URL rewrite from http to https in iis

Hello,
I searched Experts and found a comment linking to documentation to set up URL rewrite:

Regarding the comment:

https://www.experts-exchange.com/questions/29093041/Server-2016-HTTP-2-HTTPS-redirect.html#a42565398

I'm trying to set a URL rewrite from http to https in IIS 8.5 using the steps outlined in the following article mentioned in the comment above.

https://blogs.technet.microsoft.com/dawiese/2016/06/07/redirect-from-http-to-https-using-the-iis-url-rewrite-module/

My settings are exactly the same, but it's not re-directing to the https, but just times out. Any ideas would be appreciated.

Debra
http.PNG
Debra TurnerWeb Specialist IIAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

zc2Commented:
In the Match URL section do you have it set to "Wildcards"?
If you manually access the site via HTTPS, will it respond?
David Johnson, CD, MVPRetiredCommented:
Yes you also have to set ssl bindings
Debra TurnerWeb Specialist IIAuthor Commented:
Hi Zc2,

Yes it is set to wildcards and yes it responds when accessed through https (screenshot attached).
Thanks for taking a look.
https://casweb.memphis.edu

Debra
http-https.docx
CEOs need to know what they should worry about

Nearly every week during the past few years has featured a headline about the latest data breach, malware attack, ransomware demand, or unrecoverable corporate data loss. Those stories are frequently followed by news that the CEOs at those companies were forced to resign.

Debra TurnerWeb Specialist IIAuthor Commented:
David Johnson,

In SSL Settings, I checked the box for Require SSL - is that what I need to do?

FYI - I always do a restart on the server after making any of these changes.

debra
zc2Commented:
Try to check what is going on from the browser's perspective. In a browser, press F12, then go to the Network tab, make sure the log is on and won't flush between requests. Try to navigate to the site and see in the log is the redirection taking place.
Debra TurnerWeb Specialist IIAuthor Commented:
Here are the results when I used the F12 network log. I have no idea what I'm looking at - LOL
Can you explain please?
Thanks for your help!
debra
f12screenshot.PNG
zc2Commented:
Sorry, I did not realize that http://casweb.memphis.edu/ is actually the site you have problem with. I thought it some other internal site.
So, I see the server casweb.memphis.edu does not respond on a connection attempt to the http port 80
telnet casweb.memphis.edu 80
Connecting To casweb.memphis.edu...Could not open connection to the host, on port 80: Connect failed

Open in new window

That could be because you have a firewall where the inbound port 80 is closed or the IIS server simple does not have a proper binding.
Please read the following article:
https://manage.accuwebhosting.com/knowledgebase/2886/How-to-configure-IIS-to-access-website-using-IP-address.html
Debra TurnerWeb Specialist IIAuthor Commented:
Hi Zc2,
Thanks for your fast response -

I can access https://casweb.memphis.edu with no problems - What I want is for http://casweb.memphis.edu to redirect to https - I'm not having problems with accessing the https site.

Does that make sense? It's my understanding that it would be more secure to NOT allow users to access the site through http - but only through https. Is that right? (I'm trying to harden the IIS server security and am learning as I go)

Thanks for your help and I did look at the article, but am not sure it's what I need.

Debra
zc2Commented:
To let the URL rewrite rule work, you need to give the browser a chance to connect via http at least once. How else the browser would know your site prefers https over http ? For that the http connections to the port 80 should be enabled.

To prevent the browser any consequential attempt to use http, you could add an additional header parameter to your web site:
Strict-Transport-Security: max-age=31536000
Debra TurnerWeb Specialist IIAuthor Commented:
I'm sorry I don't understand. I thought using the URL Rewrite in the IIS manager was supposed to do the trick (sure did look like a simple solution to my problem!). I don't know how to add an additional header parameter ...

Could you please walk me through it? Where do I add it?

Will it redirect the site to https if a user enters http?

