On our website certain sections or pages deal with sensitive user or account information. I want to force the users to browse those pages under HTTPS. Whereas other pages with public content should be available under HTTP. I was planning to install url Rewrite module on IIS and write rules to achieve this. I am not sure how to write the rules in web.config for redirection.
Server: IIS 7.5
Example of pages under SSL:
mywebsite.com.au/login
mywebsite.com.au/login/
- mywebsite.com.au/member
- mywebsite.com.au/member/dashboard
- mywebsite.com.au/member/account
- mywebsite.com.au/member/..........
All the pages that do not come under the URL pattern specified above should be browsed under http only.
Umbraco already has a UrlRewriging.net components shipped with it. Check your config folder and you will find urlrewriting.config which is one potential way of achieving what you are after. Here is an example of how the rules might look (untested):
<add name="ForceSSLLogin"
virtualUrl="^http://(.*)/login(.*)"
rewriteUrlParameter="ExcludeFromClientQueryString"
destinationUrl="https://$1/login$2"
redirect="Domain"
ignoreCase="true" />
<add name="ForceSSLMembers"
virtualUrl="^http://(.*)/member(.*)"
rewriteUrlParameter="ExcludeFromClientQueryString"
destinationUrl="https://$1/member$2"
redirect="Domain"
ignoreCase="true" />
I don't really like this solution though since if someone changes the name of the members area page the url rewriting will no longer work.
You don't say what version of Umbraco you are on but what might actually be better is to try a package like this:
HTTPS Redirect
HTTPS Redirect provides a simple mechanism to switch a URL from HTTP to HTTPS (SSL) based on the document-type (alias), node id or template alias.
https://our.umbraco.org/projects/website-utilities/https-redirect
Here goes the rewrite rules I implemented to achieve the http->https and https->http redirection. Please note that on http->https redirection, you also have to redirect the request for css, js and images files from http to https otherwise the browser might decline to execute these files.
You can also check the discussion on IIS forum.
<rewrite>
<rules>
<rule name="HTTPS to HTTP redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="ON" />
<add input="{URL}" pattern="^/login" negate="true" />
<add input="{URL}" pattern="^/member" negate="true" />
<add input="{URL}" pattern="^/(.*)(.js|.css|.png|.jpg|.woff)" negate="true" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="http://{HTTP_HOST}/{R:1}" />
</rule>
<rule name="HTTP to HTTPS redirect login" stopProcessing="true">
<match url="^login" />
<conditions>
<add input="{HTTPS}" pattern="OFF" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/login/" />
</rule>
<rule name="HTTP to HTTPS redirect member" stopProcessing="true">
<match url="^member/(.*)" />
<conditions>
<add input="{HTTPS}" pattern="OFF" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/member/{R:1}" />
</rule>
<rule name="HTTP to HTTPS redirect resources" stopProcessing="true">
<match url="http://(.*)(.css|.js|.png|.jpg|.woff)" />
<conditions>
<add input="{HTTPS}" pattern="ON" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}{R:2}" />
</rule>
</rules>
</rewrite>
来源:https://stackoverflow.com/questions/29023062/how-to-force-certain-sections-of-the-website-to-be-browsed-under-ssl