在重定向到web.config中的www子域期间,在域根上添加HSTS http标头 [英] Adding HSTS http headers on domain root during redirect to www subdomain in web.config
问题描述
我有一个asp.net Web应用程序,它由子域www上的搜索引擎索引。我真的不想改变这一点:对根域的请求都设置为永久重定向到www版本,这一切都很好。
I have an asp.net web application which is indexed by the search engines on the sub-domain "www". I don't really want to change that: requests to the root domain are all set up with a permanent redirect to the www version and that's all fine.
我是在网站上启用了HSTS,但由于重定向,我添加的HSTS出站标头规则从未在对域根目录的第一个请求中被点击。 (它适用于后续的https请求,因为没有重定向)。这是一个问题,因为我想提交HSTS预加载的网站 - 这要求重定向包含HSTS响应标题....
I've enabled HSTS on the site, but the HSTS outbound header rule which I've added is never hit on the first request to the root of the domain because of the redirect. (It works fine for subsequent https requests, because there's no redirect). This is a problem because I want to submit the site for HSTS preloading - and that requires that the redirect includes the HSTS response header....
我试过设置规则上的stopProcessing属性为false(希望即使在重定向上也可以运行设置HSTS标头的出站规则)也无济于事。
I've tried setting the stopProcessing attribute on the rule to false (hoping that the outbound rule to set the HSTS header would then be run even on the redirect) to no avail.
这是来自我的配置文件的相关摘录:
Here are the relevant extracts from my config file:
<rewrite>
<rules>
<rule name="Canonical Host Name, HTTPS enabled" stopProcessing="false">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTP_HOST}" negate="true" pattern="www.mysite.co.uk" />
<add input="{HTTP_HOST}" negate="true" pattern="^[a-z0-9]+\.cloudapp\.net$" />
<add input="{HTTP_HOST}" negate="true" pattern="localhost" />
</conditions>
<action type="Redirect" url="https://www.mysite.co.uk/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<!-- hsts | http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx -->
<outboundRules rewriteBeforeCache="true">
<rule name="Add Strict-Transport-Security" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
<add input="{HTTP_HOST}" pattern="(mysite.co.uk|www.mysite.co.uk)" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
推荐答案
必须按如下方式添加标题:
Had to add the header as follows:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
</customHeaders>
</httpProtocol>
</system.webServer>
即使在发送重定向时也会发送标头。
我删除了outboundRules部分。
This sends the header even when sending a redirect. I removed the outboundRules section.
这篇关于在重定向到web.config中的www子域期间,在域根上添加HSTS http标头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
