IIS7: HTTP->HTTPS Cleanly

Question

Is there a clean way to redirect all attempts to going to an HTTP:// version of a site to its HTTPS:// equivalent?

Answer can be found on James Kovac's blog: http://jameskovacs.com/2007/05/09/how-to-autoredirect-to-a-sslsecured-site-in-iis/ — cpuguru, Mar 08 '11 at 19:33
If you are on IIS 7 and on R2 [here](http://www.jppinto.com/2010/03/automatically-redirect-http-requests-to-https-on-iis7-using-url-rewrite-2-0/) is a guide which works and the most "clean" — Ujwal Parker, Sep 21 '12 at 15:37

toxaq · Accepted Answer · 2018-06-16T02:22:38.720

178

I think the cleanest way is as described here on IIS-aid.com. It's web.config only and so if you change server you don't have to remember all the steps you went through with the 403.4 custom error page or other special permissions, it just works.

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

edited Jun 16 '18 at 02:22

answered Sep 30 '11 at 02:12

toxaq

6,745
3
46
56

4

This works perfectly, and for bonus points it's completely self-contained so you don't have to create a new website as outlined in the accepted answer – WickyNilliams Jun 28 '12 at 10:42
1

Will this fire for all URLs regardless of filetype. e.g. A direct URL to a txt file? – Cheekysoft Aug 27 '13 at 16:27
9

This worked for me with the exception that I had to modify the redirect URL to https://{HTTP_HOST}{REQUEST_URI} – Andrew S Oct 24 '13 at 20:28
6

This also worked for me. I had to add the application I was running under... http://localhost/app1/ => http://{HTTP_HOST}/app1/{R:1} – RealSollyM May 06 '14 at 13:28
15

For anybody that doesn't already have a rewrite section, place the rules in the following sections of the web.config: ... – raider33 Aug 04 '14 at 02:02
16

make sure Microsoft URL Rewrite Module is installed on the IIS server – Iman Jun 30 '15 at 09:04
7

For SEO reasons you should use redirectType="Permanent". Review https://support.google.com/webmasters/answer/6033085?hl=en&ref_topic=6033084 – Niels Bosma Nov 11 '15 at 09:38
4

This does not work for me on IIS 8, it causes `ERR_TOO_MANY_REDIRECTS` in Chrome. – vaindil Jan 10 '16 at 20:20
3

The Rewrite Rule above solved my problem but it was not until I first went into SSL Settings in IIS for this domain and unchecked Require SSL (even though only Ignore was checked). – Harvey Mushman Apr 21 '16 at 19:54
FYI this should go in a `Web.config` file in the root of your website – nebffa Sep 28 '16 at 23:37
Need IIS bindings on both 443 and 80 – Savage May 17 '17 at 08:41

score 14 · Answer 2 · answered Jul 14 '16 at 08:31

14

The most easy and clean solution I found was to

In SSL Settings -> require SSL
In Error Pages -> On 403.4 error -> Redirect to the HTTPS site
In Error Pages -> Edit Features Settings... -> Set Detailed errors for local requests and custom error pages for remote request

The benefit is that it requires no extra lines of code. Downside is that it redirects you to an absolute url.

answered Jul 14 '16 at 08:31

ColacX

3,928
6
34
36

1

works perfectly (on IIS 8.5 / 2012 R2). and no tinkering with the web.config – schmendrick Oct 03 '16 at 11:22
Could you please give an example of this downside? In what circumstances would it happen and why is it a negative thing? If you could add it to your answer, that would be great. Thanks a lot! – Marcos Dimitrio Mar 03 '17 at 20:12
2

@MarcosDimitrio Im unsure since it was so long ago. but I believe when i meant that it redirects you to an absolute url i meant a "base url". For example "http"://mywebsite.com/hellokitty would be redirected to "https"://mywebsite.com thus losing some path information, this would break every existing link with extra path information. – ColacX Mar 04 '17 at 21:07

score 5 · Answer 3 · edited Jul 10 '15 at 18:38

A clean way changes only the URL scheme from http -> https and leaves everything else equivalent. It should be server-side so that there are no browser issues.

JPPinto.com has Step-By-Step instructions on how this is done, except that they use javascript (HttpRedirect.htm) instead of a server-side redirect. For some reason, I couldn't get IE run the javascript if you have ‘Show friendly HTTP error messages’ enabled, which is on by default. Another thing with the script is that redirection to path didn't work even in FF or Chrome. The script always redirects to root. (Maybe I have missed something, because it should redirect to path.)

For these reasons I have used an ASP page for the redirect. The downside is of course that this requires classic ASP to be enabled on the server.

OpsanBlog has an ASP script and instructions that work well with IIS6.

I've had a few issues using this method with IIS7. User interface issues mostly, since IIS7 makes it really easy to miss something.

First, you need to install ASP as a web server role feature.
Second, using a virtual directory didn't not work as expected in IIS7 and I didn't try to debug this. Instead, I put the file in the root folder of the site and used the url '/SSLRedirect.asp' in the 403.4 error page to reference it.
Last, the most tricky part, you must NOT enforce SSL for SSLRedirect.asp. Otherwise you'll get an 403.4 error. To do this you pick the file in IIS7 'Content View', and switch to 'Features View' so that you can edit the SSL settings for the single file and disable 'Require SSL' checkbox.

IIS manager should show the file name in the header.

The linked instructions at JPPinto.com have been updated to highlight that this does not work on IIS 7.5 or R2. They say you will get a lock violation due to changes in security in the newer versions of IIS. They suggest using the URL Rewrite 2.0 method instead (similar approach as per the answer from @toxaq). — Robert Shattock, Feb 15 '16 at 04:22

score 0 · Answer 4 · answered May 31 '17 at 11:11

0

Global.asax

protected void Application_BeginRequest()
{
if (!Context.Request.Url.AbsoluteUri.Contains("localhost") && !Context.Request.IsSecureConnection)
Response.Redirect(Context.Request.Url.ToString().Replace("http:", "https:"));
}

answered May 31 '17 at 11:11

Toolkit

10,779
8
59
68

1

I can easily get around this redirect by putting "localhost" somewhere into the URI, e.g. the query string http://yourdomain.com?localhost=true I would suggest checking the Request.Url.Host property instead – Aidy J Nov 29 '17 at 16:01

score 0 · Answer 5 · answered Dec 11 '18 at 13:46

I use classic asp (intranet) and on pages that requires login the logon include file does the redirect:

if Request.ServerVariables("SERVER_PORT_SECURE") <> "1" or Request.ServerVariables("HTTPS") <> "on" then 
    Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("URL")
end if

This of course does not include GET or POST data. So in effect it's a clean redirect to your secured page.

score -4 · Answer 6 · answered Sep 05 '08 at 17:56

-4

I think by 'cleanly' you mean like with a 300 redirect. Config for a lot of servers & languages here.

answered Sep 05 '08 at 17:56

slipsec

3,004
3
34
46

IIS7: HTTP->HTTPS Cleanly

6 Answers6

Linked