IE + https redirect = grief for me

Topics: User Forum
Jun 26, 2009 at 2:06 PM

OK, I was trying to write a rule that would redirect/rewrite

https://mail.old.addr.ca -> https://mail.new.addr.ca

(I have a valid Thawte cert for mail.new.addr.ca only.)

The config file below works for Mozilla and Chrome, in that when I type

https://mail.old.addr.ca/exchange

I go to

https://mail.new.addr.ca/exchange

and then I get chap(ed) at the redirected address. No warning about the invalid cert, and I don't get the "There is a problem with the website's security certificate". The cert is for mail.new.addr.ca.

However, IE for some reason prompts first that the cert is invalid. Any ideas how I can change the rule below to get IE to redirect before warning of the non-matching security certificate?

 

 

#RewriteLog  c:\temp\iirfLog.out
RewriteLogLevel 0
StrictParsing off
RewriteCond %{HTTP_HOST}   mail.old.addr.ca
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^/(.*)         https://mail.new.addr.ca/$1 [R]

Coordinator
Jun 26, 2009 at 7:08 PM
Edited Jun 26, 2009 at 7:10 PM

Sorry, I don't know the answer to that. Sounds like an IE thing, not an IIRF thing.

Does the warning happen if you DON'T get redirected? What if you use a R=302 (Moved Permanently) redirection? Does that change the behavior of IE? The default [R] is a 301, "Moved Temporarily".

Also, FYI, what you are doing is a REDIRECT not a Rewrite.  There is often a looseness about the terms, but to be clear you are using IIRF to send an HTTP 301/2 to the browser, which then can send a new request to the specified location.  This is known as a client-side redirect.  That may help you in your googling.

 

Jun 26, 2009 at 9:23 PM

Yep you are right it is a browser issue ...dammit!

 

 

RewriteCond %{HTTPS} (on)?
RewriteCond %{HTTP_HOST}   gscsmail.gscs.sk.ca
RewriteRule ^/(.*)         https://gscsmail.scs.sk.ca/$1 [I,R=302]

I don't see anything in the filter log until after I click "Continue to this web site".

I tried it with [I,R=302] to no avail. Any ideas? Is there some IIS config that will counteract this?

 

 

Coordinator
Jun 26, 2009 at 9:44 PM

Hmmmm....I think I had not understood what was happening.  It's getting clearer now.  When you get the "Continue to this web site", what is in the address bar?   I think maybe the problem you are having may have nothing to do with IIRF at all.

What I mean is this: Seems like you have a rule that responds to requests for https://scs, and redirects them to https://gscs. You told me you only have a single cert and it is for gscs. So the initial request for https://scs is the one that is causing the browser to ask for confirmation from the user, e.g. the message that says "The certificate doesn't match the address. Do you want to continue to this web site anyway?" or whatever.

This is before IIRF gets involved. It could be that your IE configuration (and maybe the *default* IE configuration) is designed to warn users if the server-side certificate does not agree with the actual web address, while the other browsers do not warn users in that case.

This behavior is settable within IE - click Tools....Internet Options, and then select the Advanced tab. There's a checkbox for "Warn about certificate address mismatch". If you uncheck it you won't get the "Continue to this web site?" confirmation step. (But you must restart IE for a change of this setting to take effect.) I don't know if the other browsers have an analogous setting, but if they do, it's possible that the setting is OFF - no warning.

This is not an IIS thing. There is nothing you can do on the IIS side to get the error to NOT occur. The problem is your cert has a different address than the server. The browser can either treat this as a situation worthy of user notification (as in IE) or it can simply silently ignore the problem (presumably what the other browsers are doing). IIS is irrelevant. Likewise IIRF!
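
The ordering described in the last reply (certificate name check first, redirect rule second), as an added example that is not part of the original thread or of IIRF. It is a simplified model: the function names, event labels and sample data are assumptions, using the placeholder host names from the first post.

```python
# Added illustration (not from the thread): order of events for an HTTPS redirect.

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against a host, RFC 6125 style:
    case-insensitive, '*' allowed only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label; require two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)

def trace_request(host, cert_names, redirects, max_hops=5):
    """Return the ordered events a client sees, starting at https://host/.
    `redirects` maps a host to the host its redirect rule points at."""
    events = []
    for _ in range(max_hops):
        # Step 1: TLS handshake. The name check happens here, before any
        # HTTP request exists for a server-side filter to act on.
        ok = cert_covers(cert_names, host)
        events.append(("tls_ok" if ok else "tls_name_mismatch", host))
        # Step 2: only now does the HTTP request reach the server
        # (on a mismatch, only if the user chose to continue).
        target = redirects.get(host)
        if target is None:
            events.append(("http_200", host))
            return events
        events.append(("http_redirect", host, target))
        host = target
    return events

def hosts_needing_cert(cert_names, redirects):
    """Redirect source hosts that the certificate does not cover."""
    return sorted(h for h in redirects if not cert_covers(cert_names, h))

# Constructed sample data using the placeholder names from the first post.
CERT_NAMES = ["mail.new.addr.ca"]
REDIRECTS = {"mail.old.addr.ca": "mail.new.addr.ca"}

if __name__ == "__main__":
    for event in trace_request("mail.old.addr.ca", CERT_NAMES, REDIRECTS):
        print(event)
    print("uncovered:", hosts_needing_cert(CERT_NAMES, REDIRECTS))
```

`hosts_needing_cert` lists the redirect source names a certificate would have to cover for the first handshake to pass the name check.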