Forcing HTTP to HTTPS redirect on IIS via AWS Elastic Load Balancers
Today I replaced an aging ASP.NET web forms web application with a new static site which for now is just a landing page with a contact form and in doing so needed to force any insecure HTTP requests to HTTPS.
A bit of a gotcha was an error on the redirect and the issue was the HTTP_X_FORWARDED_PROTO
header also needed to be forwarded along with the redirect.
For example :
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" />
<add input="{HTTPS}" pattern="on" />
</conditions>
Next up, I needed to redirect any users who were going to .aspx
pages that no longer existed to a custom 404 HTML page not found page.
This just needed adding to web.config
like so :
<system.web>
<compilation targetFramework="4.0" />
<customErrors mode="On" redirectMode="ResponseRewrite">
<error statusCode="404" redirect="404.html" />
</customErrors>
</system.web>
<system.webServer>
<httpErrors errorMode="Custom">
<remove statusCode="404"/>
<error statusCode="404" path="/404.html" responseMode="ExecuteURL"/>
</httpErrors>
</system.webServer>
So here it is for the next time I have to do something similar, This is the full web.config
that needs to in the root folder of the site.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation targetFramework="4.0" />
<customErrors mode="On" redirectMode="ResponseRewrite">
<error statusCode="404" redirect="404.html" />
</customErrors>
</system.web>
<system.webServer>
<httpErrors errorMode="Custom">
<remove statusCode="404"/>
<error statusCode="404" path="/404.html" responseMode="ExecuteURL"/>
</httpErrors>
<rewrite>
<rules>
<rule name="HTTPS Rule behind AWS Elastic Load Balancer" stopProcessing="true">
<match url="(.*)" ignoreCase="false" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" />
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
And to test that the site works I entered it onto https://www.whynopadlock.com/ which gave me the confidence that all was well.
Success 🎉
Top comments (0)