Enforcing HTTPS, and your main/simple URL in IIS

As I’m working on another app with a website, there are things I wanted to do as I was setting it up:

  1. If the user navigates to http:// I want to redirect to https:// (for any URL on the site)
  2. If the user navigates to example.com instead of http://www.example.com, I want to redirect them to http://www.example.com

So no matter what, you’ll always end up at https://www.example.com/ and whatever the rest of the URL was. But how do you do this?

In short, in IIS, you can use the URL Rewrite module.

Making the change in IIS Manager:
I followed the instructions from this blog post:

Automatically Redirect HTTP requests to HTTPS on IIS 7 using URL Rewrite 2.0
http://www.jppinto.com/2010/03/automatically-redirect-http-requests-to-https-on-iis7-using-url-rewrite-2-0/

However, I noticed upon the next deployment that my changes were lost. Like most things in IIS, your settings are stored in the web.config. So, when I pushed out a new version of the site, that overwrote the changes.

Making the change in your web.config:
So that we don’t overwrite the changes every time we publish a new version of the site, it would be better to include this setting in our application’s root web.config. That way, this configuration can be persisted.

Here are the two rules I use:

<system.webServer>
  <rewrite>
    <rules>
      <clear/>
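      <!-- Any host other than www.example.com is sent to the canonical HTTPS site.
           The dots are escaped so they match a literal "." and not any character. -->
      <rule name="Redirect to Main Site" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTP_HOST}" pattern="^www\.example\.com$" negate="true" />
        </conditions>
        <action type="Redirect" url="https://www.example.com/{R:1}" />
      </rule>
      <!-- Requests that reach the canonical host over plain HTTP are sent to the same URL over HTTPS. -->
      <rule name="Redirect to HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="^OFF$" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
      </rule>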
    </rules>
  </rewrite>
</system.webServer>

The first rule “Redirect to Main Site” can be used to redirect other catch-all domains to your primary site. For example, you might want http://example.com and http://othernameexample.com to always redirect to http://www.example.com.

The second rule “Redirect to HTTPS” checks to make sure that you are always going to https. If not, it redirects you to the same URL, except to the https version of the URL. In this particular case, I want users to always go to the https version of the site, 100% of the time. You can tweak these rules, as required.
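To see which rule fires for a given request, here is a small Python model of the two rules. It is an added example, not the author's code and not how IIS itself is implemented: `evaluate` and `expand` are hypothetical helpers, Python's `re` stands in for URL Rewrite's regex engine, query strings are ignored, and the embedded rules are a constructed copy with the dots in the host pattern escaped.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the page's two rules, with the host pattern's dots escaped.
RULES_XML = r"""
<rules>
  <rule name="Redirect to Main Site" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
      <add input="{HTTP_HOST}" pattern="^www\.example\.com$" negate="true" />
    </conditions>
    <action type="Redirect" url="https://www.example.com/{R:1}" />
  </rule>
  <rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
  </rule>
</rules>
"""

def expand(template, server_vars, match):
    """Substitute {R:n} back-references and {SERVER_VARIABLE} tokens in one pass."""
    def sub(tok):
        name = tok.group(1)
        if name.startswith("R:"):
            return match.group(int(name[2:]))
        return server_vars[name]
    return re.sub(r"\{([^{}]+)\}", sub, template)

def evaluate(host, https, path, rules_xml=RULES_XML):
    """Return (rule name, Location) for the first rule that fires, else None."""
    server_vars = {"HTTP_HOST": host, "HTTPS": "on" if https else "off"}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        # The match pattern sees the path without its leading slash, case-insensitively.
        m = re.search(rule.find("match").get("url"), path.removeprefix("/"), re.I)
        if not m:
            continue
        ok = True
        for cond in rule.iter("add"):  # default logicalGrouping is MatchAll
            value = expand(cond.get("input"), server_vars, m)
            hit = re.search(cond.get("pattern"), value, re.I) is not None
            ok = ok and (hit != (cond.get("negate") == "true"))
        if ok:
            return rule.get("name"), expand(rule.find("action").get("url"), server_vars, m)
    return None
```

Calling `evaluate("example.com", False, "/account/login")` shows the first rule already lands on the HTTPS canonical URL in a single hop. Passing a copy of the rules with the dots left unescaped makes a host such as `wwwxexample.com` count as canonical, so no redirect is issued for it over HTTPS.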

Bottom line:
I’ve seen many different ways to address this, but this is a pretty complete solution. This stops the request right at the web server, and gets the URL straightened out before you even get into your application. I know I am going to forget this syntax in the future, so this blog post is mostly for you, Future-Robert, reading this blog post!

Posted in Computers and Internet, General, Infrastructure, Uncategorized, Windows
2 comments on “Enforcing HTTPS, and your main/simple URL in IIS”
  1. Patricia says:

    Hi Bobby,
    Long time. How are you? This is your old friend from SOCAL PacifiCare.


    • Robert Seder says:

      Hey Patricia! Long time no hear, I hope you are well. Give me a holler at robseder at outlook dot com if you want to catch up. Take care!
