我在asp.net 3.5上构建了一个应用程序,该应用程序托管在AppHarbor上。问题是在HTTPS上,URL重写不起作用。以下是在SSL上运行某些页面的代码:
string CurrentUrl = Request.Url.ToString();
string sPath = System.Web.HttpContext.Current.Request.Url.AbsolutePath;
System.IO.FileInfo oInfo = new System.IO.FileInfo(sPath);
string sRet = oInfo.Name;
string sDir = oInfo.Directory.Name;
pageName = sRet;
if (sRet == "Register.aspx" || sRet == "Login.aspx" || sRet == "Post.aspx" || sRet == "ChangePassword.aspx" || sRet == "ChangeUserStatus.aspx" || sRet == "Verification.aspx" || sRet == "ContactInfo.aspx" || sRet == "Find.aspx" || sRet == "MyAccount.aspx" || sRet == "MyEmailAddresses.aspx" || sRet == "Load.aspx" || sRet == "MyPostedLoads.aspx" || sRet == "MySubmittedBids.aspx" || sRet == "MySavedAddresses.aspx" || sRet == "MyCarriers.aspx" || sRet == "MyPotentialLoads.aspx" || sRet == "MyFreightAlarms.aspx" || sRet == "MyFreightAlarmsPreferences.aspx" || sRet == "MyAddress.aspx" || sRet == "GetUserComments.aspx" || sRet == "MyCreditCard.aspx" || sRet == "MyWallet.aspx" || sRet == "InvoiceMe.aspx" || sRet == "MyShippers.aspx" || sRet == "MyCoWorkers.aspx" || sRet == "MyACH.aspx" || sRet == "RouteMap.aspx" || sRet == "Pricing.aspx" || sRet == "PricingPayment.aspx" || sRet == "PaymentProcessed.aspx")
{
string NewUrl = "";
if (!Request.IsSecureConnection && !string.Equals(HttpContext.Current.Request.Headers["X-Forwarded-Proto"], "https", StringComparison.OrdinalIgnoreCase))
{
NewUrl = Regex.Replace(CurrentUrl,
@"^https?(://[^/:]*)(:\d*)?",
"https$1",
RegexOptions.IgnoreCase);
Response.Redirect(NewUrl);
}
}
web.config上的URL重写规则:
<rewrite>
<rules>
<rule name="Rewrite with .aspx" stopProcessing="true">
<match url="^([^\.]+)$" />
<action type="Rewrite" url="{R:1}.aspx" />
</rule>
<rule name="Redirect .aspx page requests" stopProcessing="true">
<match url="(.+)\.aspx" />
<action type="Redirect" url="{R:1}" />
</rule>
</rules>
</rewrite>
问题是该页面仍处于无限循环中,无法正确重定向。
答案 0 :(得分:0)
RequireHttpsAttribute:如果您使用内置的RequireHttpsAttribute来确保控制器操作始终使用HTTPS,您将遇到重定向循环。 原因是SSL在负载均衡器级别终止,并且RequireHttps无法识别它用于指示请求是使用HTTPS发出的X-Forwarded-Proto标头。
“肉”以粗体显示。
请参阅:AppHarbor SSL FAQ - 特别是疑难解答部分。
如果您的Web服务器前面有SSL集中器或类似设备,则会出现同样的问题。这在“云托管”环境中很常见......
H个....
答案 1 :(得分:0)
与EdSF提到的一样,您遇到的问题是因为SSL(HTTP)处于负载均衡器级别。这意味着,进入ASP.NET应用程序的所有请求都将是HTTP。
因此,在AppHarbor上运行的应用程序中,以下内容始终如下:
Request : https://mysite.com/about
---------------------------------------------------------------------------------
-> Request.Url.Scheme // http
-> Request.Url.AbsoluteUri // http://mysite.com:port/about
-> Request.issecure // false
你重写规则依赖于protocal / scheme为https而且永远不会,导致无限循环。
在AppHarbor上运行的ASP.NET应用程序中检查HTTPS的方法如下:
string.Equals(Request.Headers["X-Forwarded-Proto"],
"https",
StringComparison.InvariantCultureIgnoreCase);
我还在AppHarbor上托管我的Web应用程序,需要更好的解决方案,因此我创建了SecurePages项目(NuGet - GitHub)。此项目允许您使用字符串文字和正则表达式配置安全/ https URL。它还强制所有其他URL使用HTTP。您还可以注册充当HTTP请求匹配规则的自定义谓词委托。因此,您可以为AppHarbor注册一个以检查标题:
//Secure a page
secureUrls.AddUrl("/Register.aspx");
//Secure any page under /cart/*
secureUrls.AddRegex(@"(.*)cart", RegexOptions.IgnoreCase);
//Register a custom HTTPs match rule for AppHarbor
SecurePagesConfiguration.RegisterCustomMatchRule(
c => string.Equals(c.Request.Headers["X-Forwarded-Proto"], "https", StringComparison.InvariantCultureIgnoreCase));
安全页面还支持使用IIS Express进行单元测试和本地浏览器测试。