Three methods to redirect HTTP to HTTPS
A few weeks ago a friend asked me what the best way was to redirect an HTTP request to HTTPS. As always, the "best" way depends entirely on the environment in which it is to be implemented. I decided to take a closer look, as this is quite a common requirement and there is no simple way to do the redirection through the IIS administration GUI. What I found is that three methods of redirection are commonly in use, all of which are discussed in this article.
Redirect via a landing page
The simplest method to redirect an HTTP request to HTTPS is to create a landing page. With this method the IIS web server accepts the HTTP request and passes it to the default document for your site (if set), which then redirects it to HTTPS. This method is easy to write, easy to deploy and generally hassle free. Below is a small PHP script which can be used to redirect an HTTP request to HTTPS.
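<?php $url = "https://" . $_SERVER['SERVER_NAME'] . ":443" . $_SERVER['REQUEST_URI']; // same host and path, over HTTPS
header("Location: " . $url); exit; // send the redirect and stop processing the page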
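A hardened variant of the landing-page script, added here as an example (it is not the author's code): it skips the redirect when the request is already HTTPS, only redirects to hostnames on an allowlist, and sends a permanent 301. The function name https_redirect_target and the ALLOWED_HOSTS values are assumptions made for illustration.

```php
<?php
// Added example. The hostnames below are constructed placeholders; list your site's real names.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return the HTTPS URL to redirect to, or null when no redirect should be sent.
 * $server is the $_SERVER array (passed in so the logic can be exercised directly).
 */
function https_redirect_target(array $server, array $allowedHosts): ?string
{
    // PHP under IIS/ISAPI sets HTTPS to "off" for plain HTTP requests,
    // so a simple non-empty check would wrongly treat HTTP as secure.
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return null; // already on HTTPS: redirecting again would loop
    }

    // SERVER_NAME can reflect the client-supplied Host header depending on
    // server configuration, so only echo it back if it is a known site name.
    $host = strtolower($server['SERVER_NAME'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0]; // fall back to the canonical name
    }

    // Keep the requested path and query string, but only if it is a plain
    // origin-form path without control characters.
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/' || preg_match('/[\x00-\x1f\x7f]/', $path)) {
        $path = '/';
    }

    return 'https://' . $host . $path;
}

$target = https_redirect_target($_SERVER, ALLOWED_HOSTS);
if ($target !== null && PHP_SAPI !== 'cli') {
    header('Location: ' . $target, true, 301); // permanent redirect
    exit;
}
```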
Redirect via a custom error
There is a shortcoming with the landing page method, though: it does not work if you have IIS set to require a secure connection for your site. The HTTP request is intercepted before it reaches your landing page, so the redirection can never take place.
However, there is a way around this. When you try to access a site via HTTP that is set to require an HTTPS connection, you are given a 403.3 error (Write access forbidden). With IIS you can define your own custom error pages or even redirect to an alternate URL. You can therefore set a custom error for the 403.3 error code that either redirects to the required HTTPS site or uses the file option to run a script such as the one above to do the redirection for you.
Redirect via URL manipulation
Although functional, the custom error method is not exactly what you'd call a clean solution. Probably the cleanest method of redirection, and my personal favorite, is to use URL manipulation to seamlessly rewrite all HTTP requests to HTTPS. The only problem is that URL manipulation is not supported in IIS without third-party tools. I use ISAPI Rewrite to do all my URL manipulation, and below you can find the code needed to redirect HTTP to HTTPS. Simply place this code in a file called httpd.ini in the root of your website and you're away.
# Defend your computer from some worm attacks
RewriteRule .*(?:global.asa|default\.ida|root\.exe|\.\.).* . [F,I,O]
# Block external access to the httpd.ini and httpd.parse.errors files
RewriteRule /httpd(?:\.ini|\.parse\.errors).* / [F,I,O]
# redirect all http requests to https
RewriteCond %HTTPS (?!on).*
RewriteCond Host: (.*)
RewriteRule (.*) https\://$1$2 [I,RP]
There are probably several other ways you can redirect HTTP to HTTPS, and I'd love to hear them if you have suggestions. However, the above three methods should get you the desired result regardless of which IIS environment you want to implement them in.