HTTP to HTTPS redirects on IIS 7.x and higher

***Updated post on 8th May 2017***

This is the most common requirement on most Exchange servers hosted on IIS: the server admins configure an HTTP to HTTPS redirect.

Today I will be discussing a few ways of doing this. I will keep updating this document as I find more ways to do so. For all the examples below, I am treating OWA as a sub-application under IIS. Here is the structure of the Web Site:

In this case, we want all the requests (both HTTP & HTTPS) to be redirected over HTTPS to the application called "OWA" under the Default Web Site.

Method 1: Using IIS URL Rewrite Module

For this you will have to install the URL Rewrite module. (FYI, this is available for IIS 7 and higher only.)

Download from here: https://www.iis.net/downloads/microsoft/url-rewrite

Once installed, the URL Rewrite module is listed under the IIS section. There are a few articles out there on this. Here are a few of them:

  1. https://www.sslshopper.com/iis7-redirect-http-to-https.html
  2. https://www.jppinto.com/2010/03/automatically-redirect-http-requests-to-https-on-iis7-using-url-rewrite-2-0/

These articles are definitely a great resource; however, I observed that they have not addressed an important factor.

As specified in the above links, add the below section in the web.config at the root of the site:

In the above rule I'm checking whether the server variable "SERVER_PORT_SECURE" is set to 1 or 0. (I'm doing a permanent redirect in the above URL; it can be changed as per the requirement.)

If you want to include the query string in the rewritten URL, then you can add appendQueryString="true" under the action section.

You can find the complete list of IIS Server variables here: https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx

SERVER_PORT_SECURE: A string that contains either 0 or 1. If the request is being handled on the secure port, then this is 1. Otherwise, it is 0.

Alternatively, the server variables "HTTPS" and "SERVER_PORT" can be used instead of the above server variable.

NOTE: Ensure the rewrite rule is disabled at each of the virtual directories/applications under the Default Web Site. Due to inheritance, the rule will cause the requests to end up in an infinite loop, calling itself repeatedly.
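
An added example, not the author's rule (which is not reproduced on this page): a web.config fragment for the root of the site covering the general case raised in the comments, where only plain-HTTP requests are redirected and the requested path and query string are kept. The rule name is made up for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config at the root of the site.
     Requires the URL Rewrite module to be installed. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- The rule name is illustrative. -->
        <rule name="HTTP to HTTPS (example)" enabled="true" stopProcessing="true">
          <!-- Match every request path. -->
          <match url="(.*)" />
          <conditions>
            <!-- Fire only for plain HTTP. A request that is already on HTTPS
                 does not match, so the rule cannot redirect to itself, even
                 when applications under the site inherit it. -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <!-- {REQUEST_URI} is the full original path plus query string, so the
               target does not depend on which web.config the rule was inherited
               into. appendQueryString="false" stops the query string from being
               appended a second time. -->
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                  appendQueryString="false" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

{HTTP_HOST} is the Host header as the client sent it, including any port, so a site bound to non-default ports needs the host and HTTPS port written out in the action URL.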

Method 2: Using IIS Default Document (a default.asp page)

In this method we will introduce a sample asp page at the root of the website and then add the following piece of code:

 

Alternatively, you could use the port numbers in the above code to achieve the same (be sure to change the port numbers as per the website configuration).

Method 3: Using IIS HTTP Redirect Module

This is one of the simplest methods, but it has a lot of limitations and ideally should not be used. Here is how we do it:

PRE-REQUISITES: HTTP Redirect module is installed and the website has a valid HTTPS binding in place.

  • Launch the IIS Manager.

  • Go to the HTTP Redirect module.

  • Fill the details as per the requirement as shown below:

This may not be ideal for all the scenarios as the user is redirected to a specified URL.

NOTE: Ensure the enforced redirection is removed from each of the virtual directories/applications under the Default Web Site. Due to inheritance, the requests will end up in an endless loop, redirecting to itself repeatedly.

Also ensure Require SSL is not checked at the root of the website under SSL Settings; this may cause an error page to be shown to users when they browse the site over HTTP. It can be enforced at the application level.

There is another way using custom error pages which has been documented here:

The author in the 2nd link claims that it doesn't work on IIS 7.5 and higher versions due to updates in the configuration security.

I haven't found the time to test and write it up and neither am I sure if the above actually works. Once I have tested I will add it up here.

Comments

  • Anonymous
    May 29, 2013
    Hi there, just wanted to point out that Ex 2013 from CU1 does this for you built in; it also does the /owa redirection.

  • Anonymous
    May 29, 2013
    That's good to know. :)

  • Anonymous
    September 16, 2013
    I did as you advised and giving this infinite loop .. what should I do to resolve?

    • Anonymous
      May 31, 2017
      Got something here: https://books.google.co.in/books?id=TJ9CAwAAQBAJ&pg=PT355&lpg=PT355&dq=how+to+remove+enforced+redirection+from+virtual+directories&source=bl&ots=egyRS2F5y4&sig=uob79P0IUguxJ0HvCSwlCldDuLg&hl=en&sa=X&ved=0ahUKEwjkwO272pnUAhXH4CYKHWH5C-wQ6AEINjAD#v=onepage&q=how%20to%20remove%20enforced%20redirection%20from%20virtual%20directories&f=false
  • Anonymous
    September 17, 2013
    Alan, which method did you use? Also, did you go through the NOTE section at the end? There is a possibility of the request going into an infinite loop if not set up correctly.

  • Anonymous
    October 04, 2013
    I have multiple local web applications hosted on an IIS server with custom ports. Only one web application is SSL enabled, on port 82. How can I redirect http://<servername / IP Address>:82 requests to https://<servername / IP Address>:82? I have recently installed an SSL certificate and it is working fine, but now the users who have bookmarked the site with http are facing an issue. Please guide.

  • Anonymous
    October 22, 2013
    Note that if you use URL Rewrite and ONLY want to redirect from http to https (e.g. http://login.test.com to https://login.test.com), then remove <add input="{SERVER_PORT_SECURE}" pattern="^1$" />

  • Anonymous
    November 13, 2013
    Thanks for the suggestion Hakan.

  • Anonymous
    February 10, 2014
    Hi Guys, just need some advice/clarification. Just wanted to ask if there is a way to take out the port number on the URL (https://testsite.com:444). I have added a redirection rule from http to https on a non-standard port (444). Thanks, jace

    • Anonymous
      November 02, 2017
      You have to specify the port if you are not using a standard protocol port like http (port 80) / https (port 443) / ftp (port 21).
  • Anonymous
    September 15, 2014
    Using Method 2 above I get redirected to HTTPS but not to my sub-directories specified after the trailing backslashes. Any idea why not?

        <%
            If Request.ServerVariables("HTTPS") = "off" Then
                Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & "/RDWeb"
            ElseIf Request.ServerVariables("HTTPS") = "on" Then
                Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & "/RDWeb"
            End If
        %>

  • Anonymous
    September 27, 2014
    Same issue as John, except I'm using Method 1. I can't get it to redirect to a subdirectory. It keeps defaulting back to the root directory, i.e. https://localhost/

    I've set the rewrite up on a subdirectory as I'm not interested in securing the whole site, only a particular subdirectory. So below is where the server takes me when I enter an address:

        http://localhost/test = https://localhost/
        http://localhost = http://localhost
        https://localhost/test = https://localhost/test

    Code below:

        <rules>
            <remove name="HTTP/S to HTTPS Redirect" />
            <rule name="HTTP/S to HTTPS Redirect" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                <match url="(.*)/test/" />
                <conditions logicalGrouping="MatchAny">
                    <add input="{SERVER_PORT_SECURE}" pattern="^1$" />
                    <add input="{SERVER_PORT_SECURE}" pattern="^0$" />
                    <add input="{HTTPS}" pattern="^OFF$" />
                </conditions>
                <serverVariables />
                <action type="Redirect" url="https://{HTTP_HOST}/test" appendQueryString="true" redirectType="SeeOther" />
            </rule>

    I've tried:

        <action type="Redirect" url="https://{HTTP_HOST}/test" .....
        <action type="Redirect" url="https://{HTTP_HOST}{R:0}" .....
        <action type="Redirect" url="https://{HTTP_HOST}{R:1}" .....
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" .....
        <action type="Redirect" url="https://{HTTP_HOST}{R:1}/test" .....
        <action type="Redirect" url="https://{HTTP_HOST}{R:1}/test/" .....

        redirectType="SeeOther"
        redirectType="Permanent"
        redirectType="Found"

    Any ideas on what I'm doing wrong? Thanks! Troy

  • Anonymous
    February 03, 2015
    I found that having Require SSL ticked on for the web site prevented any rules from working.

  • Anonymous
    March 17, 2015
    I've struggled with the infinite loop issue for a while now and this post was the only one I found that mentions something about it. "Ensure the rewrite rule is disabled at each of the virtual directories/applications under the Default Web Site. Due to inheritance, the rule will cause the requests to end up in infinite loop calling itself repeatedly." How would you go about fixing this if you didn't have access to IIS, say for example hosting a site in a shared hosting environment or a cloud service such as Azure?

  • Anonymous
    March 20, 2015
    @Werner you do have access to IIS on Cloud Services. Launch a run prompt and type "inetsrv". This will take you to the default installation folder of IIS. Under this, browse to the config folder. Here you will find the ApplicationHost.config. This is the config file used by IIS. You could also type "inetmgr", which would launch the IIS Manager console. HTH

  • Anonymous
    May 27, 2015
    The ASP redirect works perfectly for some basic OWA port redirection... just remember to install the ASP feature on the web server though, as it took me far longer than it should have to realise that's why it wasn't working at first haha!

  • Anonymous
    June 15, 2015
    This works perfectly; the only issue I have now is that it is also trying to redirect to https when I'm running on localhost. I have to comment out that section in web.config in order to continue working. How do I redirect ONLY when the application is deployed on the server and not when it is running on localhost? Thanks

  • Anonymous
    June 16, 2015
    Hi, regarding my previous comment. I found a way to accomplish this. Instead of adding this rule in Web.config, I add it to Web.Release.config under <system.webServer>, and it is only active when I deploy the application to the server. Oh, and I'm using Method 1 by the way.

        <system.webServer>
            <rewrite xdt:Transform="Insert">
                .............
            </rewrite>
        </system.webServer>

    Thanks

  • Anonymous
    July 26, 2015
    Thanks, method 1 works well for me. A slight variation on that is to create the rule via URL Rewrite within the IIS Manager (if you don't have easy access to the Web.config code itself). The steps I found to work are here www.meltedbutter.net/wp though the end result is still the same, eg the module adds the required text to the site's Web.config, as such you may need to ensure you've downloaded an updated copy of the web.config (otherwise if you make changes and re-upload it from dev you may overwrite the new rule and lose the redirect).

  • Anonymous
    August 11, 2015
    Hitting the Redirect Loop issue which you took the time to advise watching out for. Trying to use Url Rewrite method. But I don't comprehend your suggested fix. I can find the ApplicationHost.config file, but what good is the knowledge of the location of that file? How do I fix it?

  • Anonymous
    August 13, 2015
    For what it's worth, only way I got this to work was to not require SSL, and to redirect to this instead:  https://{HTTP_HOST}{HTTP_URL}

  • Anonymous
    December 14, 2015
    The IIS URL Rewrite module seems perfect except that it breaks client side caching.  I know this is an old post, but does anyone know if there is a way to fix this?  

  • Anonymous
    December 21, 2015
    Hello Kaushal, I have tried the third option above but am getting an "Uncaught ReferenceError: WebForm_DoPostBackWithOptions is not defined" error. I need to redirect http to https. It's working if I use your method, but when I click any link button or anything I am getting the error above. Please let me know if you have any solution for this.

  • Anonymous
    December 22, 2015
    What is the solution if we want to keep port 80 blocked?

  • Anonymous
    January 01, 2016
    I finally got the Redirect to work correctly! The problem: The redirect works for ALL bindings on a site. So if you add a redirect to a https://... and both http and https are both bound to the same site, then after the redirect from http to https occurs, https also redirects to https! Thus the endless loop. The fix: Create two sites, one for the redirect which has bindings ONLY for http, and then a second site which has bindings ONLY for https. Magic, it now works because the secure site has no redirect. Everything which comes in on http goes to the insecure site, which redirects to the secure site. Everything which goes to the secure site stays at the secure site. This IS the correct way to redirect from http to https.

  • Anonymous
    January 05, 2016
    Way to start the New Year @Greg Gum! He is correct. This is definitely the easiest way to redirect without the need to create and place new redirect files.

  • Anonymous
    January 10, 2016
    @Greg. that is the correct way. Ensure the redirection is a permanent redirect i.e., 301. belated new year wishes :)

  • Anonymous
    April 13, 2016
    I tried to print this page and got blank on every page, using both IE and Chrome. I had to copy and paste it into Word.

  • Anonymous
    August 11, 2016
    Method 2 works fine with brackets

  • Anonymous
    October 06, 2016
    This is perfectly working for me. Thanks for suggestion.

  • Anonymous
    November 30, 2016
    Using IIS 8.5 and the URL Rewrite you provide, it redirects to the root of the site and removes the subfolder portion of the URL.

        http://test.example.edu/folder1/folder2/
    redirects to
        https://test.example.edu

    I have the rewrite in the subfolder "folder2" above, so how can we have it redirect to the same subfolder? I also have Windows Authentication enabled for this folder. Thanks

  • Anonymous
    December 13, 2016
    We have a website that needs to be redirected from http to https, but port 80 is disabled (recent company policy). My understanding is that none of the above solutions will work; is that the right assessment?

  • Anonymous
    March 17, 2017
    Excellent article, thanks for sharing

  • Anonymous
    April 19, 2017
    Your example, although helpful, is WAY too specific to a single application, yet the title of your post implies this is a generic solution. Had you considered that some of us (nay, maybe most of us) simply want to redirect from http to https, you could have written this with that in mind, OR titled your post appropriately! So, if I have this correct, in Method 1, you are redirecting BOTH http AND https to a single https path. YES! This will cause an infinite redirect all by itself, especially if you have other virtual directories. Hakan makes this suggestion in the comments, and you even acknowledged it, yet did NOT rewrite your post to make this clear? WOW! Perhaps you should delete this post and redirect this thread to https://blogs.technet.microsoft.com/dawiese/2016/06/07/redirect-from-http-to-https-using-the-iis-url-rewrite-module/

    • Anonymous
      May 08, 2017
      Thanks for pointing out. I am not working on IIS much these days. I have edited the rule to work correctly now. Thanks for the feedback.
      • Anonymous
        August 10, 2017
        Please help me. I have the exact code in method 2 but my code keeps returning "500 Internal Server Error". I have been struggling for days without success. My site is hosted with godaddy.
  • Anonymous
    May 28, 2017
    of course like your web-site however you have to test the spelling on quite a few of your posts. A number of them are rife with spelling problems and I in finding it very bothersome to tell the truth on the other hand I will surely come back again.

    • Anonymous
      June 07, 2017
      Thanks for the feedback. I will have to accept that I have been lazy enough to not correct the spelling mistakes.
  • Anonymous
    May 29, 2017
    This piece of writing is genuinely a good one it helps new net people, who are wishing in favor of blogging.

  • Anonymous
    May 31, 2017
    I'm really loving the theme/design of your blog. Do you ever run into any internet browser compatibility problems? A handful of my blog visitors have complained about my site not working correctly in Explorer but looks great in Firefox. Do you have any solutions to help fix this problem?

  • Anonymous
    June 02, 2017
    Excellent article, thanks for sharing

  • Anonymous
    June 29, 2017
    Is Method #1 the most suitable way to make sure the user is browsing securely on the website, say when the user types something like example.com or example.com/page1/innerpage1 into the browser address bar?

  • Anonymous
    July 25, 2017
    Have you ever thought about including a little bit more than just your articles? I mean, what you say is fundamental and all. Nevertheless think of if you added some great photos or videos to give your posts more, "pop"! Your content is excellent but with pics and clips, this website could definitely be one of the best in its field. Wonderful blog!

    • Anonymous
      October 04, 2017
      Thanks for the feedback. I will include pics and try to come up with videos as time permits.
  • Anonymous
    August 09, 2017
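    Or you just use a simple JavaScript code to redirect:

        var url = window.location.href;
        // Replace only a leading "http:" so a URL that is already https:// is left untouched.
        if (url.indexOf('http:') === 0) {
            url = url.replace(/^http:/, 'https:');
            window.location.replace(url);
        }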

    • Anonymous
      October 04, 2017
      Not a clean solution, as it may not work as this has a client side dependency.
  • Anonymous
    August 12, 2017
    Thanks, using URL Rewrite solved my problem, but it was not clear for me because I'm not a professional. I found this step-by-step guide, which may be helpful for other guys here: https://www.day.ir/en-us/articles/ssl/redirect-http-https

  • Anonymous
    November 07, 2017
    We have added an SSL certificate at the domain level. Therefore, all applications under the Default Web Site are HTTPS enabled only. However, we want to redirect all HTTP traffic through HTTPS. Is the option of configuring HTTP Redirect with a redirect URL appropriate for our scenario, instead of configuring each application/website? How secure is the HTTP Redirect method? Should we use URL Rewrite?

  • Anonymous
    January 16, 2018
    Hey very cool site!! Man .. Excellent .. Superb .. I'll bookmark your website and take the feeds also? I am satisfied to seek out numerous useful info here in the post, we want work out extra techniques on this regard, thanks for sharing. . . . . .

  • Anonymous
    January 17, 2018
    Hi, I am using your URL rewrite and it works fine for some cases.

    This works fine:
        http://mydomain.com/a/b redirects to https://mydomain.com/a/b

    But the following doesn't work as expected:
        http://mydomain.com/a/b?p=1 redirects to https://mydomain.com/a/b?p=1&p=1

    Note how the query string got duplicated. I have played around with the appendQueryString attribute but get the same result whether true or false. Am I doing something wrong? Also, thanks for your blog post. Cheers

    • Anonymous
      January 22, 2018
      Can you try to change the URL under actions to this: "https://{HTTP_HOST}/{R:0}"