0
votes

I have a new SSL certificate that I'd like to assign to my website. I am managing this on a VPS server so I have full control of the environment. I've successfully followed GoDaddy's instructions to verify and install my SSL certificate. Now the problem is, I can still navigate to my website with HTTP and it becomes an unsafe website...

4 bindings are made in the IIS application

  • example.com (https, 443, certificate selected)
  • www.example.com (https, 443, certificate selected)
  • example.com (http, 80)
  • www.example.com (http, 80)

I've fiddled with the "SSL Settings" menu of my web application. If I check "Require SSL" while leaving "Accept" selected and try to access http://example.com, IIS returns "403 - Forbidden: Access is denied.", but https://example.com works fine. If I disable it, both http and https work fine. But isn't it normally supposed to go to the https connection automatically? If I remove the http domain bindings from the web app, naturally they end up getting 404 not found.

How am I going to achieve this? Server uses IIS 10 by the way.

Cheers.

3 Answers

1
votes

> But isn't it normally supposed to go to https connection automatically?

No. Adding a certificate to IIS does not mean it automatically starts redirecting. This is usually handled by either the application itself, or a rewrite method like IIS's URL Rewrite module.

> If I check "Require SSL" with leaving "Accept" selected and if I try to access http://example.com

This is for client certificates. You likely don't want that enabled.

> If I remove the http domain bindings from the web app, naturally they end up getting 404 not found.

You want both bindings enabled, and have something redirect from HTTP to HTTPS as described above.

1
votes

The "Require SSL" option will prevent all non-HTTPS requests from hitting the website at all in the first place, so your non-HTTPS bindings are useless in that case.

If you want to add automatic HTTP-to-HTTPS redirections, there are 2 ways of doing it:

Method 1

  1. Remove the HTTP bindings from the website.
  2. Leave the "Require SSL" option enabled on the secured website.
  3. Create a second website, and add the HTTP bindings to that website.
  4. Add an IIS Redirection to the second website. Use the "HTTP Redirect" tool.

Method 2

  1. Disable the "Require SSL" option.
  2. Ensure you have the "URL Rewriting" module installed.
  3. Open the URL Rewriting tool on the website and use the template for HTTP-to-HTTPS Redirection.

1
votes

> isn't it normally supposed to go to https connection automatically?

No, it will not automatically redirect. When you enable RequireSSL, you are just enforcing that the connection should be over SSL.

> How am I going to achieve this?

You have to have both HTTP and HTTPS bindings and not set RequireSSL. Now we have to configure the automatic redirect explicitly using the URL Rewrite module.

  • Install the URL Rewrite module.
  • Add a rule as below to have automatic HTTP to HTTPS redirection for any user who comes in on HTTP.

    <system.webServer>
      <rewrite>
        <rules>
          <rule name="Redirect to HTTPS" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <!-- Fires only for plain-HTTP requests, so HTTPS requests are not redirected again -->
              <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
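
An offline check of the rewrite rule from the last answer, added here as an example and not part of any answer above: it parses a web.config, confirms that a rule redirects to `https://` only while `{HTTPS}` is off, and expands the redirect target for a sample request. The function names and the sample config (the answer's rule wrapped in a `<configuration>` root) are assumptions, and the model is simplified: it ignores query strings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the answer's rule wrapped in a <configuration> root.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
  <rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""


def https_conditions(rule):
    """Patterns of the rule's conditions that test the {HTTPS} server variable."""
    return [c.get("pattern", "") for c in rule.iterfind("conditions/add")
            if c.get("input", "").upper() == "{HTTPS}"]


def find_https_redirect_rule(web_config_xml):
    """First rule that redirects to https:// only while {HTTPS} is off, else None."""
    for rule in ET.fromstring(web_config_xml).iterfind(".//rewrite/rules/rule"):
        action = rule.find("action")
        if action is None or action.get("type", "").lower() != "redirect":
            continue
        if not action.get("url", "").lower().startswith("https://"):
            continue
        # Without an {HTTPS}-is-off condition the rule would also fire on HTTPS
        # requests and loop, so such a rule is not accepted.
        if any(re.search(p, "off", re.I) and not re.search(p, "on", re.I)
               for p in https_conditions(rule)):
            return rule
    return None


def redirect_target(rule, https, host, path):
    """Location the rule sends one request to, or None if it does not fire.
    Simplified model: pattern matching ignores case, query strings are not handled."""
    value = "on" if https else "off"
    if not all(re.search(p, value, re.I) for p in https_conditions(rule)):
        return None
    m = re.search(rule.find("match").get("url"), path.lstrip("/"), re.I)
    if m is None:
        return None
    url = rule.find("action").get("url").replace("{HTTP_HOST}", host)
    return re.sub(r"\{R:(\d+)\}", lambda g: m.group(int(g.group(1))), url)
```
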