Is there a clean way to redirect all attempts to go to an HTTP:// version of a site to its HTTPS:// equivalent?
I think by 'cleanly' you mean like with a 300 redirect. Config for a lot of servers & languages here.
The easiest and cleanest solution I found was to:
In SSL Settings -> require SSL
In Error Pages -> On 403.4 error -> Redirect to the HTTPS site
In Error Pages -> Edit Features Settings... -> Set Detailed errors for local requests and custom error pages for remote requests
The benefit is that it requires no extra lines of code. The downside is that it redirects you to an absolute URL.
A clean way changes only the URL scheme from http -> https and leaves everything else equivalent. It should be server-side so that there are no browser issues.
JPPinto.com has step-by-step instructions on how this is done, except that they use JavaScript (HttpRedirect.htm) instead of a server-side redirect. For some reason, I couldn't get IE to run the JavaScript if you have ‘Show friendly HTTP error messages’ enabled, which is on by default. Another thing with the script is that redirection to path didn't work even in FF or Chrome. The script always redirects to root. (Maybe I have missed something, because it should redirect to path.)
For these reasons I have used an ASP page for the redirect. The downside is of course that this requires classic ASP to be enabled on the server.
OpsanBlog has an ASP script and instructions that work well with IIS6.
I've had a few issues using this method with IIS7. User interface issues mostly, since IIS7 makes it really easy to miss something.
IIS manager should show the file name in the header.
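I use classic ASP (intranet) and on pages that require login the logon include file does the redirect:
' Redirect to HTTPS when the request did not arrive over a secure connection.
if Request.ServerVariables("SERVER_PORT_SECURE") <> "1" or Request.ServerVariables("HTTPS") <> "on" then
    ' SERVER_NAME and URL give the host and path only; the query string is not carried over.
    Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("URL")
end if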
This of course does not include GET or POST data. So in effect it's a clean redirect to your secured page.
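Global.asax
protected void Application_BeginRequest()
{
    // Redirect plain HTTP to HTTPS, except on the loopback host (local development).
    // IsLoopback tests the host only, not "localhost" anywhere in the URL.
    if (!Context.Request.Url.IsLoopback && !Context.Request.IsSecureConnection)
    {
        // Change only the scheme; Replace("http:", ...) would also rewrite the query string.
        Response.Redirect("https://" + Context.Request.Url.Authority + Context.Request.Url.PathAndQuery);
    }
}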
I think the cleanest way is as described here on IIS-aid.com. It's web.config only and so if you change server you don't have to remember all the steps you went through with the 403.4 custom error page or other special permissions, it just works.
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
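
The approaches in this thread differ in what survives the redirect (path, query string, status code). The following check is an added example, not part of any answer above: it compares a request URL with the `Location` header it got back and lists every way the redirect differs from a scheme-only change. The host name, the sample responses and the choice to flag a non-permanent status (taken from the rule's `redirectType="Permanent"`) are assumptions.

```python
from urllib.parse import urlsplit

def redirect_findings(request_url, status, location):
    """List how a response differs from a permanent, scheme-only redirect."""
    if status not in range(300, 400) or not location:
        return ["not a redirect"]
    req, loc = urlsplit(request_url), urlsplit(location)
    findings = []
    if status not in (301, 308):
        findings.append("status %d is not permanent" % status)
    if loc.scheme != "https":
        findings.append("target scheme is not https")
    # Compare host names only: the port legitimately changes (80 -> 443).
    if loc.hostname != req.hostname:
        findings.append("host changed")
    if (loc.path or "/") != (req.path or "/"):
        findings.append("path changed")
    if loc.query != req.query:
        findings.append("query string changed")
    return findings

# Constructed request and responses (hypothetical host), shaped like the
# behaviour each answer describes; not captured from a real server.
REQUEST = "http://intranet.example/reports/q3?year=2012"
SAMPLES = {
    "403.4 error page to a fixed URL": (302, "https://intranet.example/"),
    "classic ASP SERVER_NAME + URL": (302, "https://intranet.example/reports/q3"),
    "rewrite rule, redirectType=Permanent": (301, "https://intranet.example/reports/q3?year=2012"),
}

def check_samples():
    """Run the check over every constructed sample."""
    return {name: redirect_findings(REQUEST, status, loc)
            for name, (status, loc) in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(name, "->", findings or "clean")
```

To check a live site, pass in the status and `Location` header from a request made with redirect-following turned off.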