3

In IIS7.5, I have a URL Rewrite rule that redirects http requests to https. If I check "Require SSL", I get a 403 Unauthorized instead of a redirect, which makes sense.

Is there a way to use them together? Would there even be a benefit? I'm assuming no since every http request would be redirected, but I'm checking here in case I'm wrong.

Is this secure?

Ivy
  • 887
  • 1
  • 7
  • 25

1 Answers1

5

The 2 options work a very different way.

If you use the Require SSL option, every single page of your website has to be accessed by HTTPS and it means that (as you have seen it), if you forget the HTTPS and try to access with HTTP, you will have a 403 Unauthorized.

If you use the URL Rewrite Module, you can setup some pages or your whole website to be redirected to HTTPS (and some part back to HTTP if needed), and if a user forgets the HTTPS and hits the HTTP, he/she will be redirected to the HTTPS url.

As of having them to work together, there is a solution, but I don't really see the point:

[...] you will need to disable “Require SSL” checkbox for the web site. If you do not want to do that, then you can create two web sites in IIS – one with http binding and another with https binding – and then add this rule to the web.config file of the site with http binding.

http://blogs.iis.net/ruslany/archive/2009/04/08/10-url-rewriting-tips-and-tricks.aspx
(Section 4. Redirect to HTTPS)

cheesemacfly
  • 11,622
  • 11
  • 53
  • 72
  • That's what I thought. Just didn't want anyone to be able to get to something they shouldn't be able to get to based on an assumption that it was safe. Thanks – Ivy Mar 11 '13 at 19:00
  • 1
    If you want to be 100% sure, you can use them together with the 2 websites on different bindings. That said, I have never seen the URL Rewrite Module fails with the HTTP/HTTPS handling. – cheesemacfly Mar 11 '13 at 19:08