Maintain protocol in URL Rewrite Rules

The URL Rewrite 2.0 module for IIS7+ is a very powerful tool for manipulating requests to an IIS server. We use it quite heavily with Application Request Routing load balancers in our environment. The combination allows us to perform L7 load balancing of requests. One of the great features of ARR is the ability to perform SSL offloading, which effectively terminates the SSL connection at the ARR node. Accomplishing this is quite simple – you create your rule and use HTTP:// as the scheme to route to the appropriate server farm. However, there are times when you will want to pass through the protocol to the backend servers.

There are a few ways to accomplish this. First, you could create two rules with a condition tracking the HTTPS server variable and route appropriately. However, this doubles the number of rules to maintain. Second, you could use a condition on the CACHE_URL variable and a back reference in the rewritten URL. The problem there is that you then need to match all of the conditions which could be a problem if your rule depends on a logical “or” match for conditions. Lastly, my preference involves using a rewrite map on the HTTPS server variable.

The idea is that we create a rewrite map named MapProtocol that contains two key value pairs – ON = https and OFF = http (I also prefer to set the default value for the rewrite map to http in the off chance the HTTPS variable does not contain a value). Then, we use that rewrite map in the Action url against the HTTPS server variable. The rule will look something like this:

<rule name="ARR Maintain protcol" enabled="true" stopProcessing="true">
  <match url=".*" />
    <conditions>
      <add input="{LOCAL_ADDR}" pattern="10\.1\.1\.10" />
    </conditions>
  <action type="Rewrite" url="{MapProtocol:{HTTPS}}://Webfarm1/{R:0}" />
</rule>
 
<rewriteMap name="MapProtocol" defaultValue="http">
  <add key="ON" value="https" />
  <add key="OFF" value="http" />
</rewriteMap>

4 thoughts on “Maintain protocol in URL Rewrite Rules

  1. Hi Jeff. Thank you for this post. I have an issue and I hope you have seen or dealt with something like this in the past. We currently have a deployment of SharePoint 2013 in AWS. We have an Elastic Load Balancer only accepting traffic over port 443 and passing it to our web front end running IIS w/ ARR and Rewrite Engines. Our issue is when we browse to the root of the SP site from the outside, we receive a Windows Auth Pop-Up, once we enter creds, the SP site does a 302 redirect to the start.aspx page but for whatever the reason, when the response gets to the browser, the https is no longer and its been changed to HTTP which breaks the browsing session since the ELB is only accepting in HTTPS. We only have this issue with SharePoint, Dynamics CRM 2015, and another .Net Website work flawlessly using this logic. Any ideas how to deal with something like this? Below is the rewrite logic currently using, appreciate any help you can lend. Thank you.

  2. Hi Jeff. Thank you for this post. We are facing an issue. We want to display content of “https://www.anotherexample.org” under “http://www.example.com” url so, we are using IIS Rewrite module. (Same as CNAME)
    We have created Inbound rules for same. We have added rules below.

    However we are facing below error.

    HTTP Error 502.3 – Bad Gateway

    A connection with the server could not be established

    Below are some other observations.

    It is working when we use “Redirect” action type but Here we want “Rewrite” action in rule because we want same “http://www.example.com” url in browser and want to display content of “https://www.anotherexample.org” so, “Redirect” will not work for us.

    Secondly, we observed that It is working with http protocol(checked some another site).
    Below is configuration. (It is not working with HTTPS)

    Any help would be much appreciated.

Leave a Reply

Your email address will not be published. Required fields are marked *