Setting up an HTTP/HTTPS redirect in IIS
Once the SSL certificate is installed, your site still remains accessible via a regular insecure HTTP connection. To connect securely, visitors must specify the https:// prefix manually when entering your site’s address in their browsers.
To force a secure connection on your website, you need to set up an HTTP-to-HTTPS redirection rule. This way, anyone who enters your site using a link like “yourdomain.com” will be redirected to “https://yourdomain.com” or “https://www.yourdomain.com” (depending on your choice), so that traffic between the server and the client is encrypted.
Below are the steps to set up an IIS HTTPS redirect:
- Download and install the “URL Rewrite” module.
- Open the “IIS Manager” console and select the website you would like to apply the redirection to in the left-side menu.
- Double-click on the “URL Rewrite” icon.
- Click “Add Rule(s)” in the right-side menu.
- Select “Blank Rule” in the “Inbound” section, then press “OK”.
- Enter any rule name you wish.
- In the “Match URL” section:
– Select “Matches the Pattern” in the “Requested URL” drop-down menu
– Select “Regular Expressions” in the “Using” drop-down menu
– Enter the following pattern in the “Match URL” section: “(.*)”
– Check the “Ignore case” box
- In the “Conditions” section, select “Match all” under the “Logical Grouping” drop-down menu and press “Add”.
- In the prompted window:
– Enter “{HTTPS}” as a condition input
– Select “Matches the Pattern” from the drop-down menu
– Enter “^OFF$” as a pattern
– Press “OK”
- In the “Action” section, select “Redirect” as the action type and specify the following for “Redirect URL”: https://{HTTP_HOST}{REQUEST_URI}
- Check the “Append query string” box.
- Select the Redirection Type of your choice. The whole “Action” section should look like this:
- Click on “Apply” on the right side of the “Actions” menu.
The IIS redirect can be checked by accessing your site with http:// specified in the URL. To make sure that your browser is not displaying a cached version of your site, you can use the browser's private (anonymous) mode.
The rule is created in IIS, but the site is still not redirected to https://
Normally, the redirection rule gets written into the web.config file located in the document root directory of your website. If the redirection does not work for some reason, make sure that web.config exists and check if it contains the appropriate rule.
To do this, follow these steps:
- In the sites list of IIS, right-click on your site. Choose the “Explore” option.
- “Explore” will open the document root directory of the site. Check if the web.config file is there.
- The web.config file must have the following code block:
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect every request that arrived over plain HTTP ({HTTPS} is "off") -->
        <rule name="HTTPS force" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
- If the web.config file is missing, you can create a new .txt file, put the code above into it, save it, and then rename the file to web.config.
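The web.config check described in this troubleshooting section can also be scripted. The PowerShell function below is an added example, not part of the original article or of IIS. The function name Test-HttpsRedirectRule and the temporary file name are assumptions made for illustration, and the sample web.config is constructed to mirror the rule above.

```powershell
# Added example: audit a web.config for a working HTTP-to-HTTPS redirect rule.
# Test-HttpsRedirectRule is a hypothetical helper name, not an IIS cmdlet.
function Test-HttpsRedirectRule {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return "FAIL: $Path not found" }
    try { $xml = [xml](Get-Content -LiteralPath $Path -Raw) }
    catch { return 'FAIL: not well-formed XML (typographic quotes pasted from a web page?)' }
    if (-not $xml) { return 'FAIL: file is empty' }

    foreach ($rule in $xml.SelectNodes('/configuration/system.webServer/rewrite/rules/rule')) {
        $name   = $rule.GetAttribute('name')
        $action = $rule.SelectSingleNode('action')
        # Only rules that redirect to an https:// URL are of interest here.
        if (-not $action -or $action.GetAttribute('type') -ne 'Redirect') { continue }
        if ($action.GetAttribute('url') -notlike 'https://*') { continue }

        if ($rule.GetAttribute('enabled') -eq 'false') { "WARN: rule '$name' is disabled"; continue }
        # Without an {HTTPS} condition the rule also fires on HTTPS requests and loops.
        $cond = $rule.SelectSingleNode("conditions/add[@input='{HTTPS}']")
        if (-not $cond) { "WARN: rule '$name' has no {HTTPS} condition"; continue }
        # {HTTPS} is "off" for plain HTTP requests, so the pattern must match that value.
        if ('off' -notmatch $cond.GetAttribute('pattern')) {
            "WARN: rule '$name' pattern does not match 'off'"; continue
        }
        return "OK: rule '$name' redirects HTTP to HTTPS (redirectType=$($action.GetAttribute('redirectType')))"
    }
    'FAIL: no enabled HTTP-to-HTTPS redirect rule found'
}

# Constructed sample input mirroring the rule from this article.
$sample = @'
<configuration><system.webServer><rewrite><rules>
  <rule name="HTTPS force" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
  </rule>
</rules></rewrite></system.webServer></configuration>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'web.config.sample'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Test-HttpsRedirectRule -Path $tmp
Remove-Item -LiteralPath $tmp
```

To audit a real site, pass the path of the web.config in the folder that “Explore” opens instead of the temporary sample file.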