How to redirect HTTP requests to HTTPS by using IIS URL Rewrite

One way to ensure that your visitors access to your website via secure connection is to redirect HTTP requests to HTTPS by using IIS URL Rewrite module. You will find step-by-step instructions to configure IIS in this post.

Note that you may need to spend some extra effort on configuration if you have a load balancer that hosts SSL certificates (SSL offloading). Please check the last section (“If your web server is behind a Load Balancer…”) at the end of this post for more information.

Looking for an alternative way to redirect HTTP requests to HTTPS? Check this post out.

Redirect HTTP requests to HTTPS by using IIS URL Rewrite

Follow the steps below to redirect all HTTP requests to your HTTPS URL.

  • Download and install URL Rewrite module
  • Make sure that your website is accessible via HTTP (Check Site Binding to make sure there is a binding for port 80)
Redirect HTTP requests to HTTPS by using IIS URL Rewrite
IIS site binding for HTTP requests
  • In server, site or application level, go to URL Rewrite feature
  • Click “Add Rule(s)” in the “Actions” pane
  • Select “Blank rule“. Click “OK
Create a rule to redirect HTTP requests to HTTPS by using IIS URL Rewrite
Create a new URL Rewrite rule
  • Select “Matches the Pattern” from “Requested URL” menu
  • Select “Wildcards” from “Using” menu
  • Enter * into “Pattern” field
  • Add a new condition with input {HTTPS}, type “Matches the Pattern“, pattern off. This condition will make sure to prevent indefinite loop from HTTPS to HTTPS. The condition will make sure the rule is executed if the request is not HTTPS
Inbound rule to redirect HTTP requests to HTTPS by using IIS URL Rewrite
Match URL and condition for URL Rewrite rule
  • In the “Action” section, select “Redirect” from “Action type” menu
  • Enter https://{HTTP_HOST}{REQUEST_URI} into “Redirect URL” field. Click here for more information about server variables and URL parts
Redirect URL to redirect HTTP requests to HTTPS by using IIS URL Rewrite
Redirection type and URL
  • Click “Apply” in the “Actions” pane
  • Try to access your site/application via HTTP URL and check if it is redirected to HTTPS

Web.config changes

When you add, edit or remove a URL Rewrite URL, corresponding web.config file is automatically updated. Go to application folder and open the web.config file if you want to view the changes.

<rewrite>
   <rules>
      <rule name="Redirect Subfolder" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
         <match url="*" ignoreCase="true" />
         <conditions logicalGrouping="MatchAny">
            <add input="{HTTPS}" pattern="off" />
         </conditions>
         <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
      </rule>
   </rules>
</rewrite>

Not working? Try these

If the URL Rewrite rule for redirection is not working (HTTP requests continue to go to HTTP site), I would recommend using Failed Request Tracing (FRT) to troubleshoot redirection. Here is a link for instructions to use FRT for URL Rewrite troubleshooting.

Additionally, try the recommendations below to solve the issue:

  • Make sure that “Require SSL” is unchecked in “SSL Settings” 
SSL settings to redirect HTTP requests to HTTPS by using IIS URL Rewrite
Uncheck “Require SSL”
  • Instead of a wildcard, try using a regex in “Match URL” section (Select “Regular Expressions” from “Using” list. Enter (.*) into “Pattern” field). More information
  • Try ^OFF$ pattern for the condition. More information
  • Previous URL Rewrite rule might have cached. Try to use server variable from this list that disable kernel mode caching for all requests. You can also try disabling internal cache of rewritten URLs. Here is a list of registry values for IIS URL Rewrite.

If your web server is behind a Load Balancer…

Many companies leverage load balancers to distrubute workload amond several web servers. If this is the case in your environment, you may need to change the server variable you use in the condition of your URL Rewrite rule. 

In the instructions above, we used {HTTPS} header to check the usage of HTTPS protocol. The load balancer in your network may remove this header from requests. A better practice in this scenario is to use {HTTP_X_FORWARDED_PROTO} header. Click here for more information.

Here is the web.config entry for an example URL Rewrite rule using {HTTP_X_FORWARDED_PROTO} header:

<rewrite>
  <rules>
    <rule name="HTTPS Redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" negate="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>

References

Leave a Reply