IIS 7 / 8 HTTP to HTTPS Redirecting

In the past I’ve set up some simple redirects that will automatically take a user from http://somewebsite.com to https://somewebsite.com (this is very simple with HTTP redirects in IIS). But for the first time recently I needed to redirect a user from http://somewebsite.com/default.aspx?somequerystring=value to https://somewebsite.com/default.aspx?somequerystring=value. I needed to maintain the actual page and query string value. After a little bit of googling I found this article on SSL Shopper.

http://www.sslshopper.com/iis7-redirect-http-to-https.html

This gives you two solutions to the problem. The first is to download and install the Microsoft URL Rewrite Module. With that installed you can set up a rule that will redirect any requests to an http resource to https. This seemed a little bit heavy handed to me. Having to install a whole separate module just to achieve something so simple?

The second solution was a bit better. It involved forcing the site to require SSL and then setting up a custom error page for 403.4 that would redirect the user to the https version of the page they are looking for. For those of you that don’t know 403.4 is the “You need to use SSL with this site” or put slightly better “SSL Required” error. It’s an IIS sub code for the 403 Forbidden HTTP status code.

This seemed like the way to go. I didn’t need to install anything and it leveraged what was already there (custom errors). However looking at the solution a bit longer it appeared that the custom error page was using JavaScript to perform the redirect. The first problem I could see with that was if the user didn’t have JavaScript turned on they just wouldn’t be redirected. Granted, I’d be surprised to find a normal person (as in not really tech savvy or in a really restrictive environment) that didn’t have JavaScript enabled. But still. It’d affect all sorts of other thing such as search engines etc. Plus on top of that when you actually visit the page you’re still getting the 403.4 even if you are redirected. I want to the redirect to be seamless to the users. Users or whoever or whatever else that is connecting doesn’t care that the server requires SSL they just want to be forwarded to the correct page.

Rather than redirecting via JavaScript and because I already had ASP.net install I whipped up a quick ASP.net script to do the redirect.

Rather than using the “Insert content from static file into the error response” in IIS I switched it to “Execute a URL on this site”  and pointed that to my redirect script.

It’s very simple but does the job. It checks to see if the connection is secured (using SSL) if it isn’t it takes the current request and redirects it from http to https. Take a look…


<%@ Page Language="C#"  %>
<script language="c#" runat="server">
	public void Page_Load(object sender, EventArgs e)
	{
		if(!Request.IsSecureConnection)
		{
			Response.RedirectPermanent("https://" + HttpContext.Current.Request.Url.Host + Request.RawUrl, true);
		}
	}
</script>


Just save that off as a .aspx page and point to it in IIS and you’re good to go.

You’ll notice that I’m using Response.RedirectPermanent. This was new in .NET 4. Rather than sending a 302 “Moved Temporarily” like Response.Redirect it’ll send a 301 “Moved Permanently”. This has implications for things like SEO as it’s basically saying “This page is now located here…”

There you have it, very simple but works well.

No comments yet.

Leave a Comment