Best way to redirect all HTTP to HTTPS in IIS

We want ALL sites on our webserver (IIS 10) to enforce SSL (ie redirect HTTP to HTTPS).

We are currently 'Requiring SSL' on each site and setting up a 403 error handler to perform a 302 redirect to the https address for that specific site.

This works great. But it's a pain to do for every single site, there's plenty of room for human error.

Ideally I'd like to set up a permanent 301 redirect on all HTTP://* to HTTPS://*

Is there a simple way to do this in IIS ?


Solution 1:

The IIS URL Rewrite Module 2.1 for IIS7+ may be your friend. The module can be downloaded from IIS URL Rewrite. Using the URL Rewrite Module and URL Rewrite Module 2.0 Configuration Reference explain how to use the module.

Once the module is installed, you can create a host wide redirect using IIS Manager. Select URL Rewrite, Add Rule(s)..., and Blank rule.

Name:
Redirect to HTTPS

Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked

Conditions
Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked

Server Variables
Leave blank.

Action
Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)

Apply the rule and run IISReset (or click Restart in the IIS Manager)

Alternatively, after installing the module you could modify the applicationHost.config file as follows:

<system.webServer>
  <rewrite>
    <globalRules>
      <rule name="Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" ignoreCase="true" negate="false" />
        <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
          <add input="{HTTPS}" ignoreCase="true" matchType="Pattern" negate="false" pattern="OFF" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
      </rule>
    </globalRules>
  </rewrite>
</system.webServer>

Solution 2:

My research shows that this might be a better way to the redirect:

<rewrite>
    <rules>
        <rule name="http to https" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
    </rules>
</rewrite>