HTTP to HTTPS redirect using Ionic URL Rewriter

So, you have a site that needs to run over SSL-only (shouldn’t they all?)? You don’t trust your clients to type that ever-important “s” after “http” (and why would they?)? You think they will get scared off by those “Secure connection required” error pages (they will!)? You are not running IIS7 (who is?)? Not using ASP.NET?

In the past we accomplished this using a client-side redirect, by creating a custom 404.3 error page with a JavaScript redirect. This worked well, but what if your client systems won’t support JavaScript (i.e. it is a WebDAV connection)?

CodePlex to the rescue! The venerable “Ionic URL Rewrite” ISAPI filter has been updated, and published on CodePlex:
Thanks, Cheeso!

IIRF now supports the ability to return URL redirects, in addition to simple rewrites.  To use IIRF to redirect a non-SSL URL to a secure version, follow the installation instructions included with IIRF.  Then:

  • Stop your production IIS site from listening on port 80 and enforce SSL usage.
  • Make sure that the production site is not using host headers that would override your port settings.
  • Set up a secondary IIS site which listens on port 80 only.  Add the IIRF ISAPI filter to this site.

Here are some sample entries you could use in the IsapiRewrite4.ini configuration file to accomplish the redirect.  Note that [R] instead of [R=301] also works, but this performs a 302 “Temporary” redirect.  Conceptually I prefer a 301 (not that it matters because search crawlers are not hitting our Intranet sites):

# Following rule is activated if the incoming URL is not connecting to a secure port.
# Performs a Permanent Redirect (301) to the https version of the site if not secure.
RewriteCond %{SERVER_PORT_SECURE} ^0$
RedirectRule ^(.*)$ https://host.domain$1 [R=301]
# Following rule would do the same as above. I am not clear on the relative merits of
RewriteCond %{HTTPS} off
RedirectRule ^(.*)$ https://host.domain$1 [R=301]
# Yet another variation, this one simply checking the number of the port being used,
# with no validation on SSL vs. clear-text
RewriteCond %{SERVER_PORT} ^80$
RedirectRule ^(.*)$ https://host.domain$1 [R=301]
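
To confirm the port-80 site behaves as configured, this added example (not from the original post or from IIRF) requests a URL over plain HTTP without following the redirect and checks for a 301 whose Location is the https URL on host.domain. The names check_redirect and make_stub, the local stand-in server, and the expectation that path and query string are carried over are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

EXPECTED_HOST = "host.domain"  # placeholder host used in the sample rules

def check_redirect(host, port, path, expected_host=EXPECTED_HOST):
    """GET path over plain HTTP, do not follow the redirect, list any problems."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": expected_host})
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location", "")
    finally:
        conn.close()
    problems = []
    if status != 301:  # a bare [R] would show up here as 302
        problems.append(f"status {status}, expected 301")
    target, sent = urlsplit(location), urlsplit(path)
    if target.scheme != "https":
        problems.append(f"Location scheme {target.scheme!r}, expected 'https'")
    if target.netloc != expected_host:
        problems.append(f"Location host {target.netloc!r}, expected {expected_host!r}")
    if (target.path, target.query) != (sent.path, sent.query):
        problems.append("path or query string not preserved")
    return problems

def make_stub(status):
    """Constructed stand-in for the port-80 site (hypothetical, not IIRF itself)."""
    class Stub(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.send_header("Location", f"https://{EXPECTED_HOST}{self.path}")
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for code in (301, 302):
        stub = make_stub(code)
        print(code, check_redirect("127.0.0.1", stub.server_address[1], "/app/page.asp?id=7"))
        stub.shutdown()
```

Against the real secondary site, call check_redirect with the server's address and port 80; an empty list means the redirect matches the [R=301] rule.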
