HowTo: URL rewrite to redirect HTTP to HTTPS for non-local address
Below is an answer on how to redirect from HTTP to HTTPS using the URL Rewrite module for IIS, but ignoring local addresses used when debugging one’s app. Just contributed at https://stackoverflow.com/a/75898224/903783.
Needed it for an ASP.NET MVC app I’m maintaining, since, due to an updated policy that the authenticating organisation had decided on for the SSO (Apereo CAS) configuration, we couldn’t redirect back to a non-HTTPS URL anymore (had the user used plain HTTP to access our app, that is) after signing in successfully via the SSO.
Combined the URL Rewrite based answers from “How to redirect HTTP to HTTPS in MVC application (IIS7.5)” and from the question’s page on StackOverflow, and added “127.0.0.1” apart from “localhost” for the ignored sites.
Note that the URL Rewrite approach is by far the simplest one to add and should kick in at the web server level before the web app has any chance to process the request.
I also see {REQUEST_URI} being used instead of {R:1} and pattern="^OFF$" instead of pattern="off".
I also added ignoreCase="true" to the pattern, though it might be the default (the same goes for enabled="true" on the rule, which is handy to have there if you want to turn a rule off when debugging a rule chain).
However, based on https://serverfault.com/questions/224039/iis-url-rewrite-http-to-https-with-port/418530#418530, I wonder whether one needs to use SERVER_NAME instead of HTTP_HOST in the pattern if non-default ports are used, and to specify the port in the Redirect URL too.
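<system.webServer>
  <!-- … -->
  <rewrite>
    <rules>
      <!-- Redirect plain-HTTP requests to HTTPS, except for local debugging hosts -->
      <rule name="HTTP to HTTPS redirect (excluding localhost)" enabled="true"
            stopProcessing="true">
        <match url="(.*)" />
        <!-- All conditions must hold (default logicalGrouping is MatchAll) -->
        <conditions>
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          <!-- Patterns are regular expressions: anchored and with dots escaped so that
               only the exact local host names (with an optional port) are excluded -->
          <add input="{HTTP_HOST}" pattern="^localhost(:\d+)?$" negate="true" />
          <add input="{HTTP_HOST}" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
        </conditions>
        <action type="Redirect" redirectType="Permanent"
                url="https://{HTTP_HOST}/{R:1}" />
      </rule>
    </rules>
  </rewrite>
  <!-- … -->
</system.webServer>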
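The rule's evaluation, modelled in Python as an added example (not part of the original answer and not IIS's own implementation): it checks the conditions with the default MatchAll grouping and builds the redirect target, so unanchored host patterns such as `localhost` can be compared with anchored ones, and it shows that `{HTTP_HOST}` carries any non-default port from the Host header into the redirect URL. The function names, the anchored patterns and the sample host names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed template of the redirect rule; the two local-host patterns are
# filled in per call so that different pattern styles can be compared.
RULE = '''<rule name="HTTP to HTTPS redirect (excluding localhost)" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{{HTTPS}}" pattern="off" ignoreCase="true" />
    <add input="{{HTTP_HOST}}" pattern="{0}" negate="true" />
    <add input="{{HTTP_HOST}}" pattern="{1}" negate="true" />
  </conditions>
  <action type="Redirect" redirectType="Permanent" url="https://{{HTTP_HOST}}/{{R:1}}" />
</rule>'''

UNANCHORED = ("localhost", "127.0.0.1")                       # substring regex matches
ANCHORED = (r"^localhost(:\d+)?$", r"^127\.0\.0\.1(:\d+)?$")  # exact host, optional port


def expand(text, server_vars, match):
    """Substitute {R:n} back-references and {SERVER_VARIABLE} tokens in one pass."""
    def repl(m):
        token = m.group(1)
        if token.startswith("R:"):
            return match.group(int(token[2:]))
        return server_vars.get(token, "")
    return re.sub(r"\{(R:\d+|\w+)\}", repl, text)


def evaluate(host_patterns, path, server_vars):
    """Return the redirect Location, or None if the rule does not fire."""
    rule = ET.fromstring(RULE.format(*host_patterns))
    match = re.search(rule.find("match").get("url"), path, re.I)
    if match is None:
        return None
    for cond in rule.iter("add"):  # every condition must hold (MatchAll)
        flags = 0 if cond.get("ignoreCase") == "false" else re.I
        value = expand(cond.get("input"), server_vars, match)
        hit = re.search(cond.get("pattern"), value, flags) is not None
        if hit == (cond.get("negate") == "true"):
            return None
    return expand(rule.find("action").get("url"), server_vars, match)


if __name__ == "__main__":
    # Constructed Host header values, all requested over plain HTTP.
    for host in ("app.example.org", "localhost:44300", "notlocalhost.example.org"):
        sv = {"HTTPS": "off", "HTTP_HOST": host}
        print(host, evaluate(UNANCHORED, "x", sv), evaluate(ANCHORED, "x", sv))
```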
HowTo: HTTPS on IIS website with free auto-renewing certificate
Below is an image-based walk-through on how to configure HTTPS on an IIS website, making use of a free certificate for encryption from the non-profit Let’s Encrypt certificate authority, also configuring autorenewal of the certificate.
1) Download the win-acme client application (for the command-line).
There’s also a GUI app called IIS Crypto if you prefer. However, this article uses the win-acme tool.
2) Run wacs.exe from the folder where the win-acme tool is unpacked.
3) Follow the same steps as below, selecting your own site and binding.
Just press Q when finished and you’re done. There is no need to worry about the next renewal (mentioned on the screen); it will be done automatically.