Pro Tip: Force HTTPS in IIS7

I recently ran into a situation the other day where a vendor requested that traffic from visitors be required to use HTTPS. Since most users don’t make a habit of knowing when (or that they have to) type https: in the browser to establish a secure connection, this seemed like a logical enough request. My first reaction was to simply drop a file on the server that would redirect the traffic to the https: site, but then I realized that method wouldn’t work, since we’re trying to change protocols, not content.

I did some quick Googling and the Internet seemed to suggest a fix that was roughly along the lines of my initial idea, by using a page to forcibly redirect the browser to the secure site. However, many of the fixes I ran across seem to rely on JavaScript, which more paranoid browsers or plugins might disable. Something server-side could work, but if you don’t know how to write in ASP.NET, there is an easier way.

The fix:
Getting this to work is a two-step process.

First, we have to configure the website to use SSL only and ignore or deny regular HTTP requests. Easy enough. Fire up your IIS Manager, navigate to the website you’re working with, and double-click on the SSL Settings option under your IIS settings. Check the box to require SSL, and then click Apply over on the right. You’ll note that if you now attempt to go to your website over plain http:, you get a 403 Forbidden reply.

Second, double-click on the Error Pages option under your IIS settings, and then double-click on the 403 entry. The last option you should see at the bottom of the window that pops up is to reply with a 302 Redirect response. Just select that radio button and fill in the complete address, with https:, to enable the redirection. Switch to your browser, test it again, and you should find yourself automatically redirected.
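The "test it again" step can also be scripted. The following is an added example, not part of the original post: it sends one plain-HTTP request without following redirects and reports which of the two steps has taken effect. The function names, verdict strings, `www.example.com` and the local stub server standing in for the site are assumptions of this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def classify(status, location):
    """Verdict for a response to a plain-HTTP request (names are this example's own)."""
    if status == 403:
        return "ssl-required-no-redirect"      # step 1 applied, step 2 missing
    if status in (301, 302, 303, 307, 308):
        if location and urlsplit(location).scheme.lower() == "https":
            return "redirects-to-https"        # the result both steps should give
        return "redirects-without-https"       # address entered without https:
    if 200 <= status < 300:
        return "served-over-http"              # Require SSL is not in effect
    return "unexpected"

def check_http(host, port=80, path="/", timeout=5):
    """Send one GET over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        return classify(resp.status, location), resp.status, location
    finally:
        conn.close()

def start_stub(status, location=None):
    """Constructed local stand-in for the site, so the check runs offline."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):          # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for status, loc in [(403, None), (302, "https://www.example.com/"), (200, None)]:
        stub = start_stub(status, loc)
        print(check_http("127.0.0.1", stub.server_address[1]))
        stub.shutdown()
```

Against a real site, call `check_http` with the site's host name and read the first element of the returned tuple.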

I’m not entirely sure if this works in versions of IIS below 7.5. I’ll update as I find that out.


Comments

One response to “Pro Tip: Force HTTPS in IIS7”

  1. Joe

    Method 1 outlined in the following url seems to be the most elegant approach that I’ve seen.

    http://www.sslshopper.com/iis7-redirect-http-to-https.html
