IIS7 Redirect HTTP to HTTPS


Redirecting all traffic from HTTP to HTTPS in IIS7 will make sure your users always access the site securely. There are many different ways to set up an IIS7 Redirect from HTTP to HTTPS and some are better than others. The ideal HTTP to HTTPS redirect would do the following:

  • Gently redirect users to HTTPS so users don’t have to type in “https” in the URL
  • Redirect users to the specific page that they were going to go to on HTTP (page.htm)
  • Save any variables passed in the query string (?page=2)
  • Work in all browsers
  • Transfer PageRank to the redirected page by using a 301 redirect, maintaining SEO
  • Allow specific parts of a site to force SSL but allow HTTP on other parts of the site
  • Redirect users from mydomain.com to www.mydomain.com

Unfortunately, there isn’t an easy way to satisfy all of these requirements, and most methods only satisfy a few of them. The best method of doing an HTTP to HTTPS redirect I’ve seen involves using ASP.Net to do the HTTP to HTTPS redirection.

But most people don’t need all of those features, so I have listed two of the best methods of redirecting HTTP to HTTPS in IIS 7. They are easy to set up and effective in most situations.

Method 1 – Using Microsoft URL Rewrite Module

For this method of redirecting from HTTP to HTTPS, you will need to do the following:

  1. Install the Microsoft URL Rewrite Module
  2. Install your SSL certificate in IIS 7 and bind it to your website
  3. Make sure Require SSL is NOT checked under SSL Settings for your website (uncheck the boxes if they are checked)

  4. Copy and paste the following code between the <rules> and </rules> tags in your web.config file in your website root directory.

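    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <!-- Match every requested path; {R:1} is the captured path -->
      <match url="(.*)" />
      <conditions>
        <!-- Only act on requests that did not arrive over HTTPS -->
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <!-- redirectType="Found" sends a 302; "Permanent" sends a 301 -->
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
    </rule>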

  5. Test the site by going to http://www.yoursite.com and making sure it redirects
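
As an added example (not code from the original article or from IIS), this Python sketch audits a web.config against the checklist at the top of the page: redirect status code, path preservation and query string preservation. The function name and the wrapper around the sample rule are assumptions; the sample is the rule from step 4, and the defaults applied are those of the URL Rewrite module.

```python
import xml.etree.ElementTree as ET

# redirectType values accepted by the URL Rewrite module and the status each sends.
STATUS = {"Permanent": 301, "Found": 302, "SeeOther": 303, "Temporary": 307}

# Constructed sample: the rule from step 4 inside the elements that surround <rules>.
SAMPLE_CONFIG = """<configuration><system.webServer><rewrite><rules>
  <rule name="HTTP to HTTPS redirect" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="off" ignoreCase="true" />
    </conditions>
    <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""


def audit_https_redirects(config_xml):
    """Return one finding dict per Redirect rule that is conditioned on {HTTPS}."""
    findings = []
    for rule in ET.fromstring(config_xml).iter("rule"):
        action = rule.find("action")
        inputs = [c.get("input", "").upper() for c in rule.iter("add")]
        if action is None or action.get("type") != "Redirect" or "{HTTPS}" not in inputs:
            continue
        url = action.get("url", "")
        # When omitted, redirectType defaults to Permanent and appendQueryString to true.
        status = STATUS.get(action.get("redirectType", "Permanent"))
        findings.append({
            "rule": rule.get("name"),
            "status": status,
            "permanent": status == 301,  # the checklist asks for a 301
            "targets_https": url.lower().startswith("https://"),
            # Heuristic: the target reuses the matched path via a back-reference.
            "keeps_path": "{R:0}" in url or "{R:1}" in url,
            "keeps_query": action.get("appendQueryString", "true").lower() != "false",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_https_redirects(SAMPLE_CONFIG):
        print(finding)
```

Run against the rule from step 4, the audit reports a 302 rather than the 301 the checklist calls for, while the path and query string are preserved.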

Method 2 – Setting up a Custom Error Page

The second method of setting up an IIS7 redirect from HTTP to HTTPS is to Require SSL on the site or part of the site and set up a custom 403.4 error page. To do this, just follow these steps:

  1. Install your SSL certificate in IIS 7 and bind it to your website
  2. In IIS, click on the site name, and go to the SSL Settings section

  3. Check Require SSL and Require 128-bit SSL and click Apply

  4. After doing this, users who browse to the site over HTTP will normally receive a 403.4 error.

  5. Create a new text file and paste the following into it:

    <html>
    <head>
    <title>Redirecting...</title>
    <script type="text/javascript">
    // Rebuild the current URL with the https scheme, keeping host, path and query string.
    function redirectHttpToHttps()
    {
        var httpURL = window.location.hostname + window.location.pathname + window.location.search;
        var httpsURL = "https://" + httpURL;
        window.location = httpsURL;
    }
    redirectHttpToHttps();
    </script>
    </head>
    <body>
    </body>
    </html>

  6. Save the file as redirectToHttps.htm in your C:\Inetpub directory
  7. Back in IIS, click on the site name and double-click the Error Pages option

  8. Click Add… and enter 403.4 as the Status code. Browse for the redirectToHttps.htm file you just created and click OK


  9. Select the error code and press Edit Feature Settings…

  10. Click the Custom error pages option and again browse for the redirectToHttps.htm file

  11. Test the site by going to http://www.yoursite.com and making sure it redirects

A caveat of using a custom error page to do an IIS7 redirect from HTTP to HTTPS is that the web browser must have JavaScript enabled for the redirection to work.

Other Methods to IIS7 Redirect HTTP to HTTPS:


Posted on September 26, 2008
Showing comments 1 to 20 of 33 | Next | Last
Cesar
Posts: 30
Comment
Lock Violation Fix
Reply #33 on : Fri March 21, 2014, 08:58:17
Don't change your applicationHost.config file because of the lock violation.

Simply use a relative path to refer to your redirectToHTTPS file in Step 8 then test. No need to do steps 9 & 10.
Robert
Posts: 3
Comment
Re: remove appended port number on the URL
Reply #32 on : Sun February 16, 2014, 11:09:41
I'm not aware of any way to do this, Jace. The port number has to remain in the URL if it is a non-standard port.
Jace
Posts: 30
Comment
remove appended port number on the URL
Reply #31 on : Tue February 11, 2014, 16:18:38
Hi Guys,

I was able to redirect http to https on a non-standard port (444) by adding a rule to the web.config. When I visit the site, site1.com, it redirects me to https://site1.com:444.

My question is, is there a way for me to hide or take away the appended port on the URL once it redirects to https?
I'm not really familiar with this, I just copied a rule from the internet and pasted it into the web.config file.

<rule name="Redirect to port 442" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="^ON$" negate="true" />
<add input="{SERVER_PORT}" pattern="^444$" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}:444/{R:0}" />
</rule>

I have used the above code to make it work for me.
Please advise.

Any help is much appreciated

jace
mjac
Posts: 30
Comment
IIS redirect
Reply #30 on : Wed January 29, 2014, 04:12:28
Thanks for help
Dan
Posts: 30
Comment
Method 2 worked at server level but not at website level
Reply #29 on : Wed January 22, 2014, 23:04:31
I couldn't get method 2 to work at the website level but when I set up the error page at the server level it was fine.
FSBarker
Posts: 30
Comment
Thanks a lot!
Reply #28 on : Fri October 04, 2013, 12:05:00
We were down to the wire at 6:30 AM and had to deal with the http to https issue, and two of us found this article. I implemented method 1 and it works like a charm! Thanks so much for a complete and concise article.
Pecos Bill
Posts: 30
Comment
Method THREE
Reply #27 on : Wed September 25, 2013, 15:33:16
In IIS7, I created a site just to redirect 80 to 443 (https). I then bound that site to 80, left the real site bound to 443 WITH SSL REQUIRED, replaced the custom error page on the new site for error 403 to respond with a 302 and entered the https path I wanted. Lastly, I removed any access to the bogus site for IIS_USER to ensure it hit the error.

None of this required the rewrite module nor any files.
chandra
Posts: 30
Comment
Thanks
Reply #26 on : Wed September 25, 2013, 06:06:22
Great help!!!
Tin
Posts: 30
Comment
Re: IIS7 Redirect HTTP to HTTPS
Reply #25 on : Thu July 12, 2012, 02:44:21
Thanks a lot. A combination of both solutions worked for me.
Vincent
Posts: 30
Comment
Code
Reply #24 on : Wed March 28, 2012, 10:27:12
Not sure why my code wasn't included in my previous comment but it was probably because of the html tags. Anyway let me try this again without the html tags. I was referring to the following javascript:

if (window.location.protocol != "https:") {
  var oldURL = window.location.href;
  var newURL = oldURL.replace("http:", "https:");
  window.location = newURL;
}

Admin Edit: Thanks, Vincent. I added the code into your original comment.
Last Edit: March 28, 2012, 21:06:47 by siteadmin  
Vincent
Posts: 30
Comment
If all else fails...
Reply #23 on : Tue March 27, 2012, 21:23:16
If you are like me and none of these solutions posted online are working for you (Yes, I've done it correctly and tried everything under the sun) there is another way to do it that is guaranteed to work because it doesn't rely on any server settings.

Unfortunately depending on how you've architected your site it might not be quick to implement. For my site it was quick because every page my visitors see is actually an "include" on one "mother" page (for lack of a better term). It's a great way to build a site by the way because you only have to define your header and menu and footer once. Anyway, so I simply added this code to the top of my mother page and voila.

if (window.location.protocol != "https:") {
  var oldURL = window.location.href;
  var newURL = oldURL.replace("http:", "https:");
  window.location = newURL;
}

If you have actual unique pages that the visitors load then you have to add this code to the top of every page. A bit more tedious but it's still guaranteed to work.
Last Edit: March 28, 2012, 21:06:09 by siteadmin  
Jackie Sheppard
Posts: 30
Comment
Don't do it. Method 1
Reply #22 on : Wed March 14, 2012, 18:00:26
This was very bad advice. Hosed my EMC and server. Had to call Microsoft.
???
Posts: 30
Comment
Redirection from http to https
Reply #21 on : Sun February 05, 2012, 12:53:20
For everyone having issues: I simply followed this tutorial and it worked great. The only thing I forgot to do was to make sure you have both bindings, and once I added both bindings, http 80 and https 443, it worked. Thanks so much for a job well done.
C4Gamer
Posts: 30
Comment
Thank You Mani Bhushan
Reply #20 on : Thu December 08, 2011, 14:42:15
Your solution was the simplest and works beautifully.
Thomas
Posts: 30
Comment
http to https redirection sharepoint
Reply #19 on : Wed November 30, 2011, 13:45:16
Method 1 worked great for me on our sharepoint 3 website!
Sohail
Posts: 30
Comment
Please Help
Reply #18 on : Wed October 12, 2011, 00:17:42
After doing all the steps in Method 2 I faced this error. Someone please help.

Error Summary
HTTP Error 500.19 - Internal Server Error
Absolute physical path "C:\inetpub\redirectToHttps.htm" is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.
Evgeniy
Posts: 30
Comment
About "Lock violation" in IIS 7.5 (Method 2)
Reply #17 on : Mon August 29, 2011, 04:25:31
All you need to do is to open file "%windir%\System32\inetsrv\config\applicationHost.config" and remove defaultPath from the following line:

<httpErrors lockAttributes="allowAbsolutePathsWhenDelegated,defaultPath">

Thanks to this Thread: http://forums.iis.net/t/1159721.aspx
Samuel
Posts: 30
Comment
Re: IIS7 Redirect HTTP to HTTPS
Reply #16 on : Tue August 23, 2011, 05:01:22
How do I modify the rule for subdomain redirection to https? Thank you.
Erik B
Posts: 30
Comment
Thanks
Reply #15 on : Thu July 28, 2011, 19:24:38
Very Helpful, thank you Mani!
Pawel
Posts: 30
Comment
Re: IIS7 Redirect HTTP to HTTPS
Reply #14 on : Fri June 17, 2011, 12:40:43
The http page redirection method no longer works in IIS 7.5; there are changes to security. You will get a lock violation error.