Three methods to redirect HTTP to HTTPS

A few weeks ago a friend asked me what the best way was for redirecting a HTTP request to HTTPS. As always the "best" way depends totally on the environment in which it is to be implemented into. I decided to have a bit of a closer look into this as it is quite a common requirement and there is no simple way to do this redirection through the IIS administration GUI. What I found was there are three methods of redirection commonly in use, all of which are discussed in this article.

Redirect via a landing page

The simplest method to redirect a HTTP request to HTTPS is to create a landing page. With this method the IIS web server accepts the HTTP request, passes it to the default document for your site (if set) which is then redirected to HTTPS. This method is easy to write, easy to deploy and generally very hassle free. Below is a small PHP script which can be used to redirect a HTTP request to HTTPS.

<?php
if ($_SERVER['SERVER_PORT']!=443)
{
$url = "https://". $_SERVER['SERVER_NAME'] . ":443".$_SERVER['REQUEST_URI'];
header("Location: $url");
}
?>

Redirect via a custom error

There is a shortcoming with using the landing page method though, and that is if you have IIS set to require a secure connection for your site. This is a problem because the HTTP request is intercepted prior to it reaching your landing page, so the redirection can never take place.

However there is a way around this. When you try and access a site via HTTP that is set to require a HTTPS connection you are given a 403.3 error (Write access forbidden). With IIS you can define your own custom error pages or even redirect to an alternate URL. From here you can simply set a custom error for the 403.3 error code which either redirects to the HTTPS site required, or use the file option to use a script such as above to do the redirection for you.

Redirect via URL manipulation

Although functional, the custom error method is not exactly what you'd call a clean solution. Probably the cleanest and my personal favorite method of redirection is to use URL manipulation to seamlessly rewrite all HTTP requests to HTTPS. The only problem with this is that URL manipulation is not supported in IIS without 3rd party tools. I use ISAPI Rewrite to do all my URL manipulation, and below you can find the code needed to redirect HTTP to HTTPS. Simply place this code in a file called httpd.ini in the root of your website and you're away.

[ISAPI_Rewrite]
# http://www.isapirewrite.com/
# Defend your computer from some worm attacks
RewriteRule .*(?:global.asa|default\.ida|root\.exe|\.\.).* . [F,I,O]
RepeatLimit 32
# Block external access to the httpd.ini and httpd.parse.errors files
RewriteRule /httpd(?:\.ini|\.parse\.errors).* / [F,I,O]
# redirect all http requests  to https
RewriteCond  %HTTPS (?!on).*
RewriteCond Host: (.*)
RewriteRule (.*) https\://$1$2 [I,RP]

There are probably several other ways you can redirect HTTP to HTTPS, and I'd love to hear them if you have suggestions. However, the above three methods should be able to get you the desired result regardless of what IIS environment you are wanting to implement it in.

Average rating
(12 votes)

Comments

Anonymous's picture

Thanks a lot.

...though not for the ways to change protocol, but how to define it with php.

Anonymous's picture

https redirect

I tried the 3rd option as it seems the simplest but it didn't seem to work...do I need to have the ISAPI_Rewrite application installed on the IIS server for it to work or is the httpd.ini file alone good enough?

What else am I missing?

please reply to hrokow1 @ earthlink.net as I don't check forums often.

Brashquido's picture

Sorry, I only give

Sorry, I only give personalised email support to paying customers. I hope you understand, mouths to feed and all that. As for your question, yes, for the 3rd method to work you must install a URL manipulation tool such as ISAPI Rewrite.
----------------
Dominic Ryan
4 x Microsoft IIS MVP, MCSE, MCSA
IIS Aid owner/webmaster

Anonymous's picture

Thanks

Used the landing page option at the top and it worked the first time. Thanks.

Anonymous's picture

Redirect code

Thank you very much for this redirect code it is very usefull

Anonymous's picture

Thank you!

option #1 was EXACTLY what i was looking for. just wanted certain pages https only! thanks a million!

Anonymous's picture

HTTP to HTTPS redirect

Another way to do this all within IIS is as follows:

1. remove http host headers from actual site or change existing one to say "dummy" or "notused" etc.

2. Set up new website with original host header on it and update redirect url on "Home Directory" tab to https://yoururl.

Anonymous's picture

thanks

thanks a lot

the Redirect via a landing page helped!

Anonymous's picture

for login page

Hi,
This helped me for my login page. Now If I access my login page it is always in ssl.

Thanks a lot.
Regards,
Rani

Anonymous's picture

work perfect doesnt take

work perfect doesnt take long to load up page too. u r true expert. thank you
unlockman