As a good security practice, all TechDoc traffic (and for that matter, almost all web application traffic) should be conducted over HTTPS. On Windows, TechDoc runs underneath IIS, so almost all IIS features and capabilities can be applied to the TechDoc web application. One way to enforce HTTPS is to simply set your web site to require HTTPS only. While this works, it is not very friendly to users who attempt to access TechDoc via HTTP: they simply receive an error in their web browser.
An alternate, more user-friendly approach is to leave HTTP enabled but automatically redirect all HTTP traffic to HTTPS. There are a couple of ways to do this, but the easiest and most effective way that we have found is to use Microsoft's URL Redirect Module for IIS. It works and has been tested with IIS on Windows Server 2008 R2 and Windows Server 2012 R2.
- If necessary, enable SSL on the IIS web site that TechDoc is hosted on in the normal manner.
- Use a web browser to verify that the web site works on both HTTP and HTTPS.
- Download and install Microsoft's URL Redirect Module from https://www.iis.net/downloads/microsoft/url-rewrite.
- Open IIS Manager, navigate to and click on the web site where TechDoc is hosted in the left panel to select the web site. Then double click on URL Rewrite in the center panel.
- Once URL Rewrite opens, click Add Rule(s)... on the right side.
- Once Add Rule(s) opens, select Blank rule under Inbound rules and click OK.
- Once Edit Inbound Rule opens, enter a name for the rule such as `HTTP to HTTPS Redirect`. Make sure Requested URL is set to `Matches the Pattern` and Using is set to `Regular Expressions`. For the pattern, enter `(.*)` (which is open parenthesis, period, asterisk, and close parenthesis). Make sure Ignore case is checked. Then click on the down arrow to expand Conditions.
- With Conditions expanded, make sure Logical grouping is set to `Match All`, make sure Track capture groups across conditions is unchecked, and then click Add...
- Once Add Condition opens, enter `{SERVER_PORT_SECURE}` for Condition input, make sure Check if input string is set to `Matches the Pattern`, enter `^0$` (which is circumflex, zero, and dollar sign) for Pattern, make sure Ignore case is checked, and click OK.
- Back on Edit Inbound Rule under Action, change Action type to `Redirect`, enter `https://{HTTP_HOST}/{R:1}` for Redirect URL, make sure Append query string is checked, make sure Redirect type is set to `Permanent (301)`, and then click Apply on the right side.
- After the rule has been applied, click on Back to Rules just under the Apply that you clicked in the previous step. If done correctly, your new rule should be displayed under the Inbound rules.
- Now close IIS Manager, open a web browser, and test several HTTP URLs to make sure they redirect to the HTTPS version of the URL. If they do not, retrace the steps in this article to make sure everything was done correctly.
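
For review or for repeating the setup on another server, the rule built in the steps above can also be expressed as URL Rewrite configuration, which IIS Manager typically writes to the `web.config` in the site's root folder. The fragment below is an added example, not taken from the original article or from TechDoc itself; it assumes the rule name suggested above and a `web.config` with no other rewrite rules, so merge the `<rewrite>` element into your existing file rather than replacing it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound rule: matches every requested URL path; ignoreCase mirrors the checked box -->
        <rule name="HTTP to HTTPS Redirect">
          <match url="(.*)" ignoreCase="true" />
          <!-- Logical grouping "Match All", capture tracking across conditions off -->
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <!-- SERVER_PORT_SECURE is 0 when the request did not arrive over HTTPS,
                 so requests already on HTTPS are left alone and cannot loop -->
            <add input="{SERVER_PORT_SECURE}" pattern="^0$" ignoreCase="true" />
          </conditions>
          <!-- {R:1} is the path captured by (.*); the query string is carried over -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  appendQueryString="true"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Comparing the `<rule>` element in your own `web.config` against this fragment is a quick way to spot a mistyped pattern or a missed checkbox when the redirect test in the last step fails.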