I've been hosting a domain on a Win2003 server for the last 3 or 4 years, but I now need to make this domain accessible only via HTTPS.
I've installed the certificate correctly and it works fine (the server hosts several domains, but this domain is hosted on a different public IP address), but I'm struggling to get IIS to just transfer all users who go to http://www.example.com to https://www.example.com.
I've found the "require secure channel" option in IIS, but checking this results in anyone who fails to type the https:// part seeing an error message (below). What's the best way to redirect users to the HTTPS site (without the user having to worry about it)?
The page must be viewed over a secure channel
The page you are trying to access is secured with Secure Sockets Layer (SSL).
Please try the following:
Type https:// at the beginning of the address you are attempting to reach and press ENTER.
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Redirecting HTTP to HTTPS using IIS
The cleanest way is to have a mod rewrite ISAPI filter installed and redirect all HTTP calls to HTTPS (or just those for a specific folder/page if you prefer).
http://www.isapirewrite.com/
Here's an article that explains how to do that and mentions some of the others suggested. http://www.iis-aid.com/articles/how_to_guides/three_methods_redirect_http_https
Check out the Microsoft Knowledgebase article How to redirect an HTTP connection to HTTPS for Outlook Web Access clients and how to redirect the Default Web Site to point to the Exchange virtual directory.
There are a few steps to configure this correctly; the code is:
Once you have your redirect set up, make sure to also add HSTS headers to your requests. This skips the redirect step entirely after users have visited your site once. So subsequent visits will not need to be redirected since browsers make an HTTPS connection right away.
You can also get your site added to a preload service, which all major browsers include so that users connect to https even on their first visit.
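An added example, not part of the answer above or of any project's code: a Python check that the HTTP redirect and the HSTS header are configured as described. The responses are constructed samples for www.example.com, and the function names and the preload thresholds (one-year max-age plus includeSubDomains and preload, as hstspreload.org asks) are this example's assumptions.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year; assumed preload-list minimum (hstspreload.org)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives

def audit(host, http_resp, https_resp):
    """Return a list of findings; each response is (status, headers-dict)."""
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 308):
        findings.append(f"http:// answers {status}, not a permanent redirect")
    if target.scheme != "https" or target.hostname != host:
        findings.append("redirect does not go to https:// on the same host")
    if "strict-transport-security" in headers:
        findings.append("HSTS sent over plain HTTP is ignored by browsers")

    status, headers = https_resp
    headers = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(headers.get("strict-transport-security", ""))
    age = hsts.get("max-age")
    if not (isinstance(age, str) and age.isdigit()):
        findings.append("https:// response has no valid HSTS max-age")
    elif int(age) == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif not (int(age) >= PRELOAD_MIN_AGE and "includesubdomains" in hsts and "preload" in hsts):
        findings.append("HSTS works but does not meet preload-list requirements")
    return findings

# Constructed responses for the question's www.example.com
REDIRECT = (301, {"Location": "https://www.example.com/"})
FORBIDDEN = (403, {"Content-Type": "text/html"})  # the "require secure channel" case
GOOD_TLS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
SHORT_TLS = (200, {"Strict-Transport-Security": "max-age=86400"})

if __name__ == "__main__":
    for name, pair in [("good", (REDIRECT, GOOD_TLS)), ("403.4", (FORBIDDEN, SHORT_TLS))]:
        print(name, audit("www.example.com", *pair))
```

To run it against a live site, fill the two (status, headers) tuples from responses fetched without following redirects.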
Have your publishing firewall do the redirect. Having calls reaching the actual web server which it has no business dealing with seems unnecessary and may even pose a security risk.