Question
I'm really stuck on this one...
Basically, I'm trying to make 2 pages always over SSL using the URLRewrite add-on for IIS. But I also need to force all other pages to HTTP (sigh - don't ask).
But if I force other pages over HTTP, then when you view the SSL page you'll get the security warning. I tried to solve this by checking if the HTTP_REFERER is the SSL page then let it be sent over SSL for that page only. This doesn't work because if someone clicks a link on the SSL page then it will stay over SSL.
Is this even possible?...
This is as far as I got so far:
<rewrite>
  <rules>
    <rule name="Force HTTPS Login" stopProcessing="true">
      <match url="(.+)login.aspx" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
    </rule>
    <rule name="Force HTTPS Payments" stopProcessing="true">
      <match url="(.+)payments.aspx" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
    </rule>
    <rule name="Others Force HTTP" stopProcessing="true">
      <match negate="true" url="((.+)login.aspx|(.+)payments.aspx)" />
      <conditions>
        <add input="{HTTPS}" pattern="^ON$" />
        <add input="{HTTP_REFERER}" negate="true" pattern="(.+)login.aspx" />
        <add input="{HTTP_REFERER}" negate="true" pattern="(.+)payments.aspx" />
      </conditions>
      <action type="Redirect" url="http://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
UPDATE: Found this article: Rewrite http to https on some pages only using .htaccess. No answer since March 2010...!
Answer 1:
So what I ended up doing is:
- Force HTTPS for the page(s) that required it.
- Force all other pages to HTTP EXCEPT for the page(s) in point #1 and the "/styles" and "/images" folders that are referenced on these pages.
Since the pages use relative paths, they automatically use the styles/images over HTTP/HTTPS respectively.
<rewrite>
  <rules>
    <rule name="Force HTTPS Login" stopProcessing="true">
      <match url="(.*)/login.aspx" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
    </rule>
    <rule name="Others Force HTTP" stopProcessing="true">
      <match url="(((.*)/login.aspx)|((.*)/styles(.*))|((.*)/images(.*)))" negate="true" />
      <conditions>
        <add input="{HTTPS}" pattern="^ON$" />
      </conditions>
      <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
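The two rules from the answer above, modelled in JavaScript as an added example (not code from the post) to check which requests end up on which scheme. It assumes IIS URL Rewrite's default matching: ECMAScript patterns, case-insensitive and unanchored, with the `<match url>` input being the path without its leading slash or query string; `evaluate`, `report` and the sample paths are constructed for illustration.

```javascript
// Model of the answer's rule set. Assumption: default URL Rewrite semantics
// (ignoreCase=true, unanchored ECMAScript regex, no leading slash in the input).
const rules = [
  { name: "Force HTTPS Login",
    url: /(.*)\/login.aspx/i, negate: false,
    https: /^OFF$/i, target: "https" },
  { name: "Others Force HTTP",
    url: /(((.*)\/login.aspx)|((.*)\/styles(.*))|((.*)\/images(.*)))/i, negate: true,
    https: /^ON$/i, target: "http" },
];

// Decide what the rule set does with one request.
// scheme: "http" | "https"; requestUri: path plus optional query string.
function evaluate(scheme, requestUri) {
  // <match url> sees the path only: no query string, no leading slash.
  const path = requestUri.split("?")[0].replace(/^\//, "");
  const httpsVar = scheme === "https" ? "on" : "off"; // value of {HTTPS}
  for (const r of rules) {
    const urlMatches = r.url.test(path) !== r.negate; // negate inverts the match
    if (urlMatches && r.https.test(httpsVar)) {
      // stopProcessing="true": the first rule that fires ends evaluation.
      return { rule: r.name, redirectTo: r.target };
    }
  }
  return { rule: null, redirectTo: null }; // no rule fired, served as requested
}

// Constructed sample requests (not taken from the post).
const samples = [
  ["http",  "/account/login.aspx"],       // pushed to HTTPS
  ["https", "/account/login.aspx"],       // stays on HTTPS
  ["https", "/account/styles/site.css"],  // excluded, stays on HTTPS
  ["https", "/account/images/logo.png"],  // excluded, stays on HTTPS
  ["https", "/account/default.aspx?x=1"], // pushed back to HTTP
  ["http",  "/account/default.aspx"],     // stays on HTTP
  ["https", "/login.aspx"],               // edge case: no "/" before the file name
];

function report() {
  return samples.map(([scheme, uri]) =>
    ({ request: `${scheme}://host${uri}`, ...evaluate(scheme, uri) }));
}

console.table(report());
```

Under these assumptions a `login.aspx` at the site root is not covered by the HTTPS rule and is redirected to HTTP by the second rule, because both patterns require a `/` before the file name.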
Source: https://stackoverflow.com/questions/8190682/force-some-pages-over-https-and-others-to-http-is-it-possible