IIS and Web Servers
http to https
http to https
  Doug
  All
  Jan 2, 2018 @ 09:34am

What's the best way to auto redirect http to https?

Thanks, Doug

re: http to https
  Rick Strahl
  Doug
  Jan 2, 2018 @ 12:41pm

An IIS rewrite rule is usually the easiest to do this generically.

This is what I use on a number of my sites:

```xml
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
    </rule>
  </rules>
</rewrite>
```

+++ Rick ---

re: http to https
  Doug
  Doug
  Jan 3, 2018 @ 02:17pm

Can this be applied by website? Or does it affect all sites on server?

re: http to https
  Rick Strahl
  Doug
  Jan 3, 2018 @ 05:36pm

Applied per Web site in the <system.webServer> section inside of web.config:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Note the IIS Rewrite Module is an installed component - get it with the Web Platform Installer.

+++ Rick ---

re: http to https
  Doug
  Rick Strahl
  Jan 4, 2018 @ 07:37am

Do I need to install the IIS Rewrite Module or can I edit the Web.config file directly?

re: http to https
  Rick Strahl
  Doug
  Jan 4, 2018 @ 01:51pm

You need to install the IIS Rewrite module, and set the settings in web.config.

+++ Rick ---

re: http to https
  Doug
  Rick Strahl
  Jan 26, 2018 @ 12:50pm

I've installed IIS URL Rewrite and configured. Via a browser it is doing the rewrite from http to https just fine.

However, communications via ohttp.httpget("https://...") is not returning a value.

Basically, it seems that the httpget() will not work if I use the https protocol prefix in the passed in url.

Even when the URL Rewrite rule is disabled, the httpget() returns nothing when using https prefix.

Ideas?

Doug

re: http to https
  Rick Strahl
  Doug
  Jan 26, 2018 @ 01:36pm

No. That should work fine. Does it work with other sites?

What version of Windows are you on? If you're on XP you might be failing because of newer TLS transports for certificates not supported by XP.

+++ Rick ---

re: http to https
  Doug
  Doug
  Jan 26, 2018 @ 01:42pm

Update: httpgetex() is returning error code: 12157. Which, according to MS is: "12157 The application experienced an internal error loading the SSL libraries."

Also, using an older version of wwhttp.prg (2003) handles using https just fine.

Doug

re: http to https
  Rick Strahl
  Doug
  Jan 26, 2018 @ 02:00pm

Url you're hitting? You should probably post your code...

+++ Rick ---

re: http to https
  Doug
  Rick Strahl
  Jan 26, 2018 @ 02:38pm

It may be the Windows version, because when I run from the client's site, we have problems when using https with httpget(). They may have older machines.

But, when I run the same code (below) from a Windows 10 machine, it performs fine. Whether using http or https with/without the URL Rewrite enabled.

The subject system has many points (inventory updates, shopping cart order downloads, website monitoring etc...) where the ERP system interacts with the online system. But I've boiled it down to this code for testing:

```foxpro
oHTTPTEST = CREATEOBJECT('WWHTTP')
lcresponse = oHTTPTEST.HTTPGET("https://www.pssconline.com/test.pssc")
? lcresponse
RELEASE oHTTPTEST
```

So, with Win 10, all scenarios work. With older machines, only http works. But with the URL rewrite enabled in IIS, shouldn't the http request from older machines be rewritten on the server (which is MS Server 2012) and therefore be handled?

I guess what I'm asking is, is there a way we can use httpget() with http protocol and use the URL Rewrite in IIS?

Doug

re: http to https
  Rick Strahl
  Doug
  Jan 26, 2018 @ 03:07pm

I don't understand what you're asking. The code actually works on Windows 10, which means the HTTP interaction is perfectly valid.

What's failing most likely is that the certificate on the server is probably using TLS 1.2 which is not supported on XP or Vista. TLS 1.2 support in Windows WinInet started with Windows 7 and hasn't been patched back to older OSs.

UrlRewrite effectively redirects requests to the HTTP url - there's nothing inherent in UrlRewrite that isn't supported. The issue is the certificate processing. Older versions may work because they might have had certain security settings set more leniently (and very insecurely). If I remember right the loHTTP.lIgnoreCertificateWarnings = .T. used to be set. The default now is .F. You can try using that flag, but if it's a TLS protocol issue that won't work.

+++ Rick ---

re: http to https
  Doug
  Rick Strahl
  Jan 26, 2018 @ 05:57pm

Just trying to figure a way so they don't have to upgrade a bunch of pc's.

re: http to https
  Doug
  Doug
  Jan 29, 2018 @ 02:00pm

Now getting "No data sent" after trying to post data. But only when the rewrite rule is enabled. Would the rewrite rule (http to https) affect posting?

Here is the code:

```foxpro
SELECT ttemp && cursor of data to upload

*--- Convert the cursor into an xml string with DTD
loXML = CREATE("wwXML")
loXML.ncreatedatastructure = 2   && Instructs wwxml to include the DTD
lcxml = loXML.CursorToXML()      && Create xml string from cursor

use in ttemp

WAIT WINDOW 'Uploading iinventid '+trans(liinventid)+'... please wait' NOWAIT

loIP = CREATE("wwhttp")
loIP.nconnecttimeout = 60

*** Post the XML to the server
loIP.AddPostKey("",lcXML)

*--- Send the data up to the receivedata method.
*--- DNG 01-26-2018: Changed to https from http.
lcresult=loIP.HTTPGet("http://"+lcserver+"/"+lcurl)
```

lcresult is receiving "No data sent"

Again, works fine when rewrite rule is turned off.

Doug

re: http to https
  Doug
  Doug
  Jan 29, 2018 @ 02:16pm

Well, it works if I change http to https in the call:

This works:

```foxpro
lcresult=loIP.HTTPGet("https://"+lcserver+"/"+lcurl)
```

This doesn't:

```foxpro
lcresult=loIP.HTTPGet("http://"+lcserver+"/"+lcurl)
```

I would have thought the rewrite rule would have rewritten both to https.

I guess I'll change all my calls now.

Doug

re: http to https
  Rick Strahl
  Doug
  Jan 29, 2018 @ 04:57pm

UrlRewrite won't forward data that you are sending, so most likely all of your POST data is lost. You can't 'redirect' to an HTTPS url without completely restarting the connection since the connection is initiated with the TLS protocol. So yes, you have to call the HTTPS endpoint if you are passing data. For GET requests the redirect should work as WinInet follows redirects.

+++ Rick ---
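
Added example (not part of the original thread, and not Rick's or Doug's configuration): a server-side variant of the rule posted earlier that redirects only GET and HEAD and answers any other plain-HTTP request with an error, so a client posting to http:// fails visibly instead of having its body dropped by the redirect. The rule names, the 403 status and the reason text are choices made for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1: a POST/PUT/etc. arriving over plain HTTP is refused.
             Redirecting it would make the client re-request without
             the posted data, which is the "No data sent" symptom. -->
        <rule name="Refuse data requests over HTTP" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTPS}" pattern="^OFF$" />
            <!-- negate="true": holds when the method is NOT GET or HEAD -->
            <add input="{REQUEST_METHOD}" pattern="^(GET|HEAD)$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403"
                  statusReason="HTTPS Required"
                  statusDescription="Send this request to the https:// endpoint." />
        </rule>

        <!-- Rule 2: only GET and HEAD reach this point over HTTP
             (rule 1 stops processing for everything else). -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

By the time either rule runs, the request body has already crossed the network unencrypted, so the lasting fix is still the one given above: call the https:// endpoint directly.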

re: http to https
  Doug
  Rick Strahl
  Jan 29, 2018 @ 05:08pm

With the pressure on for https, I think this thread will help a few.

Thanks for all the assistance. Doug

re: http to https
  Doug
  Doug
  Feb 6, 2018 @ 10:10am

Is it possible to apply a URL Rewrite rule by IP address? That is, if the incoming IP address is found in a list, the rule will not be applied.

I see there is a "Conditions" section, but am unsure how to use in this case.

Doug

re: http to https
  Rick Strahl
  Doug
  Feb 7, 2018 @ 02:46pm

Yes it's possible, but I don't know off the top of my head what the syntax is. I'm sure you can search for it though - common rewrite rules are generally easy to find in discussions.

+++ Rick ---
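
Added example (not part of the original thread): one way to write the condition asked about above, using the URL Rewrite `{REMOTE_ADDR}` server variable with `negate="true"` so the redirect is skipped for listed clients. The rule name is chosen for this example and the three addresses are placeholders from the documentation ranges, not values from this thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS except listed clients" stopProcessing="true">
          <match url="(.*)" />
          <!-- MatchAll: every condition must hold before the redirect fires -->
          <conditions logicalGrouping="MatchAll">
            <!-- Request arrived over plain HTTP -->
            <add input="{HTTPS}" pattern="^OFF$" />
            <!-- negate="true": holds only when the client address is NOT
                 in the list. Placeholder addresses; replace them with the
                 clients that must stay on HTTP. Anchors (^ and $) and
                 escaped dots keep 203.0.113.10 from matching 203.0.113.100. -->
            <add input="{REMOTE_ADDR}"
                 pattern="^(203\.0\.113\.10|203\.0\.113\.11|198\.51\.100\.7)$"
                 negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Clients on the exemption list keep using plain HTTP, so everything they send and receive stays unencrypted. If the site sits behind a proxy or load balancer, `{REMOTE_ADDR}` is that device's address rather than the end client's.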

re: http to https
  afts
  Doug
  Mar 27, 2018 @ 03:08pm

Yep! We are having similar issues. I'm trying out the web.config right now.

hmm, we already have a web.config that has a configuration section with a system.webserver section. Do I make a new configuration section or just add the rules section to the existing system.webserver section?

re: http to https
  afts
  afts
  Mar 27, 2018 @ 03:35pm

OMG, I think it is working!

Thanks again Rick. and Doug -)
