IIS7: HTTP->HTTPS Cleanly

Solution 1:

I think the cleanest way is as described here on IIS-aid.com. It's web.config only and so if you change server you don't have to remember all the steps you went through with the 403.4 custom error page or other special permissions, it just works.

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Solution 2:

The most easy and clean solution I found was to

  1. In SSL Settings -> require SSL

  2. In Error Pages -> On 403.4 error -> Redirect to the HTTPS site

  3. In Error Pages -> Edit Features Settings... -> Set Detailed errors for local requests and custom error pages for remote request

The benefit is that it requires no extra lines of code. Downside is that it redirects you to an absolute url.

Solution 3:

A clean way changes only the URL scheme from http -> https and leaves everything else equivalent. It should be server-side so that there are no browser issues.

JPPinto.com has Step-By-Step instructions on how this is done, except that they use javascript (HttpRedirect.htm) instead of a server-side redirect. For some reason, I couldn't get IE run the javascript if you have ‘Show friendly HTTP error messages’ enabled, which is on by default. Another thing with the script is that redirection to path didn't work even in FF or Chrome. The script always redirects to root. (Maybe I have missed something, because it should redirect to path.)

For these reasons I have used an ASP page for the redirect. The downside is of course that this requires classic ASP to be enabled on the server.

OpsanBlog has an ASP script and instructions that work well with IIS6.

I've had a few issues using this method with IIS7. User interface issues mostly, since IIS7 makes it really easy to miss something.

  • First, you need to install ASP as a web server role feature.
  • Second, using a virtual directory didn't not work as expected in IIS7 and I didn't try to debug this. Instead, I put the file in the root folder of the site and used the url '/SSLRedirect.asp' in the 403.4 error page to reference it.
  • Last, the most tricky part, you must NOT enforce SSL for SSLRedirect.asp. Otherwise you'll get an 403.4 error. To do this you pick the file in IIS7 'Content View', and switch to 'Features View' so that you can edit the SSL settings for the single file and disable 'Require SSL' checkbox.

IIS manager should show the file name in the header.