We want all sites on our webserver (iis 10) to enforce ssl (ie redirect http to https).

We are currently 'Requiring SSL' on each site and setting up a 403 error handler to perform a 302 redirect to the https address for that specific site.

This is great But it's a pain to do for every single site, there's plenty of room for human error.

Ideally I'd like to set up a permanent 301 redirect on all HTTP://* to HTTPS://*

Is there any way to do that in iis?

Best Answer

The IIS URL Rewrite Module 2.1 for IIS7+ may be your friend. The module can be downloaded from IIS URL Rewrite . Using the URL Rewrite Module and URL Rewrite Module 2.0 Configuration Reference explain how to use the module.

Once the module is installed you can create a hostwide redirect using iis manager Select URL Rewrite , Add Rule(s)... , and Blank rule .

Redirect to HTTPS

Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked

Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked

Server Variables
Leave blank.

Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)

Apply the rule and run IISReset (or click Restart in the IIS Manager)

Alternatively, after installing the module you could modify the applicationHost.config file as follows:

      <rule name="Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" ignoreCase="true" negate="false" />
        <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
          <add input="{HTTPS}" ignoreCase="true" matchType="Pattern" negate="false" pattern="OFF" />
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />