frenzypeng / securityswitch

Automatically exported from code.google.com/p/securityswitch

Redirect from HTTPS to HTTP is looping. #23

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

When I click an HTTP page from HTTPS, it is looping and the address is not changed to 
HTTP. It stays in HTTPS. 

What is the expected output? What do you see instead?

It is supposed to redirect to HTTP.

What version of the product are you using? On what operating system?

4.1.4217

Original issue reported on code.google.com by ded...@gmail.com on 4 Aug 2011 at 1:15

GoogleCodeExporter commented 8 years ago
Forgot to mention

I am using IIS 7 Integrated version.

And My web config 

<configSections>
  ...
  <section name="securitySwitch" type="SecuritySwitch.Configuration.Settings, SecuritySwitch" requirePermission="false" />
  ...
</configSections>
<securitySwitch mode="RemoteOnly" bypassSecurityWarning="true" ignoreAjaxRequests="true">
  <paths>
    <add path="~/Style.css" security="Ignore"/>
    <add path="http://www.googleadservices.com/pagead/" security="Ignore"/>
    <add path="~/Default.aspx" security="Insecure"/>
    <add path="~/Pages/Secure/Summary_Submit.aspx" />
    <add path="~/Images/" security="Ignore"/>
    <add path="~/App_Themes/" security="Ignore"/>
    <add path="~/Pages/Secure/" />
    <add path="~/Pages/" security="Insecure"/>
    <add path="~/Admin/" />
  </paths>
</securitySwitch>
...
<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <modules>
    <!-- for IIS 7.x + Integrated Mode -->
    <add name="SecuritySwitch" type="SecuritySwitch.SecuritySwitchModule, SecuritySwitch" />
  </modules>
  ...

Original comment by ded...@gmail.com on 4 Aug 2011 at 3:20

GoogleCodeExporter commented 8 years ago
It is possible it is hanging up on the Google Ad Service entry in the config. 
I've not tested how the module reacts to such URLs, but it is not meant to work 
with absolute URLs or external URLs, in general. You will have to remove that 
entry and setup your Google Ad code to account for http/https.

Most of the Google code snippets have an option to account for SSL encrypted 
pages. They usually put in a check to which protocol the page was called under, 
and it builds the Google URL with a matching protocol (i.e., https://... if 
your page was called under https).

Let me know if removing that line fixes it or not.

Original comment by vent...@gmail.com on 4 Aug 2011 at 1:41

GoogleCodeExporter commented 8 years ago
I removed the Google Ad Service entry but still when I click the http area it's 
not looping. 
It's happening when I put <add path="~/Pages/" security="Insecure"/>
When I removed it, it is working fine but it's using https, it is not converting 
back to http.

Note:
Previously it was working with WebPageSecurity.

Original comment by ded...@gmail.com on 5 Aug 2011 at 12:03

GoogleCodeExporter commented 8 years ago
What page are you trying to access when the problem occurs?

Original comment by vent...@gmail.com on 5 Aug 2011 at 1:01

GoogleCodeExporter commented 8 years ago
~/Default.aspx and 
<add path="~/Default.aspx" security="Insecure"/>
Pages inside Pages folder
<add path="~/Pages/" security="Insecure"/>

Original comment by ded...@gmail.com on 7 Aug 2011 at 9:00

GoogleCodeExporter commented 8 years ago
Okay. I'd like to suggest you try the following configuration.

<securitySwitch mode="RemoteOnly" bypassSecurityWarning="true" 
ignoreAjaxRequests="true" >
  <paths>
    <add path="~/Admin" />    
    <add path="~/Pages/Secure" />

    <add path="~/Style.css" security="Ignore"/>
    <add path="~/Images" security="Ignore"/>
    <add path="~/App_Themes" security="Ignore"/>                        
  </paths>
</securitySwitch>

Then, try to visit ~/Default.aspx and a page directly under ~/Pages (not under 
~/Pages/Secure since that should force HTTPS). Let me know how that works.

Original comment by vent...@gmail.com on 7 Aug 2011 at 6:20

GoogleCodeExporter commented 8 years ago
No It's still looping.
It's trying to access URL=https://localhost.testWeb/Default.aspx

Original comment by ded...@gmail.com on 7 Aug 2011 at 11:11

GoogleCodeExporter commented 8 years ago
Is there a valid self-signed SSL certificate installed on your local IIS 7 
server where you are attempting these tests?

Original comment by vent...@gmail.com on 8 Aug 2011 at 4:10

GoogleCodeExporter commented 8 years ago
Yes there is a valid SSL certificate installed on local IIS7 server.
I have attached Certificate. 

Original comment by ded...@gmail.com on 8 Aug 2011 at 11:18

GoogleCodeExporter commented 8 years ago
I cannot duplicate this issue with my setup mimicking your page structure and 
configuration. Perhaps, I am misunderstanding what you mean when you say it is 
or is not "looping". Do you mean, the infinite redirection loop that some 
browsers report?

Original comment by vent...@gmail.com on 8 Aug 2011 at 11:42

GoogleCodeExporter commented 8 years ago
It is looping when I change page from HTTPS to HTTP. Yep, I think it's an 
infinite redirection loop.
I've attached Fiddler's log.

Original comment by ded...@gmail.com on 9 Aug 2011 at 12:43

GoogleCodeExporter commented 8 years ago
Thanks for the Fiddler log. I've determined that for some reason, 
Request.IsSecureConnection is returning false in your situation. It should be 
returning true since the protocol is indicated as HTTPS.

Here is a quick test to confirm the theory.
  1) Disable this module.
  2) Add this line in your Default.aspx page's OnLoad method or Load event handler.
        Response.Write(Request.IsSecureConnection.ToString());
  3) Visit the Default.aspx page on your site via HTTPS manually.
  4) Verify that "false" is getting written at the top of your page.

If it writes "true", then my theory is wrong and we're no further along with 
the mystery. If it is "false", I have some other things you can look for/test 
with your server setup to find the issue.

Original comment by vent...@gmail.com on 9 Aug 2011 at 10:56

GoogleCodeExporter commented 8 years ago
Unfortunately it's writing "true"!!
Any other solution?

We also found that in our Production server, Pages are unable to auto redirect 
to HTTPS site from HTTP. It is looping.

On the other hand, in our test server it is auto redirecting to HTTPS from HTTP 
but not auto redirecting to HTTP from HTTPS.

Best Regards,
Damodar

Original comment by ded...@gmail.com on 10 Aug 2011 at 5:33

GoogleCodeExporter commented 8 years ago
I'm stumped! I cannot reproduce this behavior in any of my environments. I'm 
especially confounded by the fact that it is doing this to you on a local 
computer. If it were just on servers, I would suggest looking for a proxy or 
SSL accelerator interfering.

Every diagnostic and test I run to match the issue you are having comes back 
with flying green colors. I'll try a few more environments when I get the 
chance. What environments is this happening on for you (e.g., Windows 7 64-bit 
with SP1, Windows Server 2008 R2, etc.)?

Original comment by vent...@gmail.com on 10 Aug 2011 at 5:11

GoogleCodeExporter commented 8 years ago
It's happening in test server and in Live server, have not tried in local 
computer.

Test server is build in Windows Server 2008 R2 64-bit, and Live Server in 
Windows Server 2008 64-bit.

Original comment by ded...@gmail.com on 10 Aug 2011 at 11:42

GoogleCodeExporter commented 8 years ago
Hi, 

When I tried in my local machine(Windows 7 64-bit with SP1) and with self 
signed certificate it's working fine.
Even <add path="~/Pages" security="Insecure"/> is working.

Our Test and Live is hosted by a separate company.

Best Regards,
Damodar

Original comment by ded...@gmail.com on 11 Aug 2011 at 1:35

GoogleCodeExporter commented 8 years ago
I'm wondering if there is something "in front of" those web servers, like a 
proxy or SSL accelerator, that is preventing the switch or detection properly. 
Another possibility is some global module conflicting with this that the 
hosting company adds to all websites it runs.

Original comment by vent...@gmail.com on 11 Aug 2011 at 11:53

GoogleCodeExporter commented 8 years ago
It was working fine when we were using secureWebPages
The redirection was working fine.

I am not sure have to check.

Original comment by ded...@gmail.com on 13 Aug 2011 at 2:54

GoogleCodeExporter commented 8 years ago
That is interesting. The only differences in HOW version 4 works compared to 
version 3 (secureWebPages), are:

  1) Detecting if a page is secure or not. Prior versions checked the absolute URI string's protocol (e.g., if (Request.Url.AbsoluteUri.StartsWith("https://"))). The latest version checks the request's IsSecureConnection or request headers, if specified.

  2) Redirecting a request to another absolute URI, if determined necessary from the above detection. Previous versions use HttpResponse.Redirect (302: Temporary redirect). The latest version uses status code 301 for a permanent redirect. Both versions use a Refresh response header if bypassSecurityWarning is set to true.

One last thing to try. How about removing bypassSecurityWarning="true" or set 
it to "false" and test again. Maybe the response header is being stripped out 
by something at your host.

Original comment by vent...@gmail.com on 13 Aug 2011 at 4:00

GoogleCodeExporter commented 8 years ago
Still no luck! 
Attached Fiddler's log.

Original comment by ded...@gmail.com on 15 Aug 2011 at 11:36

GoogleCodeExporter commented 8 years ago
It really does look like it's trying. It's issuing the 301 Redirect, but still 
keeps coming up HTTPS. Can you look at the details of the 301 response coming 
back from the server? For example, do the response headers show the location 
with "http://"?

Also, I noticed tmproxy:4560 in the comments for the log. That made me think 
that you may be using non-standard ports for the site. If that's the case, be 
sure to set baseInsecureUri and baseSecureUri to those URLs.

<securitySwitch mode="RemoteOnly" ignoreAjaxRequests="true" 
baseInsecureUri="http://mysite.com:1234" 
baseSecureUri="https://mysite.com:9876">
  ...
</securitySwitch>

Original comment by vent...@gmail.com on 16 Aug 2011 at 5:49

GoogleCodeExporter commented 8 years ago
<securitySwitch mode="RemoteOnly" ignoreAjaxRequests="true" baseInsecureUri="test.mysite.com.au" baseSecureUri="https://test.mysite.com.au">
I am sure we are using standard port. I checked in IIS. port 80 (for non 
secure) and 443 (for secure https).

Now it's taking me to 
https://test.mysite.com.au/test.mysite.com.au/Default.aspx

Original comment by ded...@gmail.com on 17 Aug 2011 at 2:18

GoogleCodeExporter commented 8 years ago
I am having the exact same problem, Anybody know why this is happening? I 
checked all of my code and setting according to each message in this post and I 
get the same thing.
Thanks,
Aaron

Original comment by ajmoore1...@gmail.com on 18 Aug 2011 at 3:39

GoogleCodeExporter commented 8 years ago
https://test.mysite.com.au/test.mysite.com.au/Default.aspx is the result 
because the protocol is missing from the baseInsecureUri. However, it shouldn't 
be necessary if they are using default ports and are the same domain.

Original comment by vent...@gmail.com on 19 Aug 2011 at 12:28

GoogleCodeExporter commented 8 years ago
Aaron,

Would you describe your environment (web server, proxy/accelerator servers, 
etc.), please? Perhaps we can find a commonality between you both.

Thanks,

-Matt

Original comment by vent...@gmail.com on 19 Aug 2011 at 12:29

GoogleCodeExporter commented 8 years ago
Hi Matt,

I have changed it and I am still getting the redirection loop.
I have attached an image from Chrome.

It's happening when I am clicking Http page from Https page.

Best Regards,
Damodar

Original comment by ded...@gmail.com on 19 Aug 2011 at 3:18

GoogleCodeExporter commented 8 years ago
I tested my site in google chrome and it reports the exact screen as Damodar. 
If I monitor my ISA firewall, it reports the loop also...

I am getting this loop just by setting SecuritySwitch mode="On" and commenting 
all "paths" in webConfig. It simply loops for an https request for my site, 
when I set mode=Off, https works fine.

Something else... If I turn mode="On" and add a path to ignore all pages in the 
site, https pages will not loop and basically performs just like security 
switch isn't installed... <add path="/" security="Ignore" />.  Just thought I 
would let you know that it works this way.

Thanks, Aaron

Original comment by ajmoore1...@gmail.com on 19 Aug 2011 at 1:18

GoogleCodeExporter commented 8 years ago
Thanks Aaron. Having it on with no paths will basically tell the module that no 
files should be secured, so when it sees https, it will try to switch it to 
http. For some reason though, it seems that there is a special case with you 
two. In the past, this has always been another device redirecting back to https.

Here's something you can both try to simulate the module in a very simple way. 
It should help narrow down the culprit.
  1) Set mode="Off" for the module or remove it entirely.
  2) Add the following block to your Default.aspx page's Load event handler or OnLoad method:
    if (Request.IsSecureConnection) {
      Response.StatusCode = 301;
      Response.RedirectLocation = "http://the.nameofyoursite.com/Default.aspx";
    }
  3) Type the URL to your page into the browser manually with https (e.g., https://the.nameofyoursite.com/Default.aspx).
  4) See if you are redirected to http without issue or if you get the redirection loop again.

Original comment by vent...@gmail.com on 19 Aug 2011 at 4:14

GoogleCodeExporter commented 8 years ago
I did it both ways- I set mode to off and commented out SecuritySwitch in the 
Web.config. Next I went to the site and used https, it worked.  Then I added 
the code to the default page and went to the site again with chrome- it looped.

So you are saying that when the site does a 301 redirect, something on the 
network or iis is causing the loop?  How do you think I can debug this?

Thanks,
Aaron

Original comment by ajmoore1...@gmail.com on 19 Aug 2011 at 5:49

GoogleCodeExporter commented 8 years ago
Aaron,

That's what it looks like. You can also try it with status code 302 (temporary) 
or a simple HttpResponse.Redirect(url) which will perform a 302 redirect. The 
code you just tried mimics ASP.NET's new HttpResponse.RedirectPermanent(url).

IIS will be easier to test (even with trial and error), but if there is another 
device/server on the network causing the issue, that will likely be more 
difficult to troubleshoot.

For IIS, I would suggest first checking to see if the IIS Rewrite module is 
installed and if so, if you have any rules that are interfering here. Next, you 
can look at HTTP Redirection in IIS to see if it is active for your site. Those 
are probably the only things that would cause issues like this in IIS.

You can check for other ASP.NET modules that may be redirecting things as well. 
The .NET page life-cycle never guarantees the order in which modules execute, 
so that could be a culprit.

As for a device on your network, you could start with a trace route to find 
everything between the server and the outside world (all local network IPs 
like, 10.x.x.x and/or 192.168.x.x). Once you know all the servers involved in 
routing a request/response, you can look at each one for conflicts. From my 
experience, this is almost always caused by an SSL accelerator (ISA dabbles in 
this btw), proxy, or firewall (in that order of likelihood). Check each 
configuration for rules that would result in an additional redirect preventing 
a 301/302 from HTTPS to HTTP. Many of these devices/servers have a debug mode 
you can utilize to some extent as well.

Good luck and let us know what you find! I'm planning on adding another wiki 
page for troubleshooting issues like this one. Your findings could help; 
especially, if it's a new result I haven't seen before.

Thanks!

Original comment by vent...@gmail.com on 19 Aug 2011 at 6:55
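
The checks suggested in this thread (does the 301's Location really start with "http://", is another hop sending the browser back to HTTPS, and what does a base URI without a protocol resolve to) can be run over the sessions of a Fiddler capture. The following is an added example, not part of the original comments or the SecuritySwitch code; the hop data is constructed, www.example.test is a placeholder host, and the Location values are assumptions.

```python
"""Classify a recorded redirect chain (added example, constructed data)."""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed hops: (request URL, status, raw Location header).
# The application downgrades, another redirector upgrades again.
PING_PONG = [
    ("https://www.example.test/Default.aspx", 301, "http://www.example.test/Default.aspx"),
    ("http://www.example.test/Default.aspx", 302, "https://www.example.test/Default.aspx"),
]
# The client receives a Location that points back at the HTTPS URL itself.
SELF_REDIRECT = [
    ("https://www.example.test/Default.aspx", 301, "https://www.example.test/Default.aspx"),
]
# Assumed header produced by a base URI that lacks "http://".
SCHEMELESS = [
    ("https://test.mysite.com.au/Default.aspx", 301, "test.mysite.com.au/Default.aspx"),
]


def analyze(hops):
    """Return (hop index, finding, resolved target) tuples for a chain."""
    findings = []
    requested = {}  # URL -> index of the first hop that requested it
    for i, (url, status, location) in enumerate(hops):
        requested.setdefault(url, i)
        if status not in REDIRECT_CODES or not location:
            continue
        # Browsers resolve Location against the request URL (RFC 3986),
        # so a value without a scheme becomes a path on the same origin.
        target = urljoin(url, location)
        if not urlsplit(location).scheme:
            findings.append((i, "location-has-no-scheme", target))
        src, dst = urlsplit(url).scheme, urlsplit(target).scheme
        if (src, dst) == ("https", "http"):
            findings.append((i, "switch-to-http", target))
        elif (src, dst) == ("http", "https"):
            findings.append((i, "switch-to-https", target))
        if target == url:
            findings.append((i, "self-redirect", target))
            break
        if target in requested:
            findings.append((i, "loop-back-to-hop-%d" % requested[target], target))
            break
    return findings


def summary(hops):
    """Finding names only, in order, for quick comparison."""
    return [name for _, name, _ in analyze(hops)]


if __name__ == "__main__":
    for label, chain in (("ping-pong", PING_PONG),
                         ("self-redirect", SELF_REDIRECT),
                         ("schemeless", SCHEMELESS)):
        print(label)
        for hop, name, target in analyze(chain):
            print("  hop %d: %-24s -> %s" % (hop, name, target))
```

Browsers cache a 301, so retest in a private window or a fresh profile after changing any redirect rule; otherwise a stale cached redirect can look like the loop is still present.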

GoogleCodeExporter commented 8 years ago
Alright, I think I fixed my problem.  I searched Google for an IIS/ISA server
redirect loop and I found this KB article...

http://support.microsoft.com/kb/924373

Looks like some apps and configurations cause an endless loop.  I am not
using some of the apps mentioned but I am using ISA 2004, IIS 7 and I get the
same error. What I did was log in to my ISA 2004 server and change the rule
that is used to publish my website.  I opened the properties window and went
to the "Link Translation" tab as described in the article.  I added an entry
for https://www.mydomain.com to force it to go to the same link
https://www.mydomain.com . It didn't work so I added a
http://www.mydomain.com link translation also. Then it started working!

Not sure why this was happening exactly but glad it is fixed!

Thanks for your help with debugging the problem! And thanks for the product!

Aaron

Original comment by ajmoore1...@gmail.com on 22 Aug 2011 at 2:59

GoogleCodeExporter commented 8 years ago
That is excellent news! I am very glad you got this resolved.

Damodar, does this solution apply to you as well?

Original comment by vent...@gmail.com on 22 Aug 2011 at 5:59

GoogleCodeExporter commented 8 years ago
Hi 

In my case We are using IIS, we don't have ISA server. 

We don't have IIS Rewrite module, HTTP Redirection.
We have separate server. 
But I am not sure the host is handling 301 redirection or not!
Beside that do we have anything else to check?

Best Regards,
Damodar

Original comment by ded...@gmail.com on 22 Aug 2011 at 11:44

GoogleCodeExporter commented 8 years ago
Damodar,

I would ask your hosting provider whether or not they have an SSL accelerator, 
proxy server, or firewall in-place that could be conflicting with redirects.

Have you tried the test that Aaron used to find out that something else was 
influencing the redirects?

  1) Set mode="Off" for the module or remove it entirely.
  2) Add the following block to your Default.aspx page's Load event handler or OnLoad method:
    if (Request.IsSecureConnection) {
      Response.StatusCode = 301;
      Response.RedirectLocation = "http://the.nameofyoursite.com/Default.aspx";
    }
  3) Type the URL to your page into the browser manually with https (e.g., https://the.nameofyoursite.com/Default.aspx).
  4) See if you are redirected to http without issue or if you get the redirection loop again.

Original comment by vent...@gmail.com on 23 Aug 2011 at 1:26

GoogleCodeExporter commented 8 years ago

I am getting loop when I test Aaron's test.

I'll check with hosting company if they are using SSL accelerator, proxy 
server, or firewall.

Original comment by ded...@gmail.com on 24 Aug 2011 at 12:37

GoogleCodeExporter commented 8 years ago
Okay. Please, let us know your findings.

Original comment by vent...@gmail.com on 24 Aug 2011 at 1:17

GoogleCodeExporter commented 8 years ago
Hi,

I tried different approach. 
I used 'Url Rewrite' in IIS and it's working in our test machine(hosted).

So not sure if that's some settings from the program is wrong?

Because previous version is able to work fine. and Url Rewrite is working too.

Any other suggestion?

Best Regards,
Damodar

Original comment by ded...@gmail.com on 25 Aug 2011 at 12:59

GoogleCodeExporter commented 8 years ago
I don't understand. I thought it was looping when you disabled this module and 
tested a simple redirect (the 4-step test that Aaron tried as well). If 
disabling this module still yields issues with a simple redirection, there is 
definitely something else causing this issue.

Original comment by vent...@gmail.com on 25 Aug 2011 at 1:17

GoogleCodeExporter commented 8 years ago
I also could not figure it out!
Implemented the same in the Prod machine and it's live, working fine!
But Firefox and Safari are unable to redirect them properly!!

Original comment by ded...@gmail.com on 29 Aug 2011 at 4:54

GoogleCodeExporter commented 8 years ago
Any Updates? 
Any other ways to fix this problem?

Original comment by ded...@gmail.com on 6 Sep 2011 at 6:23

GoogleCodeExporter commented 8 years ago
I'm sorry. I cannot identify the problem you are having. There is obviously 
something interfering with redirects; most likely on the network with your 
servers. Since you are experiencing the problem without this module enabled 
(using a simple redirect), there is nothing I can fix with the module; it is 
working properly.

I wish you luck finding the true culprit.

Original comment by vent...@gmail.com on 6 Sep 2011 at 11:47