IIS7 Redirect HTTP to HTTPS

Compare SSL Certificates

Redirecting all traffic from HTTP to HTTPS in IIS7 will make sure your users always access the site securely. There are many different ways to set up an IIS7 Redirect from HTTP to HTTPS and some are better than others. The ideal HTTP to HTTPS redirect would do the following:

Gently redirect users to HTTPS so users don’t have to type in “https” in the URL
Redirect users to the specific page that they were going to go to on HTTP (page.htm)
Save any variables passed in the query string (?page=2)
Work in all browsers
Transfer PageRank to the redirected page by using a 301 redirect, maintaining SEO
Allow specific parts of a site to force SSL but allow HTTP on other parts of the site
Redirect users from mydomain.com to www.mydomain.com

Unfortunately, there isn’t an easy way to satisfy all of these requirements, and most methods only satisfy a few of them. The best method of doing an HTTP to HTTPS redirect I’ve seen involves using ASP.Net to do the HTTP to HTTPS redirection.

But most people don’t need all of those features, so I have listed two of the best methods of redirecting HTTP to HTTPS in IIS 7. They are easy to set up and effective in most situations.

Method 1 – Using Microsoft URL Rewrite Module

For this method of redirecting from HTTP to HTTPS, you will need to do the following;

Install the Microsoft URL Rewrite Module
Install your SSL certificate in IIS 7 and bind it to your website
Make sure Require SSL is NOT checked under SSL Settings for your website (uncheck the boxes that are checked in this screenshot)
Copy and paste the following code between the <rules> and </rules> tags in your web.config file in your website root directory.
<rule name="HTTP to HTTPS redirect" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="{HTTPS}" pattern="off" ignoreCase="true" /> </conditions> <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" /> </rule>
Test the site by going to http://www.yoursite.com and making sure it redirects

Method 2 – Setting up a Custom Error Page

The second method of setting up an IIS7 redirect HTTP to HTTPS is to Require SSL on the site or part of the site and set up a custom 403.4 error page. To do this, just following these steps:

Install your SSL certificate in IIS 7 and bind it to your website
In IIS, click on the site name, and go to the SSL Settings section
Check Require SSL and Require 128-bit SSL and click Apply
After doing this, users will normally receive this error:
Create a new text file and paste the following into it:

<html> <head><title>Redirecting...</title></head> <script language="JavaScript"> function redirectHttpToHttps() { var httpURL= window.location.hostname + window.location.pathname + window.location.search; var httpsURL= "https://" + httpURL; window.location = httpsURL; } redirectHttpToHttps(); </script> <body> </body> </html>
Save the file as redirectToHttps.htm in your C:\Inetpub directory
Back in IIS, click on the site name and double-click the Error Pages option
Click Add… and enter 403.4 as the Status code. Browse for the redirectToHttps.htm file you just created and click OK
Select the error code and press Edit Feature Settings…
Click the Custom error pages option and again browse for the redirectToHttps.htm file
Test the site by going to http://www.yoursite.com and making sure it redirects

A caveat of using a custom error page to do an IIS7 redirect from HTTP to HTTPS is that the web browser must have JavaScript enabled for the redirection to work.

Other Methods to IIS7 Redirect HTTP to HTTPS:

Digg del.icio.us Reddit

Posted on September 26, 2008

Showing comments 1 to 20 of 25 | Next | Last

Tin
Posts: 23

Re: IIS7 Redirect HTTP to HTTPS
Reply #25 on : Thu July 12, 2012, 02:44:21

Thanks a lot. A combination of both solutions worked for me.

Vincent
Posts: 23

Code
Reply #24 on : Wed March 28, 2012, 10:27:12

Not sure why my code wasn't included in my previous comment but it was probably because of the html tags. Anyway let me try this again without the html tags. I was referring to the following javascript:

if(window.location.protocol != "https:"){
var oldURL = window.location.href
var newURL = oldURL.replace("http:","https:");
window.location = newURL;
}

Admin Edit: Thanks, Vincent. I added the code into your original comment.

Last Edit: March 28, 2012, 21:06:47 by siteadmin

Vincent
Posts: 23

If all else fails...
Reply #23 on : Tue March 27, 2012, 21:23:16

If you are like me and none of these solutions posted online are working for you (Yes, I've done it correctly and tried everything under the sun) there is another way to do it that is guaranteed to work because it doesn't rely on any server settings.

Unfortunately depending on how you've architected your site it might not be quick to implement. For my site it was quick because every page my visitors see is actually an "include" on one "mother" page (for lack of a better term). It's a great way to build a site by the way because you only have to define your header and menu and footer once. Anyway, so I simply added this code to the top of my mother page and voila.

if(window.location.protocol != "https:"){
var oldURL = window.location.href
var newURL = oldURL.replace("http:","https:");
window.location = newURL;
}

If you have actual unique pages that the visitors load then you have to add this code to the top of every page. A bit more tedious but it's still guaranteed to work.

