locked
http to https redirect need a how to for IIS 7.0, currently getting endless loop

  • Question

  • User-1755612553 posted

    OK, moved static content driven website from iis 6.0 to iis 7.0. The site move was successful and all content is being served properly. We use an EV SSL Cert and need to have http to https redirection on the client side without the client noticing. This was easy enough for us to do in IIS 6.0, but we are having issues with basically IE endlessly looping on client machines when we attempt to implement this in IIS 7.0. Is there a specific FAQ to address this issue for IIS 7.0? We have searched and not had much luck.

    Friday, April 18, 2008 7:17 PM

Answers

All replies

  • User10285400 posted

    Can you send a snippet of your redirection settings?  Be sure that the target URL doesn't have any redirection settings set (perhaps for the server, site or the specific vdir). 

    Friday, April 18, 2008 7:25 PM
  • User-1755612553 posted
    Well let me ask this... is there a "best" way to do this in IIS 7.0? Is there built-in redirection in the stack or is this still best dealt with by either a static HTML redirect or a page using JavaScript? We initially tried the redirect function in IIS itself, but then read that it was application specific? If I am butchering this, I apologize. Not a web dev/HTML guru, just a hapless sys admin trying to get this squared away.
    Saturday, April 19, 2008 3:10 AM
  • User1073881637 posted

    This might be a stretch, but what are you using in IIS 6?  If it's a server side code solution, maybe the code is having an issue with the Integrated Pipeline setting.  I would try setting the application pool to use Classic Mode.

    Open IIS Manager > Application Pools > Right click on your App Pool > Properties > Basic Settings > Managed Pipeline Mode.

    Hope that helps.

    Saturday, April 19, 2008 6:54 AM
  • User-1755612553 posted

    No longer have access to the old server. Again, what is the best way to do this in IIS 7.0? Give me a best practice here. Anything, lol....

    Monday, April 21, 2008 11:40 AM
  • User-1755612553 posted

    Found how we did it before, but having trouble applying it to IIS 7.0. We used the steps documented by James Kovacs on his blog here:

    http://www.jameskovacs.com/blog/CommentView.aspx?guid=4446091b-8616-4b37-bc2d-c8bc4a595b12#commentstart

    I was recently asked how to configure a site to redirect automatically from HTTP to HTTPS. By this I mean when the user types in http://server.example.com/app/page.aspx, the browser will automatically redirect to https://server.example.com/app/page.aspx. You can do it through code, but with a little ingenuity, you can do it strictly through IIS configuration. Let's walk through the setup...

    Open IIS Manager and select properties for the website for which you want to require SSL. For TCP port, enter any unused port other than port 80 (the default HTTP port). For example, use 8888. For SSL port, enter the default SSL port, which is 443. Now go to the Directory Security tab... Secure communications... Edit... Set the "Require secure channel (SSL)" (required) and "Require 128-bit encryption" (optional, but recommended). Restart IIS. Browse to http://server.example.com:8888 now and you will get "The page must be viewed over a secure channel". So far, so good.

    Create a brand new IIS website by right-clicking... New... Web site... Click Next and give the website a name such as "Redirect to SSL". Click Next... For TCP port, choose port 80, the default HTTP port. For path, point it to c:\inetpub\wwwroot. (It doesn't really matter as we'll be changing this in a minute.) Click Next... Give it Read permissions. Click Next... Finish... to create the website. Right-click, properties on the new website. Select the Home Directory tab. Change "The content for this resource should come from:" to "A redirection to a URL". In the "Redirect to:" textbox, enter https://server.example.com. You can also optionally select "A permanent redirection for this resource", which will cause bookmarks to update to the new URL. DO NOT, I repeat, DO NOT select "The exact URL entered above" or "A directory below URL entered". Restart IIS. Now browse to http://server.example.com and you'll be redirected to the SSL site. Note that the path portion of the URL is preserved and only the protocol and server are modified. So http://server.example.com/some/path/deep/within/my/app.aspx will redirect to https://server.example.com/some/path/deep/within/my/app.aspx just by applying the redirection steps noted above.

    Note that this worked beautifully in IIS 6.0, but with the GUI changes in IIS 7.0, I am having trouble finding how to implement this in IIS 7.0

    Monday, April 21, 2008 11:59 AM
  • User511787461 posted

    That method asks to create 2 web-sites, one bound to http://host and the other to https://host - then, you can setup a redirection on the first website to redirect to https://host, since the second website does not have any redirection set up, there should be no infinite redirection.

    It is not possible to do this using 1 website and the built-in httpRedirection because there is no way to set up an HttpRedirection rule which applies to http://host but not to https://host, because only the URI portion of the URL is used by httpRedirection wildcard rules.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, April 21, 2008 1:32 PM
  • User-1755612553 posted

    OK, this is where we stand now... we have IIS configured with two websites, both with identical content. One answering on http and one on https. We simply need to know how to configure this:

    "The content for this resource should come from:" to "A redirection to a URL".

    In IIS 7.0.

    Honestly, I don't care how we do this. We simply want to implement the method described above or get a best practices response from MS. This should not be that hard. I don't care how we do it, I simply want the best/easiest way to do it as prescribed by MS. I will make whatever changes to our IIS config that I need to. So, please post the "best" way that MS prescribes.

    Monday, April 21, 2008 5:18 PM
  • User10285400 posted

    Here is the MSDN article on how to specify the redirection variables.  It's fairly flexible, so the "best" way really depends on the scenario.  http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/41c238b2-1188-488f-bf2d-464383b1bb08.mspx?mfr=true

    That said, I was pretty disappointed to see the lack of a simple example for your scenario which is quite common.  So I wrote up one that redirects to the HTTPS site.  Here is the entry added to my web.config file: 

        <system.webServer>
            <httpRedirect enabled="true" destination="https://www.website.com$S$Q" exactDestination="true" httpResponseStatus="Permanent" />
        </system.webServer>

    Here was the result:

    REQUEST: 

    GET http://www.website.com/mypath/myfile.htm HTTP/1.1\r\n
    Host: localhost\r\n
    Accept: */*\r\n
    \r\n

    RESPONSE:

    HTTP/1.1 301 Moved Permanently\r\n
    Content-Type: text/html; charset=UTF-8\r\n
    Location: https://www.website.com/mypath/myfile.htm\r\n
    Server: Microsoft-IIS/7.0\r\n
    X-Powered-By: ASP.NET\r\n
    Date: Mon, 21 Apr 2008 21:44:29 GMT\r\n
    Content-Length: 164\r\n
    \r\n
    <head><title>Document Moved</title></head>\n<body><h1>Object Moved</h1>This document may be found <a HREF="https://www.website.com/mypath/myfile.htm">here</a></body

     

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, April 21, 2008 5:47 PM
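The two-site point made in this thread, as an added example (not code from any poster or from Microsoft): a small Python model that reads the `httpRedirect` entry above and follows the redirect chain for a one-site and a two-site layout. The site names, the binding model and the assumption that the rule sits at the site root (so `$S` is the whole path) are illustrative.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The httpRedirect entry from the post above, wrapped in <configuration>.
REDIRECT_CONFIG = """<configuration><system.webServer>
  <httpRedirect enabled="true" destination="https://www.website.com$S$Q"
                exactDestination="true" httpResponseStatus="Permanent" />
</system.webServer></configuration>"""
NO_REDIRECT_CONFIG = "<configuration><system.webServer /></configuration>"

def redirect_target(web_config, url):
    """Return the Location a root-level httpRedirect would send for url, or None."""
    rule = ET.fromstring(web_config).find("./system.webServer/httpRedirect")
    if rule is None or rule.get("enabled", "false").lower() != "true":
        return None
    parts = urlsplit(url)
    query = "?" + parts.query if parts.query else ""
    # Assumption: rule at the site root, so $S is the whole path; $Q includes '?'.
    # The scheme of the incoming request is never consulted.
    return rule.get("destination").replace("$S", parts.path).replace("$Q", query)

def follow(sites, url, max_hops=5):
    """Follow redirects across the modelled sites; return (hops, looped)."""
    hops, seen = [url], {url}
    for _ in range(max_hops):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        # The binding (scheme, port) selects the site; the config comes with it.
        config = next((s["config"] for s in sites
                       if (parts.scheme, port) in s["bindings"]), None)
        target = redirect_target(config, url) if config else None
        if target is None:
            return hops, False      # content is served, the chain ends
        hops.append(target)
        if target in seen:
            return hops, True       # same URL again: the endless loop
        seen.add(target)
        url = target
    return hops, True

# Constructed layouts; site names are illustrative.
ONE_SITE = [{"name": "Main", "bindings": {("http", 80), ("https", 443)},
             "config": REDIRECT_CONFIG}]
TWO_SITES = [{"name": "Redirect to SSL", "bindings": {("http", 80)},
              "config": REDIRECT_CONFIG},
             {"name": "Main", "bindings": {("https", 443)},
              "config": NO_REDIRECT_CONFIG}]

if __name__ == "__main__":
    for label, sites in (("one site", ONE_SITE), ("two sites", TWO_SITES)):
        print(label, follow(sites, "http://www.website.com/mypath/myfile.htm?x=1"))
```
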
  • User-1755612553 posted

    So because I technically only have one site, I need to set up a second site, point it to its own directory and its own web.config with your code and this should work? Am I understanding this correctly or making it too complicated.

    Monday, April 21, 2008 6:05 PM
  • User-1755612553 posted

    OK, using your method above is no different than what the GUI does and is what we originally used. I end up in this odd endless loop issue with the redirect and perhaps I am just doing it incorrectly. In this case, we create a directory under inetpub called redirect to ssl. Copy the valid web.config from the working website and use the redirect code in the web.config. Point the Redirect to SSL website to this web.config and restart IIS. Website endlessly loops under IE and Firefox gives a redirection error.

     

    Monday, April 21, 2008 6:17 PM
  • User-1755612553 posted

    Let me ask again, is there a method as described in the article that I posted above? That method worked very well for us in IIS 6.0. As it is, we are thinking of simply going back to IIS 6.0 as we were familiar with it and these things simply were not an issue for us.

    Monday, April 21, 2008 6:21 PM
  • User511787461 posted

    The method that Dave gave you is the exact equivalent of what the article you posted suggests.

    Monday, April 21, 2008 6:51 PM
    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, April 21, 2008 11:00 PM