Prerequisite

If you are using SSL on your IIS 8.5 (from 7.5 or greater) server for some time now; to get here you had to do a few things:

  1. You scrubbed your site content to ensure all URLs are using their relative form, e.g. “src=’//images\image.png” or explicitly reference the use of HTTPS.
  2. You have tested for certificate and SSL related problems like mixed content, appropriately tagging cookies as secure.
  3. You have ensured that you follow the best practices guidance for SSL server configuration and verified you get an A on  SSLLabs.

there are a few things left for you to do, the most obvious being redirecting all traffic to the SSL version of your site! You should probably monitor your CPU usage during your peak so to ensure you have some headroom. This isn’t likely to be a problem as most web-servers are not CPU bound but it’s always good to check.

 

Once you know you are OK then it’s just a matter of deciding which approach to use, you have two choices:

  1. Dynamically rewriting via code in your ASPX pages
  2. Using the IIS URL Rewrite  module

If you are familiar with the IIS configuration you’re probably asking yourself what about the “Require secure channel (SSL)” option in the IIS MMC? Unfortunately this doesn’t do redirecting it only requires the use of SSL on a given site/folder/file.

So how do you decide which approach to use? The answer to that question is dependent on both your environment and personal preference, but this time we will show how to do using the method two

IIS URL Rewrite Module

since in this article we will showed you to use the second choice, using the IIS URL Rewrite module, you can check the steps below

This approach has a number of benefits, for one having this module allows you to leverage remapping for other purposes also for example maintaining old links that have SEO value. From a security standpoint it’s also a good approach as it keeps this decision one of policy that is enforced in a central place.

To use the URL rewrite approach you will need to do the following:

  1. Install the URL Rewrite module (x86, x64).
  2. Add a rule to rewrite all HTTP URLs to HTTPS.
    1. Open your “web.config” with your favorite editor.
    2. Find the “configuration\system.webserver\rewrite\rules” section.
    3. Add the following text block:
      <rule name=”Redirect to HTTPS” stopProcessing=”true”>
      <match url=”(.*)” />
      <conditions>
      <add input=”{HTTPS}” pattern=”^OFF$” />
      </conditions>
      <action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” redirectType=”Permanent” />
      </rule>
  3. Restart IIS

Now you can go to your website over HTTP and you will see you are redirected to the HTTPS instance of the site.