
Setting Up HTTPS Redirects in IIS and Securing Your URLs


In order to force your website to load over SSL, you will likely need to incorporate redirection to push all insecure URLs to their secure counterpart. This is necessary to be sure that all users and pages support and utilize your SSL certificate to encrypt communications between your web server and visitor.

Why Would I Need to Redirect from HTTP to HTTPS?

To properly secure your website with SSL certificates, you might decide to incorporate redirects on your website, forcing all http URLs to redirect to secure https URLs (e.g., http://mydomain.com redirects to https://mydomain.com). This way, no matter what URL a user is visiting on your site, it will automatically be directed to the secured version of that page.

Without redirects in place, some users or pages may be accessing insecure URLs and will not receive the benefits of having an SSL certificate in place. Let’s take a look at how to incorporate these changes in IIS with the URL Rewrite Redirection Module!

Navigating to the Redirect Module

The first thing we will need to do is navigate to our Redirection Module. To do this, open up IIS Manager (inetmgr.exe), expand your server, and select the site you want to incorporate redirects on.

In the main window pane, scroll down until you find “URL Rewrite” under the IIS subcategory and double-click this icon.


If you do not see this module, you will have to install it from the official IIS site, here.

Note that the URL Rewrite module is only available for IIS 7 or higher.

Creating Your First Redirect Rule

Now that you have opened the URL Rewrite module, select “Add Rule(s)” from the upper-right actions menu. We are going to create a Blank Rule.


To create a redirect rule that forces all HTTP URLs to HTTPS, you will need to create a rule with the following settings:

Requested URL: Matches the Pattern
Using: Regular Expressions
Pattern: (.*)

…with the “Ignore” Case box checked.


By setting the pattern to (.*) and matching to regular expressions, the redirect rule will match and process any URL that it receives. The (.*) regex pattern matches all possible combinations of characters in the URL.

Once these settings are in place, scroll down to the “Conditions” section and expand the drop-down menu.

Select “Add” and enter the following settings:

Condition Input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: ^OFF$


Click “OK.”

Now, on the “Edit Inbound Rule” page for our new rule, scroll down to the “Action” section.

Set the Action Type to “Redirect” and enter the following URL under the redirect URL section:

https://{HTTP_HOST}{REQUEST_URI}

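Be sure to uncheck “Append Query String” and make sure the Redirect Type is “Permanent (301).” {REQUEST_URI} already includes the query string, so leaving the box checked can append it a second time.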

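Note: If you are still having difficulties with the redirect by the end of this article, another option to try for your redirect URL is shown below. Here {R:1} is only the path captured by (.*), without the query string, so with this form leave “Append Query String” checked if query strings must survive the redirect: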

https://{HTTP_HOST}/{R:1}


We are using Permanent (301) redirects for our site because we want all non-secure URLs to be automatically and permanently redirected to the secure https version of the URL. There are several other types of redirects available, but the 301 redirect will get our website behaving the way we want it to for HTTPS.

Once you have confirmed that all of the above settings are correct, select “Apply” in the top-right Actions pane.

Testing Redirections to Confirm All Website URLs Redirect to HTTPS

Once you have applied the new redirect rule to your website, you are now able to test the redirection in your browser.

To be sure that your browser is not using cached data, open a “Private” or “Incognito” window and navigate to any http URL on your site.

When accessing these URLs, it should automatically redirect to the HTTPS version of your page. Assuming you have already tested your SSL certificate prior to the redirect, when your non-secure URL is redirected, it should now show https and a secure lock icon by the URL bar.

If you are having difficulties with your redirect or you see it is not redirecting properly, check the web.config file in the associated website to be sure that the redirect rule was properly added.

You can check this by navigating to your site in IIS, right-clicking on its name, and selecting “Explore.”


This will bring you to the root directory of your website where you will find a file named web.config. Open this file in Notepad to see its contents.

Your web.config should contain the following information somewhere inside its contents:

<rewrite>
  <rules>
    <rule name="HTTPS force" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
    </rule>
  </rules>
</rewrite>

If you do not have a section that says this in your web.config file, add the above code block right before the closing </system.webServer> tag and save your file.
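
As an added example (not part of the original article), the following Python check reads a web.config and reports where the redirect rule differs from the settings described above. The audit function and the sample configuration are constructed for illustration; the check relies on URL Rewrite treating a missing appendQueryString attribute as true and a missing redirectType as Permanent.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's rule inside a minimal web.config.
GOOD = """<configuration><system.webServer><rewrite><rules>
<rule name="HTTPS force" enabled="true" stopProcessing="true">
  <match url="(.*)" />
  <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
  <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
          redirectType="Permanent" appendQueryString="false" />
</rule></rules></rewrite></system.webServer></configuration>"""

def audit(config_xml):
    """Return a list of findings; an empty list means the rule matches the article."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # Typographic quotes pasted from a web page end up here.
        return [f"web.config is not well-formed XML: {exc}"]
    rules = [r for r in root.iter("rule")
             if any(c.get("input", "").upper() == "{HTTPS}" for c in r.iter("add"))]
    if not rules:
        return ["no rewrite rule with an {HTTPS} condition"]
    rule, findings = rules[0], []
    action = rule.find("action")
    if action is None:
        return ["rule has no <action> element"]
    url = action.get("url", "")
    # URL Rewrite treats a missing appendQueryString attribute as true.
    append = action.get("appendQueryString", "true").lower() == "true"
    if rule.get("enabled", "true").lower() != "true":
        findings.append("rule is disabled")
    if action.get("type") != "Redirect" or not url.lower().startswith("https://"):
        findings.append("action is not a redirect to an https:// URL")
    if action.get("redirectType", "Permanent") != "Permanent":
        findings.append("redirect is not Permanent (301)")
    if "{REQUEST_URI}" in url and append:
        findings.append("{REQUEST_URI} already carries the query string; "
                        "appendQueryString should be false")
    if "{R:1}" in url and not append:
        findings.append("{R:1} has no query string; it is dropped unless "
                        "appendQueryString is true")
    return findings

if __name__ == "__main__":
    print(audit(GOOD) or "rule matches the article's settings")
```

To check a real site, pass the text of its web.config to audit() instead of the sample.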

You should now be able to access any http URLs on your website and see that they redirect to the secured https URL! Congratulations, all pages on your site and URLs are being redirected to their secure counterpart!

Mike Sherman
Mike Sherman worked as a lead Enterprise Server administrator for an international data center, as well as a technical consultant for a national MSP. He's got years of experience with hosting, security, and hands-on problem-solving.