Thanks,
Debra
zc2Commented:
I thought using the URL Rewrite in the IIS manager was supposed to do the trick
Yes, URL Rewrite you created should redirect from http to https. But the http connection must be also enabled. The site's content won't be transferred via HTTP, don't worry. The very first HTTP request will be instantly redirected to HTTPS. But that very first HTTP request need to be possible to be done.

To add the header parameter you could follow the instructions from the following article:
https://www.xolphin.com/support/ssl/IIS_FAQ/IIS_-_Configuring_HTTP_Strict_Transport_Security

But before you do that, you need to make your site work.
Debra TurnerWeb Specialist IIAuthor Commented:
AHHHH, clearer now - okay, so back to this article...

https://manage.accuwebhosting.com/knowledgebase/2886/How-to-configure-IIS-to-access-website-using-IP-address.html

thanks,
I'll get back with you in a few minutes.

debra
Debra TurnerWeb Specialist IIAuthor Commented:
I just want to scream!

I've changed the settings as the article explained and http://casweb.memphis.edu is still not working  (https://casweb.memphis.edu is working) . I'm attaching the F12 screenshot if that helps. Also a screenshot of the binding settings for ports 81 and 443.

Could you please take a look.
debra
port81.PNG
port443.PNG
f12screenshot-again.PNG
zc2Commented:
Why port 81, not 80 ?
Debra TurnerWeb Specialist IIAuthor Commented:
The article says to use 81 (I don't know why!) I'm just following instructions :)
I wondered the same thing - I'll try 80!
deb
zc2Commented:
Yes, please, use the port 80.
Debra TurnerWeb Specialist IIAuthor Commented:
Now I get a 403
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

:(
zc2Commented:
Few questions:
1. Do you have single site with both http and https bindings or separate sites one with http and another with https?
2. Is the URLrewrite rule you created enabled?
3. Please also uncheck the "Require SSL" check box in the "SSL settings" feature. Once the rule is functioning, this would be redundant.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Debra TurnerWeb Specialist IIAuthor Commented:
Yes there is only one site for casweb.memphis.edu (http and https)

The URL rewrite rule is enabled

I unchecked the SSL Setting and it's working!

OMG I'm dancing in my office right now - finally!

Yay - thank you so much for your patience! You are my hero :)

Do you have any other suggestions for making the server more secure?
Debra
zc2Commented:
You welcome!
You wanted also add that header attribute.
Debra TurnerWeb Specialist IIAuthor Commented:
What does the header thing do?
debra
zc2Commented:
It instructs the browser never try to use http even when the user enters an http:// (not an https://) URL. It's like "URL rewrite rule" you made, but on the client side. The value of the header param is the timeout how long in the future the browser should remember to do this. I am not sure exactly, I guess the units are milliseconds.
Debra TurnerWeb Specialist IIAuthor Commented:
I did the Strict-Transport-Security: max-age=31536000 and the site is working fine.

There is a final part after the Strict-Transport... instructions and it caused the site to stop working. So I didn't complete that step.

This was the step:
Redirecting visitors to the HTTPS URL
Open the Internet Information Services (IIS) Manager via Start → Administrative Tools → IIS Manager.

Click on HTTP Redirect.
Check the Redirect box and enter the target URL (HTTPS). Set the status to permanent redirect (301)


Site is working now.
Thanks!

Debra
zc2Commented:
That's fine. That second part makes no sense if you have the http->https URL rewrite rule.
Debra TurnerWeb Specialist IIAuthor Commented:
Agreed
zc2Commented:
I just checked, the Strict-Transport-Security works. When I access http://casweb.memphis.edu/ in Chrome, it does not even try to establish a connection, goes by its internal redirection to https://casweb.memphis.edu/
Debra TurnerWeb Specialist IIAuthor Commented:
Awesome - thanks for checking that. Did you use the F12 to see that? or some other way?
debra
zc2Commented:
Yes,  F12 and an awesome tool called Telerik Fiddler
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
HTTP Protocol

From novice to tech pro — start learning today.