How to Auto-Redirect to a SSL-secured Site in IIS

2007-05-09 james 10 comments

I was recently asked how to configure a site to redirect automatically from HTTP to HTTPS. By this I mean when the user types in http://server.example.com/app/page.aspx,* the browser will automatically redirect to https://server.example.com/app/page.aspx. You can do it through code, but with a little ingenuity, you can do it strictly through IIS configuration. Let’s walk through the setup…

Open IIS Manager and select properties for the website for which you want to require SSL. For TCP port, enter any unused port other than port 80 (the default HTTP port). For example, use 8888. For SSL port, enter the default SSL port, which is 443. Now go to the Directory Security tab… Secure communications… Edit… Set the “Require secure channel (SSL)” (required) and “Require 128-bit encryption” (optional, but recommended). Restart IIS. Browse to http://server.example.com:8888 now and you will get “The page must be viewed over a secure channel”. So far, so good.

Create a brand new IIS website by right-clicking… New… Web site… Click Next and give the website a name such as “Redirect to SSL”. Click Next… For TCP port, choose port 80, the default HTTP port. For path, point it to c:\inetpub\wwwroot. (It doesn’t really matter as we’ll be changing this in a minute.) Click Next… Give it Read permissions. Click Next… Finish… to create the website. Right-click, properties on the new website. Select the Home Directory tab. Change “The content for this resource should come from:” to “A redirection to a URL”. In the “Redirect to:” textbox, enter https://server.example.com. You can also optionally select “A permanent redirection for this resource”, which will cause bookmarks to update to the new URL. DO NOT, I repeat, DO NOT select “The exact URL entered above” or “A directory below URL entered”. Restart IIS. Now browse to http://server.example.com and you’ll be redirected to the SSL site. Note that the path portion of the URL is preserved and only the protocol and server are modified. So http://server.example.com/some/path/deep/within/my/app.aspx will redirect to https://server.example.com/some/path/deep/within/my/app.aspx just by applying the redirection steps noted above.

N.B. The redirect URL is sent back to the client. So if you type https://localhost as the redirect, the client browser will try to redirect to localhost on the client’s machine, which probably won’t exist. Same thing goes for NetBIOS names. (e.g. https://server rather than https://server.example.com)

* Little known fact. Example.com, example.net, and example.org are reserved top level DNS names as specified in RFC 2606, Section 3 and are intended for – surprise, surprise – examples. This allows authors to create bogus URLs in books, blog posts, and elsewhere that are guaranteed to go nowhere, which is generally the author’s intent when creating a bogus URL.

ASP.NET, Security none

#1 | Written by Lec about 17 years ago. Reply

Awesome! thank you!
#2 | Written by Luke Drewer about 17 years ago. Reply

Will have to agree with Lec! saved me a lot of messing about.. it does what it says on the tin!

Many thanks,
Luke.
#3 | Written by Ruffy Chris Loquia about 16 years ago. Reply

Hi All,

I would like to ask what is the solution for redirecting just a sub page to https? I have a site with a lot of applications that can be accessed via: http://servername/appname. Each of them works independently. I have one application which needs to be in https and I want to auto redirect only that into https so that when a user entered http://servername/securedapp it will redirect to http://servername/securedapp and the rest will remain the same. Can this be achieved through IIS configuration? Done anyone has sound advice.

I will appreciate if you will email the answers to me directly at ruffy.loquia(at)gmail.com

Thanks a lot,
Ruffy Chris
#4 | Written by James Kovacs about 16 years ago. Reply

@Ruffy – You can use the exact same trick for virtual directories. Create two websites as above, a secure one requiring SSL on 443 (and some high numbered http port like 8888) and a regular one on port 80. Rather than specifying the redirect from the web root, specify it on the virtual directory. For example, if you browse to http://server.example.com/securedapp/SomePage.aspx, the redirect would be configured for https://server.example.com/securedapp. Note that we include the virtual directory name in the redirect. Hope that helps.
#5 | Written by John Homer about 16 years ago. Reply

We did the same using pure IIS and only 1 website. Here’s how:

1) Make a copy of the 403.4 error page (don’t trash the original) located at C:\WINDOWS\help\iisHelp\common\403-4.htm
2) Name this copy something like 403-4.redirect.htm and leave in the same folder.
3) Modify the copy and include the following javascript (asp won’t work):

This goes just below the line that says ‘<body bgcolor="FFFFFF">’

<script type="text/javascript">
loc = new String(window.location);
loc = loc.replace("http", "https");
document.location.href = loc;
</script>

4) In IIS manager, open the properties for the site you’re configuring and select the Custom Errors tab.
5) Modify the 403.4 error to point to your modified file and click OK.
6) Sit back and enjoy!

Now when any user hits the site using HTTP, the error page will run the javascript and redirect them to the HTTPS URL while preserving the URL and query string.
#6 | Written by John Homer about 16 years ago. Reply

Also, this solution can be applied to subfolders and even individual files as they all can have Custom Errors. i slo noticed my javascript is doing a stright replace on "http". it’s posible that the URL may have that string embedded elsewhere, in hich case, it would munge the URL (bad). So someone may want to take this javascript and run with it a little further but the basic concept is proven.
#7 | Written by John Homer about 16 years ago. Reply

One other thing. When using custom error pages, you really need to understand the following. Read closely as there are a lot of caveats in there. Also, I’m pretty sure this applies to IE7/Vista also.

http://support.microsoft.com/?kbid=218155

You can also find more information here:

http://www.issociate.de/board/post/454180/SSL_redirection_problem.html

Cheers,
John
#8 | Written by James Kovacs about 15 years ago. Reply

Sorry, but I’ve had to close down comments on this post as it is being spammed by a bot.
#9 | Written by Andy about 13 years ago. Reply

Thanks, this was just what I was looking for:-)

Cheers
Andy
#10 | Written by Trevor about 13 years ago. Reply

Awesome. Thank you for the clear and concise explanation.

James Kovacs' Weblog

Recent Posts

Browse by Tags

Archives

Categories

How to Auto-Redirect to a SSL-secured Site in IIS

Leave a Comment