Hexagon Geospatial
MENU

WebGIS

Need a push in the right direction when configuring WebMap, Portal or SDI services? Looking for hints and tips, or just looking for Ideas and information? The WebGIS discussion board is where you start those discussions, connect and share information.
Showing results for 
Search instead for 
Do you mean 
Reply
Regular Contributor
Posts: 246
Registered: ‎10-26-2015
Accepted Solution

Operating Geospatial Portal and GeoMedia WebMap in mixed HTTP/HTTPS

On a new implementation of GeoMedia WebMap and Geospatial Portal I have the following requirements:

 

  1. All Geospatial Portal web sites must be accessed over HTTPS only
  2. Users entering incorrect URLs for the Geospatial Portal web sites must be automatically redirected to HTTPS and a Fully Qualified Domain Name (to avoid certificate errors).
    • Example http://<server>/<site> or https://<server>/<site> or http://<server>.<domain>/site all redirected to https://<server>.<domain>/site
  3. GeoMedia WebMap web services can operate over HTTP (WebMap Publisher Service is used which cannot use HTTPS)

All web sites and web services are running under the the Default Web Site in IIS Manager with port 80 and port 443 bindings enabled.

 

I have started to look at the IIS URL Rewrite module to handle requirement 2 using suggestions such as https://forums.iis.net/t/1186288.aspx?Redirect+all+incoming+traffic+to+FQDN+with+SSL

 

Configuring rules in the IIS URL Rewrite module breaks the Administration Console and Admin Portal web site from communicating with the Geospatial Portal web site (unable to configure the instance or set a starting workspace).

 

Has anyone identified a particular configuration that works in a mixed HTTP/HTTPS environment?

 

Thanks for any suggestions.

 

Colin

 

Regular Contributor
Posts: 246
Registered: ‎10-26-2015

Re: Operating Geospatial Portal and GeoMedia WebMap in mixed HTTP/HTTPS

I have made some progress with this.

 

I have now identified that an exclusion needs to be added within the URL re-write module to allow communication over HTTP to the AdministrationService.svc endpoint within the Geospatial Portal site. This allows the Geospatial Portal instance to be configured through the Administration Console and a starting workspace assigned through the Admin Portal.

 

You need two seperate rules to achieve redirecting short names in URLs to Fully Qualified Domain Names and then redirect to HTTPS. I've tried many rule combinations but this seems to work on a server where all web sites and web services are running within the Default Web Site with HTTPS and HTTP binding is enabled.

 

Remember to update the url parameter value (highlighted in bold below) in the "Redirect2FQDN" rule action with the domain name for your environment.

 

 

<rewrite>
            <rules>
                <rule name="Redirect2FQDN" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern="^.*\.svc$" negate="true" />
                        <add input="{HTTP_HOST}" pattern="^([^\.]+)$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}.domain.com/{REQUEST_URI}" />
                </rule>
                <rule name="Redirect2HTTPS" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{REQUEST_URI}" pattern="^.*\.svc$" negate="true" />
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{REQUEST_URI}" />
                </rule>
            </rules>
        </rewrite>

Unfortunately the above rules don't meet all of requirement 2. When accessing the URL https://<server>/<site> the user is still prompted with a certificate warning message which they must accept before the redirect changes the URL to https://<server>.<domain>/site. I'm still looking for a solution to this as it appears the URL rule applies after certificate checks are made.

 

On a seperate environment where I have split web sites and web services across different IIS web sites (one for HTTP and one for HTTPS) its proving much harder to redirect calls to AdministrationService.svc so my advice is to plan your IIS setup carefully when running mixed HTTP/HTTPS.

Highlighted
Regular Contributor
Posts: 246
Registered: ‎10-26-2015

Re: Operating Geospatial Portal and GeoMedia WebMap in mixed HTTP/HTTPS

Following further research online it does appear it is not possible to redirect the URL https://<server>/<site>  as the redirect kicks in after the SSL connection is opened so a certificate error will be displayed if the certificate doesn't contain a subject alternative name for this URL this is unavoidable.

 

Sources of research:

https://superuser.com/questions/1281185/iis-url-rewrite-ssl-certificates

https://stackoverflow.com/questions/46160055/redirect-to-fqdn-in-iis-not-working

Do you need immediate support?
If you encounter a critical issue and need immediate assistance please submit a Service Request through our Support Portal.