I'm using an IIS rewrite rule to try to redirect subdomains, e.g. www.example.com to example.com, or this.example.com to example.com.
The rule:
<rule name="RedirectAll" enabled="true" stopProcessing="false">
  <match url="(.*)" />
  <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
    <add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
    <add input="{HTTP_HOST}" pattern="^(this\.)(.*)$" />
  </conditions>
  <action type="Redirect" url="https://{C:2}{REQUEST_URI}" redirectType="Permanent" />
</rule>
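The www redirect works, but the this part of the rule doesn't trigger, so if I go to this.example.com, I end up with the following response:
Your connection is not private. Attackers might be trying to steal your information from this.example.com (for example, passwords, messages, or credit cards). Learn more. NET::ERR_CERT_COMMON_NAME_INVALID
I'm not asking for help with that error, as I realise it occurs because I don't have a certificate linked to the subdomain.
Even if I change the rule and remove the www part, the this condition doesn't trigger: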
<rule name="RedirectAll" enabled="true" stopProcessing="false">
  <match url="(.*)" />
  <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
    <add input="{HTTP_HOST}" pattern="^(this\.)(.*)$" />
  </conditions>
  <action type="Redirect" url="https://{C:2}{REQUEST_URI}" redirectType="Permanent" />
</rule>
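If I test the above this rule in IIS, it works fine:
Why does only the www condition work when used on the website, while the this test doesn't, even though both work fine when the two rules are tested as per the screenshots?
Once the rule is included in the web.config along with the existing settings, does IIS ignore anything other than the www rule?
The full web.config is listed below.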
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpErrors errorMode="Custom" defaultResponseMode="ExecuteURL">
      <remove statusCode="500" subStatusCode="100" />
      <remove statusCode="500" subStatusCode="-1" />
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="/error_404.asp" responseMode="ExecuteURL" />
      <error statusCode="500" prefixLanguageFilePath="" path="/error_500.asp" responseMode="ExecuteURL" />
      <error statusCode="500" subStatusCode="100" path="/error_500.asp" responseMode="ExecuteURL" />
    </httpErrors>
    <rewrite>
      <!-- https://blog.elmah.io/web-config-redirects-with-rewrite-rules-https-www-and-more/ -->
      <rules>
        <rule name="RedirectToHTTPS" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="Permanent" />
        </rule>
        <rule name="RedirectAll" enabled="true" stopProcessing="false">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
            <add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
            <add input="{HTTP_HOST}" pattern="^(this\.)(.*)$" />
          </conditions>
          <action type="Redirect" url="https://{C:2}{REQUEST_URI}" redirectType="Permanent" />
        </rule>
        <!-- https://sublimecoding.com/blocking-bots-in-iis/ Added 30th September 2020 -->
        <rule name="RequestBlockingRule1" enabled="true" stopProcessing="true">
          <match url=".*" />
          <conditions>
<add input="{HTTP_USER_AGENT}" matchType="Pattern" pattern="^$|EasouSpider|Add Catalog|PaperLiBot|Spiceworks|ZumBot|RU_Bot|Wget|Java/1.7.0_25|Slurp|FunWebProducts|80legs|Aboundex|AcoiRobot|Acoon Robot|AhrefsBot|aihit|AlkalineBOT|AnzwersCrawl|Arachnoidea|ArchitextSpider|archive|Autonomy Spider|Baiduspider|BecomeBot|benderthewebrobot|BlackWidow|Bork-edition|Bot mailto:[email protected]|botje|catchbot|changedetection|Charlotte|ChinaClaw|commoncrawl|ConveraCrawler|Covario|crawler|curl|Custo|data mining development project|DigExt|DISCo|discobot|discoveryengine|DOC|DoCoMo|DotBot|Download Demon|Download Ninja|eCatch|EirGrabber|EmailSiphon|EmailWolf|eurobot|Exabot|Express WebPictures|ExtractorPro|EyeNetIE|Ezooms|Fetch|Fetch API|filterdb|findfiles|findlinks|FlashGet|flightdeckreports|FollowSite Bot|Gaisbot|genieBot|GetRight|GetWeb!|gigablast|Gigabot|Go-Ahead-Got-It|Go!Zilla|GrabNet|Grafula|GT::WWW|hailoo|heritrix|HMView|houxou|HTTP::Lite|HTTrack|ia_archiver|IBM EVV|id-search|IDBot|Image Stripper|Image Sucker|Indy Library|InterGET|Internet Ninja|internetmemory|ISC Systems iRc Search 2.1|JetCar|JOC Web Spider|k2spider|larbin|larbin|LeechFTP|libghttp|libwww|libwww-perl|linko|LinkWalker|lwp-trivial|Mass Downloader|metadatalabs|MFC_Tear_Sample|Microsoft URL Control|MIDown tool|Missigua|Missigua Locator|Mister PiX|MJ12bot|MOREnet|MSIECrawler|msnbot|naver|Navroad|NearSite|Net Vampire|NetAnts|NetSpider|NetZIP|NextGenSearchBot|NPBot|Nutch|Octopus|Offline Explorer|Offline Navigator|omni-explorer|PageGrabber|panscient|panscient.com|Papa Foto|pavuk|pcBrowser|PECL::HTTP|PHP/|PHPCrawl|picsearch|pipl|pmoz|PredictYourBabySearchToolbar|RealDownload|Referrer Karma|ReGet|reverseget|rogerbot|ScoutJet|SearchBot|seexie|seoprofiler|Servage Robot|SeznamBot|shopwiki|sindice|sistrix|SiteSnagger|SiteSnagger|smart.apnoti.com|SmartDownload|Snoopy|Sosospider|spbot|suggybot|SuperBot|SuperHTTP|SuperPagesUrlVerifyBot|Surfbot|SurveyBot|SurveyBot|swebot|Synapse|Tagoobot|tAkeOut|Teleport|Teleport 
Pro|TeleportPro|TweetmemeBot|TwengaBot|twiceler|UbiCrawler|uptimerobot|URI::Fetch|urllib|User-Agent|VoidEYE|VoilaBot|WBSearchBot|Web Image Collector|Web Sucker|WebAuto|WebCopier|WebCopier|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|Website eXtractor|Website Quester|WebStripper|WebStripper|WebWhacker|WebZIP|WebZIP|Wells Search II|WEP Search|Widow|winHTTP|WWWOFFLE|Xaldon WebSpider|Xenu|yacybot|yandex|YandexBot|YandexImages|yBot|YesupBot|YodaoBot|yolinkBot|youdao|Zao|Zealbot|Zeus|ZyBORG|PetalBot|petalbot|aiohttp|Yahoo Ad monitoring" ignoreCase="true" negate="false" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
        </rule>
      </rules>
    </rewrite>
    <httpCompression directory="%SystemDrive%\websites\_compressed" minFileSizeForComp="1024" noCompressionForProxies="false" noCompressionForHttp10="false">
      <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
      <staticTypes>
        <add mimeType="text/*" enabled="true" />
        <add mimeType="message/*" enabled="true" />
        <add mimeType="application/javascript" enabled="true" />
        <add mimeType="application/json" enabled="true" />
        <add mimeType="image/jpeg" enabled="true" />
        <add mimeType="image/gif" enabled="true" />
        <add mimeType="image/png" enabled="true" />
        <add mimeType="application/javascript" enabled="true" />
        <add mimeType="text/css" enabled="true" />
        <add mimeType="*/*" enabled="false" />
      </staticTypes>
    </httpCompression>
    <staticContent>
      <clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" />
    </staticContent>
    <tracing>
      <traceFailedRequests>
        <remove path="*" />
      </traceFailedRequests>
    </tracing>
    <security>
      <requestFiltering>
        <filteringRules>
          <remove name="BlockBots" />
        </filteringRules>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
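The error message you are seeing, "NET::ERR_CERT_COMMON_NAME_INVALID", indicates a problem with the SSL certificate, because it does not match the domain you are trying to access. This is why your rule does not work as expected.
SSL certificates are issued for a specific domain name (common name), or may cover multiple subdomains with a wildcard certificate (e.g. *.example.com). If you use a regular SSL certificate for "example.com" rather than a wildcard certificate that covers "this.example.com", the SSL handshake will fail when you try to access "this.example.com". Naturally, the redirect rule will not go on to execute.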
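The order of events described above, as an added example that is not part of the original question or answer: the browser's certificate name check runs before IIS evaluates either redirect rule from the web.config. It assumes a certificate whose SAN list is example.com and www.example.com (constructed), ignores the other rules in the file, and uses hypothetical function names.

```python
import re

# Constructed sample (assumption): SAN entries of the certificate bound to the site.
CERT_SANS = ["example.com", "www.example.com"]
# Host patterns copied from the RedirectAll rule on this page.
HOST_PATTERNS = [r"^(www\.)(.*)$", r"^(this\.)(.*)$"]

def san_matches(san, host):
    """Simplified RFC 6125 match: '*' may only stand for the whole left-most label."""
    san_labels = san.lower().split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels

def cert_covers(host, sans=CERT_SANS):
    return any(san_matches(s, host) for s in sans)

def next_hop(scheme, host, path):
    """Apply the page's two redirect rules in order; return the Location or None."""
    if scheme == "http":                      # RedirectToHTTPS, stopProcessing="true"
        return f"https://{host}/{path.lstrip('/')}"
    for pat in HOST_PATTERNS:                 # RedirectAll, logicalGrouping="MatchAny"
        m = re.match(pat, host, re.IGNORECASE)
        if m:
            return f"https://{m.group(2)}{path}"   # {C:2}{REQUEST_URI}
    return None

def browse(url, sans=CERT_SANS, max_hops=5):
    """Follow redirects like a browser: the TLS name check precedes any rule."""
    trace = []
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        path = "/" + path
        if scheme == "https" and not cert_covers(host, sans):
            trace.append(f"{url} -> CERT_NAME_MISMATCH")   # request never reaches IIS rules
            return trace
        target = next_hop(scheme, host, path)
        if target is None:
            trace.append(f"{url} -> 200")
            return trace
        trace.append(f"{url} -> 301 {target}")
        url = target
    return trace

if __name__ == "__main__":
    for start in ("http://www.example.com/a", "http://this.example.com/a"):
        print("\n".join(browse(start)), end="\n\n")
```

Passing `sans=["example.com", "*.example.com"]` to `browse` shows the same this.example.com request completing the redirect once the certificate covers the name.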