Showing posts with label HTTP to HTTPS redirects on IIS 7.x and higher. Show all posts
Showing posts with label HTTP to HTTPS redirects on IIS 7.x and higher. Show all posts

Redirect from HTTP to HTTPS using the IIS URL Rewrite module

A production deployment of SharePoint 2013 or 2016 should ensure that all HTTP traffic is encrypted in transit, however many users will still type http:// in their browser or have links that point to http:// instead of  https://. In these cases it can beneficial to automatically redirect users to the proper URL. One way of accomplishing this is the URL Rewrite module for IIS.

Key Terms

Rewrite - Modifies the incoming URL, the outgoing URL, or both.
Redirection - Uses HTTP status codes such as 301 or 302 to redirect the client to a different location. This involves an additional client round trip.

Supportability for SharePoint

The support for redirects and rewrites with SharePoint is documented in KB2818415. Since a HTTP 301/302 redirect to inform the browser of the updated URL is the preferred option for SharePoint, that will be the focus of this post. Please note that 301/302 redirects may not work with Office client applications.

Uses for redirect

In most cases a redirect is used for one of two reasons:
  1. Redirecting the user from http to https to enforce SSL communication. When a SharePoint farm is load balanced this is typically done using the load balancer but it some cases can be done on the SharePoint server or another server running IIS by using the IIS URL Rewrite module
  2. Redirecting a user who has a stale URL, typically when the name is changed during a farm migration or upgrade. This can also be done using a load balancer or any IIS server by implementing the URL Rewrite module.

Step by Step Instructions for HTTP to HTTPS redirect

#1 Download the URL Rewrite tool by following the instructions here

#2 Ensure that the IIS site you are using is configured for the proper port 80 binding. In this case we are listening for all traffic on port 80. But you could restrict this based on host header as needed

image

#3 Create a new URL rewrite rule

clip_image001
clip_image002
clip_image003

#4 Configure Rule Settings Exactly as follows

clip_image001[5]
clip_image002[5]
clip_image003[5]
clip_image004
Note: In this example {HTTPS}, {HTTP_HOST}, and {REQUEST_URI} are all URL parts that can be accessed using the URL Rewrite module. More information on URL parts can be found here.

#5 Apply the rule

image

#6 From the top node disable and enable the rule (alternatively perform IISReset)

clip_image001[9]
clip_image002[9]

Note: web.config file modifications

The URL rewrite rules get written to the web.config file for the site you are working in. For example, the above configuration should result in this addition to the web.config file:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

 
   name="Redirect to http" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
    url="*" negate="false" />
    logicalGrouping="MatchAny">
     input="{HTTPS}" pattern="off" />
   
    type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />

Additional Resources

Supportability of Rewrite and Redirects with SharePoint 2007/2010/2013http://support.microsoft.com/kb/2818415

HTTP to HTTPS redirects on IIS 7.x and higher



This is the most common requirement on most of the Exchange servers hosted on IIS. The server admins configure an http to https redirect.
Today I will be discussing few ways of doing this. I will keep updating this document as I find more ways to do so. I am considering OWA as a sub application under IIS for all the below examples. Here is the structuring of the Web Site:
In this case, we want all the requests (both HTTP & HTTPS) to be redirected on HTTPS to the application called “OWA” under the Default Web Site.

Method 1: Using IIS URL Rewrite Module

For this you will have to install the URL Rewrite module. (FYI, this is available for IIS 7 and higher only.)
Once installed, the URL Rewrite module would be listed under IIS section. There are few articles out there on this. Here are few to list:
  1. http://www.sslshopper.com/iis7-redirect-http-to-https.html
  2. http://www.jppinto.com/2010/03/automatically-redirect-http-requests-to-https-on-iis7-using-url-rewrite-2-0/
These articles are definitely a great repository, however I observed that they have not addressed an important factor.
As specified in the above links add the below section in the web.config at the root of the site:
xml
version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <rewrite> <rules> <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true"> <match url="(.*)" /> <conditions logicalGrouping="MatchAny"> <add input="{SERVER_PORT_SECURE}" pattern="^0$" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" /> </rule> </rules> </rewrite> </system.webServer> </configuration>
view rawhttpsRedirectRule.xml hosted with ❤ by GitHub
In the above rule I’m checking whether the server variable “SERVER_PORT_SECURE” is set to 1 or 0. (I’m doing a permanent redirect in the above URL, it can be changed accordingly as per the requirement)
If you want to include the query string in the re-written url, then you can add appendQueryString=”true” under the action section.
You can find the complete list of IIS Server variables here: http://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx
SERVER_PORT_SECUREA string that contains either 0 or 1. If the request is being handled on the secure port, then this is 1. Otherwise, it is 0.
Alternatively, instead of the above server variable the following server variable “HTTPS” and “SERVER_PORT” can also be used correspondingly.

NOTE: Ensure the rewrite rule is disabled at each of the virtual directories/applications under the Default Web Site. Due to inheritance, the rule will cause the requests to end up in infinite loop calling itself repeatedly.

Method 2: Using IIS Default Document (a default.asp page)

In this method we will introduce a sample asp page at the root of the website and then add the following piece of code:
<%
If Request.ServerVariables("HTTPS") = "off" Then
Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & Request.ServerVariables("UNENCODED_URL")
ElseIf Request.ServerVariables("HTTPS") = "on" Then
Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & Request.ServerVariables("UNENCODED_URL")
End If
%>
view rawhttpsRedirect.vb hosted with ❤ by GitHub

Alternatively you could use the port numbers in the above code to achieve the same (ensure to change the port numbers as per the website configuration).

Method 3: Using IIS HTTP Redirect Module

This is one of the simplest methods, but has a lot of limitations and ideally not used. Here is how we do it:
PRE-REQUISITES: HTTP Redirect module is installed and the website has a valid HTTPS binding in place.
  • Launch the IIS Manager.
  • Go to the HTTP Redirect module.
  • Fill the details as per the requirement as shown below:
This may not be ideal for all the scenarios as the user is redirected to a specified URL.

NOTE: Ensure the enforced redirection is removed from each of the virtual directories/applications under the Default Web Site. Due to inheritance, the requests will end up in an endless loop, redirecting to itself repeatedly.
Also ensure Require SSL is not checked at the Root of the website under SSL Settings, this may cause to throw an error page to the users when the browse the site over HTTP. It can be enforced at the application level.
There is another way using custom error pages which has been documented here:
The author in the 2nd link claims that it doesn’t work on IIS 7.5 and higher versions due to updates in the configuration security.
I haven’t found the time to test and write it up and neither am I sure if the above actually works. Once I have tested I will add it up here.


Reference
https://blogs.msdn.microsoft.com/kaushal/2013/05/22/http-to-https-redirects-on-iis-7-x-and-higher/

Subscribe to: Posts (Atom)