Tips and Resources

Automatically forward HTTP to HTTPS on IIS Windows Server

Guide for setting up IIS to automatically redirect HTTP to HTTPS. 

In this post, I'm setting up an existing internal IIS webserver without https support to accept secure https connections and to automatically forward requests for the insecure http site to https.

Install SSL certificate

The first step is to obtain a TLS (SSL) certificate for your site's host name. You can buy one from a commercial certificate authority, or get one free from Let's Encrypt (https://letsencrypt.org/). Either way, the certificate's subject or Subject Alternative Name list must cover the exact host name users will type, otherwise browsers will warn. Once you've got the certificate, import it together with its private key (usually shipped as a .pfx file) into the Personal store of the Local Computer on the webserver. A certificate imported without its private key will import fine but will never show up in IIS's SSL certificate list.

On your IIS server, press Win+R to open a run box. In the Open box, type mmc and click OK.

In the console window that appears, click File -> Add/Remove Snap-in...

In the Available snap-ins: list, click Certificates and click Add. In the Certificate snap-in popup window choose Computer Account and click Next. Choose Local computer and click Finish.

Back on the Add or Remove Snap-ins window, click OK.

Expand the Certificates item in the list, right click Personal and choose All Tasks -> Import...

Once the Certificate Import Wizard pops up, click Next

Click Browse and choose the certificate file provided by your certificate issuer - Note this may be a .pfx file which isn't shown by default in the Open dialog box. Click Open. Back on the Certificate Import Wizard window, click Next.

If your certificate is password protected, enter the password and click Next.

Choose Place all certificates in the following store and choose Personal. Click Next. Click Finish. Click OK on the success message.
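The same import can be done from an elevated PowerShell prompt on the IIS server, which also lets you check up front that the certificate is usable by IIS. This is an added example, not part of the original post; the .pfx path and the host name are assumptions you should replace with your own.

```powershell
# Added example: import the issuer's .pfx into the Local Computer Personal store and
# verify it has what IIS needs. Run in an elevated PowerShell on the IIS server.
$pfxPath  = 'C:\certs\www.example.com.pfx'   # assumed path to the file from your issuer
$hostName = 'www.example.com'                # assumed public host name of the site

# Prompt for the .pfx password rather than embedding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Cert:\LocalMachine\My is the "Personal" store of the Local Computer account,
# which is the store IIS reads server certificates from.
$cert = Import-PfxCertificate -FilePath $pfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword

# IIS only offers certificates that have a private key, so check that first.
if (-not $cert.HasPrivateKey) {
    throw "Imported $($cert.Thumbprint) but it has no private key; export the .pfx again including the key."
}

# The certificate must cover the exact name users will type, or browsers will warn.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $hostName) {
    throw "Certificate covers [$($names -join ', ')] but not $hostName."
}

# Flag a certificate that is about to expire before it surprises you.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)."
}

"Imported {0} (thumbprint {1}), valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

The thumbprint printed at the end is what you will see in the SSL certificate pull-down in IIS Manager (or use to bind the certificate from PowerShell), so it's worth noting it down.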

Add Bindings for HTTPS

Once the certificate has been installed into the Personal certificate store, it's time to enable https access to your site.

Click Start and type IIS. Click Internet Information Services (IIS) Manager.

Expand the list of sites and right click your site. Choose Edit Bindings.

On the Site Bindings window that pops up, click Add.

On the Add Site Binding window, choose https from the Type pull-down. Leave the IP address field as All Unassigned and the Port as 443. If this server serves only one website, leave the Host name field blank. Otherwise, enter the host name of this website and tick Require Server Name Indication (SNI), which lets IIS pick the right certificate for each host name sharing port 443; leave the other tick boxes unticked. Choose the certificate you imported earlier in the SSL certificate pull-down box. If your certificate isn't in the list, it was most likely imported without its private key, so re-import it from the .pfx. Click OK.

Once that's done, your website should now work on https! Try to navigate to it explicitly using https:// in the address - it should load up as expected.
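The binding can also be created and checked from PowerShell with the WebAdministration module, which is handy when you have several servers to configure. This is an added example, not part of the original post; the site name and host name are assumptions. For a single-site server set $hostName to an empty string, which mirrors leaving Host name blank and not ticking SNI in the dialog.

```powershell
# Added example: create the https binding and attach the imported certificate.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumed IIS site name
$hostName = 'www.example.com'    # assumed public host name; use '' on a single-site server

# Pick the newest certificate in the Personal store that has a private key and covers the host name.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey -and (-not $hostName -or ($_.DnsNameList.Unicode -contains $hostName)) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate for '$hostName' in Cert:\LocalMachine\My" }

# Build the binding lookup: host header only when we have one.
$bindParams = @{ Name = $siteName; Protocol = 'https'; Port = 443 }
if ($hostName) { $bindParams.HostHeader = $hostName }

# Create the binding if it is not already there. SslFlags 1 = Require Server Name Indication,
# which is what lets IIS choose a certificate per host name on a shared port 443.
if (-not (Get-WebBinding @bindParams)) {
    $newParams = $bindParams + @{ IPAddress = '*' }   # '*' is "All Unassigned" in IIS Manager
    if ($hostName) { $newParams.SslFlags = 1 }
    New-WebBinding @newParams
}

# Attach the certificate. 'My' is the store name behind Cert:\LocalMachine\My.
$binding = Get-WebBinding @bindParams | Select-Object -First 1
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Verify: the SSL binding list should now reference the certificate thumbprint.
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
```

If the final listing is empty, the binding exists but has no certificate attached, which is exactly the state that produces a connection reset rather than a page when you browse to https://.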

Rewrite HTTP to HTTPS 

Now that you've tested that the site works over https, the next step is to install the URL Rewrite module on the IIS server. The rewrite rule you'll create sends visitors who arrive over plain http to the same path on the https site, whatever URL they used to open it.

On the IIS server, download urlrewrite2.exe from https://www.iis.net/downloads/microsoft/url-rewrite. Run urlrewrite2.exe and install the URL Rewrite 2.1 module when prompted.

After the install is complete, open Internet Information Services (IIS) Manager, navigate to the site you wish to set up the redirection on, and double click the URL Rewrite module.

In the top right corner of the window click Add Rule(s)... Under Inbound rules, click Blank rule.

On the Edit Inbound Rule page add the following details:

  • Name: Redirect to HTTPS

In the match URL section:

  • Ensure the Requested URL pulldown shows Matches the Pattern
  • Ensure the Using pulldown shows Regular Expressions
  • In the Pattern field, enter (.*)
  • Ensure the Ignore case field is ticked

Pulldown the Conditions section and click Add

  • In the Conditions input field, enter {HTTPS}
  • Ensure the Check if input string pulldown shows Matches the Pattern
  • In the Pattern field, enter OFF
  • Ensure the Ignore case field is ticked
  • Click OK to add the rule

Leave the Server Variables section blank

In the Action section

  • Change the Action type to Redirect
  • In the Redirect URL field enter https://{HTTP_HOST}{REQUEST_URI}
  • Untick the Append query string tick box ({REQUEST_URI} already carries the query string, so leaving this ticked would duplicate it)
  • Set the Redirect type to Permanent (301). Browsers cache 301 responses, so if you want room to roll back while testing, use Temporary (307) first and switch to Permanent once you're happy.

In the top right corner of the window, click Apply.

Clicking Apply writes the rule into the Web.config file in the root folder of the website (right click the site in the left hand column of the IIS window and choose Explore to open that folder).

Open Web.config with a text editor (like Notepad) and you'll find the rule inside the <system.webServer> element, alongside whatever other settings the site already had:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- stopProcessing: once this rule fires, no later rule is evaluated -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "ON" for requests that arrived over TLS, "OFF" otherwise -->
            <add input="{HTTPS}" pattern="OFF" />
          </conditions>
          <!-- {REQUEST_URI} already includes the path and query string -->
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Once that's done, requests for your site over http should be redirected to https automatically. Test it by opening your site using the full URL including http://, ideally with a path and a query string so you can confirm they survive the redirect, and verify that you land on the https:// version of the same page.
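The same rule can be written with the WebAdministration cmdlets, and the redirect is easier to verify from a script than from a browser, because a script can inspect the 301 itself instead of silently following it. This is an added example, not part of the original post; the site name and the test URL are assumptions, and the URL Rewrite module must already be installed.

```powershell
# Added example: create the "Redirect to HTTPS" rule from PowerShell (equivalent to the
# IIS Manager steps above) and then check the redirect without following it.
Import-Module WebAdministration

$siteName = 'Default Web Site'            # assumed IIS site name
$sitePath = "IIS:\Sites\$siteName"
$ruleName = 'Redirect to HTTPS'
$rulePath = "system.webServer/rewrite/rules/rule[@name='$ruleName']"

# Only create the rule if it is not already there, so re-running the script is harmless.
if (-not (Get-WebConfiguration -PSPath $sitePath -Filter $rulePath)) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/rewrite/rules' -Name '.' `
        -Value @{ name = $ruleName; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rulePath/match" -Name 'url' -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $sitePath -Filter "$rulePath/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'OFF' }
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rulePath/action" -Name 'type' -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rulePath/action" -Name 'url' -Value 'https://{HTTP_HOST}{REQUEST_URI}'
    # {REQUEST_URI} already carries the query string, so do not append it a second time.
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rulePath/action" -Name 'appendQueryString' -Value 'False'
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rulePath/action" -Name 'redirectType' -Value 'Permanent'
}

# A plain-http request for a path with a query string must come back as 301 with a Location
# header pointing at the same path and query over https. AllowAutoRedirect=false makes .NET
# hand us the 301 instead of following it (3xx responses do not throw in that mode).
function Test-HttpsRedirect {
    param([string]$HttpUrl)
    $req = [System.Net.WebRequest]::Create($HttpUrl)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    try {
        [int]$status = $resp.StatusCode
        $location   = $resp.Headers['Location']
    } finally { $resp.Close() }

    $expected = 'https://' + $HttpUrl.Substring('http://'.Length)
    if ($status -ne 301 -or $location -ne $expected) {
        throw "Expected 301 -> $expected, got $status -> $location"
    }
    "OK: $HttpUrl -> $location ($status)"
}

Test-HttpsRedirect -HttpUrl 'http://www.example.com/some/page?id=42'   # assumed host name and path
```

If the check reports a Location ending in ?id=42?id=42 the query string is being appended twice, which is the symptom of leaving Append query string ticked; if it reports 302 or 307 the rule was saved with a non-permanent redirect type.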

Redirect local devices to the local network IP

You may find that after setting up IIS for https access, you receive error messages / block pages in your browser when trying to access your webserver using its internal address (either hostname or IP address), such as Your connection is not private or Warning: Potential Security Risk Ahead. This is because your certificate is only valid for the names listed in it, which will be your external, public facing domain name. When you access the site internally, the webserver serves up a certificate for the public name, which doesn't match the address you typed, so the browser shows a privacy/risk warning. This is the browser doing its job: a certificate that matched any name would be worthless, so the fix is to make the internal address match the certificate rather than to click through the warning.

Depending on how your internal network DNS and public name server(s) are set up, you may also find that you can't reach your website via its external DNS name from inside the network (for example because your router doesn't support hairpin NAT). To work around both problems, you can add a zone to your internal DNS server so that devices inside your network resolve the public host name to the internal IP address of the webserver.

Assuming you use Windows Server to handle your internal DNS, open DNS Manager and right click Forward Lookup Zones. Click New Zone...

The New Zone Wizard window will appear - click Next.

Choose Primary zone, leave Store the zone in Active Directory ticked (if the DNS server is a domain controller) and click Next.

Choose To all DNS servers running on domain controllers in this domain (or whichever replication scope suits your environment) and click Next.

Enter the full host name of the site's public URL, i.e. the www.example.com part of https://www.example.com/some/page (don't include the https:// or anything from the first forward slash / onward). Using the full host name as the zone name means only that one name is overridden internally; don't create a zone for the bare domain unless you are prepared to replicate every public record in it. Click Next.

Choose Allow only secure dynamic updates... and click Next. Click Finish.

Right Click the new forward lookup zone in the list and choose New Host (A or AAAA)...

In the New Host popup window, leave the Name field blank. Because the zone itself is the host name, the record sits at the zone apex and will be listed as (same as parent folder).

Enter the internal network IP address of the webserver into the IP Address field and click Add Host.

Now, when an internal network user accesses the web site using the public URL, they will be directed to the internal IP address of the webserver. As they are requesting the public host name, the certificate served by the webserver matches the name in the address bar and won't trigger a security warning. Note that this only helps devices that use your internal DNS server; anything pointed at a public resolver will still get the external address.
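The zone and record can be created with the DnsServer module instead of the wizard, and a script can immediately show both views of the name so you can see the split-horizon effect. This is an added example, not part of the original post; the host name, the internal address and the public resolver used for comparison are assumptions.

```powershell
# Added example: create the pinpoint zone and apex A record on the internal Windows DNS
# server, then confirm the name resolves differently inside and outside the network.
# Requires the DnsServer module (installed with the DNS role or RSAT DNS tools).
Import-Module DnsServer

$publicHost = 'www.example.com'   # assumed public host name of the site (becomes the zone name)
$internalIp = '10.0.0.25'         # assumed internal IP address of the IIS server
$publicDns  = '1.1.1.1'           # assumed public resolver, only used for the comparison below

# A zone named after the full host name overrides only that name; everything else under
# example.com keeps resolving through public DNS. Replication scope and secure dynamic
# updates match the choices made in the New Zone wizard above.
if (-not (Get-DnsServerZone -Name $publicHost -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $publicHost -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# An A record named '@' is the zone apex, i.e. the blank Name field in the New Host dialog.
$existing = Get-DnsServerResourceRecord -ZoneName $publicHost -Name '@' -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $publicHost -Name '@' -IPv4Address $internalIp
}

# Internal view: asking this DNS server must return the internal address.
$internal = Resolve-DnsName -Name $publicHost -Type A -Server '127.0.0.1' -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }
if ($internal.IPAddress -ne $internalIp) {
    throw "Expected $internalIp from the internal server, got $($internal.IPAddress)"
}
"$publicHost -> $($internal.IPAddress) (internal DNS)"

# External view: a public resolver still returns the address your public name servers publish.
$external = Resolve-DnsName -Name $publicHost -Type A -Server $publicDns -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }
"$publicHost -> $($external.IPAddress) (public DNS)"
```

If the internal lookup still returns the public address, check that the client you are testing from actually uses this server (ipconfig /all) and flush its resolver cache (ipconfig /flushdns) before retrying.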

References

https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference

https://serverfault.com/questions/893315/best-way-to-redirect-all-http-to-https-in-iis

https://stackoverflow.com/questions/21009834/installed-ssl-certificate-in-certificate-store-but-its-not-in-iis-certificate

https://www.digicert.com/kb/util/ssl-certificate-configuration-iis-8.htm

https://www.iis.net/downloads/microsoft/url-rewrite