Redirect HTTP to HTTPS with IIS 7
Getting onto two years ago now I wrote an article that has become quite popular that detailed three methods to redirect HTTP to HTTPS. At that time there wasn't a lot in the way of options for URL manipulation on IIS, and Helicon's ISAPI Rewrite 2 was the de facto standard. Now there are several options for rewriting URLs on IIS, and users of IIS 7 are able to take advantage of Microsoft's own URL Rewrite module. In this guide we'll look at how you can use Microsoft's URL Rewrite module to transparently redirect HTTP to HTTPS.
For this guide to work you'll need:
- IIS 7 installed
- Microsoft URL Rewrite Module installed
- HTTPS bindings created for your IIS website, with a certificate assigned
- Require SSL NOT checked under SSL Settings for your website
Once you have this done you can simply copy and paste the following code between the <rules> and </rules> tags in the web.config file in your website root directory.
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
From here all you have to do is save your web.config file and test that the redirection is working.
Hopefully this guide has helped you to enable HTTP to HTTPS redirection for your website on IIS 7 using the Microsoft URL Rewrite Module. If you have any feedback or comments please post below, and if you have specific support requests please post in the forums.
Comments
Example Config
Since my web.config didn't have any rewrite paths I figured someone may find this useful (mainly because there is a "rules" and "rule" path that has to follow properly):
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
              </conditions>
              <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>
Fails when used at application level
This worked for me in my application web.config
Help Please !!!!!!!!!!!!!!!!!!!!!11
Hi !
I have implemented this on my SSL site. It's working great! Many, many thanks!
But I have a small issue again :)
Because when someone types my site name as http://www.mywebsite.com, it adds HTTPS. That's OK.
But when a user types http://mywebsite.com, it gives an SSL certificate error, saying that the certificate was issued to another website.
My website certificate is issued to =www.mywebsite.com, not =mywebsite.com
Helpppppppppppppppppppppppppppppppppppppppp Please......!
Thanks in advance
Sandy
New certificate or rewrite to the current one?
Hi Sandy,
You have two options. Either get yourself a new certificate for mywebsite.com or alter your rewrite rules to redirect any non-www traffic to www (i.e. mywebsite.com to www.mywebsite.com).
----------------
Dominic Ryan
5 x Microsoft IIS MVP, MCSE, MCSA
IIS Aid owner/webmaster
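The second option in the reply above, written out as a rule. This is an added example, not from the article or its commenters; it assumes the web.config sits at the site root and uses www.mywebsite.com, the placeholder host from the question, as the name on the certificate. The TLS handshake completes before any rewrite rule runs, so this fixes http://mywebsite.com but not https://mywebsite.com, which still needs a certificate covering that name.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. www.mywebsite.com is a placeholder host name. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Canonical host over HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <!-- MatchAny: redirect when the request is plain HTTP OR the
               Host header is anything other than the certificate name. -->
          <conditions logicalGrouping="MatchAny">
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            <add input="{HTTP_HOST}" pattern="^www\.mywebsite\.com$" negate="true" />
          </conditions>
          <!-- The target host is a literal, so the Location header never
               echoes a client-supplied Host value. "Found" (302) matches
               the article; "Permanent" (301) is the other common choice
               once the rule has been verified. The query string is
               appended by default. -->
          <action type="Redirect" redirectType="Found"
                  url="https://www.mywebsite.com/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The match pattern is evaluated relative to the folder holding the web.config, so in an application-level web.config {R:1} does not include the application's own path.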
Slight correction
This didn't work for me in the case where the URL contains a subfolder.
For example:
http://www.example.com/admin/Default.aspx?a=b
goes to:
https://www.example.com/Default.aspx?a=b
The following should work:
    <system.webServer>
      <rewrite>
        <rules>
          <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)" /> <!-- Require SSL must be OFF in the site settings -->
            <conditions>
              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
Not working outside the server
Hi,
I did everything the article mentioned and I'm able to use the HTTP to HTTPS redirection when I try to open the site from within the server where it is hosted.
However, when I try this from the "outside world", the redirection does not work. I can access it via HTTPS, but if I try with HTTP (which should be redirected to HTTPS), the site never shows up.
Any ideas?
Thanks in advance,
Helder Conde
Sorry! It *is* working OK now
The error I mentioned before has been solved! For some reason port 80 was blocked on that particular server.
HTTP to HTTPS redirection is now working perfectly. Thanks!
Helder
HTTPS to HTTP
Hi
Just wondering if anyone knows how to have traffic say on https://mysite.com redirected to an internal address http://192.168.1.1.
I can get IIS redirect to redirect http traffic but wonder if it supports https?
Another easy way to do it
Use HTTP Redirection at IIS 7:
http://technet.microsoft.com/en-us/library/cc725815(WS.10).aspx
If this feature is not installed, add it: Server Manager -> Roles -> Web Server -> Add Role Services -> Common HTTP Features -> HTTP Redirection
Basically you just need to create an additional site that will listen to 80 (http) and set it to redirect all traffic to your original/content website which listens to 443.
NO SSL lock
When this is performed and someone goes to the http:// site, it works as far as functionality, but the SSL Lock no longer shows up in the browser window letting you know it is secure... anyone else get this?