HTTP to HTTPS (SSL) Web Request Redirection


We often get requests from our customers asking how they can seamlessly redirect web requests from HTTP to HTTPS, i.e. how they can redirect a non-SSL request to an SSL-based request. Recently a colleague of mine ran into a similar issue and we decided to use some existing scripts that we had in our database. Unfortunately none of them met the requirement.

Basically, the existing scripts redirected an HTTP request to another URL, and that URL was not the one the user had originally asked for. It took us to, let's say, the homepage of the site, and from there one again had to click on specific links to reach the desired page. This is a problem for users who have bookmarked their desired web page.

Here are the steps you can try for your website so that all HTTP requests get translated to HTTPS requests with the original URL intact.

Here are two code samples you can try. Both of them should *hopefully* work. The first one uses VBScript in an ASP page and the second one uses JavaScript in an HTML page.

a).

redirectSSL.asp

<%@ Language=VBScript %>
<%
' The custom error handler passes the original request in the query string.
' Expected form: 403;http://host:port/path
strQueryString = Request.QueryString
sslPort = ""
' Strip the leading "403;"
PlainURL = Right(strQueryString, Len(strQueryString) - 4)
' Split at the last colon, which is expected to be the one in front of the HTTP port
FindLastColon = InStrRev(PlainURL, ":")
FirstPart = Mid(PlainURL, 1, FindLastColon - 1)
LastPart = Mid(PlainURL, FindLastColon)
' Drop the HTTP port and keep everything from the first "/" onwards
LastPart = Mid(LastPart, InStr(LastPart, "/"))

'If the SSL Port is not the default 443, you need to uncomment the line below, by default SSL port is 443.
'sslPort = ":449"
If sslPort = "" Then
    url = FirstPart & LastPart
Else
    url = FirstPart & sslPort & LastPart
End If
strSecure = Replace(url, "http:", "https:", 1, 1)
Response.Redirect strSecure
%>

Steps:

-- Copy the above code and put it in a file named redirectSSL.asp under the root directory of the website for which you want redirection to work.

-- Force SSL on the web site. To do that follow the steps mentioned below:
      - Go to --> <Your_Web_Site> -> Properties -> Directory Security -> Edit (Secure Communications)
      - Select Require secure channel (SSL).

-- Uncheck "Require secure channel (SSL)" option for the redirectSSL.asp page. To achieve that:
     - Go to --> <Your_Web_Site> -> redirectSSL.asp -> Properties -> File Security -> Edit (Secure Communications)
     - Uncheck Require secure channel (SSL).

So now we are forcing SSL to be used for all of the website contents except the redirectSSL.asp page which can be accessed over non-SSL (HTTP).

-- In the IIS manager -> <Your_Web_Site> -> Properties -> Custom Errors, modify the entry for 403;4 to look like this:

[Image: Custom Errors entry for 403;4]

Now if you browse to some URL, let's say http://www.abc.com/asp/test/ssl/iistsart.htm, you will be redirected to https://www.abc.com/asp/test/ssl/iistsart.htm without having to change HTTP to HTTPS yourself.

If your SSL port is not the default port 443, then you need to uncomment the line in the code as mentioned there, and the request will be redirected to the appropriate URL with the correct SSL port embedded in it.

b).

redirectSSL.html

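<html>
<head>

<script type="text/javascript">

var currentURL = location.href.substring(0, 5);

// Only redirect when the page was requested over plain HTTP.
if (currentURL.toLowerCase() != "https")
{
    // Drop the leading "http"; what is left starts with "://".
    currentURL = location.href.substring(4);
    // Find where the host part ends and look for a port colon inside the host part only,
    // so that a colon in the path or query string is left alone.
    var pathStartPos = currentURL.indexOf('/', 3);
    if (pathStartPos == -1)
        pathStartPos = currentURL.length;
    var portStartPos = currentURL.lastIndexOf(':', pathStartPos);
    var sslPort = null;
    // If you are running your SSL site on a non default port other than 443 then uncomment the next line and add the right Port number.
    //sslPort = ":447";
    // hostPart is "://host" without any HTTP port; postPortURL is the path and query string.
    var hostPart = currentURL.substring(0, portStartPos != 0 ? portStartPos : pathStartPos);
    var postPortURL = currentURL.substring(pathStartPos);
    if (sslPort == null)
        currentURL = hostPart + postPortURL;
    else
        currentURL = hostPart + sslPort + postPortURL;

    var targetURL = "https" + currentURL;
    window.location = targetURL;
}
</script>

</head>
</html>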

Steps:

-- Copy the above code and put it in a file named redirectSSL.html under the root directory of the website for which you want redirection to work.

-- Force SSL on the web site. To do that follow the steps mentioned below:
      - Go to --> <Your_Web_Site> -> Properties -> Directory Security -> Edit (Secure Communications)
      - Select Require secure channel (SSL).

So now we are forcing SSL to be used for all of the Website contents.

-- In the IIS manager -> <Your_Web_Site> -> Properties -> Custom Errors, modify the entry for 403;4 to look like this:

[Image: Custom Errors entry for 403;4]

You need not follow the step below, since we are using the File type for the custom error page and not a URL as shown above in the picture. If you select URL as the Type above, then you will need to follow the step below.

"-- Uncheck the "Require secure channel (SSL)" option for the redirectSSL.html page. To achieve that:
      - Go to --> <Your_Web_Site> -> redirectSSL.html -> Properties -> File Security -> Edit (Secure Communications)
      - Uncheck Require secure channel (SSL).
"

This is all you need and you should see your URL changing automagically from HTTP to HTTPS (SSL).

Hope this helps...
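
An added example (not part of the original post) that does the same rewrite with the URL parser instead of substring positions: toHttpsUrl covers the client-side page in (b), and targetFromErrorQuery covers the URL-type custom error in (a), where it also checks the host so the page only ever redirects to its own site. The function names, the expectedHost parameter and the sample inputs are assumptions made for this example, as is the "403;http://host:port/path" shape of the query string.

```javascript
// Added example, not code from the original post.
// Assumption: the 403;4 query string looks like "403;http://host:80/path?query".

// Client-side case (b): href is location.href, sslPort is null for 443
// or a number such as 447. Returns null for anything that is not http(s).
function toHttpsUrl(href, sslPort) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not an absolute URL
  }
  if (url.protocol === "https:") return url.href; // already secure
  if (url.protocol !== "http:") return null;
  url.protocol = "https:";
  // Replace whatever port the HTTP request used (":80", ":8080" or none).
  url.port = sslPort === null ? "" : String(sslPort);
  return url.href; // path, query string and fragment are untouched
}

// URL-type case (a): the redirect page is reachable over plain HTTP, so the
// query string is caller-controlled. Redirect only to the site's own host.
function targetFromErrorQuery(queryString, expectedHost, sslPort) {
  const sep = queryString.indexOf(";");
  if (sep < 0) return null;
  let original;
  try {
    original = new URL(queryString.slice(sep + 1));
  } catch (e) {
    return null;
  }
  if (original.hostname !== expectedHost.toLowerCase()) return null;
  return toHttpsUrl(original.href, sslPort);
}

// Constructed sample inputs.
console.log(toHttpsUrl("http://www.abc.com/asp/test/ssl/iistsart.htm", null));
console.log(targetFromErrorQuery("403;http://www.abc.com:80/a/b?x=1", "www.abc.com", 447));
console.log(targetFromErrorQuery("403;http://other.example:80/", "www.abc.com", null));
```

In the page from (b) the result would be assigned to window.location; a null result means no redirect should be issued.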

Comments

  • Thanks man, that (javascript) worked a treat for me on a server we use for a client.

  • Just what I was looking for (the Javascript) - thanks!

  • Thanx bunches.  The VBScript was just what I was looking for!

  • Is there no other way found by Microsoft to accomplish this task, in .NET3.5 or IIS 7?

  • Dear Mr. Singh,

    I tried your method using redirectSSL.html and it worked perfectly.  Thank you very much and keep the great ideas coming!

    George

  • This works when you get "HTTP Error 403.3 - Forbidden: Write access is denied." when you enable Require secure channel (SSL) on the default website as well. That's exactly what I was trying to fix.

  • Great job!!! I have tried many other resources and yours is the first one to work with subfolders and query strings.

  • Cool, it's helped me to implement in time

  • Worked great!. Thanks. Saved lot of time.

  • Thanks Saurabh.

    I wanted a C# version that does the same. Based on your approach, here's my RedirectToSSl.aspx.

    <%@ Page Language="C#" %>
    <%
    // This page redirects http requests to corresponding https locations
    //
    // Sample querystring format: 403;http://jiminy.cricket.com/a/b/xyz?param1=val1&param2=val2
    // Sample urls after conversion:
    //    https://jiminy.cricket.com/a/b/xyz?param1=val1&param2=val2
    //    https://jiminy.cricket.com:444/a/b/xyz?param1=val1&param2=val2

    int? sslPort = null;   // If your SSL port is not the default 443, specify it here
    string queryString = Request.QueryString.ToString();

    Uri originalUri = new Uri
       (
           System.Web.HttpUtility.UrlDecode
           (
               queryString
               .Remove // Strip off anything before the first "http"
               (
                   0,
                   queryString.IndexOf("http", StringComparison.OrdinalIgnoreCase)
               )
           )
       );

    Uri secureUri = new Uri
       (
           String.Format
           (
               "https://{0}{1}{2}",
               originalUri.DnsSafeHost,
               (sslPort.HasValue ? String.Format(":{0}", sslPort) : String.Empty),
               originalUri.PathAndQuery
           )
       );

    Response.Redirect(secureUri.ToString(), true);
    %>

  • The code above really kind of over complicates what's necessary in most situations.  All most really need to do is to create a replacement for the custom error message as shown above simply using the following.

    <html>
    <head>
    <script language="javascript" type="text/javascript">
       var currentURL = location.href.replace("http", "https");
       window.location = currentURL;
    </script>
    </head>
    </html>

  • Thanx for the information. That the HTTPS error code can be edited was useful information. But is it required to do it on the client side or the server side? Please provide more information on it. Provide links to related topics if possible.