Last Edit: March 28, 2012, 21:06:09 by siteadmin

Jackie Sheppard
Posts: 23

Dont do it. Method 1
Reply #22 on : Wed March 14, 2012, 18:00:26

This was very bad advice. Hosed my EMC and server. Had to call Microsoft.

???
Posts: 23

Redirection from http to https
Reply #21 on : Sun February 05, 2012, 12:53:20

For everyone having issues i simply followed this tutorial and it worked great the only thing i forgot to do was to make sure you have both bindings and once i added both binding http 80 and https 443 it worked thanks so much for a job well done

C4Gamer
Posts: 23

Thank You Mani Bhushan
Reply #20 on : Thu December 08, 2011, 14:42:15

Your solution was the simplest and works beautifully.

Thomas
Posts: 23

http to https redirection sharepoint
Reply #19 on : Wed November 30, 2011, 13:45:16

Method 1 worked great for me on our sharepoint 3 website!

Sohail
Posts: 23

Please Help
Reply #18 on : Wed October 12, 2011, 00:17:42

After doing all steps in Method 2 i faced this error someone please help.

Error Summary
HTTP Error 500.19 - Internal Server Error
Absolute physical path "C:\inetpub\redirectToHttps.htm" is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.

Evgeniy
Posts: 23

About "Lock violation" in IIS 7.5 (Method 2)
Reply #17 on : Mon August 29, 2011, 04:25:31

All you need to do is to open file "%windir%\System32\inetsrv\config\applicationHost.config" and remove defaultPath from the following line:

<httpErrors lockAttributes="allowAbsolutePathsWhenDelegated,defaultPath">

Thanks to this Thread: http://forums.iis.net/t/1159721.aspx

Samuel
Posts: 23

Re: IIS7 Redirect HTTP to HTTPS
Reply #16 on : Tue August 23, 2011, 05:01:22

how to modify the rule for subdomain redirection to https? thank you

Erik B
Posts: 23

Thanks
Reply #15 on : Thu July 28, 2011, 19:24:38

Very Helpful, thank you Mani!

Pawel
Posts: 23

Re: IIS7 Redirect HTTP to HTTPS
Reply #14 on : Fri June 17, 2011, 12:40:43

The http page redirection method no longer works in IIS 7.5 there are changes to security. You will get a lock violation error

RSM032
Posts: 23

HTTP to HTTPS Redirect
Reply #13 on : Tue June 07, 2011, 04:44:16

Thank you very much @@@ ReZolve @@@

I went through the url you provide for manually and it done with success, i was trying it for more than 15 days, but finally done by your manual guide.

Thank you very much

Somnath Chandgude
Posts: 23

IIS7 Redirect HTTP to HTTPS
Reply #12 on : Tue May 24, 2011, 04:38:09

Hi Mani Bhushan,
Your suggestion is works. I am able to redirect on HTTPS for my login page... but when I redirected in HTTPS then not able to get in HTTP. we want only https for Login.aspx page...
please advice for the same.

Rick Hicks
Posts: 23

redirect
Reply #11 on : Thu May 05, 2011, 15:43:10

Method one seems to work fine and is easily done, but what i have noticed with IE and Mozilla Firefox is that the SSL lock no longer shows up in the browser. How can myself or user be sure the session is secure?

ReZolve
Posts: 23

<rules> tag in web.config
Reply #10 on : Wed April 20, 2011, 02:58:50

To answer Dave's query, The <rules> tag goes here:
<configuration>
<system.webServer>
<rewrite>
<rules>
...
</rules>
</rewrite>
</system.webServer>
</configuration>

Or see here for how to create the rule manually: http://www.jppinto.com/2010/03/automatically-redirect-http-requests-to-https-on-iis7-using-url-rewrite-2-0/

manisha
Posts: 23

Error in redirection
Reply #9 on : Thu March 03, 2011, 23:55:42

I have used method 2 but my web site is giving the error page as "The website cannot display the page"

Please help.

Jai-Jin Lim
Posts: 23

HTTPS to HTTP redirect scenario
Reply #8 on : Tue February 15, 2011, 04:46:40

Dear whom it may concern,

When server detects the TCP connection request on its port 443, is it possible to for server to send out first the HTTP 302 redirect right after ACK and before the client initiates the SSL handshake?

kk
Posts: 23

Method 2, successful browser switch http to https
Reply #7 on : Thu February 03, 2011, 14:04:47

I did follow up method 2 to switch http to https for company website just typed-in www.***.com at URL by using IIS 7.0 on Windows 2008 server. Thank you very much for sharing knowledge.

Robert
Posts: 2

Re: IIS7 Redirect HTTP to HTTPS
Reply #6 on : Sat January 15, 2011, 09:57:13

Hi Dave,

You can add the rules tag inside the rewrite tag. See http://learn.iis.net/page.aspx/557/translate-htaccess-content-to-iis-webconfig/ for an example.

Showing comments 1 to 20 of 25 | Next | Last

IIS7 Redirect HTTP to HTTPS

Method 1 – Using Microsoft URL Rewrite Module

Method 2 – Setting up a Custom Error Page

Write a comment