain a list of secure pages or 
       //secure directory in an XML config.  
        bool securePage = GetSecurePages().PageIsSecure(requestPath);
        if (pageRequest.Scheme == "https" && !securePage && requestPath.Contains(".aspx"))
        {
            Response.Redirect("http://" + pageRequest.Host + pageRequest.PathAndQuery, true);
        }
        else if (pageRequest.Scheme == "http" && securePage && requestPath.Contains(".aspx"))
        {
            Response.Redirect("https://" + pageRequest.Host + pageRequest.PathAndQuery, true);
        }
    }

Answer 3

This is not an URL rewriting problem, IMO. But you can, at least theoretically (POC time?), write another rewrite rule that flips back to non-SSL. The rewrite scenario is not as scalable, however, as it forces two hits every time a person flips. This may or may not be an issue, depending on normal use of the application.

An easy way to handle this is override the menu control(s) so you can respect the configuration. This will mean the menu uses absolute links for the other implementation (absolute for SSL when non-SSL, and vice versa).

If you need something more "industrial strength" consider adding an HTTP handler to the "pipeline" and controlling SSL or non-SSL there. I would walk through this thoroughly so you don't end up reinventing the wheel (not invented here syndrome) and try to make this a reusable abstraction. This is a bit more complex, but can end up simpler to repeat when you move to another solution. I would first look and see if someone open sourced a handler like this, as this is not an uncommon problem.

I am sure there are other ways to look at this.

Answer 4

Thanks for the replies. I considered implementing the global.asax and module solutions, but what ended up working best for my needs was an outbound rewrite rule. I may revisit this at a later date and re-evaluate my situation, but for now, this is what I'm using (with the 1860 port removed for production):

<rule name="ForceHttpsToHttp" preCondition="ResponseIsHtml1">
    <match filterByTags="A, Img" pattern="^(?!.*javascript).*$" />
        <conditions>
            <add input="{HTTPS}" pattern="ON" />
            <add input="{SERVER_PORT}" pattern="443" />
        </conditions>
    <action type="Rewrite" value="http://{HTTP_HOST}:1860{R:0}" />
</rule>

(The pattern prevents rewriting on server-side click events, whereas (.*) would rewrite and break them)