IIS 7.5 URL 重写 - 对于帐户控制器,从 http 重定向到 https,对于其他所有内容,从 https 重定向到 http
我已经找到了完成这项工作所需的一些东西,但无法将所有内容整合到一个可行的解决方案中。
我正在一个 Intranet 站点上工作,并且希望使用 https 来保护*仅我的帐户控制器上的登录和注销操作。我已经正确安装了证书,并且可以使用 UrlRewrite 规则成功地将这些控制器操作的流量重定向到 https:
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="^account/logon$|^account/logoff$" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>
但是现在,我还想重定向 *我网站的所有其余请求(除了两个操作的流量之外)回到http。我对争论这种方法的优点不感兴趣,因为我有我认为想要从 https 重定向回 http 的正当理由。
我尝试在操作中编写一些代码来实现此目的,但遇到了重大问题。我不知道这是因为我正在使用两个负载平衡服务器还是什么,但我尝试的任何操作都会给我一条“重定向太多”错误消息。
因此,有两个问题:
- 使用 UrlRewrite 规则重定向出 https 或控制器操作是否更好?
- 有谁有一个有效的代码示例或至少可以让我开始走上正确道路的东西吗?
非常感谢任何帮助!
I've found bits and pieces of what I need to make this work, but haven't been able to bring everything together into a workable solution.
I am working on an intranet site, and want to secure *just the logon and logoff actions on my account controller with https. I have the certificate installed correctly, and can successfully redirect traffic to these controller actions to https using a UrlRewrite rule:
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="^account/logon$|^account/logoff$" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>
Now, however, I also want to redirect *all of the rest of my site's requests (other than traffic to the two actions) back to http. I'm not interested in debating the merits of this approach, as I have what I consider valid reasons for wanting to redirect back out of https to http.
I've tried writing some code in the Actions to achieve this, but am having major issues with this. I don't know if it is because I'm working with two load-balanced servers or what, but anything I try just gives me a "too many redirects" error message.
So, two questions:
- Is it better to use a UrlRewrite rule to redirect out of https or a controller actions?
- Does anyone have a working code example or something that can at least get me started down the right path?
Any help is much appreciated!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
迟到总比不到好。这可能会对您或其他人有所帮助。
Better late than never. This might help you or someone else.
首先,就非页面资源而言,您将面临一些挑战 - 如何引用图像和样式表?
至于手头的问题,我认为您想强制网络服务器的上游,例如负载均衡器。我还将通过添加 RequireHttps 属性来支持帐户控制器。
最后,请记住,即使登录过程是安全的,如果该 cookie 不是通过 HTTPS 传输,您很容易就会遇到类似 firesheep 的情况。
First, you will have a bit of a challenge here insofar as non-page resources -- how are you referencing images and stylesheets?
As for the question at hand, I think you want to force this upstream of the web servers, such as on the load balancer. I would also backstop the account controller by adding a RequireHttps attribute.
Finally, remember that even if the login process is secured, if that cookie is not transmitted over HTTPS you can easily end up with a firesheep like scenario.
我有一些代码这里可以让你可以用属性来控制它。
MVC 已经有一个 [RequireHttps] 属性,您可以将其应用于登录/注销页面。我的代码扩展了这种方法,并为您提供了一个额外的 [ExitHttpsIfNotRequired] 属性。将此属性应用于您的基本控制器后,当您尝试使用 HTTPS 访问任何没有 [RequireHttps] 的操作时,它会将您重定向到 HTTP。
I have some code here which lets you control this with attributes.
MVC already has a [RequireHttps] attribute which you would apply to your logon/logoff pages. My code extends this approach and gives you an additional [ExitHttpsIfNotRequired] attribute. With this attribute applied to your base controller, when you try to access any action with HTTPS that doesn't have [RequireHttps], it will redirect you to HTTP.