Redirect pages to HTTPS in IIS

Some times there is a need for clients to have only particular pages protected by and SSL Cert. which means we need to create a redirect to HTTPS, this could be done on the page level through the code, but there is a better way, via IIS, let me show you how.

First thing is first ensure you have installed your  valid SSL onto your IIS Server, once its installed you should be able to view the certificate, and will look something like this:

image

 

Next you need to select which files or folders you want to have protected with your SSL, in other words which pages do you need to be HTTPS:// on, in this case I have selected the ‘login’ folder on my website, within IIS locate the folder or file right click on it and choose ‘Properties’ .

If you selected a folder look for the ‘Directory Security’ Tab

If you selected a file look for the ‘File Security’ Tab.

Select the appropriate tab, toward the bottom within the ‘Secure Communications’ you will see an ‘Edit’ button click this, you will then be prompted with a pop-up box with some additional options, here you will notice that ‘Require secure channel (SSL)’ and ‘Require 128-bit encryption’ are not ticked, tick both of these options, then press OK. And Ok once more.

image

 

Because all requests to the folder or file you have set now MUST use HTTPS, people by default will get a  generic IIS 403.4 error, to prevent this error and redirect the user to the HTTPS link you must perform a redirect. IIS can do this for you.

clip_image002

Above we show the HTTP errors that IIS contains, change the highlighted one to use a custom script for redirection to HTTPS:

I have called mine RedirectSSL.Htm and replaced the default 403.4.htm with the custom error.

Note: The above custom error should be set at the website level

Ensure the custom error has the following contents

<SCRIPT type=text/javascript>
<!–
if (location.protocol != ‘https:’)
{
window.location = ‘https://’+ location.host + location.pathname + location.search;
//alert(location.host + location.pathname + location.search); Just for sanity check
}
// –>
</SCRIPT>

This script will change your URL to add the HTTPS prefix, by using this as your landing page for the error 403.4 the user will be re-directed to the URL with HTTPS in front forcing them to use your SSL.

This entry was posted on Wednesday, October 21st, 2009 at 11:16 am . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply