Forcing HTTPS in IIS 6.0

Posted by Nick Linnell on June 28, 2007

We don’t seem to do much with IIS now, which I am very thankful for, but every now and again I have to dive back into that scary world. Today I had to force a site to use HTTPS instead of HTTP, a task that is nice and easy in Apache but seems to be something of a complex issue for IIS.

The first thing needed to redirect HTTP to HTTPS is a script that will redirect your pages to the secure channel. I found a script written by Dagar in Michael Coates’s blog post on this subject which worked well for me, thanks Dagar:

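<SCRIPT type="text/javascript">
<!--
// Served as the 403.4 custom error page: if the page was reached over plain
// HTTP, reload the same host, path and query string over HTTPS.
if (location.protocol != 'https:')
{
    window.location = 'https://' + location.host + location.pathname + location.search;
    //alert(location.host + location.pathname + location.search); // Just for sanity check
}
// -->
</SCRIPT>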

Save this as something like ssl_redirect.html on your webserver. I wanted to use this script for more than one site, and for the redirect to work correctly it needs to be available at a relative path in each site, so add the directory the script is located in to your site as a virtual directory:
  1. Right click on the site root and choose New>Virtual Directory…
  2. Follow the wizard and create an alias of ssl_redirect
  3. Choose the path to the directory where the redirect script is located
Set the root of the site to require HTTPS:
  1. Right click on the site root again and choose Properties
  2. Click the Directory Security tab
  3. In the Secure Communications section, select Edit
  4. Turn on Require secure channel (SSL)
This now makes your site only available on HTTPS and will return a 403.4 (Forbidden – SSL required) if you try and connect to it using HTTP. To fix this we need to point this error to our redirect script, back in site root properties:
  1. Click the Custom Errors tab
  2. Look down the list of error messages and select the 403;4 error
  3. Click Edit
  4. Change the Message Type to URL
  5. Enter the relative path to the redirect script, for me it was /ssl_redirect/ssl_redirect.html
  6. Click OK and close the properties dialog box
The last thing to do is to remove the inherited Require secure channel property from the redirect script:
  1. Navigate to the redirect script in IIS
  2. Right click and choose Properties
  3. Click the File Security tab
  4. In the Secure Communications section, select Edit
  5. Turn off Require secure channel (SSL)

This allows the script to be run with HTTP. Now when a page is accessed using HTTP the script will run and redirect the page using HTTPS.
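
A check for the finished setup, as an added example that is not part of the original post: it classifies what a plain-HTTP request to the site returned, separating the script redirect described above (which only clients that run JavaScript will follow) from a server-side redirect, a bare 403.4, and content still served over HTTP. The `{ status, headers, body }` input shape, the category names and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: classify the response to a plain-HTTP request.
// Input shape { status, headers, body } is an assumption of this sketch;
// header names are expected in lower case.
function classifyHttpResponse(res) {
  const status = res.status;
  const headers = res.headers || {};
  const body = res.body || '';
  const location = headers['location'] || '';
  const is3xx = status >= 300 && status < 400;

  // Server-side redirect to HTTPS: followed by any client, no script needed.
  if (is3xx && /^https:\/\//i.test(location)) return 'server-redirect';
  // A 3xx that stays on http:// does not move the client to TLS.
  if (is3xx) return 'redirect-not-https';

  // Script redirect as in ssl_redirect.html: the body tests location.protocol
  // and assigns an https:// URL. Matched on the body alone, whatever the status.
  const testsProtocol = /location\.protocol\s*!==?\s*['"]https:['"]/.test(body);
  const assignsHttps = /location(\.href)?\s*=\s*['"]https:\/\//.test(body);
  if (testsProtocol && assignsHttps) return 'script-redirect';

  // SSL is required, but the custom error page is not wired to the script.
  if (status === 403) return 'blocked-no-redirect';
  // A 2xx without any redirect means content is still served over HTTP.
  if (status >= 200 && status < 300) return 'served-over-http';
  return 'unknown';
}

// Constructed sample responses (status codes here are illustrative, not a
// claim about what IIS sends for a custom error page).
const SAMPLES = {
  scriptPage: { status: 403, headers: { 'content-type': 'text/html' },
    body: "<script>if (location.protocol != 'https:') { window.location = " +
          "'https://' + location.host + location.pathname + location.search; }</script>" },
  bare403: { status: 403, headers: {}, body: '403.4 Forbidden - SSL required' },
  serverRedirect: { status: 301, headers: { location: 'https://www.example.test/' }, body: '' },
  httpRedirect: { status: 302, headers: { location: 'http://www.example.test/login' }, body: '' },
  plain: { status: 200, headers: {}, body: '<html>welcome</html>' },
};

for (const [name, res] of Object.entries(SAMPLES)) {
  console.log(name, '->', classifyHttpResponse(res));
}
```

To use it against a live site, fetch the `http://` URL with redirects not followed and pass in the status, lower-cased headers and body text.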

6 comments

  1. B.Prakash commented on November 19, 2007 at 11:15 AM

    Very Nice…Thx

  2. Steve commented on January 02, 2008 at 09:15 PM

    tried for over an hour with no luck… I was trying to force bookmarks to SSL, but this didn’t work

  3. Eric commented on March 05, 2008 at 12:46 PM

    It is working great. Thanks for it.

  4. Dynamics commented on July 04, 2008 at 11:06 AM

    Is there some forcing code for Firefox?

  5. Ricomyer commented on July 10, 2008 at 07:27 PM

    I was unable to get Message Type of URL to work, but it worked with File, using a .asp javascript file for IE. I then had to change the .asp to a .html file and both IE and Firefox were happy.

  6. Mythili commented on July 28, 2008 at 02:56 PM

    I tried this as is and it did not work for me. Is there something else I need to do? Please help