Redirect HTTP to HTTPS with IIS 7

Getting onto two years ago now I wrote an article that has become quite popular that detailed three methods to redirect HTTP to HTTPS. At that time there wasn't a lot in the way of options for URL manipulation on IIS, and Helicon's ISAPI Rewrite 2 was the de facto standard. Now there are several options for rewriting URL's on IIS, and users of IIS 7 are able to take advantage of Microsoft's own URL Rewrite module. In this guide we'll look at how you can use Microsoft's URL rewrite module to transparently redirect HTTP to HTTPS.

For this guide to work you'll need;

  • IIS 7 installed
  • Microsoft URL Rewrite Module installed
  • Create HTTPS bindings to your IIS website and assign certificate
  • Ensure Require SSL is NOT checked under SSL Settings for your website

Once you have this done you can simply copy and paste the following code between the <rules> and </rules> tags in your your web.config file in your website root directory.

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="off" ignoreCase="true" />
    </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

From here all you have to do is save your web.config file and test that the redirection is working.

Hopefully this guide has helped you to enabled HTTP to HTTPS redirection for your website on IIS 7 using the Microsoft URL Rewrite Module. If you have any feedback or comments please post below, and if you have specific support requests please post in the forums.

Average rating
(8 votes)

Comments

VPuccetti's picture

Example Config

Since my web.config didn't have any rewrite paths I figured someone may find this useful (mainly because there is a "rules" and "rule" path that has to follow properly):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>

Anonymous's picture

Fails when used at application level

This worked for me in my application web.config











Anonymous's picture

Help Please !!!!!!!!!!!!!!!!!!!!!11

Hi !
I have implemented this on my SSL site, It working great ! many many thanks!

But I have small issue again :)

please explain ?

Coz, When someone types my site name as http://www.mywebsite.com , It adds HTPS , Thats OK.

But when user types http://mywebsite.com

It gives SSL certificate error ,Saying that Certificate was issued to another website.

My Website certificate is issued to =www.mywebsite.com not =mywebsite.com

Helpppppppppppppppppppppppppppppppppppppppp Please......!

Thanks in adavnce
Sandy

Brashquido's picture

New certificate or rewrite to the current one?

Hi Sandy,

You have two options. Either get yourself a new certificate for mywebsite.com or alter your rewrite rules to redirect any non www traffic to www (i.e mywebsite.com to www.mywebsite.com)
----------------
Dominic Ryan
5 x Microsoft IIS MVP, MCSE, MCSA
IIS Aid owner/webmaster

Anonymous's picture

Slight correction

This didn't work for me in the case where the url contains a subfolder.

for example:

http://www.example.com/admin/Default.aspx?a=b

goes to:

https://www.example.com/Default.aspx?a=b

The following should work:

    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" /> <!-- Require SSL must be OFF in the site settings -->
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

Anonymous's picture

Not working outside the server

Hi,

I did everything the article mentioned and I'm able to use the HTTP to HTTPS redirection when I try to open the site from within the server where it is hosted.

However, when I try this from the "outside world", the redirection does not work. I can access it via HTTPS, but if I try with HTTP (which should be redirected to HTTPS), the site never shows up.

Any ideas?

Thanks in advance,

Helder Conde

Anonymous's picture

Sorry! It *us* working OK now

The error I mentioned before has been solved! For some reason port 80 was blocked on that particular server.

HTTP to HTTPS redirection is now working perfectly. Thanks!

Helder

Anonymous's picture

HTTPS to HTTP

Hi

Just wondering if anyone knows how to have traffic say on https://mysite.com redirected to an internal address http://192.168.1.1.

I can get IIS redirect to redirect http traffic but wonder if it supports https?

Anonymous's picture

Another easy way to do it

Use HTTP Redirection at IIS 7:

http://technet.microsoft.com/en-us/library/cc725815(WS.10).aspx

If this feature is not installed, add it: Server Manager -> Roles -> Web Server -> Add Role Services -> Common HTTP Features -> HTTP Redirection

Basically you just need to create an additional site that will listen to 80 (http) and set it to redirect all traffic to your original/content website which listens to 443.

Anonymous's picture

NO SSL lock

When this is performed and someone goes to the http:// site, it works as far as functionality, but the SSL Lock no longer shows up in the browser window letting you know it is secure... anyone else get this?