Redirecting from http to https in IIS7

I was thinking to write an HttpModule for IIS7 and wanted a simple, useful and easily understandable scenario. Working with IIS customers for last 3 years one of those common scenario came into my mind, Redirecting http traffic to https. Although this is pretty straight forward requirement, till IIS6 it was difficult to achieve. Check the following KB 839357 (specifically for OWA scenario) which explains the cumbersome steps .

(If you are looking for same functionality in prior versions of IIS, find it at the bottom of this post)

HttpModules are not something new if you are an ASP.NET developer. But there are some differences. In IIS7 because of integrated pipeline, HttpModule applies to any request not just ASP.NET and that includes htm,jpg,asp,aspx,asmx,php,jsp...

So let us get into action (I'm using C# for this sample)

  1. Download and Install IIS7 Managed Module Starter Kit
    (Not really a requirement but it would make developing IIS7 modules easier)
  2. Rename the default class name created to "redir.cs" and rename project/solution/namespace to "http2https"
  3. Add the following code in "Init" method

    // register for the BeginRequest event
    application.BeginRequest += new EventHandler(OnBeginRequest);

  4. Add the following method to implement "BeginRequest" event

    //BeginRequest implementation
    public void OnBeginRequest(Object sender, EventArgs e)
    {
    HttpApplication app = (HttpApplication)sender;
    string HttpUrl = app.Request.Url.ToString();

    if (HttpUrl.StartsWith("http:"))                                       //Redirection done only if URL starts with http:
    {
       HttpUrl = HttpUrl.Replace("http:", "https:");
       app.Response.Redirect(HttpUrl.ToString(), true);      //Redirecting (http 302) to the same URL but with https
       app.Response.End();                                                   //We don't want to any further so end
    }
    }

  5. Make sure you have the following in your web.config inside configuration tag
    <system.webServer>
    <modules>
    <add name="redir" type="http2https.redir" />
    </modules>
    </system.webServer>

Your http to https redirection sample is ready!!!


How to deploy the HttpModule
There are multiple ways you can deploy this component (I'm assuming that it's being deployed for "default website")

Method 1
Create a folder called "App_Code" inside "%systemdrive%\inetpub\wwwroot"
Copy "redir.cs" file into "App_Code" folder
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"

Method 2
Create a folder called "bin" inside "%systemdrive%\inetpub\wwwroot"
Compile "redir.cs" into "redir.dll" and copy it into "bin" folder (to compile -> csc.exe /out:redir.dll /target:library redir.cs)
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"

If you open IIS7 UI and go to Modules you can see your HttpModule listed there.


Redirection options for prior versions of IIS below (you need to search for these)

- ASP.NET URL mapping capability (HttpContext.RewritePath)
- IIS v6.0 Resource Kit includes the UrlRemap tool
- IISRewrite
- ISAPI_Rewrite - includes a "lite" version available for free.
- Mod_Rewrite 2
- Ionic's ISAPI Rewrite Filter

5 Comments

  • Perhaps this is just picky but I've found that relying on the URL isn't always accurate. For example, I've (rarely) seen some people do http://domain.com:443 which is the same as https://domain.com. I've opted for the following server variable in the past. Is this variable emitted by IIS7?

    private static bool IsRequestSecure(HttpRequest request)
    {
    if ((String.Compare(request.ServerVariables["HTTPS"], "on", true, CultureInfo.InvariantCulture) == 0) |
    (request.IsSecureConnection))
    return true;
    else
    return false;
    }

  • Colin,

    Your implementation of SSL checking looks fool proof.

    But just another point, although 443 is a well defined port, you can host non-SSL site on 443 as well. So your mention of both url to be same is true in an ideal world only.

    Just FYI, from 3500+ customer I have worked with (in last 3yrs), haven't seen anyone using http://domain:443 for ssl. Secondly I also wanted to make my sample simple to understand.

    Thanks for your comment!

  • I agree with you Sukesh, it's not common for customer to type in http://domain:443 I think it would be easier actually to tell customers to just type in https://domain or https://subdomain.domain then adding the 443 port to the end there. &nbsp;But it's a good start. &nbsp;

  • Hi, I have the same problem. I'm using IIS 6.0. After moving from HTTP to HTTPs session have been dropped. Help me to resolve this problem. Thanks in advance.

    Vladimir

  • This was a sample code to show how easy it is to do a redirection as IIS7 custom module.

    Since now you have url rewrite component available, I would suggest to go that route.

    A sample rule is given here...
    http://www.iis-aid.com/articles/how_to_guides/redirect_http_to_https_iis_7

Comments have been disabled for this content.