http > https redirect bypasses my farm

  • Question

  • User-1138725958 posted

    Hello all - 

    I've got a blue/green server farm setup according to this article, but my twist is this: I also want http > https redirection. The problem is that if I enable the top two rules, the redirect bypasses the server farm entirely, and I don't get the blue or green, I always get blue (or the one that has port 443). The bottom two rules work fine without the http > https redirection. 

    The question is: how do I get the redirect from http > https and then direct traffic to the farm where it can determine blue or green? Or put another way, how do I make sure that the top two rules don't bypass the bottom two rules? 

    Here's what I've got currently: 

            <rewrite>
                <globalRules>
                    <clear />
                    <rule name="No Redirect if https" enabled="true" stopProcessing="true">
                        <match url=".*" />
                        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                            <add input="{HTTPS}" pattern="^ON$" />
                        </conditions>
                        <action type="None" />
                    </rule>
                    <rule name="Redirect to https" enabled="true" stopProcessing="true">
                        <match url="(.*)" />
                        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                            <add input="{HTTP_HOST}" pattern="^test\.mydomain\.org$" />
                            <add input="{HTTPS}" pattern="^OFF$" />
                        </conditions>
                        <action type="Redirect" url="https://{HTTP_HOST}{R:0}" />
                    </rule>
                    <rule name="HTTP TO FARM" stopProcessing="true">
                        <match url=".*" />
                        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                            <add input="URL Path" pattern=".*" />
                            <add input="{HTTP_HOST}" pattern="^test.mydomain.org$" />
                            <add input="{SERVER_PORT}" pattern="^80$" />
                        </conditions>
                        <action type="Rewrite" url="http://alwaysup/{R:0}" />
                    </rule>
                    <rule name="HTTPS TO FARM" stopProcessing="true">
                        <match url=".*" />
                        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                            <add input="URL Path" pattern=".*" />
                            <add input="{HTTP_HOST}" pattern="^test.mydomain.org$" />
                            <add input="{SERVER_PORT}" pattern="^443$|^4433$" />
                        </conditions>
                        <action type="Rewrite" url="http://alwaysup/{R:0}" />
                    </rule>
                </globalRules>
            </rewrite>

    Thanks!

    Thursday, February 18, 2021 9:24 PM

Answers

  • User-1138725958 posted

    I stumbled upon the rule below, and that seems to do the trick. I don't know why this works, but I'm glad it does. 

    <rule name="redirect" enabled="true" stopProcessing="true">
        <match url=".*" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTP_HOST}" pattern="test.mydomain.org" />
            <add input="{SERVER_PORT}" pattern="^80$" />
            <add input="{HTTP_X_ARR_SSL}" matchType="Pattern" pattern=".*" ignoreCase="true" negate="false" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Found" />
    </rule>

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, February 22, 2021 3:50 PM
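
Why the accepted rule works, as an added example that is not part of the original thread: a simplified Python model of URL Rewrite's in-order evaluation with stopProcessing="true", run over the rule sets posted above. It assumes the accepted rule replaces the first two rules while the two farm rules stay; `evaluate` and `request` are hypothetical helper names and the sample requests are constructed.

```python
import re

# Each rule: (name, conditions {server variable: regex}, action type). Every rule on
# the page uses match url=".*", logicalGrouping="MatchAll" and stopProcessing="true".
# The literal-input condition input="URL Path" pattern=".*" always matches and is omitted.
ORIGINAL = [
    ("No Redirect if https", {"HTTPS": r"^ON$"}, "None"),
    ("Redirect to https", {"HTTP_HOST": r"^test\.mydomain\.org$", "HTTPS": r"^OFF$"}, "Redirect"),
    ("HTTP TO FARM", {"HTTP_HOST": r"^test.mydomain.org$", "SERVER_PORT": r"^80$"}, "Rewrite"),
    ("HTTPS TO FARM", {"HTTP_HOST": r"^test.mydomain.org$", "SERVER_PORT": r"^443$|^4433$"}, "Rewrite"),
]

# Assumption: the accepted rule replaces the first two rules and the farm rules stay.
FIXED = [
    ("redirect", {"HTTP_HOST": r"test.mydomain.org", "SERVER_PORT": r"^80$",
                  "HTTP_X_ARR_SSL": r".*"}, "Redirect"),
] + ORIGINAL[2:]


def evaluate(rules, server_vars):
    """Return (rule name, action) of the first matching rule, or (None, None)."""
    for name, conditions, action in rules:
        # A missing server variable evaluates to an empty string, which ".*" matches;
        # condition matching is case-insensitive by default.
        if all(re.search(pattern, server_vars.get(var, ""), re.IGNORECASE)
               for var, pattern in conditions.items()):
            return name, action  # stopProcessing="true": later rules never run
    return None, None


def request(scheme):
    """Constructed sample request for the host name used on the page."""
    https = scheme == "https"
    return {"HTTP_HOST": "test.mydomain.org",
            "HTTPS": "on" if https else "off",
            "SERVER_PORT": "443" if https else "80"}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for scheme in ("http", "https"):
            print(label, scheme, evaluate(rules, request(scheme)))
```

In the original set every HTTPS request stops at "No Redirect if https" with action None, so the farm rewrite never runs; in the fixed set only port 80 is redirected and HTTPS requests fall through to "HTTPS TO FARM".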

All replies

  • User690216013 posted

    Using Failed Request Tracing to Trace Rewrite Rules | Microsoft Docs

    Then learn from FRT what happens under the hood.

    Thursday, February 18, 2021 10:34 PM
  • User1065476709 posted

    Hi NovaDev,

    The question is: how do I get the redirect from http > https and then direct traffic to the farm where it can determine blue or green? Or put another way, how do I make sure that the top two rules don't bypass the bottom two rules? 

    Do you get any errors? If not, you can use failed request tracking to view detailed information.

    Best regards,

    Sam

    Friday, February 19, 2021 7:45 AM
  • User-1138725958 posted

    ok - I don't get errors, I'm realizing that the way the rules work, if I come through on port 80, then I redirect to port 443 - and then don't go through the rules again, because I have https at that point, so it's never going to hit the other two rules. So I guess I'm back to my original problem of "too many redirects", which is what the "No redirect if https" rule was created to prevent. 

    So how do I make sure traffic gets to the farm, is HTTPS only, and doesn't get "too many redirects"?

    Friday, February 19, 2021 5:41 PM
  • User1065476709 posted

    Hi NovaDev,

    ok - I don't get errors, I'm realizing that the way the rules work, if I come through on port 80, then I redirect to port 443 - and then don't go through the rules again, because I have https at that point, so it's never going to hit the other two rules. So I guess I'm back to my original problem of "too many redirects", which is what the "No redirect if https" rule was created to prevent. 

    So how do I make sure traffic gets to the farm, is HTTPS only, and doesn't get "too many redirects"?

    You need to use failed request tracking to see the detailed cause of the error.

    Best regards,

    Sam

    Monday, February 22, 2021 7:56 AM
  • User-1138725958 posted

    Sorry - I didn't say (and totally should have said) that I did go through the failed request tracing and got no errors. That's what made me realize that the pattern of what I'm doing was failing. 

    Monday, February 22, 2021 1:28 PM