89

We want ALL sites on our webserver (IIS 10) to enforce SSL (ie redirect HTTP to HTTPS).

We are currently 'Requiring SSL' on each site and setting up a 403 error handler to perform a 302 redirect to the https address for that specific site.

This works great. But it's a pain to do for every single site, there's plenty of room for human error.

Ideally I'd like to set up a permanent 301 redirect on all HTTP://* to HTTPS://*

Is there a simple way to do this in IIS ?

4
  • Can't you write a script to make this change for every site which would both reduce the administrative burden and also help prevent typos and mistakes? Commented Jan 23, 2018 at 14:03
  • 1
    The title is incorrect. I think it was intended to read "Best way to redirect all HTTP to HTTPS in IIS" Commented Jan 24, 2018 at 5:48
  • @ToddWilcox can you give an example of such a script? Commented Jan 24, 2018 at 10:02
  • Don't use IIS, :D Commented Oct 17, 2018 at 14:43

2 Answers 2

125
+50

The IIS URL Rewrite Module 2.1 for IIS7+ may be your friend. The module can be downloaded from IIS URL Rewrite. Using the URL Rewrite Module and URL Rewrite Module 2.0 Configuration Reference explain how to use the module.

Once the module is installed, you can create a host wide redirect using IIS Manager. Select URL Rewrite, Add Rule(s)..., and Blank rule.

Name:
Redirect to HTTPS

Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked

Conditions
Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked

Server Variables
Leave blank.

Action
Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)

Apply the rule and run IISReset (or click Restart in the IIS Manager)

Alternatively, after installing the module you could modify the applicationHost.config file as follows:

<system.webServer> <rewrite> <globalRules> <rule name="Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true"> <match url="*" ignoreCase="true" negate="false" /> <conditions logicalGrouping="MatchAny" trackAllCaptures="false"> <add input="{HTTPS}" ignoreCase="true" matchType="Pattern" negate="false" pattern="OFF" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" /> </rule> </globalRules> </rewrite> </system.webServer> 
16
  • Will this work for permanent 301 redirects ? Commented Jan 24, 2018 at 10:03
  • @userSteve as per the answer above, you can choose the redirect type. Commented Jan 24, 2018 at 15:38
  • @userSteve whoops, yeah you should be able to change the Redirect Type to 301 and get the same results Commented Jan 24, 2018 at 18:06
  • 4
    @sippybear one more question - what does input="{HTTPS}" mean? Should this be {HTTP} as that will be the input and HTTP the output? Commented Jan 30, 2018 at 18:10
  • 11
    {HTTPS} is a variable that you query to find out if the connection is secured. You can read more about it here: docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/… In this case, we're checking whether {HTTPS} is "off", and then redirecting if it is Commented Jan 30, 2018 at 21:41
8

My research shows that this might be a better way to the redirect:

<rewrite> <rules> <rule name="http to https" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="{HTTPS}" pattern="^OFF$" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" /> </rule> </rules> </rewrite> 
9
  • 5
    Can you explain why this is better? Commented Jun 12, 2018 at 14:49
  • 2
    do you have any sources? Commented Oct 26, 2018 at 1:38
  • 1
    This is exactly the same rule as in serverfault.com/a/893804/7184, but written using regular expressions and Match All grouping. One upside could be that the rule expression uses rule defaults and is terser. Commented Dec 28, 2018 at 23:11
  • 1
    @Jordan You need the Url Rewrite module to be installed on IIS, otherwise you will get 500.19 http code. Commented Sep 30, 2019 at 14:06
  • 1
    This answer is not the right one for all cases. It works only if the site is at the root. It doesn't work if you are running on a virtual folder/app. Then the parameter for the input is just the path after the virtual. The accepted answer works in both cases, root or virtual folder. Commented Sep 11, 2020 at 20:26

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.