We want ALL sites on our webserver (IIS 10) to enforce SSL (ie redirect HTTP to HTTPS).
We are currently 'Requiring SSL' on each site and setting up a 403 error
handler to perform a 302 redirect
to the https address for that specific site.
This works great. But it's a pain to do for every single site, there's plenty of room for human error.
Ideally I'd like to set up a permanent 301 redirect
on all HTTP://*
to HTTPS://*
Is there a simple way to do this in IIS ?
The IIS URL Rewrite Module 2.1 for IIS7+ may be your friend. The module can be downloaded from IIS URL Rewrite. Using the URL Rewrite Module and URL Rewrite Module 2.0 Configuration Reference explain how to use the module.
Once the module is installed, you can create a host wide redirect using IIS Manager. Select URL Rewrite, Add Rule(s)..., and Blank rule.
Name:
Redirect to HTTPS
Match URL
Requested URL:
Matches the Pattern
Using:
Wildcards
Pattern:
*
Ignore case: Checked
Conditions
Logical grouping:
Match Any
Condition input:
{HTTPS}
Check if input string:
Matches the Pattern
Pattern:
OFF
Ignore case: Checked
Track capture groups across conditions: Not checked
Server Variables
Leave blank.
Action
Action type:
Redirect
Redirect URL:
https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type:
Permanent (301)
Apply the rule and run IISReset (or click Restart in the IIS Manager)
Alternatively, after installing the module you could modify the applicationHost.config file as follows:
My research shows that this might be a better way to the redirect: