#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2008
    Location
    Brewster, NY
    Posts
    29
    Rep Power
    0

    Question Dual redirects in web.config file??


    Our company website is hosted on an IIS7 server through a hosting service. We have an SSL certificate on the site for customer logins, shopping cart, and for administrative connection, but not for general viewing. However, I've been told that Google (and probably other search engines) are/going to require e-commerce sites to be ALL "https://", but our site defaults to the standard "http://".

    I found a web.config code online from StackOverflow.com for redirecting all page requests to go "https://" here:

    Code:
    <configuration>
        <system.webServer>
            <rewrite>
                <rules>
                    <clear />
                    <rule name="Redirect to https" stopProcessing="true">
                        <match url=".*" />
                        <conditions>
                            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                        </conditions>
                        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                    </rule>
                </rules>
            </rewrite>
        </system.webServer>
    </configuration>
    Thing is, I already have a redirect web.config running on our server - this is a snippet of it:

    Code:
    <configuration>
        <system.webServer>
            <rewrite>
                <rules>
                    <rule name="CanonicalHostNameRule1">
                        <match url="(.*)" />
                        <conditions>
                            <add input="{HTTP_HOST}" pattern="^www\.endoscopy\.com$" negate="true" />
                        </conditions>
                        <action type="Redirect" url="http://www.endoscopy.com/{R:1}" />
                    </rule>
                </rules>
            </rewrite>
        </system.webServer>
    </configuration>
    Question: can I "nest" these two rules together in the one web.config file (just adding the https redirect "<rule>...</rule>" tags above or below the current rule within the "<rules>...</rules>" tags) or will doing so cause an error or a conflict so one or the other rule will not function?

    Also, the StackOverflow code has "<clear />" before it. What does this tag do? Do I need to keep it?

    Any and all help would be appreciated since I have no clue what I'm doing with the web.config file and I don't want to screw up our website!
  2. #2
  3. Forgotten Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    16,013
    Rep Power
    9616
    You can put the two <rule>s next to each other, yes. The <clear> removes any rules that might already be in place so that should go before the rules.

    But you also need to merge the logic together: the HTTPS rule should always go to the right domain name (not HTTP_HOST) and the canonical rule should always go to HTTPS. Otherwise the user will have to suffer through two redirects instead of one.

    Also make sure you fix your site to not create http:// links. Yes, you have to do that, the redirects alone are not enough.

    As for screwing up your website,
    Do you not have a development version you can test on? You really need one.
  4. #3
    Originally Posted by requinix
    You can put the two <rule>s next to each other, yes. The <clear> removes any rules that might already be in place so that should go before the rules.

    But you also need to merge the logic together: the HTTPS rule should always go to the right domain name (not HTTP_HOST) and the canonical rule should always go to HTTPS. Otherwise the user will have to suffer through two redirects instead of one.

    Also make sure you fix your site to not create http:// links. Yes, you have to do that, the redirects alone are not enough.

    As for screwing up your website,
    Do you not have a development version you can test on? You really need one.
    1) I tried to just change the "{HTTP_HOST}" to "{HTTPS_HOST}", then the URL redirect to "https://www.endoscopy.com"

    Disaster! Totally shut down - got an error message of "too many redirects" from the browser. I put it back to the way it was.

    2) Don't know how to "fix" my site. Everything is in .asp files and I try to do relative links as much as possible instead of direct links. Plus, the whole idea of this was to make sure that ALL links that are in "http://" go to "https://" instead.

    3) I do not have a development version to test on. Site is on a web server through a hosting company down in Florida. I don't have direct access to the server. Also, our site is run entirely through an E-Commerce package (NetSource Commerce's ProductCart) in which I've tried to make the package use "https://" (there IS a place in the Admin panel to make everything go through HTTPS, but it's not working - NetSource said to change the server).
    I also can't run the eCommerce package locally because the application would look at it as being used for two different sites and, thus, we would need dual licenses to do it - NOT in the company budget!

    > the web.config rule that's in it right now (see original post); I take it it's there to make sure that variants of our web address such as "wwww.endoscopy.com", or "endoscopy.com" entered into a browser window, will then all be redirected to "www.endoscopy.com", correct?
    Last edited by MGatESS; May 2nd, 2017 at 12:30 PM. Reason: Additional text, added thought
  6. #4
    Originally Posted by MGatESS
    1) I tried to just change the "{HTTP_HOST}" to "{HTTPS_HOST}", then the URL redirect to "https://www.endoscopy.com"

    Disaster! Totally shut down - got an error message of "too many redirects" from the browser. I put it back to the way it was.
    "HTTPS_HOST" is not a thing. "HTTP_HOST" is the domain the user typed in to get to your website, not the official domain name you want to use. You have to remove that entire placeholder and put your domain name in there instead.

    Originally Posted by MGatESS
    2) Don't know how to "fix" my site. Everything is in .asp files and I try to do relative links as much as possible instead of direct links. Plus, the whole idea of this was to make sure that ALL links that are in "http://" go to "https://" instead.
    If you have a link in your site
    Code:
    <a href="http://endoscopy.com">Homepage</a>
    IIS will not fix that for you. The user will click it and their browser will try to go to it. Then IIS will handle the redirection.

    You need to make sure that does not happen - the redirections you're working with now are there just in case someone uses the old URL (the no-www domain or the http:// site). The goal is to make sure those redirections happen as infrequently as possible.

    Worse yet, if you have a POSTed form
    Code:
    <form action="http://endoscopy.com" method="post">
    then the form will break because POSTed forms do not simply redirect to new sites. Those forms, above all else on your site, must have the correct URL that cannot involve automatic redirections. (Redirections after processing forms are another thing entirely.)

    So you need to go through your site and make sure that all links and forms and CSS/Javascript hrefs and such are all correct: either relative or absolute with the right protocol (https:) and domain name.

    Originally Posted by MGatESS
    3) I do not have a development version to test on.
    You need to set one up. It can be a little version you have running in the background on your own computer if you must - it's not like it has to be an actual server. Testing stuff on your live website is deplorable and if you break things while your users are on your site then you will drive them away.

    Originally Posted by MGatESS
    Also, our site is run entirely through an E-Commerce package (NetSource Commerce's ProductCart) in which I've tried to make the package use "https://" (there IS a place in the Admin panel to make everything go through HTTPS, but it's not working - NetSource said to change the server).
    1. Remove all HTTP<->HTTPS redirects.
    2. Switch the software to use HTTPS.
    3. Add the HTTP->HTTPS redirect in.

    In that order, with a fair amount of time (say, an hour) between each step to allow users in the middle of something to continue what they're doing without it breaking.
    Originally Posted by MGatESS
    I also can't run the eCommerce package locally because the application would look at it as being used for two different sites and, thus, we would need dual licenses to do it - NOT in the company budget!
    Software like that almost always has a provision for development and/or test versions.

    Originally Posted by MGatESS
    > the web.config rule that's in it right now (see original post); I take it it's there to make sure that variants of our web address such as "wwww.endoscopy.com", or "endoscopy.com" entered into a browser window, will then all be redirected to "www.endoscopy.com", correct?
    Correct. Though it will redirect from any bad domain name, it will only ever handle whatever domains IIS knows about and has configured for your site (as far as I know) - so likely just "endoscopy.com".
    Last edited by requinix; May 2nd, 2017 at 12:55 PM.
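
The merge described in posts #2 and #4 (one rule, a literal canonical host, always HTTPS), written out as an added example that is not part of the original thread. The rule name is made up for illustration, and the config assumes IIS itself terminates TLS so that `{HTTPS}` reflects the scheme the browser used.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not code from the thread. Assumes the IIS URL Rewrite
     module is installed (the existing rules already depend on it) and that
     no proxy in front of IIS strips TLS; if one does, {HTTPS} is always
     "off" and this rule would loop. -->
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <!-- Removes rules already in place (see post #2), so it
                     must come before the rules defined here. -->
                <clear />
                <!-- "CanonicalHttpsHost" is a hypothetical rule name. -->
                <rule name="CanonicalHttpsHost" stopProcessing="true">
                    <match url="(.*)" />
                    <!-- MatchAny: redirect when EITHER the request is plain
                         HTTP OR the host is not the canonical one. -->
                    <conditions logicalGrouping="MatchAny">
                        <add input="{HTTPS}" pattern="^off$" ignoreCase="true" />
                        <add input="{HTTP_HOST}" pattern="^www\.endoscopy\.com$" negate="true" />
                    </conditions>
                    <!-- The target is the literal official domain, not
                         {HTTP_HOST}, so a request for http://endoscopy.com/x
                         gets one redirect instead of two. Once the browser is
                         on https://www.endoscopy.com both conditions are
                         false and the rule no longer fires. {R:1} is the
                         path captured by <match>; the query string is
                         re-attached by appendQueryString. -->
                    <action type="Redirect"
                            url="https://www.endoscopy.com/{R:1}"
                            redirectType="Permanent"
                            appendQueryString="true" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
```

This replaces both the "Redirect to https" rule and "CanonicalHostNameRule1"; following the order given in post #4, it goes in only after the e-commerce software itself has been switched to HTTPS.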
