Ssl – How to enforce/redirect HTTP to HTTPS

httpsiis-6redirectssl

I've been hosting a domain on a Win2003 server for the last 3 or 4 years, but I now need to make this domain accessible only via HTTPS.

I've installed the certificate correctly and it works fine (the server hosts several domains, but this domain is hosted on a different public IP address), but I'm struggling to get IIS to just transfer all users who go to http://www.example.com to https://www.example.com.

I've found the "require secure channel" option in IIS, but checking this results in anyone who fails to type the https:// part seeing an error message (below). What's the best way to redirect users to the HTTPS site (without the user having to worry about it)?

The page must be viewed over a secure channel The page you are trying to
access is secured with Secure Sockets Layer (SSL).

Please try the following:

Type https:// at the beginning of the address you are attempting to reach
and press ENTER.

HTTP Error 403.4 – Forbidden: SSL is required to view this resource.

Best Answer

Redirecting HTTP to HTTPS using IIS

With SSL enabled, anytime you attempt to access a page via http, the server generates a 403.4 error. IIS is now configured to run your sslredirect.asp page every time this error occurs. The error page will include a querystring which contains the error number and the page causing the error, I.e. "403;http://www.whatever.com". Our ASP file uses a simple script to just trim off the beginning part (430;http), add the necessary "https", and redirect to whatever page the user requested using SSL. Voila!

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Nginx – How to redirect every https request to http in Nginx

You need to include all the ssl stuff for nginx in the server {}

You need at least

            ssl                  on;
            ssl_certificate      /etc/ssl/domain.com.crt;
            ssl_certificate_key  /etc/ssl/domain.com.key;

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Nginx – How to redirect every https request to http in Nginx

Related Topic