URL rewrite from http to https in iis

Debra Turner
Debra Turner used Ask the Experts™
on
Hello,
I searched Experts and found a comment linking to documentation to set up URL rewrite:

Regarding the comment:

https://www.experts-exchange.com/questions/29093041/Server-2016-HTTP-2-HTTPS-redirect.html#a42565398

I'm trying to set a URL rewrite from http to https in IIS 8.5 using the steps outlined in the following article mentioned in the comment above.

https://blogs.technet.microsoft.com/dawiese/2016/06/07/redirect-from-http-to-https-using-the-iis-url-rewrite-module/

My settings are exactly the same, but it's not re-directing to the https, but just times out. Any ideas would be appreciated.

Debra
http.PNG
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
In the Match URL section do you have it set to "Wildcards"?
If you manually access the site via HTTPS, will it respond?
Top Expert 2016

Commented:
Yes you also have to set ssl bindings
Debra TurnerWeb Specialist II

Author

Commented:
Hi Zc2,

Yes it is set to wildcards and yes it responds when accessed through https (screenshot attached).
Thanks for taking a look.
https://casweb.memphis.edu

Debra
http-https.docx
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

Debra TurnerWeb Specialist II

Author

Commented:
David Johnson,

In SSL Settings, I checked the box for Require SSL - is that what I need to do?

FYI - I always do a restart on the server after making any of these changes.

debra
Try to check what is going on from the browser's perspective. In a browser, press F12, then go to the Network tab, make sure the log is on and won't flush between requests. Try to navigate to the site and see in the log is the redirection taking place.
Debra TurnerWeb Specialist II

Author

Commented:
Here are the results when I used the F12 network log. I have no idea what I'm looking at - LOL
Can you explain please?
Thanks for your help!
debra
f12screenshot.PNG
Sorry, I did not realize that http://casweb.memphis.edu/ is actually the site you have problem with. I thought it some other internal site.
So, I see the server casweb.memphis.edu does not respond on a connection attempt to the http port 80
telnet casweb.memphis.edu 80
Connecting To casweb.memphis.edu...Could not open connection to the host, on port 80: Connect failed

Open in new window

That could be because you have a firewall where the inbound port 80 is closed or the IIS server simple does not have a proper binding.
Please read the following article:
https://manage.accuwebhosting.com/knowledgebase/2886/How-to-configure-IIS-to-access-website-using-IP-address.html
Debra TurnerWeb Specialist II

Author

Commented:
Hi Zc2,
Thanks for your fast response -

I can access https://casweb.memphis.edu with no problems - What I want is for http://casweb.memphis.edu to redirect to https - I'm not having problems with accessing the https site.

Does that make sense? It's my understanding that it would be more secure to NOT allow users to access the site through http - but only through https. Is that right? (I'm trying to harden the IIS server security and am learning as I go)

Thanks for your help and I did look at the article, but am not sure it's what I need.

Debra
To let the URL rewrite rule work, you need to give the browser a chance to connect via http at least once. How else the browser would know your site prefers https over http ? For that the http connections to the port 80 should be enabled.

To prevent the browser any consequential attempt to use http, you could add an additional header parameter to your web site:
Strict-Transport-Security: max-age=31536000
Debra TurnerWeb Specialist II

Author

Commented:
I'm sorry I don't understand. I thought using the URL Rewrite in the IIS manager was supposed to do the trick (sure did look like a simple solution to my problem!). I don't know how to add an additional header parameter ...

Could you please walk me through it? Where do I add it?

Will it redirect the site to https if a user enters http?

Thanks,
Debra
I thought using the URL Rewrite in the IIS manager was supposed to do the trick
Yes, URL Rewrite you created should redirect from http to https. But the http connection must be also enabled. The site's content won't be transferred via HTTP, don't worry. The very first HTTP request will be instantly redirected to HTTPS. But that very first HTTP request need to be possible to be done.

To add the header parameter you could follow the instructions from the following article:
https://www.xolphin.com/support/ssl/IIS_FAQ/IIS_-_Configuring_HTTP_Strict_Transport_Security

But before you do that, you need to make your site work.
Debra TurnerWeb Specialist II

Author

Commented:
AHHHH, clearer now - okay, so back to this article...

https://manage.accuwebhosting.com/knowledgebase/2886/How-to-configure-IIS-to-access-website-using-IP-address.html

thanks,
I'll get back with you in a few minutes.

debra
Debra TurnerWeb Specialist II

Author

Commented:
I just want to scream!

I've changed the settings as the article explained and http://casweb.memphis.edu is still not working  (https://casweb.memphis.edu is working) . I'm attaching the F12 screenshot if that helps. Also a screenshot of the binding settings for ports 81 and 443.

Could you please take a look.
debra
port81.PNG
port443.PNG
f12screenshot-again.PNG
Why port 81, not 80 ?
Debra TurnerWeb Specialist II

Author

Commented:
The article says to use 81 (I don't know why!) I'm just following instructions :)
I wondered the same thing - I'll try 80!
deb
Yes, please, use the port 80.
Debra TurnerWeb Specialist II

Author

Commented:
Now I get a 403
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

:(
Few questions:
1. Do you have single site with both http and https bindings or separate sites one with http and another with https?
2. Is the URLrewrite rule you created enabled?
3. Please also uncheck the "Require SSL" check box in the "SSL settings" feature. Once the rule is functioning, this would be redundant.
Debra TurnerWeb Specialist II

Author

Commented:
Yes there is only one site for casweb.memphis.edu (http and https)

The URL rewrite rule is enabled

I unchecked the SSL Setting and it's working!

OMG I'm dancing in my office right now - finally!

Yay - thank you so much for your patience! You are my hero :)

Do you have any other suggestions for making the server more secure?
Debra
You welcome!
You wanted also add that header attribute.
Debra TurnerWeb Specialist II

Author

Commented:
What does the header thing do?
debra
It instructs the browser never try to use http even when the user enters an http:// (not an https://) URL. It's like "URL rewrite rule" you made, but on the client side. The value of the header param is the timeout how long in the future the browser should remember to do this. I am not sure exactly, I guess the units are milliseconds.
Debra TurnerWeb Specialist II

Author

Commented:
I did the Strict-Transport-Security: max-age=31536000 and the site is working fine.

There is a final part after the Strict-Transport... instructions and it caused the site to stop working. So I didn't complete that step.

This was the step:
Redirecting visitors to the HTTPS URL
Open the Internet Information Services (IIS) Manager via Start → Administrative Tools → IIS Manager.

Click on HTTP Redirect.
Check the Redirect box and enter the target URL (HTTPS). Set the status to permanent redirect (301)


Site is working now.
Thanks!

Debra
That's fine. That second part makes no sense if you have the http->https URL rewrite rule.
Debra TurnerWeb Specialist II

Author

Commented:
Agreed
I just checked, the Strict-Transport-Security works. When I access http://casweb.memphis.edu/ in Chrome, it does not even try to establish a connection, goes by its internal redirection to https://casweb.memphis.edu/
Debra TurnerWeb Specialist II

Author

Commented:
Awesome - thanks for checking that. Did you use the F12 to see that? or some other way?
debra
Yes,  F12 and an awesome tool called Telerik Fiddler

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial