Redirecting traffic from http to https with zero coding in IIS

When you want to enforce https on users and you want to redirect any URL being hit on http to the exact counterpart of https, then usually you do it with some HttpModule written in .NET, or install some URL Redirector module in IIS, or setup a dummy website on http and then use meta refresh tag to send traffic to https. There are many solutions out there which requires some amount of coding skill. Let me show you a zero coding redirection setup.

First, go to the properties of the real website which is now listening on both http and https. Change the http port to something dummy like 8083. This will prevent the website from holding onto port 80.

Now create a new website on an empty folder that has read permission on NETWORK SERVICE account. The new website will have the same host headers as the real one, say omaralzabir.com. But it will listen on port 80 only. It won’t listen on https port 443.

Once created, go to properties and Home Directory tab. And do the following:

IIS website properties to redirect from http to https

Things to do here:

  • Select the “A redirection to a URL” option.
  • Enter the https://yourdomain.com and then $S$Q. Remember, there’s no trailing slash after the domain.
  • Select “The exact URL entered above"”
  • Select “A permanent redirection for this resource”
  • Set Execute permission to None.
  • You can select the same app pool as the original one.

That’s it.

Update:

The $S puts the subdirectories. If you have hit http://omaralzabir.com/subdir/anotherdit, $S = /subdir/anontherdir. And the $Q represents the query string. Together, they represent the whole path and query string.

8 thoughts on “Redirecting traffic from http to https with zero coding in IIS”

  1. It’s fairly straightforward to do on IIS 7.

    When you get to the bit that says “Go to properties and Home Directory tab”, instead click on the new website and then double-click on “HTTP Redirect” on the central pane.

    Enter “https://******$S$Q” as described in the top textbox and tick “Redirect requests to this destination:” Then tick “Redirect all requests to exact destination (instead of relative to destination)”, don’t tick the next one and then choose Status Code “Permanent (301)”.

    And that’s it. Great tip. Thanks Omar.

  2. Seems a bit overkill to me, when just require SSL for either the entire site or just a part of it.

    The following does the same thing, in a more simple manner in my opinion:
    1. Goto “Directory Security”-tab.
    2. Click the “Edit”-button.
    3. Check the “Require secure channel (SSL)”-checkbox.
    (above for Windows 2003 / IIS 6).

    See screenshots here for simple explanation:
    http://img7.imageshack.us/g/20082.png/

Leave a Reply to Tom Chantler Cancel reply