I’m running a non core ASP dotnet app on IIS 10.
I’m configuring rewrite rules for https behind a load balancer per this config: https://www.jamescrowley.net/2014/03/07/ssl-termination-and-secure-cookiesrequiressl-with-asp-net-forms-authentication/
This is the part that confuses me:
You’ll also need to add HTTPS to the list of allowedServerVariables in
the applicationHost.config (or through the URL Rewrite config)
<rewrite>
<allowedServerVariables>
<add name="HTTPS" />
</allowedServerVariables>
</rewrite>
"or through the URL Rewrite config" seems to indicate this can be set in web.config
.
I don’t want to add this variable to the global applicationHost.config
file I want to set it in my specific applications web.config
.
Where do I put <allowedServerVariables>
in web.config
? I tried putting it under the rewrite rules as in the config snippet but I get an error:
Edit
This is not a solution to my actual question, but it appears what I was asking for is impossible.
I wanted to set this in my web.config because all the configuration tooling around IIS is terrible and painful to work with, but here we go. The snippet below is how I was able to script this on the server.
// Using try catch to make idempotent
// ErrorAction does not work here
// Despite examples online Get-WebConfigurationProperty nor Get-WebConfiguration were able to check if a variable was already set or not
try {
C:/Windows/system32/inetsrv/appcmd unlock config -section:system.webServer/rewrite/allowedServerVariables
Add-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter "system.webServer/rewrite/allowedServerVariables" -name "." -value @{name='HTTPS'}
}catch{}
2
Answers
Try in your web.config:
Some time ago I got this example from https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples
In your example:
Ok, I get your idea. You don’t want to add it to applicationHost.config.
But distributed rewrite rules can only set/overwrite the request headers and server variables that are defined in the allowed list for server variables allowedServerVariables. If a distributed rewrite rule attempts to set any server variable that is not listed in the allowedServerVariables collection a runtime error will be generated by URL Rewrite Module. The allowedServerVariables collection by default is stored in applicationHost.config
So for it to work, it is required to add it to the allowedServerVariables collection. This is specifically noted in the official documentation: https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-20-configuration-reference#using-inbound-rewrite-rules-to-set-request-headers-and-server-variables.