In the previous post, we saw how URL canonicalization problems can be solved declaratively with an IIS component called the URL Rewrite Module, which is configured by specifying the appropriate rules in web.config. Another typical requirement when managing a website is to make sure that pages that involve sensitive data (such as a page for credit card payments) are served over the HTTPS protocol. How, though, can we handle requests that arrive incorrectly over HTTP? A first solution is to set the IIS RequireSSL flag on the particular folder that we want to protect (or on the whole site).

The effect of this setting is that if a user visits the page over HTTP, IIS returns HTTP status code 403.4 (Forbidden) and displays the standard error page (or a custom version, if one is specified).

An alternative that is certainly more pleasant for the user is to redirect them automatically to the HTTPS address instead. For this purpose we can once again use the URL Rewrite Module, by setting a rule similar to the following:

<rule name="ToHttps" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{URL}" pattern="(secure/.*)" />
    <add input="{HTTPS}" pattern="ON" negate="true" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>

The rule applies to all incoming addresses that:

  • point to a folder called secure
  • are not using HTTPS

Of course, we can remove the first condition if we want the rule to apply to the entire website and not just to a particular folder. The final effect, specified in the action node, is a redirect to the same page, but with the correct protocol.
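To check which requests the ToHttps rule actually redirects, the following added example (not part of the original post, and not the module's own code) evaluates the rule against constructed requests. It is a simplified model that assumes the module defaults (regex patterns, ignoreCase, MatchAll); the host name www.example.com and the sample paths are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# The ToHttps rule from this post, verbatim.
RULE_XML = """<rule name="ToHttps" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{URL}" pattern="(secure/.*)" />
    <add input="{HTTPS}" pattern="ON" negate="true" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>"""

def evaluate(rule_xml, path, https, host="www.example.com"):
    """Return the redirect target for one request, or None if the rule does not fire.

    Simplified model (assumption): unanchored regex patterns, ignoreCase=true and
    logicalGrouping=MatchAll, the module defaults. Query strings are ignored.
    """
    rule = ET.fromstring(rule_xml)
    # <match url> is tested against the path WITHOUT its leading slash.
    m = re.search(rule.find("match").get("url"), path.lstrip("/"), re.I)
    if m is None:
        return None
    # Server variables as IIS exposes them for this request.
    server_vars = {"URL": path, "HTTPS": "on" if https else "off", "HTTP_HOST": host}
    for cond in rule.iter("add"):
        name = cond.get("input").strip("{}")
        hit = re.search(cond.get("pattern"), server_vars[name], re.I) is not None
        if hit == (cond.get("negate") == "true"):
            return None  # MatchAll: one failed condition stops the rule
    target = rule.find("action").get("url").replace("{HTTP_HOST}", host)
    # {R:n} is capture group n of the <match url> pattern.
    return re.sub(r"\{R:(\d+)\}", lambda r: m.group(int(r.group(1))), target)

# Constructed sample requests: (path, arrived over HTTPS?)
SAMPLES = [("/secure/pay.aspx", False), ("/secure/pay.aspx", True),
           ("/default.aspx", False), ("/insecure/notes.aspx", False)]

def run_samples():
    return {(p, h): evaluate(RULE_XML, p, h) for p, h in SAMPLES}

if __name__ == "__main__":
    for (p, h), target in run_samples().items():
        print("https" if h else "http", p, "->", target)
```

Because the condition pattern is not anchored, /insecure/notes.aspx is redirected as well; a pattern such as ^/secure/ limits the rule to the folder itself.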

Sometimes you may also need the opposite, i.e. redirecting from HTTPS to HTTP. A typical example is when the SSL certificate covers only a subdomain of our site (for example secure.miosito.com) and we therefore want all the other pages to be opened over HTTP. In this case the rule to create is very similar to the previous one:

<rule name="ToHttp" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{URL}" pattern="(secure/.*)" negate="true" />
    <add input="{HTTPS}" pattern="ON" />
  </conditions>
  <action type="Redirect" url="http://{HTTP_HOST}/{R:1}" />
</rule>
