Best way to redirect all HTTP to HTTPS in IIS

redirect 301-redirect iis https http

182,237

Solution 1

The IIS URL Rewrite Module 2.1 for IIS7+ may be your friend. The module can be downloaded from IIS URL Rewrite. Using the URL Rewrite Module and URL Rewrite Module 2.0 Configuration Reference explain how to use the module.

Once the module is installed, you can create a host wide redirect using IIS Manager. Select URL Rewrite, Add Rule(s)..., and Blank rule.

Name:
Redirect to HTTPS

Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked

Conditions
Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked

Server Variables
Leave blank.

Action
Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)

Apply the rule and run IISReset (or click Restart in the IIS Manager)

Alternatively, after installing the module you could modify the applicationHost.config file as follows:

<system.webServer>
  <rewrite>
    <globalRules>
      <rule name="Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" ignoreCase="true" negate="false" />
        <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
          <add input="{HTTPS}" ignoreCase="true" matchType="Pattern" negate="false" pattern="OFF" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
      </rule>
    </globalRules>
  </rewrite>
</system.webServer>

Solution 2

My research shows that this might be a better way to the redirect:

<rewrite>
    <rules>
        <rule name="http to https" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
    </rules>
</rewrite>

182,237

userSteve

Updated on September 18, 2022

Comments

userSteve over 1 year

We want ALL sites on our webserver (IIS 10) to enforce SSL (ie redirect HTTP to HTTPS).

We are currently 'Requiring SSL' on each site and setting up a 403 error handler to perform a 302 redirect to the https address for that specific site.

This works great. But it's a pain to do for every single site, there's plenty of room for human error.

Ideally I'd like to set up a permanent 301 redirect on all HTTP://* to HTTPS://*

Is there a simple way to do this in IIS ?
- Todd Wilcox over 6 years
  
  Can't you write a script to make this change for every site which would both reduce the administrative burden and also help prevent typos and mistakes?
- Mick over 6 years
  
  The title is incorrect. I think it was intended to read "Best way to redirect all HTTP to HTTPS in IIS"
- userSteve over 6 years
  
  @ToddWilcox can you give an example of such a script?
- Admin over 5 years
  
  Don't use IIS, :D
userSteve over 6 years

Will this work for permanent 301 redirects ?
BE77Y over 6 years

@userSteve as per the answer above, you can choose the redirect type.
sippybear over 6 years

@userSteve whoops, yeah you should be able to change the Redirect Type to 301 and get the same results
sippybear over 6 years

@userSteve any luck?
userSteve over 6 years

@sippybear havent yet tested because the rewrite module will not install on IIS 10 without a registry hack which I'm reluctant to do just yet. stackoverflow.com/questions/35319942/…
userSteve over 6 years

I found a later version of the rewrite module which works with II 10 and the above steps work great for me. Thanks ! What I've done is associated the rewrite rules with an empty 'catch all' website (HTTP empty binding). This then catches any attempts to browse to a http url that is not already bound to a site and redirects it to https. Now all I need to worry about is the bindings of each site depending on if they are https only or not - much simpler!
userSteve over 6 years

@sippybear one more question - what does input="{HTTPS}" mean? Should this be {HTTP} as that will be the input and HTTP the output?
sippybear over 6 years

{HTTPS} is a variable that you query to find out if the connection is secured. You can read more about it here: docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/… In this case, we're checking whether {HTTPS} is "off", and then redirecting if it is
userSteve over 6 years

@sippybear I wonder if you could help my some other rewriter questions of mine? serverfault.com/questions/895205/redirect-www-urls-in-iis , serverfault.com/questions/895002/… , serverfault.com/questions/895000/…
userSteve almost 6 years

Can you explain why this is better?
Fallen Angel almost 6 years

I am sorry I can not explain it my self, just read in few places that is syntax is better.
dangel over 5 years

do you have any sources?
bzlm over 5 years

This is exactly the same rule as in serverfault.com/a/893804/7184, but written using regular expressions and Match All grouping. One upside could be that the rule expression uses rule defaults and is terser.
Kunal about 5 years

If you use REQUEST_URI instead of URL make sure you set appendQueryString="false" as discussed here - stackoverflow.com/a/48478980/846727
Jordan Ryder almost 5 years

I'm on IIS 10 and the selected answer didn't work for me. For some reason IIS didn't recognize the syntax as a valid rule. I pasted your code in and it worked immediately, thanks for sharing.
Rumplin over 4 years

@Jordan You need the Url Rewrite module to be installed on IIS, otherwise you will get 500.19 http code.
Floris Devreese about 4 years

I had to use {SERVER_NAME} instead of {HTTP_HOST} in the Redirect URI. This because my http endpoind used port 8080, and the {HTTP_HOST} included that port. So the redirect was to https://example.com:8080 which didn't work. The {SERVER_NAME} variable doesn't include the port.
duct_tape_coder almost 4 years

This sort of works. I see in Firefox dev tools network the connections are 301 redirected to HTTPS but the URL bar still shows HTTP and indicates 'not secure'. Any ideas what I'm missing? Is it necessary to implement HSTS for this to be complete?
Yush0 almost 4 years

{R:1} did the trick for me when .net core was running inprocess and http->https redirects would get a magical second slash after the HTTP_HOST causing 404
Nelson Rodriguez over 3 years

This answer is not the right one for all cases. It works only if the site is at the root. It doesn't work if you are running on a virtual folder/app. Then the parameter for the input is just the path after the virtual. The accepted answer works in both cases, root or virtual folder.
Huron about 3 years

Thx @sippybear - I like to understand how things work and {HTTPS} matching ^OFF$ didn't twig until you mentioned it's testing a variable being equal to OFF
Nima Talebi over 2 years

ssl.com/how-to/redirect-http-to-https-with-windows-iis-10 or simpler way