3 Ways to Redirect HTTP to HTTPS and non-www to www in ASP.NET Core

Ray Huang

In support, we’ve been seeing a lot of issues with URL Rewrite in ASP.NET Core.  Core is a complete rewrite of .NET and so things have changed. In ASP.NET Core, URL Rewrite is no longer handled by the URL Rewrite module (web.config file) but is now served by URL Rewriting Middleware.

This basic tutorial shows three ways to implement URL Rewrite rules using the Microsoft.AspNetCore.Rewrite library.

Let’s start by creating an empty ASP.NET Core application.  In Visual Studio 2017, go to File -> New -> Project… (Ctrl-Shift-N).  Select Web -> ASP.NET Core Web Application.  Name the application and click on OK to continue.

In the Project template window, highlight Empty and click OK to continue.

In order to use the Microsoft.AspNetCore.Rewrite library, we’ll need to add it using NuGet.  Go to Tools -> NuGet Package Manager -> Manage NuGet Packages for Solution…  Under Browse, type in Microsoft.AspNetCore.Rewrite, highlight it, check the checkbox next to your project, and click on Install.

That’s it.  Now, you’re ready to add URL Rewrite rules to your website.  Here are the 3 methods.

Method 1 : web.config/.htaccess file

If you know nothing about how to use the new URL Rewrite Middleware libraries or need some time to learn it, then you’re in luck.  You can still use the good old URL Rewrite syntax from the web.config file.  Right click on your project, select Add -> New Item… (Ctrl-Shift-A), highlight Data under ASP.NET Core, and select XML File.  In this example, I will name the file RedirectToWwwRule.xml, click on Add, and add the following markup to the file:

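    <!-- Redirect any request whose host is not www.domain.com to the www host -->
    <rewrite><rules>
      <rule name="CanonicalHostNameRule">
        <match url="(.*)" />
        <conditions><add input="{HTTP_HOST}" pattern="^www\.domain\.com$" negate="true" /></conditions>
        <action type="Redirect" url="http://www.domain.com/{R:1}" />
      </rule>
    </rules></rewrite>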

Make sure you replace “domain.com” with your domain name in both the pattern and url.  Highlight the XML file and make sure in the Properties window, you select Copy always in the Copy to Output Directory field.  Now open up the Startup.cs file, add a using Microsoft.AspNetCore.Rewrite; directive at the top and enter the following code in Configure method:

app.UseRewriter(new RewriteOptions()
   .AddIISUrlRewrite(env.ContentRootFileProvider, "RedirectToWwwRule.xml")
   .AddRedirectToHttps());

What this does is redirect the non-www version of the URL to the www version and redirect HTTP requests to HTTPS.  You could also have removed the .AddRedirectToHttps() method and included it in the URL Rewrite rule in the XML file and that would have worked too.

What’s great about RewriteOptions() is that if you place a . after it, IntelliSense will show you the available methods that you can use.  You’ll notice an AddApacheModRewrite() method which means you can use the rewrite rules from a .htaccess file instead, providing great flexibility for implementing rules from different sources.

Method 2 : Regular Expressions and HttpContext.Request.Path

The second method is fairly straightforward using a regular expression to perform the redirect.  Add the following code to the Startup.cs file:

app.UseRewriter(new RewriteOptions()
   .AddIISUrlRewrite(env.ContentRootFileProvider, "RedirectToWwwRule.xml")
   .AddRedirectToHttps()
   .AddRedirect("^foo$", "bar"));

What this does is exactly the same thing as above but performs an additional redirect if either of these URLs is entered:


This will redirect to:


Note that the AddRedirect() method evaluates the regular expression against the HttpContext.Request.Path, so if you need something more complicated, you’ll need to use the first or last method.

Method 3: Adding a Rule using a Class

The last method involves implementing a rule using a class.  Right click your project, select Add -> New Item… and add a class named RedirectToWwwRule.cs.  Replace the entire class with this code:

using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.AspNetCore.Rewrite;
using System;

namespace URLRewriteSample
{
    public class RedirectToWwwRule : IRule
    {
        public virtual void ApplyRule(RewriteContext context)
        {
            var req = context.HttpContext.Request;

            // Leave local development requests alone. (Comparing against the bare
            // "domain.com" here would skip exactly the host that needs the redirect.)
            if (req.Host.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase))
            {
                context.Result = RuleResult.ContinueRules;
                return;
            }

            // Already on a www host: nothing to do.
            if (req.Host.Value.StartsWith("www.", StringComparison.OrdinalIgnoreCase))
            {
                context.Result = RuleResult.ContinueRules;
                return;
            }

            // Prepend "www." to the requested host and issue a permanent redirect.
            var wwwHost = new HostString($"www.{req.Host.Value}");
            var newUrl = UriHelper.BuildAbsolute(req.Scheme, wwwHost, req.PathBase, req.Path, req.QueryString);
            var response = context.HttpContext.Response;
            response.StatusCode = 301;
            response.Headers[Microsoft.Net.Http.Headers.HeaderNames.Location] = newUrl;
            context.Result = RuleResult.EndResponse;
        }
    }
}

Then add the following code to your Startup.cs file:

var options = new RewriteOptions();
options.Rules.Add(new RedirectToWwwRule());
app.UseRewriter(options);

This does essentially the same thing as Method 1.
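The rule in Method 3 builds the Location header from the incoming Host header, so whatever host name reaches the application is echoed back with "www." prepended. The variant below is an added example, not code from the original post or from the StackOverflow answer it credits: it redirects only to a fixed, configured host and goes to HTTPS in the same hop. The class name CanonicalHostRule and the host www.domain.com are assumptions.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.AspNetCore.Rewrite;
using Microsoft.Net.Http.Headers;
using System;

namespace URLRewriteSample
{
    // Hypothetical rule (not from the original post): send every request that is not
    // already https://<canonical host> to that fixed host with a single 301.
    //
    // Registration in Startup.Configure, following the pattern used for Method 3:
    //   var options = new RewriteOptions();
    //   options.Rules.Add(new CanonicalHostRule("www.domain.com"));
    //   app.UseRewriter(options);
    public class CanonicalHostRule : IRule
    {
        private readonly HostString _canonicalHost;

        // canonicalHost comes from configuration (placeholder: "www.domain.com").
        // It is never derived from the request, so a forged Host header cannot
        // decide where the redirect points.
        public CanonicalHostRule(string canonicalHost)
        {
            if (string.IsNullOrWhiteSpace(canonicalHost))
                throw new ArgumentException("A canonical host is required.", nameof(canonicalHost));
            _canonicalHost = new HostString(canonicalHost);
        }

        public void ApplyRule(RewriteContext context)
        {
            var req = context.HttpContext.Request;

            // Leave local development requests alone.
            if (req.Host.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase))
            {
                context.Result = RuleResult.ContinueRules;
                return;
            }

            // Already HTTPS on the canonical host: nothing to do.
            var onCanonicalHost = string.Equals(
                req.Host.Host, _canonicalHost.Host, StringComparison.OrdinalIgnoreCase);
            if (req.IsHttps && onCanonicalHost)
            {
                context.Result = RuleResult.ContinueRules;
                return;
            }

            // Scheme and host are fixed; only path and query string come from the request.
            var newUrl = UriHelper.BuildAbsolute(
                "https", _canonicalHost, req.PathBase, req.Path, req.QueryString);
            var response = context.HttpContext.Response;
            response.StatusCode = StatusCodes.Status301MovedPermanently;
            response.Headers[HeaderNames.Location] = newUrl;
            context.Result = RuleResult.EndResponse;
        }
    }
}
```

If TLS is terminated by a proxy in front of the application, req.IsHttps describes the proxy-to-application hop unless forwarded headers are processed before the rewriter runs; without that, this rule would redirect in a loop.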

Many thanks to the folks at StackOverflow for supplying the sample code for the rule,  and I hope it helps the folks out there that are struggling with ASP.NET Core and URL Rewrite to get started.

Windows Server 2016 Hosting

Takeshi Eto

Windows 2016 hosting with Internet Information Services (IIS) 10.x is available in our US-based data center. In the DiscountASP.NET Order form, you can select Windows 2016 for your O/S.

Any existing customers who wish to move their site(s) to the Windows 2016 hosting platform, please contact our technical support staff so we can schedule a migration.



Orlando Code Camp – March 17th Seminole State College

John Meeks

Calling all developers in the Orlando, Florida area, are you looking for something to do this weekend? Well, have I got just the right thing for you.

On Saturday, March 17th the Orlando Code Camp is taking place, and we are a proud sponsor of the event. We are always proud to support the developer community and these events. Come out and learn, network, and have fun.

Google Now Blocking Ads in Chrome Natively

John Meeks

Starting on Thursday, February 15th 2018, Google turned on what they call “Ad Filtering” for their Chrome browser. What that means is Chrome will now block ads natively instead of you having to install an ad-blocker extension to the browser. This all starts with Chrome version 64 and will affect Windows, Mac, Linux, Chrome OS, and Android. The iOS version of Chrome is Safari-based so it will not have the ad-blocking yet.

To come up with the guidelines on what is considered a “bad ad”,  Google worked with the independent organization Coalition for Better Ads and identified 12 ad types that they found were a poor user experience for visitors. These “bad ads” include pop-ups, countdown ads that restrict access to content until finished, auto-play ads, and large sticky ads.



If you display ads on your website:
To see if your site has ads that will violate these guidelines, you will need to have access to the Google Search Console for your site. Via the Search Console there will be a section marked “Web Tools”. Under “Web Tools” you will now have access to the “Ad Experience Report” which will give your site a Passing, Warning, or Failing status. If your site has yet to be reviewed, Google will not provide a status. Google will base your site’s status on a sampling of pages from your site on both desktop and mobile devices. If you are found to have offending “bad ads”, you will be given 30 days to correct the issue before Google acts to block ads on your site. Once you correct the ads in question, you will need to proactively request Google to re-review your site. If you take no action, or if the correction isn’t sufficient, after 30 days Google will block ALL ads from showing on the site – not just the offending ads. Chrome will then display a small notice to users when visiting your site that they have blocked the ads on your site with a link for more info.

This change is a major shift in how ad-blocking works. As of January 2018, Chrome’s user market share was 56.31% according to StatCounter, meaning that a majority of users on the internet will probably have an ad-blocker in place when they visit your site.



Google has also stated that their own ad networks, AdSense and DoubleClick, are not exempt from the ad-blocker and ads will be blocked if their own networks are in violation.

As a publisher you will need to be aware of the ads you are displaying on your site and what type of ads you are running. If you are a publisher who is reliant on advertising for any sort of income, just one “bad ad” that goes unfixed can have ALL the ads for your site blocked.

If you are an advertiser using display ads:
As an advertiser you need to be aware of the ads you are running, as well as the sites you are running them on. If you happen to have ads on a site that Google has decided to block in Chrome, you may be paying for advertising that no one will ever see.

You can read Google’s latest blog post on how this will all work in their Chromium Blog post “Under the hood: How Chrome’s ad filtering works”.

Life just got more difficult for publishers and advertisers…..

What’s Happening with Symantec SSL Certificates?

Michael Phillips

You may have recently read one of the many confusing or seemingly contradictory articles about the Symantec vs. Google grudge match that’s been going on for some time now. If not, here’s the problem in a nutshell:

Google found a troubling number of bad SSL certificates issued by Symantec – bad meaning they had issued certs for google.com and other high profile domains, but they issued them to people who were not Google, etc. Symantec said they were just test certificates used by internal staff, and they never left their four walls. But the fact remained that the certs were valid and could potentially cause a lot of trouble.

Google took issue with the fact that the certs were issued at all, and accused Symantec of sloppy housekeeping. They said to Symantec, “You need to prove to the world that you can clean up your act or we’re going to stop trusting your certs.” Symantec basically replied, “Oh, stop being so dramatic,” and Google said, “Oh yeah? We’ll show you dramatic,” and issued notices giving the exact dates when they would stop trusting the Symantec certs.



Okay, that’s not exactly how it went down, but it’s not that far from what really happened. Just imagine the above in barely polite corporate speak and you’re pretty much there.

In any event, you’re probably wondering what it all means if you have a Symantec SSL certificate (and if you use a RapidSSL, GeoTrust QuickSSL or GeoTrust True BusinessID certificate – which is what we issue – you are using a Symantec certificate).

The short answer: nothing.

It’s not likely that you’ll experience any problems related to the dust up.


Because Symantec sold their certificate business to a company that Google does trust. So the Symantec name will continue on, but the certificates will be issued by the “new” Symantec and trusted by Google. And unless you bought your current certificate a long time ago, it will be re-issued by the new Symantec when you renew it, so you won’t notice a thing.

Again, if you pay for your SSL certificate every year, this probably doesn’t apply to you, but just for the sake of completeness, here are the actual dates and what happens when:


For certificates issued before June 1st, 2016

The Chrome browser will no longer trust this certificate after March 15, 2018. In order to retain trust by the Chrome browser, you need to replace this certificate.

  • If the certificate expires before March 15th, 2018, you don’t need to do anything. The certificate will continue to be trusted by Chrome until it expires.
  • If the certificate expires after March 15th, 2018, but before September 13th, 2018, you can re-issue this certificate any time before March 15th, 2018.
  • If the certificate expires after September 13, 2018, you have to re-issue the certificate before March 15, 2018.


For certificates issued after June 1st, 2016

The Chrome browser will no longer trust this certificate after September 13, 2018.

  • If the certificate expires before September 13th, 2018, you don’t need to do anything. The certificate will continue to be trusted by Chrome until it expires.
  • If the certificate expires after September 13th, 2018, you have to re-issue the certificate before September 13th, 2018.
  • If you have purchased a certificate after December 1st, 2017, the Chrome browser will trust this certificate. You do not have to re-issue.

Top 10 Things We Accomplished in 2017

Takeshi Eto

How time flies…. Here is my annual Top 10 list – this time for 2017.

1. Launched a new responsive website…. finally
2017 marks the year that the DiscountASP.NET website  finally moved into the 20th century with a responsive website that is free from the previous clutter. 🙂 Yes, it took a long time to get the site done, due in part to the older site’s sprawling number of pages and Microsoft’s continuous release of new stuff that we had to keep up with. Another time consuming and tricky aspect was working to make sure we didn’t lose any of the SEO juice we’ve maintained for over the past decade.  In my previous life working at other hosting providers, I’ve witnessed several launches of redesigned sites which resulted in significant decreases in natural search engine rankings. I didn’t want that to happen with our redesign. If you have any feedback for us, please let us know.

2. Adopted HTTPS for all DiscountASP.NET web properties
With Google’s push to increase web security using their reach with their Chrome browser and search engine, all website owners are on notice to adopt an “HTTPS everywhere” approach. We took the opportunity during the DiscountASP.NET site redesign to adopt HTTPS security for all DiscountASP.NET web properties. It would seem like installing an SSL certificate and updating the HTML links would do the trick, but converting to HTTPS everywhere is not trivial. We have our own war stories and learnings on our path to HTTPS everywhere, so if any of our customers are in the middle of their HTTPS conversion – or just starting to think about it – we are available to compare notes.

3. Improved support for .NET Core
In 2016, we launched support for .NET Core 1 (formerly ASP.NET 5). But then, keeping up with minor updates became very difficult.  After spending time testing a minor .NET Core version update, we would finally deploy the update across all of our servers only to find that Microsoft released a new minor update.  In addition, the installation process could change drastically between minor updates. This made it extremely challenging to stay on top of all the updates and continue to provide a stable hosting environment for our customers. The last thing we wanted to do was break customers’ working apps. So taking advantage of a new feature within .NET Core, we launched support for Self-Contained deployment (SCD). In this deployment method, the framework is deployed along with the application, so you no longer need to rely on what framework is installed on the server – the ultimate in portability. We have articles in our knowledge base on how to change a .NET Core app from Framework-dependent to Self-contained for Visual Studio 2017 and Visual Studio 2015. However, we did not just call it a day – we continued to work on how to more efficiently keep up-to-date with the .NET Core updates because we understand that many customers are used to the framework-dependent deployment (FDD) workflow. Currently, we do have one server that will support .NET Core framework-dependent deployment and we plan on updating the rest of the servers where possible. If you are interested in FDD, reach out to our technical support staff.

4. Launched Private MySQL hosting at Everleap
Previously, we introduced Private SQL hosting on our Everleap cloud hosting platform. In 2017, we added Private MySQL hosting to our portfolio. Just like Private SQL, the Private MySQL solution is for customers that outgrow our shared database service or have special configuration needs on the MySQL server. The Private MySQL service gives customers their own instance of MySQL on their own private server that is not shared with any other customer.

5. Launched Private MongoDB hosting at Everleap
Due to the increasing popularity of NoSQL databases, we also launched Private MongoDB hosting at Everleap. MongoDB is one of the more popular NoSQL solution options.  With this service, you’ll get your own private server with your own instance of MongoDB.

6. Renewed Microsoft Partnership
Every year we’ve been working hard to renew our partnership with Microsoft, and 2017 was no different. We successfully renewed our partnership, this time at the Silver Partner level with the Datacenter competency. This change was due to changes within the Microsoft Partner Network program. You can read about it here.

7. Attained Swiss-US Privacy Shield Certification
In 2016, we attained EU-US Privacy Shield certification, a new framework that was worked out after an EU court struck down the previous EU-US Safe Harbor framework. The EU-US Privacy Shield contained legacy language of the Swiss-US Safe Harbor framework, since the Department of Commerce (DOC) had not finalized their negotiations with Switzerland. In 2017, the Swiss-US Privacy Shield framework was finally approved, so we got ourselves certified for it. The situation is fluid and very confusing to keep up with, so we turn for help to a privacy management solutions partner, Truste.

8. Continued supporting the developer community
Just like we have for the past 15 years, we continued to help the developer community. In 2017, we sponsored many developer events including the AZGroup’s Scott Guthrie event, various code camps (Iowa, Orlando, New York City, Southern California, South Florida), usergroups, and GiveCamps (Dallas, Southwest Ohio). We also give free cloud hosting resources to members of the new Microsoft Reconnect Program. If you run a developer event or usergroup, please feel free to reach out to us.

9. Moved office
In 2017, we moved our physical office space to Monrovia, California, a little further east than our previous location.  As you can imagine, moving is disruptive on many fronts and we are still working on building out parts of our office space. We are looking forward to getting settled in over the next several months.

10. Offering Custom Private Cloud solutions
Over the years we have talked to customers who outgrew our hosting services or who had needs outside of “web hosting.” If it made sense, we did take on one-off “Private cloud” services in the past, but we are making it more official now. We do offer IT-as-a-service solutions bringing clients our several decades of experience in designing and operating hosting infrastructure. We can build out, configure and manage a customized Private Cloud environment for your business.  If you are looking for an IaaS/PaaS/Hybrid cloud solution, disaster recovery/business continuity solutions, application hosting, devops environments, Windows/Linux environments, database servers (including Microsoft SQL server, MySQL and Oracle), application streaming, cloud/virtual desktops, etc., please reach out to us; we may be able to help.

Wishing everyone success in the new year!

Meltdown, Spectre, and the Processor Problem That We All Face

Michael Phillips

By now you may have read about an issue affecting Intel, AMD, and other processors, potentially exposing sensitive memory data. Until now, that data has been assumed to be safe, since a program running on a system isn’t supposed to be able to access the memory used by the kernel or core of that system. There are two separate bugs involved, known by the names “Meltdown” and “Spectre.” The bugs affect virtually every device that uses an Intel or AMD processor: desktop computers, laptops, tablets, phones – essentially almost all computing devices made since 1995.

No one knows yet whether the bugs have been exploited, since the potential exploits do not leave any trace in traditional log files. But there have been proof-of-concept demonstrations that the bugs are exploitable, so software and hardware manufacturers are issuing patches and firmware updates to remedy the problems created by Meltdown and Spectre.

What this means as far as your website hosting is concerned

Microsoft is expected to release a number of patches for their different operating systems on Tuesday, January 9th (UPDATE: patch releases have already begun for the most recent O/S versions). In addition to those fixes, it’s also possible that we’ll have to install a number of different firmware updates for the different types of hardware that host your websites. We will, of course, apply the patches and firmware updates as soon as we can, and we will do our best to keep any disruption to a minimum, but at this point we do not know the extent of any potential outages related to the fixes.

What we do know is that the fixes will almost certainly have an impact on the speed of all of the affected hardware. That doesn’t apply only to web servers, but to all affected devices. Virtual machines, which run the vast majority of websites, will see an impact, since the fixes necessary to counteract Meltdown require changes to the way the operating system handles memory. Preliminary testing indicates that the speed of the memory processing could be slowed by anywhere from 17% to 30%, depending on the task.

We can’t be sure of the overall effect until all of the fixes are in place. When we get to that point we will evaluate the situation, and if any adjustments are necessary on our end to keep things running smoothly for you, we will make them.

This is an unusual and unfortunate situation that is going to impact virtually everyone. No one can predict the ultimate effect it will have, but we will continue to monitor the issue as it unfolds and post any pertinent updates related to your hosting in the forum.

Read more about the issue here.

What is Greylisting?

Calvin Wong

Everyone hates spam. (The email kind – not the canned meat). Spam is an especially pertinent issue for hosting customers. If you’re starting a new site and registered a new domain name, you’ll likely be bombarded with spam.

The reason is that your domain name registration information (your name, address, phone number, email address, etc.) is publicly available. Anyone can do a WHOIS search on your domain name and find your contact info. There are even services out there that will provide a list of all the newly registered domain names every day, making them easy targets for spammers.

Just do a WHOIS search on a domain, and you’ll find the owner’s email. For example, here’s the WHOIS information for discountasp.net. As you may guess, marketing@discountasp.net, which is listed as the contact email for our domain, gets a ton of spam.

One way to combat this is to get WHOIS Privacy when you register a new domain name. WHOIS Privacy will mask your real contact information by using the information of the registrar instead. It’s important to get WHOIS Privacy when you initially register a domain name. You can add Privacy later, but by then it’s already too late. Your email and contact info has already been published on one of those lists.

Greylisting is another way to combat spam. When an email network “greylists” messages, they do not accept the initial incoming message, but rather instruct the sending mail server to try delivery again later (which most servers will do every few minutes). The assumption being that spam servers will not attempt to send the message again, but legitimate servers will.

A large percentage of spam is sent from compromised home and business computers. Spammers typically send messages from large numbers of these machines, but each machine sends only small batches of mail, in order to avoid detection, and they will almost never try to re-send the mail when they receive the “try again” response.

Greylisting is a very effective anti-spam tool. Our tests show a decrease in spam of 80% to 90% when greylisting is implemented. But it can cause delivery delays. Those delays will vary, depending on the sending server, but are typically no more than a few minutes.
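The accept-or-defer decision described above, as an added example that is not part of the original post and is not SmarterMail's implementation. Keying on client IP, sender and recipient, the five-minute minimum delay, the 451 4.7.1 reply text, and all addresses and times in the sample are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Constructed sketch of a greylisting decision (not SmarterMail's code).
public class Greylist
{
    private const string Deferred = "451 4.7.1 Greylisted, please try again later";
    private const string Accepted = "250 OK";

    private readonly TimeSpan _minDelay;
    // First time each (client IP, sender, recipient) combination was seen.
    private readonly Dictionary<string, DateTime> _firstSeen =
        new Dictionary<string, DateTime>();

    public Greylist(TimeSpan minDelay)
    {
        _minDelay = minDelay;
    }

    // Returns the SMTP reply the receiving server would give to this attempt.
    public string Check(string clientIp, string mailFrom, string rcptTo, DateTime nowUtc)
    {
        var key = clientIp + "|" + mailFrom.ToLowerInvariant() + "|" + rcptTo.ToLowerInvariant();

        DateTime first;
        if (!_firstSeen.TryGetValue(key, out first))
        {
            // First attempt: remember it and ask the sender to retry later.
            _firstSeen[key] = nowUtc;
            return Deferred;
        }

        // A retry that arrives too quickly is still deferred; a sender that
        // waits and retries, as a normal mail server does, is accepted.
        return nowUtc - first < _minDelay ? Deferred : Accepted;
    }
}

public static class GreylistDemo
{
    public static void Main()
    {
        var greylist = new Greylist(TimeSpan.FromMinutes(5));
        // Constructed sample attempts (documentation IP range and example domains).
        var t0 = new DateTime(2018, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        var attempts = new[]
        {
            Tuple.Create("192.0.2.10", "alice@example.org", "bob@example.com", t0),
            Tuple.Create("192.0.2.10", "alice@example.org", "bob@example.com", t0.AddMinutes(1)),
            Tuple.Create("192.0.2.10", "alice@example.org", "bob@example.com", t0.AddMinutes(10)),
            // A sender that tries once and never comes back stays deferred.
            Tuple.Create("192.0.2.77", "offer@example.net", "bob@example.com", t0.AddMinutes(2)),
        };

        foreach (var a in attempts)
        {
            var reply = greylist.Check(a.Item1, a.Item2, a.Item3, a.Item4);
            Console.WriteLine("{0:HH:mm} {1} -> {2}", a.Item4, a.Item1, reply);
        }
    }
}
```

The delivery delay customers notice is the gap between the first deferred attempt and the sender's first retry after the minimum delay, which is set by the sending server's retry schedule rather than by the receiver.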

Previously, we had Greylisting enabled by default for all customers. But on October 17th, we decided to disable Greylisting by default for all new customers.

Why did we disable Greylisting?

New customers not familiar with Greylisting thought something was broken with our email service. They would sometimes experience delays of a couple of hours (the delay time depends on how the sending email server is set up to respond to the re-send requests).

What can customers do?

You can re-enable Greylisting.

  1. Log in to Control Panel.
  2. Click the “SmarterMail Manager” link on the left side.
  3. Click the “SmarterMail Management Login as Primary Admin” link. You will be automatically logged in as the Primary Domain Administrator.
  4. Once in the SmarterMail interface, click the “Settings” link in the left navigation (it is an icon that looks like gears).
  5. Click to expand the “Domain Settings” folder.
  6. Click “Users”.
  7. Check the box next to the account you want to enable Greylisting for and click “Edit”.
  8. Uncheck the box next to “Disable Greylisting”.
  9. Click “Save”.
  10. Repeat steps 7-9 on all the accounts you want Greylisting disabled for.

You can Get SpamExperts

Our email service, SmarterMail, comes with spam filters. You can tweak those spam filters if you want, but most customers are wary of doing that. Set your filters too strong and you risk false-positives, possibly having legitimate emails go into your spam folder.

So, we partnered with SpamExperts to offer Inbox Filtering. SpamExperts works great! In fact, we adopted it for our own corporate use. The SpamExperts spam filter engine will scrub your incoming emails and take out spam, viruses, phishing and other malicious email messages. It works great out of the box, with no tweaking – set it and forget it.

Most other spam filtering services charge for each email account. If you have 20 email accounts/users, you have to pay for 20 of them. SpamExperts, on the other hand, just charges per domain. So you can have as many email accounts/users as you want and pay just $3.95/month!

If you do decide to leave Greylisting disabled, or if you just get too much spam, we highly recommend you get SpamExperts. We did, and we love it!