Best way to redirect all HTTP to HTTPS in IIS
Solution 1
The IIS URL Rewrite Module 2.1 for IIS7+ may be your friend. The module can be downloaded from IIS URL Rewrite. Using the URL Rewrite Module and URL Rewrite Module 2.0 Configuration Reference explain how to use the module.
Once the module is installed, you can create a host wide redirect using IIS Manager. Select URL Rewrite, Add Rule(s)..., and Blank rule.
Name:
Redirect to HTTPS
Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked
Conditions
Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked
Server Variables
Leave blank.
Action
Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)
Apply the rule and run IISReset (or click Restart in the IIS Manager)
Alternatively, after installing the module you could modify the applicationHost.config file as follows:
<system.webServer>
<rewrite>
<globalRules>
<rule name="Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" ignoreCase="true" negate="false" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="false">
<add input="{HTTPS}" ignoreCase="true" matchType="Pattern" negate="false" pattern="OFF" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
</globalRules>
</rewrite>
</system.webServer>
Solution 2
My research shows that this might be a better way to the redirect:
<rewrite>
<rules>
<rule name="http to https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
Related videos on Youtube
userSteve
Updated on September 18, 2022Comments
-
userSteve over 1 year
We want ALL sites on our webserver (IIS 10) to enforce SSL (ie redirect HTTP to HTTPS).
We are currently 'Requiring SSL' on each site and setting up a
403 error
handler to perform a302 redirect
to the https address for that specific site.This works great. But it's a pain to do for every single site, there's plenty of room for human error.
Ideally I'd like to set up a permanent
301 redirect
on allHTTP://*
toHTTPS://*
Is there a simple way to do this in IIS ?
-
Todd Wilcox over 6 yearsCan't you write a script to make this change for every site which would both reduce the administrative burden and also help prevent typos and mistakes?
-
Mick over 6 yearsThe title is incorrect. I think it was intended to read "Best way to redirect all HTTP to HTTPS in IIS"
-
userSteve over 6 years@ToddWilcox can you give an example of such a script?
-
Admin over 5 yearsDon't use IIS, :D
-
-
userSteve over 6 yearsWill this work for permanent 301 redirects ?
-
BE77Y over 6 years@userSteve as per the answer above, you can choose the redirect type.
-
sippybear over 6 years@userSteve whoops, yeah you should be able to change the Redirect Type to 301 and get the same results
-
sippybear over 6 years@userSteve any luck?
-
userSteve over 6 years@sippybear havent yet tested because the rewrite module will not install on IIS 10 without a registry hack which I'm reluctant to do just yet. stackoverflow.com/questions/35319942/…
-
userSteve over 6 yearsI found a later version of the rewrite module which works with II 10 and the above steps work great for me. Thanks ! What I've done is associated the rewrite rules with an empty 'catch all' website (HTTP empty binding). This then catches any attempts to browse to a http url that is not already bound to a site and redirects it to https. Now all I need to worry about is the bindings of each site depending on if they are https only or not - much simpler!
-
userSteve over 6 years@sippybear one more question - what does input="{HTTPS}" mean? Should this be {HTTP} as that will be the input and HTTP the output?
-
sippybear over 6 years{HTTPS} is a variable that you query to find out if the connection is secured. You can read more about it here: docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/… In this case, we're checking whether {HTTPS} is "off", and then redirecting if it is
-
userSteve over 6 years@sippybear I wonder if you could help my some other rewriter questions of mine? serverfault.com/questions/895205/redirect-www-urls-in-iis , serverfault.com/questions/895002/… , serverfault.com/questions/895000/…
-
userSteve almost 6 yearsCan you explain why this is better?
-
Fallen Angel almost 6 yearsI am sorry I can not explain it my self, just read in few places that is syntax is better.
-
dangel over 5 yearsdo you have any sources?
-
bzlm over 5 yearsThis is exactly the same rule as in serverfault.com/a/893804/7184, but written using regular expressions and Match All grouping. One upside could be that the rule expression uses rule defaults and is terser.
-
Kunal about 5 yearsIf you use
REQUEST_URI
instead ofURL
make sure you setappendQueryString="false"
as discussed here - stackoverflow.com/a/48478980/846727 -
Jordan Ryder almost 5 yearsI'm on IIS 10 and the selected answer didn't work for me. For some reason IIS didn't recognize the syntax as a valid rule. I pasted your code in and it worked immediately, thanks for sharing.
-
Rumplin over 4 years@Jordan You need the Url Rewrite module to be installed on IIS, otherwise you will get 500.19 http code.
-
Floris Devreese about 4 yearsI had to use
{SERVER_NAME}
instead of{HTTP_HOST}
in the Redirect URI. This because myhttp
endpoind used port8080
, and the{HTTP_HOST}
included that port. So the redirect was tohttps://example.com:8080
which didn't work. The{SERVER_NAME}
variable doesn't include the port. -
duct_tape_coder almost 4 yearsThis sort of works. I see in Firefox dev tools network the connections are 301 redirected to HTTPS but the URL bar still shows HTTP and indicates 'not secure'. Any ideas what I'm missing? Is it necessary to implement HSTS for this to be complete?
-
Yush0 almost 4 years{R:1} did the trick for me when .net core was running inprocess and http->https redirects would get a magical second slash after the HTTP_HOST causing 404
-
Nelson Rodriguez over 3 yearsThis answer is not the right one for all cases. It works only if the site is at the root. It doesn't work if you are running on a virtual folder/app. Then the parameter for the input is just the path after the virtual. The accepted answer works in both cases, root or virtual folder.
-
Huron about 3 yearsThx @sippybear - I like to understand how things work and {HTTPS} matching ^OFF$ didn't twig until you mentioned it's testing a variable being equal to OFF
-
Nima Talebi over 2 yearsssl.com/how-to/redirect-http-to-https-with-windows-iis-10 or simpler way