
Redirect all HTTP to HTTPS on IIS

Google has updated their search results to give higher ranking to sites secured with HTTPS than to sites without. With a free certificate from Let’s Encrypt there really is no excuse for not having a cert now.

After installing a Let’s Encrypt certificate on your IIS Web Server (I use Certify to do so), you’ll want to start redirecting all traffic to use it. Create a new rule in the web.config file in your site root folder by adding a new <rule> tag under:

configuration > system.webServer > rewrite > rules >
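A rule of the kind described here, as an added example rather than the original post's listing. It assumes the IIS URL Rewrite module is installed; the rule name is an arbitrary label.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Added example; the rule name is an arbitrary label (assumption). -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <!-- Match every path and capture it as {R:1} for reuse in the action. -->
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "off" for plain HTTP requests, so this is true only then. -->
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          </conditions>
          <!-- Send the client to the same host and path over HTTPS (301 Permanent). -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because `{HTTP_HOST}` echoes the Host header sent by the client, keep the site's bindings limited to your own host names, or hard-code the host name in the `url` attribute.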

First, notice the condition. It evaluates to true when the request to the website was made without HTTPS.

Second, the redirect action uses HTTPS – this sends all traffic to the HTTPS version of the site.

Deploy the changed web.config to the server and redirects should start working immediately – no restart required.

Another thing to watch out for is the Require SSL setting in IIS. You may be tempted to turn it on, but be aware that if you do, no content will be served over HTTP, not even the redirect. Instead, visitors trying to browse the website over an unencrypted connection will see an error message like this:

[Image: 403 Forbidden]

One more thing: if you use Server Name Indication (SNI) to host your secured websites, users of some very old web browsers (such as Internet Explorer (IE) running under Windows XP) will not be able to see your website at all. But that is not unexpected if you’re running a 15-year-old operating system. Those users are going to find that more and more does not work properly.
