July 12, 2013

Redirect non-encrypted HTTP traffic to SSL-enabled HTTPS in IIS 7+

It used to be that redirecting HTTP traffic to the SSL-enabled equivalent was a convoluted process, especially in IIS 6 and previous versions. It involved weird tricks using error codes on specific default files in the web site, etc. Back in the IIS 6 days, it made me greatly miss using mod_rewrite with Apache on Linux.

Thankfully Microsoft caught on a few years back, and released an official IIS extension called URL Rewrite, which is essentially the equivalent of Apache’s mod_rewrite. Using URL Rewrite, you can fairly easily implement a rule to detect if the browser session is using SSL, and if not, redirect it to wherever you want the browser to go.

Below are the steps to handle the SSL redirect of a web site using URL Rewrite within IIS:

  • Set up your web site to listen on both port 80 (HTTP) and port 443 (HTTPS), or whatever ports you are choosing to use. In the bindings, make sure you have associated a valid SSL certificate, etc. I’m kind of assuming you have already done this, and just want to handle a redirect at this point.
  • On your IIS 7+ web server(s), install URL Rewrite. My preferred method is to use the Microsoft Web Platform Installer, which will sometimes do some extra work for you beyond just installing an .msi file, depending on the IIS extension you are installing (like Web Deploy).
  • Once you have URL Rewrite installed, open the IIS Manager.
  • In the left-hand pane, select the web site you would like to apply the redirect rule to.
  • In the main window for the web site, under the IIS category, click the icon for URL Rewrite to add a new rule that only applies to this site.


  • You should see the URL Rewrite configuration screen for this web site. Under Actions on the right, click Add Rule(s)…


  • Go ahead and take the default rule template of Blank rule, and click OK.


  • In the Edit Inbound Rule screen, give a meaningful Name to the rule, such as “Redirect HTTP Traffic to HTTPS”.


  • Leave the Requested URL field set to “Matches the Pattern”, and leave the Using field set to “Regular Expressions”.


  • In the Pattern field, enter the pattern of (.*) because we want to match anything in the URL. In this case we are more concerned about whether SSL is being used than about what is contained within the URL.


  • Expand the Conditions section, and click Add.


  • In the Condition input field, enter {HTTPS}. This will detect if SSL is being used by the web browser session.

  • In the Pattern field, enter ^OFF$. This is what will trigger the rule if SSL is not being used for the web session. Then click OK.


  • Scroll down to the Action section, and change the Action type to Redirect.


  • In the Redirect URL field, enter the following: https://{HTTP_HOST}/{R:1}

  • This action does a couple things. The {HTTP_HOST} variable will assign whatever host name is being used by the web client. That way you don’t have to hard code a domain name in the rule – although you could if you wanted. The {R:1} variable takes whatever is after the host name, and appends it to the redirect URL. So for example, if the browser is calling, the {R:1} variable appends the highlighted section of the URL to the redirect URL.


  • Next, make sure to check the checkbox for Append query string. This will make sure any URL parameters will be automatically appended to the redirect URL. Using the previous example, if the URL is the checkbox ensures the highlighted section is automatically appended to the redirect URL.


  • The next step is to decide the HTTP redirect type code you want to send the browser. You could send a Permanent (301) code if you always want browsers and search engines to consider the HTTP URL to be essentially an old and “shouldn’t be used” URL. However, I typically prefer to use the code for See Other (303), as that allows some flexibility in the future. Choose whatever makes sense in your situation.


  • Then click Apply in the Actions menu on the right, and then Back to Rules.


  • When you return to the URL Rewrite rules screen, you should see a new entry for the redirect rule we just created:


Now, try browsing to your web site using the HTTP version of the URL. You should be able to see within the web browser the URL is changed dynamically to the HTTPS equivalent of whatever URL you used, even if it had a long path with URL parameters in it. Any previously created links or bookmarks should now dynamically redirect to the SSL-enabled equivalent of the web site.
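For reference, the rule built in the steps above is stored in the site's web.config under system.webServer/rewrite. The following is an added example, not a file from the original post; it assumes the rule name suggested above and the See Other (303) redirect type, and www.example.com in the comment is a placeholder host name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Name entered in the Edit Inbound Rule screen -->
        <rule name="Redirect HTTP Traffic to HTTPS">
          <!-- Requested URL: Matches the Pattern, Using: Regular Expressions.
               (.*) captures the whole path so it can be reused as {R:1}. -->
          <match url="(.*)" />
          <conditions>
            <!-- Condition input {HTTPS}, pattern ^OFF$: the rule fires only
                 when the request did not arrive over SSL. Pattern matching
                 ignores case by default. -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <!-- Action type Redirect. appendQueryString="true" is the
               "Append query string" checkbox. redirectType accepts
               Permanent (301), Found (302), SeeOther (303), Temporary (307).
               {HTTP_HOST} is taken from the Host header sent by the client;
               to pin the redirect to a single name, hard-code it instead,
               for example url="https://www.example.com/{R:1}". -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  appendQueryString="true"
                  redirectType="SeeOther" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Keeping the rule in web.config means it can be reviewed and deployed with the site instead of being recreated by hand in IIS Manager on each server.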

One Comment on “Redirect non-encrypted HTTP traffic to SSL-enabled HTTPS in IIS 7+”

December 10, 2013 at 2:03 am

Jess, thanks so much for this article. I have read so many similar tips for this topic so far – but yours was the first that explained the different settings. It was great to finally understand what is going on behind the scenes. I just didn’t get the paragraph about the “redirect type”. Are there some words/parts missing? Thanks again!
