Configuring HTTP to SSL Redirects in IIS/Windows
Configuring websites to only allow SSL traffic is pretty much the norm these days (and if it isn’t, it should be). The problem with taking this route to secure your web traffic is that there really isn’t an intuitive way within IIS to make sure all http (port 80) traffic then gets properly redirected over to https (SSL, port 443). Microsoft’s industrial-strength firewall solutions had built-in rules to enable this behavior, but they’ve all been discontinued or EOL’d. If redirects are not set up properly, users will get an error page when attempting to navigate to a site in IIS that is configured as SSL only but accessed via standard http (port 80). The desired behavior is to properly redirect (with either a 301 or a 302 response code) all http traffic to https, and to be able to do this from within IIS itself. It’s not intuitive, but it is fairly straightforward once the limitations of IIS itself are figured out.
The first thought might be to simply set up the redirect on the website itself within IIS. This is incorrect: the redirect applies to every request the site receives, including the https ones, so it leads to an endless redirect loop and results in an error for the user. The trick is to set up a separate site that intercepts all http traffic and redirects to the actual site that is SSL only. Another caveat is that when setting up a redirect in IIS via the HTTP Redirect property page in the site manager, an entry is written to the web.config file in the site’s physical directory that looks like the following:
<httpRedirect enabled="true" destination="<siteName>" />
Because that entry lives in the web.config of whatever physical directory the site points at, any other site sharing that directory inherits the redirect too. This means that when configuring the shell redirect sites, each one needs to be pointed to a physical path somewhere other than the site you are redirecting to, and separate from all other redirect sites. Here is the pattern I follow for all of my sites that need to have all traffic redirected from http to https (this can all be scripted out; the steps are just listed here for brevity):
- Create a filesystem directory that will house all of the redirects: I usually create a directory called ‘redirects’ somewhere in the inetpub/wwwroot folder.
- Create an empty directory for each site that needs to have redirects implemented for it. This will house the web.config entry that is created by IIS Manager.
- Remove non-SSL bindings for the sites that are to be redirected to.
- Configure the https sites to only allow SSL traffic within IIS in the SSL Settings configuration pane. This will ensure an http error is thrown if traffic comes across on standard http requests.
- Create a new website in IIS for each site to be redirected to. I name mine ‘<siteName> Redirect’ so that they are displayed under each corresponding SSL-only site. Point each redirect site to its own unique redirect directory in the file path.
- Configure the redirect in the HTTP Redirect configuration pane in IIS Manager to point to https://<siteName> and leave all other options unchecked (this is important, otherwise it will not work properly). Select either 301 or 302 for the status code depending on your requirements (remember that 301 is a permanent redirect, 302 is a temporary redirect).
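The steps above, scripted with the WebAdministration module as an added example (not the author’s own script). It assumes the SSL-only site already exists in IIS under the name ‘www.example.com’ with an https binding, that its host header matches the site name, and that the redirects folder lives at C:\inetpub\wwwroot\redirects; all of those names are hypothetical.

```powershell
# Added example: automates the redirect-site pattern with the WebAdministration module.
# Assumptions (hypothetical): the SSL-only site is named after its host header, and
# redirect directories live under C:\inetpub\wwwroot\redirects.
Import-Module WebAdministration

function New-HttpToHttpsRedirectSite {
    param(
        [Parameter(Mandatory)] [string] $SiteName,   # existing SSL-only site, also used as host header
        [string] $RedirectRoot = "C:\inetpub\wwwroot\redirects",
        [ValidateSet("Permanent", "Found")] [string] $Status = "Permanent"  # Permanent = 301, Found = 302
    )
    $redirectSite = "$SiteName Redirect"

    # Each redirect site gets its own empty directory, so the httpRedirect entry
    # IIS writes to web.config never lands inside the target site's tree.
    $path = Join-Path $RedirectRoot $SiteName
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Drop the http binding from the real site and require SSL on it.
    Get-WebBinding -Name $SiteName -Protocol http | Remove-WebBinding
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl"

    # The shell site now owns the port 80 binding for this host name.
    if (-not (Get-Website -Name $redirectSite)) {
        New-Website -Name $redirectSite -PhysicalPath $path -Port 80 -HostHeader $SiteName | Out-Null
    }

    # Redirect everything to https. exactDestination and childOnly stay false
    # (the "leave all other options unchecked" step) so sub-pages keep their path.
    $filter = "system.webServer/httpRedirect"
    $psPath = "IIS:\Sites\$redirectSite"
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name destination -Value "https://$SiteName"
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name exactDestination -Value $false
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name childOnly -Value $false
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name httpResponseStatus -Value $Status
}

function Test-HttpToHttpsRedirect {
    param([string] $SiteName, [string] $RelativePath = "/some/page")
    # Follow no redirects, so the raw status code and Location header can be inspected.
    $req = [System.Net.HttpWebRequest]::Create("http://$SiteName$RelativePath")
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers["Location"] }
}

New-HttpToHttpsRedirectSite -SiteName "www.example.com" -Status Permanent
Test-HttpToHttpsRedirect -SiteName "www.example.com"
```

The check at the end should report the chosen status code with a Location of https://www.example.com/some/page; a loop or a 403 on the plain http request means the redirect site is not the one answering on port 80.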
Of course there are other ways to accomplish this goal: I’ve written ASP.NET handlers in the past that act as global interceptors/redirectors for all sites (this is overkill in many cases), but the above will work with minimal overhead and configuration. With large IIS installations this can become quite tedious, which is why it should be scripted out, but the steps above will properly redirect all http traffic over to https, including all subpages/subsites.