Iis – Best way to redirect all HTTP to HTTPS in IIS

301-redirecthttphttpsiisredirect

We want ALL sites on our webserver (IIS 10) to enforce SSL (ie redirect HTTP to HTTPS).

We are currently 'Requiring SSL' on each site and setting up a 403 error handler to perform a 302 redirect to the https address for that specific site.

This works great. But it's a pain to do for every single site, there's plenty of room for human error.

Ideally I'd like to set up a permanent 301 redirect on all HTTP://* to HTTPS://*

Is there a simple way to do this in IIS ?

Best Answer

The IIS URL Rewrite Module 2.1 for IIS7+ may be your friend. The module can be downloaded from IIS URL Rewrite. Using the URL Rewrite Module and URL Rewrite Module 2.0 Configuration Reference explain how to use the module.

Once the module is installed, you can create a host wide redirect using IIS Manager. Select URL Rewrite, Add Rule(s)..., and Blank rule.

Name:
Redirect to HTTPS

Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked

Conditions
Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked

Server Variables
Leave blank.

Action
Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)

Apply the rule and run IISReset (or click Restart in the IIS Manager)

Alternatively, after installing the module you could modify the applicationHost.config file as follows:

<system.webServer>
  <rewrite>
    <globalRules>
      <rule name="Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" ignoreCase="true" negate="false" />
        <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
          <add input="{HTTPS}" ignoreCase="true" matchType="Pattern" negate="false" pattern="OFF" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
      </rule>
    </globalRules>
  </rewrite>
</system.webServer>

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

How to do a 301 redirect from http to https in a domino server

The 'Redirect TCP to SSL' option is on the Security tab of the WebSite/Internet Site document. However, I just checked this with Fiddler and it uses a 302 response code, not a 301.

Open the Internet Sites doc in question and click the Web Site... -> Create Rule button. Set the following field values:

Description: 301 Redir to SSL
Type of rule: Redirection
Incoming URL pattern: /*
Redirect to this URL: https://www.example.com/*
Send 301 Redirect: (checked)

Be sure to restart the HTTP task for these changes to take effect.

Further documentation on this can be found at the following links:
Creating a Web Site Rule document
Http 301 Redirection

Best Answer

Related Solutions

Nginx – In Nginx, how can I rewrite all http requests to https while maintaining sub-domain

Correct way in new versions of nginx

How to do a 301 redirect from http to https in a domino server

Related Topic