IIS/UrlRewrite Rule for redirecting website from HTTP to HTTPS

Article Id
kb296
Published
08 Nov 2017 at 12:29
Reading Time
2 minutes, 46 seconds

Introduction

This article describes the creation of a URL Rewrite rule that facilitates the manual verification of domains for a Let's Encrypt / SSLFORFREE SSL certificate. This rule is especially useful with websites that run exclusively in HTTPS/SSL (i.e. secure) connections or with sites that have expired SSL certificates.

This rule is useful as all domain verification requests are made using standard, non secure HTTP requests.

<rule name="HTTP to HTTPS" stopProcessing="true">
	<match url="(.*)" />
	<conditions>
		<add input="{HTTPS}" pattern="^OFF$" />
	</conditions>
	<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>

Creating the Rule

URL Rewrite rules have to be manually defined in a website's configuration file, web.config. It is not possible to configure URL Rewrite rules via the hosting control panel.

1. Download your website's web.config file and make a backup of the file. You can do this either via FTP or the file manager in the hosting control (Hosting Control Panel > Hosting Space > File Manager)

2. Amend your web.config file by inserting the following URL Rewrite rule. Be careful when editing a web.config file as it is an XML file and so the various values are case sensitive.

If your web.config does not contain the section, see the example below on how the web.config should be constructed.

<rule name="HTTP to HTTPS" stopProcessing="true">
	<match url="(.*)" />
	<conditions>
		<add input="{HTTPS}" pattern="^OFF$" />
	</conditions>
	<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>

3. Upload the altered web.config file and then visit your website to force the loading of the new setting. If there is a problem with your web.config (incorrect formatting or case etc), you will receive an HTTP 500 error.

Example

The following sample web.config includes two rules: The rule defined in this article and another rule that redirects HTTP requests (i.e. non secure) to an equivalent HTTPS (SSL secure) address. As indicated above, the SSLFORFREE rule should be the first defined rule to avoid unwanted behaviour. This is relevant in this example as the 2nd rule would redirect any requests to an HTTPS address.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
		<caching enabled="false" enableKernelCache="false" />
		<rewrite>
            <rules>
				<clear />
                <rule name="HTTP to HTTPS" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
                </rule>
            </rules>
        </rewrite>
        <directoryBrowse enabled="false" />
        <defaultDocument>
            <files>
                <clear />
                <add value="Default.htm" />
                <add value="Default.asp" />
                <add value="index.htm" />
                <add value="index.html" />
                <add value="iisstart.htm" />
                <add value="index.php" />
                <add value="default.aspx" />
            </files>
        </defaultDocument>
        <httpErrors errorMode="Off" existingResponse="Auto" />
    </system.webServer>
</configuration>
     
Copyright © 2011 - 2024 Calzada Media Limited. All Rights Reserved