Question

Is there a clean way to redirect all attempts to go to the HTTP:// version of a site to its HTTPS:// equivalent?


Solution

I think the cleanest way is as described here on IIS-aid.com. It's web.config only and so if you change server you don't have to remember all the steps you went through with the 403.4 custom error page or other special permissions, it just works.

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

OTHER TIPS

The easiest and cleanest solution I found was to:

  1. In SSL Settings -> require SSL

  2. In Error Pages -> On 403.4 error -> Redirect to the HTTPS site

  3. In Error Pages -> Edit Features Settings... -> Set Detailed errors for local requests and custom error pages for remote requests

The benefit is that it requires no extra lines of code. The downside is that it redirects you to an absolute URL.

A clean way changes only the URL scheme from http -> https and leaves everything else equivalent. It should be server-side so that there are no browser issues.

JPPinto.com has step-by-step instructions on how this is done, except that they use JavaScript (HttpRedirect.htm) instead of a server-side redirect. For some reason, I couldn't get IE to run the JavaScript if you have 'Show friendly HTTP error messages' enabled, which is on by default. Another thing with the script is that redirection to the path didn't work even in FF or Chrome. The script always redirects to root. (Maybe I have missed something, because it should redirect to the path.)

For these reasons I have used an ASP page for the redirect. The downside is of course that this requires classic ASP to be enabled on the server.

OpsanBlog has an ASP script and instructions that work well with IIS6.

I've had a few issues using this method with IIS7. User interface issues mostly, since IIS7 makes it really easy to miss something.

  • First, you need to install ASP as a web server role feature.
  • Second, using a virtual directory didn't work as expected in IIS7 and I didn't try to debug this. Instead, I put the file in the root folder of the site and used the URL '/SSLRedirect.asp' in the 403.4 error page to reference it.
  • Last, the trickiest part: you must NOT enforce SSL for SSLRedirect.asp. Otherwise you'll get a 403.4 error. To do this, you pick the file in IIS7 'Content View' and switch to 'Features View' so that you can edit the SSL settings for the single file and clear the 'Require SSL' checkbox.

IIS manager should show the file name in the header.

Global.asax

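protected void Application_BeginRequest()
{
    // Test the host itself (needs "using System;"); a substring test on the whole URL is skipped by any request with "localhost" in its path or query.
    bool isLocalhost = string.Equals(Context.Request.Url.Host, "localhost", StringComparison.OrdinalIgnoreCase);
    // Swap only the scheme (Port = -1 selects the default HTTPS port); Replace("http:", "https:") would also rewrite "http:" inside the query string.
    if (!isLocalhost && !Context.Request.IsSecureConnection)
        Response.Redirect(new UriBuilder(Context.Request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 }.Uri.AbsoluteUri);
}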

I use classic ASP (intranet), and on pages that require login the logon include file does the redirect:

if Request.ServerVariables("SERVER_PORT_SECURE") <> "1" or Request.ServerVariables("HTTPS") <> "on" then 
    Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("URL")
end if

This of course does not include GET or POST data. So in effect it's a clean redirect to your secured page.

I think by 'cleanly' you mean like with a 300 redirect. Config for a lot of servers & languages here.
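A small checker for the "clean" criterion used in the answers above (only the scheme changes; host, path and query survive), added here as an example and not code from the thread. The host example.test and the sample responses are constructed, modelled on the outcomes the answers describe (redirect to root, query string dropped).

```python
from urllib.parse import urlsplit, urljoin

def check_redirect(request_url, status, location):
    """Return the problems found in one HTTP->HTTPS redirect; [] means clean."""
    if not location:
        return ["location: header missing"]
    problems = []
    if status not in (301, 308):
        problems.append(f"status: {status} is not a permanent redirect")
    src = urlsplit(request_url)
    # Location may be relative; resolve it against the request as a browser would.
    dst = urlsplit(urljoin(request_url, location))
    if dst.scheme != "https":
        problems.append(f"scheme: target is {dst.scheme}, not https")
    if dst.hostname != src.hostname:  # urlsplit lower-cases hostname
        problems.append(f"host: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/"):
        problems.append(f"path: {src.path or '/'} -> {dst.path or '/'}")
    if dst.query != src.query:
        problems.append(f"query: '{src.query}' -> '{dst.query}'")
    return problems

# Constructed sample responses (hypothetical host example.test), not captured traffic.
REQUEST = "http://example.test/app/page.asp?id=7"
SAMPLES = {
    "scheme_only": (301, "https://example.test/app/page.asp?id=7"),
    "to_root": (302, "https://example.test/"),
    "query_dropped": (302, "https://Example.test/app/page.asp"),
    "relative": (301, "/app/page.asp?id=7"),
}

def run_samples():
    """Check every constructed sample against the same request URL."""
    return {name: check_redirect(REQUEST, status, loc)
            for name, (status, loc) in SAMPLES.items()}

if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(f"{name:14}", "clean" if not problems else "; ".join(problems))
```

Feeding it the status and Location header from a real response to a deep URL with a query string shows at a glance which of the approaches on this page a server is actually using.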

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow