So you have been using SSL on your IIS 7.5 or greater server for some time now; to get here you had to do a few things:
- You scrubbed your site content to ensure all URLs use their relative form, e.g. “src='//images/image.png'”, or explicitly reference HTTPS.
- You have tested for certificate and SSL-related problems such as mixed content, and have appropriately tagged cookies as secure.
- You have ensured that you follow the best practices guidance for SSL server configuration and verified you get an A on SSL Labs.
Are you done? Not yet. There are a few things left for you to do, the most obvious being redirecting all traffic to the SSL version of your site!
This is easy enough to accomplish, but before you do so you should monitor your CPU usage during your peak period to ensure you have some headroom. This isn’t likely to be a problem, as most web servers are not CPU bound, but it’s always good to check.
Once you know you are OK, it’s just a matter of deciding which approach to use. You have two choices:
- Dynamically rewriting via code in your ASPX pages
- Using the IIS URL Rewrite module
If you are familiar with the IIS configuration you’re probably asking yourself, what about the “Require secure channel (SSL)” option in the IIS MMC? Unfortunately this option doesn’t redirect; it only requires the use of SSL on a given site/folder/file.
So how do you decide which approach to use? The answer depends on both your environment and personal preference.
For example, if 100% of your site is ASPX based (no static HTML), your code is structured so that there is a common include, and you are not already using the URL Rewrite module, I would use method one based on KB239875.
I suspect that these conditions will not be met for most people, so let’s focus on method two, using the URL Rewrite module.
This approach has a number of benefits. For one, having this module allows you to use remapping for other purposes as well, for example maintaining old links that have SEO value. From a security standpoint it’s also a good approach, as it keeps this decision one of policy that is enforced in a central place.
To use the URL rewrite approach you will need to do the following:
1. Install the URL Rewrite module (x86, x64).
2. Add a rule to rewrite all HTTP URLs to HTTPS.
   a. Open your “web.config” with your favorite editor.
   b. Find the “configuration\system.webServer\rewrite\rules” section.
   c. Add the following text block:

        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>

3. Restart IIS.
Now just go to your website over HTTP and you will see you are redirected to the HTTPS instance of the site.
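
To confirm the rule from step 2 is actually in place on a given site, its web.config can be audited offline. The script below is an added example, not part of the original post: the function name, the findings text and the embedded sample config are constructed for illustration, and Python's regex engine stands in for the module's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal web.config holding the rule from the article.
SAMPLE_WEB_CONFIG = """
<configuration><system.webServer><rewrite><rules>
  <rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
  </rule>
</rules></rewrite></system.webServer></configuration>
"""

def _matches(pattern, value):
    # URL Rewrite patterns ignore case by default (ignoreCase="true");
    # Python's re approximates the module's regex engine for simple patterns.
    return re.search(pattern, value, re.IGNORECASE) is not None

def audit_https_redirect(web_config_xml):
    """Return a list of findings; an empty list means the redirect rule looks sound."""
    root = ET.fromstring(web_config_xml.strip())
    rules = root.findall("./system.webServer/rewrite/rules/rule")
    for index, rule in enumerate(rules):
        action = rule.find("action")
        if action is None or action.get("type") != "Redirect":
            continue
        if not action.get("url", "").lower().startswith("https://"):
            continue
        findings = []
        if rule.get("enabled", "true").lower() == "false":
            findings.append("rule is disabled")
        if index != 0:
            findings.append("rule is not first; an earlier rule may handle the request")
        match = rule.find("match")
        if match is None or not all(_matches(match.get("url", ""), p) for p in ("", "a/b.aspx")):
            findings.append("match url does not cover every path")
        guards = [c.get("pattern", "") for c in rule.findall("conditions/add")
                  if c.get("input") == "{HTTPS}"]
        if not any(_matches(g, "off") and not _matches(g, "on") for g in guards):
            findings.append("no {HTTPS}=off condition; HTTPS requests would loop")
        # Assumption: a missing redirectType is treated as Permanent here.
        if action.get("redirectType", "Permanent") != "Permanent":
            findings.append("redirect is not permanent (301)")
        return findings
    return ["no rule redirects to https://"]

if __name__ == "__main__":
    print(audit_https_redirect(SAMPLE_WEB_CONFIG) or "OK")
```

An empty result means the first rewrite rule sends every plain-HTTP path to HTTPS with a permanent redirect; each finding names one way the copied rule was altered or pre-empted.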
Ryan