Final web.config for Angular on IIS (with redirect on double slashes)

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>

        <!-- Redirect if path starts with double slashes -->
        <rule name="RedirectLeadingDoubleSlashes" stopProcessing="true">
          <match url="^(//+)(.*)" />
          <conditions>
            <!-- Skip redirect if Radware WAF handled it: this condition holds only when the header is absent or empty -->
            <add input="{HTTP_X_RADWARE_WAF}" pattern=".+" negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:2}" redirectType="Permanent" />
        </rule>

        <!-- Angular rewrite fallback for all other routes -->
        <rule name="Angular Routes" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="/index.html" />
        </rule>

      </rules>
    </rewrite>
    <staticContent>
      <mimeMap fileExtension=".json" mimeType="application/json" />
    </staticContent>
  </system.webServer>
</configuration>


Steps to log the X-Radware-WAF request header in IIS:

  1. Open IIS Manager.

  2. Select your website.

  3. Click on Logging.

  4. Click "Select Fields...".

  5. Click Add Field:

    • Field Name: X-Radware-WAF

    • Source Type: Request Header

    • Source: X-Radware-WAF

  6. Save and apply.


3 Ways to Check if the Header Reaches IIS


🔍 Option 1: Use Browser DevTools (Simple Check)

  1. Open your Angular app publicly (through the WAF).

  2. Press F12 → Open Network tab.

  3. Refresh the page.

  4. Click the first request (should be https://anchor.com/).

  5. Look under Request Headers (not Response Headers).

  6. See if X-Radware-WAF is listed.

✅ If it’s there → WAF is forwarding the header.


🧪 Option 2: Use curl to Simulate Traffic

  1. Test via the public URL (goes through the WAF):

     curl -I https://anchor.com////about

  2. Then test the same URL with a header to simulate the WAF:

     curl -I https://anchor.com////about -H "X-Radware-WAF: active"

Observe:

  • If the header affects redirect behavior, then your web.config is working and the header is being respected by IIS.


📂 Option 3: Log the Header in IIS Logs

Step-by-Step:

  1. Open IIS Manager.

  2. Select your site.

  3. In Features View, open Logging.

  4. On the right → click "Select Fields..."

  5. Click "Add Field":

    • Field Name: X-Radware-WAF

    • Source Type: Request Header

    • Source: X-Radware-WAF

  6. Click OK, Apply.

Now:

  • Make a request through the WAF.

  • Go to the IIS logs folder:
    C:\inetpub\logs\LogFiles\W3SVC<your-site-id>\

  • Open the latest log file.

  • See if X-Radware-WAF shows a value.

✅ If you see the header in the logs, WAF is forwarding it.
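
Added example (not from the original post): a Python check that reads an IIS W3C log and separates requests that arrived with X-Radware-WAF from those that arrived without it. It assumes the custom field appears in the #Fields directive under the Field Name entered in IIS Manager; the sample log lines are constructed.

```python
import io

# Constructed sample of an IIS W3C log with the custom field enabled.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Radware-WAF
2024-01-01 10:00:01 203.0.113.10 GET /about 200 true
2024-01-01 10:00:02 203.0.113.10 GET /assets/config.json 200 true
2024-01-01 10:00:03 198.51.100.7 GET /about 200 -
2024-01-01 10:00:04 203.0.113.10 GET /index.html 200 true
"""


def audit_waf_header(lines, field="X-Radware-WAF"):
    """Return (seen, missing): requests logged with and without the header."""
    columns, seen, missing = None, [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The directive can reappear mid-file after a logging change.
            columns = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if columns is None:
            raise ValueError("no #Fields directive before the first entry")
        if field not in columns:
            raise ValueError(f"{field} is not a logged field: {columns}")
        values = line.split(" ")
        if len(values) != len(columns):
            continue  # truncated or malformed entry
        row = dict(zip(columns, values))
        # W3C logs write "-" when a field has no value.
        (missing if row[field] == "-" else seen).append(row)
    return seen, missing


if __name__ == "__main__":
    seen, missing = audit_waf_header(io.StringIO(SAMPLE_LOG))
    print(f"with header: {len(seen)}, without: {len(missing)}")
    for row in missing:
        print("no WAF header:", row["c-ip"], row["cs-method"], row["cs-uri-stem"])
```

A logged value shows only that the header arrived at IIS. Any client can send the same header, as the curl test in Option 2 does, so it does not prove the WAF set it.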


❌ If the Header is NOT Reaching IIS

If none of the methods show X-Radware-WAF, then:

🔒 Radware WAF is probably:

  • Normalizing the request (removing bad slashes)

  • But not sending a custom header to IIS


✅ Solution: Add a Custom Header in Radware

Ask your security/WAF admin to add a rule in Radware AppWall or Cloud WAF to:

"Inject a custom header (e.g. X-Radware-WAF: true) into all incoming requests after WAF inspection."

This is usually done in:

  • AppWall GUI → Security Policies → Header Injection

  • Or via a custom rule in Radware WAF configuration

Once that's added, IIS will receive the header and your rule will behave properly.


✅ TL;DR — What You Should Do

Task                      | How-To
Check if header is passed | Use browser DevTools or curl
Log it in IIS             | Add a custom field in IIS Logging
Header missing?           | Ask WAF team to inject X-Radware-WAF: true after inspection



<configuration>
  <system.webServer>
    <rewrite>
      <rules>

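        <!-- Rule 1: Normalize multiple slashes -->
        <rule name="Remove Double Slashes" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <!-- C:1 = path before the first run of slashes, C:2 = everything after it (query string included) -->
            <add input="{REQUEST_URI}" pattern="^([^?]*?)//+(.*)$" />
          </conditions>
          <!-- Redirect to the path with that run collapsed to a single slash -->
          <action type="Redirect" url="{C:1}/{C:2}" appendQueryString="false" redirectType="Permanent" />
        </rule>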

        <!-- Rule 2: Angular fallback routing -->
        <rule name="Angular Routes" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="/index.html" />
        </rule>

      </rules>
    </rewrite>
    <staticContent>
      <mimeMap fileExtension=".webmanifest" mimeType="application/manifest+json" />
    </staticContent>
  </system.webServer>
</configuration>



