Redirect HTTP to HTTPS on IIS

Reading Time: 8 Minutes

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite. Where possible, use the IIS httpRedirect element for IIS HTTP to HTTPS redirection, and here is how:

The regular expression matching of an URL Rewrite rule makes a rewrite rule rather expensive, resource wise. I’ll provide an HTTP to HTTPS rewrite example later in this post. However, this httpRedirect should be a little bit more performing, even though it may not be really noticeable.

Advertisement:

Shaving off milliseconds from a request and redirect HTTP to HTTPS instead of rewriting gives you a tiny bit faster responding website.

The httpRedirect element configures settings for Internet Information Services (IIS) 7 that redirect client requests to a new location.

Looking to move WordPress to HTTPS? See this guide!

IIS httpRedirect HTTP to HTTPS #

Let’s say we want to redirect http://www.example.com and http://example.com to https://example.com. To httpRedirect a HTTP request to HTTPS, you can add the following to your website’s web.config file, in the <system.webServer> </system.webServer> node:

<httpRedirect enabled="true" 
 destination="https://example.com" 
 httpResponseStatus="Permanent" />

There are three important options configurable for the httpResponseStatus:

IIS httpRedirect httpResponseStatus

  • Found: Returns a 302 status code, which tells the client to issue a new request to the location specified in the destination attribute.
  • Permanent: Returns a 301 status code, which informs the client that the location for the requested resource has permanently changed.
  • Temporary: Returns a 307 status code, which prevents the client from losing data when the browser issues an HTTP POST request.

Note: you may have to set up a new IIS Web Site and directory for the SSL website, to avoid a redirection loop.

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite.

Preserve URL Path Information and Query String in httpRedirect #

With a httpRedirect, you can also preserve URL path information and URL query strings. Strangely enough, you need to set an exact destination for this:

exactDestination="true"

and you need to add $V$Q to the destination URL:

destination="https://example.com$V$Q"

This makes our complete httpRedirect element:

<httpRedirect enabled="true" 
 exactDestination="true" 
 destination="https://example.com$V$Q" 
 httpResponseStatus="Permanent" />

An URL with a query string, like http://www.example.com/page.php?foo=bar, is now redirected to https://example.com/page.php?foo=bar

How to disable the httpRedirect to HTTPS #

If you – for some reason – want to disable the httpRedirect temporarily, just set enabled to false:

<httpRedirect enabled="false" 
 destination="https://example.com" 
 httpResponseStatus="Permanent" />

Redirect HTTP to HTTPS Using IIS URL Rewrite #

Here you’ll find a ready to use IIS URL Rewrite rule for HTTP to HTTPS redirection. Depending on the particular situation, this solution might be preferred, and is easier to use than the aforementioned httpRedirect.

An easy to use IIS URL Rewrite rule #

A ready to use IIS URL Rewrite rule to redirect HTTP to HTTPS is:

<rule name="Redirect-HTTP-HTTPS-IIS">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>

If necessary, you can also add appendQueryString="true" to the action, to append the query string to the rewritten URL.

You have to place the code in the system.webServer node of your web.config file.

Test your site, it should now redirect from HTTP to HTTPS. If you receive a too many redirects in your browser, you may have to add your domain name as an input condition.

<!-- redirect HTTP naar HTTPS for WordPress https://www.saotn.org/ssl-wordpress-move-wordpress-site-https-definitive-guide/ -->
  <!-- see https://www.saotn.org/redirect-http-to-https-on-iis/
    for more information -->
<rule name="example.com http to https" stopProcessing="true">
  <match url="(.*)" ignoreCase="true" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTP_HOST}" pattern="^(www.)?example\.com$" />
    <add input="{HTTPS}" pattern="off" />
    <add input="{URL}" pattern="(.*)" />
  </conditions>
  <action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>

This rule also automatically adds the request_uri ({URL}) to the redirected HTTPS URL.

Rewrite multiple sub domains in one URL Rewrite rule #

To rewrite multiple sub domains in one single URL Rewrite rule you can use:

<?xml version="1.0" encoding="UTF-8"?&gt;
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Rewrite multiple sub domains" stopProcessing="true">
                    <match url=".*" ignoreCase="false" />
                    <conditions trackAllCaptures="true">
                        <add input="{HTTP_HOST}" pattern="^(?!www)([^.]+)\.(example\.com)$" />
                        <add input="{URL}" pattern="(.+)" ignoreCase="false" />
                    </conditions>
                    <action type="Rewrite" url="/{C:1}" appendQueryString="true" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Add appendQueryString="true" to the action to append the query string in your HTTPS rewrite.

Important note on HTTP Redirections #

It is important to keep the following in mind for HTTP redirections:

Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request. Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, HSTS should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.

Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.

Basically, what this means is: Imagine you have www.example.com as your website. After setting up your SSL certificate, you have example.com and www.example.com available through HTTP, and example.com and www.example.com available through HTTPS.

Now if you want to set up proper HTTP to HTTPS redirects, you must follow the rule that sites that listen on port 80 should only redirect to the same resource on HTTPS.

Here is a schematic redirect path:

http://example.com > 301 > https://example.com
https://example.com > 301 > https://www.example.com
http://www.example.com > 301 > https://www.example.com

Hi! Join the discussion, leave a reply!