79

We want ALL sites on our webserver (IIS 10) to enforce SSL (ie redirect HTTP to HTTPS).

We are currently 'Requiring SSL' on each site and setting up a 403 error handler to perform a 302 redirect to the https address for that specific site.

This works great. But it's a pain to do for every single site, there's plenty of room for human error.

Ideally I'd like to set up a permanent 301 redirect on all HTTP://* to HTTPS://*

Is there a simple way to do this in IIS ?

parkamark
  • 1,118
  • 6
  • 11
userSteve
  • 1,503
  • 4
  • 20
  • 32

2 Answers2

113

The IIS URL Rewrite Module 2.1 for IIS7+ may be your friend. The module can be downloaded from IIS URL Rewrite. Using the URL Rewrite Module and URL Rewrite Module 2.0 Configuration Reference explain how to use the module.

Once the module is installed, you can create a host wide redirect using IIS Manager. Select URL Rewrite, Add Rule(s)..., and Blank rule.

Name:
Redirect to HTTPS

Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked

Conditions
Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked

Server Variables
Leave blank.

Action
Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)

Apply the rule and run IISReset (or click Restart in the IIS Manager)

Alternatively, after installing the module you could modify the applicationHost.config file as follows:

<system.webServer>
  <rewrite>
    <globalRules>
      <rule name="Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" ignoreCase="true" negate="false" />
        <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
          <add input="{HTTPS}" ignoreCase="true" matchType="Pattern" negate="false" pattern="OFF" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
      </rule>
    </globalRules>
  </rewrite>
</system.webServer>
Ryan Prechel
  • 103
  • 6
sippybear
  • 2,997
  • 1
  • 12
  • 12
  • Will this work for permanent 301 redirects ? – userSteve Jan 24 '18 at 10:03
  • @userSteve as per the answer above, you can choose the redirect type. – BE77Y Jan 24 '18 at 15:38
  • @userSteve whoops, yeah you should be able to change the *Redirect Type* to 301 and get the same results – sippybear Jan 24 '18 at 18:06
  • @userSteve any luck? – sippybear Jan 30 '18 at 00:43
  • @sippybear havent yet tested because the rewrite module will not install on IIS 10 without a registry hack which I'm reluctant to do just yet. https://stackoverflow.com/questions/35319942/url-rewrite-does-not-install-on-windows-10-iis-10 – userSteve Jan 30 '18 at 16:51
  • I found a later version of the rewrite module which works with II 10 and the above steps work great for me. Thanks ! What I've done is associated the rewrite rules with an empty 'catch all' website (HTTP empty binding). This then catches any attempts to browse to a http url that is not already bound to a site and redirects it to https. Now all I need to worry about is the bindings of each site depending on if they are https only or not - much simpler! – userSteve Jan 30 '18 at 18:10
  • 3
    @sippybear one more question - what does input="{HTTPS}" mean? Should this be {HTTP} as that will be the input and HTTP the output? – userSteve Jan 30 '18 at 18:10
  • 9
    {HTTPS} is a variable that you query to find out if the connection is secured. You can read more about it here: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference#Accessing_URL_Parts_from_a_Rewrite_Rule In this case, we're checking whether {HTTPS} is "off", and then redirecting if it is – sippybear Jan 30 '18 at 21:41
  • @sippybear I wonder if you could help my some other rewriter questions of mine? https://serverfault.com/questions/895205/redirect-www-urls-in-iis , https://serverfault.com/questions/895002/what-happens-after-a-rewrite-rule-is-processed-in-iis , https://serverfault.com/questions/895000/what-does-the-https-variable-actually-represent – userSteve Feb 01 '18 at 16:27
  • If you use `REQUEST_URI` instead of `URL` make sure you set `appendQueryString="false"` as discussed here - https://stackoverflow.com/a/48478980/846727 – Kunal Feb 16 '19 at 00:19
  • I had to use `{SERVER_NAME}` instead of `{HTTP_HOST}` in the Redirect URI. This because my `http` endpoind used port `8080`, and the `{HTTP_HOST}` included that port. So the redirect was to `https://example.com:8080` which didn't work. The `{SERVER_NAME}` variable doesn't include the port. – Floris Devreese Apr 30 '20 at 06:03
  • This sort of works. I see in Firefox dev tools network the connections are 301 redirected to HTTPS but the URL bar still shows HTTP and indicates 'not secure'. Any ideas what I'm missing? Is it necessary to implement HSTS for this to be complete? – duct_tape_coder Jun 18 '20 at 17:58
  • Thx @sippybear - I like to understand how things work and {HTTPS} matching ^OFF$ didn't twig until you mentioned it's testing a variable being equal to OFF – Rob Nicholson Mar 28 '21 at 13:50
7

My research shows that this might be a better way to the redirect:

<rewrite>
    <rules>
        <rule name="http to https" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
    </rules>
</rewrite>
KyleMit
  • 488
  • 4
  • 9
  • 21
Fallen Angel
  • 79
  • 1
  • 1
  • 4
    Can you explain why this is better? – userSteve Jun 12 '18 at 14:49
  • I am sorry I can not explain it my self, just read in few places that is syntax is better. – Fallen Angel Jun 13 '18 at 15:39
  • 2
    do you have any sources? – dangel Oct 26 '18 at 01:38
  • 1
    This is exactly the same rule as in https://serverfault.com/a/893804/7184, but written using regular expressions and Match All grouping. One upside could be that the rule expression uses rule defaults and is terser. – bzlm Dec 28 '18 at 23:11
  • I'm on IIS 10 and the selected answer didn't work for me. For some reason IIS didn't recognize the syntax as a valid rule. I pasted your code in and it worked immediately, thanks for sharing. – Jordan Ryder Jul 12 '19 at 18:46
  • 1
    @Jordan You need the Url Rewrite module to be installed on IIS, otherwise you will get 500.19 http code. – Rumplin Sep 30 '19 at 14:06
  • {R:1} did the trick for me when .net core was running inprocess and http->https redirects would get a magical second slash after the HTTP_HOST causing 404 – Yush0 Jul 13 '20 at 07:23
  • This answer is not the right one for all cases. It works only if the site is at the root. It doesn't work if you are running on a virtual folder/app. Then the parameter for the input is just the path after the virtual. The accepted answer works in both cases, root or virtual folder. – Nelson Rodriguez Sep 11 '20 at 20:26
  • https://www.ssl.com/how-to/redirect-http-to-https-with-windows-iis-10/ or simpler way – Nima Talebi Jan 03 '22 at 07:52