Sysadmins of the North

Technical blog, where topics include: computer, server, web, sysadmin, MySQL, database, virtualization, optimization and security

How to redirect HTTP to HTTPS on IIS

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite. Where possible, use the IIS httpRedirect element for IIS HTTP to HTTPS redirection, and here is how:

The regular expression matching of an URL Rewrite rule makes a rewrite rule rather expensive, resource wise. I’ll provide an HTTP to HTTPS URL Rewrite example later in this post.

However, this httpRedirect should be a little bit more performing, even though it may not be really noticeable. Shaving off milliseconds from a request and redirect HTTP to HTTPS instead of rewriting gives you a tiny bit faster responding website.

The httpRedirect element configures settings for Internet Information Services (IIS) 7 that redirect client requests to a new location.

SSL in WordPress?

Looking to move WordPress to HTTPS? See this guide!

IIS httpRedirect HTTP to HTTPS

Let’s say we want to redirect http://www.example.com and http://example.com to https://example.com. To httpRedirect a HTTP request to HTTPS, you can add the following to your website’s web.config file, in the <system.webServer> </system.webServer> node:

<httpRedirect enabled="true" 
	destination="https://example.com" 
	httpResponseStatus="Permanent"
/>

There are three important options configurable for the httpResponseStatus:

IIS httpRedirect httpResponseStatus

  • Found: Returns a 302 status code, which tells the client to issue a new request to the location specified in the destination attribute.
  • Permanent: Returns a 301 status code, which informs the client that the location for the requested resource has permanently changed.
  • Temporary: Returns a 307 status code, which prevents the client from losing data when the browser issues an HTTP POST request.

Note: you may have to set up a new IIS Web Site and directory for the SSL website, to avoid a redirection loop.

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite.

Preserve URL Path Information and Query String in httpRedirect

Using a httpRedirect, you can preserve URL path information and URL query strings. Strangely enough, you need to set an exact destination for this:

exactDestination="true"

and you need to add $V$Q to the destination URL:

destination="https://example.com$V$Q"

This makes our complete httpRedirect element:

<httpRedirect enabled="true" 
	exactDestination="true" 
	destination="https://example.com$V$Q" 
	httpResponseStatus="Permanent"
/>

An URL with a query string, like http://www.example.com/page.php?foo=bar, is now redirected to https://example.com/page.php?foo=bar

How to disable the httpRedirect to HTTPS

If you – for some reason – want to disable the httpRedirect temporarily, just set enabled to false:

<httpRedirect enabled="false" 
	destination="https://example.com" 
	httpResponseStatus="Permanent"
/>

Redirect HTTP to HTTPS Using IIS URL Rewrite

Here you’ll find a ready to use IIS URL Rewrite rule for HTTP to HTTPS redirection. Depending on the particular situation, this solution might be preferred, and is easier to use than the aforementioned httpRedirect.

An easy to use IIS URL Rewrite rule

A ready to use IIS URL Rewrite rule to redirect HTTP to HTTPS is:

<!-- follow me on Twitter: @HertogJanR, https://twitter.com/HertogJanR -->
<rule name="Redirect-HTTP-HTTPS-IIS">
	<match url="(.*)" />
	<conditions>
		<add input="{HTTPS}" pattern="^OFFquot; ignoreCase="true" />
	</conditions>
	<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>

If necessary, you can also add appendQueryString="true" to the action, to append the query string to the rewritten URL.

You have to place the code in the system.webServer node of your web.config file.

Test your site, it should now redirect from HTTP to HTTPS. If you receive a too many redirects in your browser, you may have to add your domain name as an input condition.

<!-- redirect HTTP naar HTTPS for WordPress https://www.saotn.org/ssl-wordpress-move-wordpress-site-https-definitive-guide/ -->
	<!-- see https://www.saotn.org/redirect-http-to-https-on-iis/
	        for more information -->
<rule name="example.com http to https" stopProcessing="true">
	<match url="(.*)" ignoreCase="true" />
	<conditions logicalGrouping="MatchAll">
		<add input="{HTTP_HOST}" pattern="^(www.)?example\.com$" />
		<add input="{HTTPS}" pattern="off" />
		<add input="{URL}" pattern="(.*)" />
	</conditions>
	<action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>

This rule also automatically adds the request_uri ({URL}) to the redirected HTTPS URL.

Rewrite multiple sub domains in one URL Rewrite rule

To rewrite multiple sub domains in one single URL Rewrite rule you can use:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<system.webServer>
		<rewrite>
			<rules>
				<rule name="Rewrite multiple sub domains" stopProcessing="true">
						<match url=".*" ignoreCase="false" />
						<conditions trackAllCaptures="true">
							<add input="{HTTP_HOST}" pattern="^(?!www)([^.]+)\.(example\.com)quot; />
							<add input="{URL}" pattern="(.+)" ignoreCase="false" />
						</conditions>
						<action type="Rewrite" url="/{C:1}" appendQueryString="true" />
					</rule>
				</rules>
		</rewrite>
	</system.webServer>
</configuration>

Add appendQueryString="true" to the action to append the query string in your HTTPS rewrite.

Important note on HTTP Redirections

It is important to keep the following in mind for HTTP redirections:

Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request. Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, HSTS should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.

Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.

Basically, what this means is: Imagine you have www.example.com as your website. After setting up your SSL certificate, you have example.com and www.example.com available through HTTP, and example.com and www.example.com available through HTTPS.

This may interest you:   Secure WordPress uploads folder, disable PHP execution

Now if you want to set up proper HTTP to HTTPS redirects, you must follow the rule that sites that listen on port 80 should only redirect to the same resource on HTTPS.

Here is a schematic redirect path:

http://example.com > 301 > https://example.com
https://example.com > 301 > https://www.example.com
http://www.example.com > 301 > https://www.example.com

9 Comments

  1. “redirected you too many times” still in place/

  2. Hi Jan, great post but I’ve an answer:
    How I can redirect to https as describet below?
    http://example.com > 301 > https://www.example.com
    https://example.com > 301 > https://www.example.com
    http://www.example.com > 301 > https://www.example.com
    It is a little different to your example but I want work only on www. third level domain.
    Thanks!

  3. Thanks for a clear, up-to-date and precise knowhow article.

    I used your “An easy to use IIS URL Rewrite rule #” technique on my WP website: articles.celebrities-galore.com

    IIS 8.5 on Windows Server 2012 R2

    I used this technique after trying to set HTTP Redirect on the IIS itself, which gives too many redirects in return.

    I also tried a few WP plugins, but overhead is a bit to much to pay when your option does its job so well.

  4. Saeed Nemati

    2 April 2017 at 09:29

    I get redirect loop from https to https from https to https with your HTTP redirect recipe. Any idea?

    • Hi Saeed, thank you for your comment and I’m sorry to hear it gives you a redirect loop. Are you trying to use the “httpRedirect” recipe, or a rewrite?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

46 queries, 0.966 seconds running PHP version 7.2.9
shares