Redirect HTTP to HTTPS

Topics: User Forum
Oct 16, 2008 at 1:04 PM

I am trying to redirect a site from HTTP to HTTPS.  IIRF seems to handle the clicking of links fine and redirects as expected using any of the stanzas from my IsapiRewrite4.ini below.  Unfortunately, the site has FQDN paths inside the HTML, specifically for the image source attributes, like <img src="http://server/images/foo.jpg" />.  My stanzas are not rewriting these requests when the browser requests them.  I get the IE notice about this page contains both Secured and Unsecured content.  Any and all help is much appreciated.

My IsapiRewrite4.ini (all commented out, becuase its not working)
# RewriteLog  c:\tmp\iirfLog.out
# RewriteLogLevel 3

# attempt 1 - errors in log to use RedirectRule
# This will force ANY http:// to https:
# RewriteCond %HTTPS off
# RewriteRule (.*) https://server$1 [I,RP]

# attempt 2
# This will force ANY http:// to https:
# RewriteCond %HTTPS off
# RedirectRule (.*) https://server$1 [I]

# attempt 3
# RewriteCond %{SERVER_PORT} ^80$
# RedirectRule ^/(.*)$ https://%{SERVER_NAME}/$1 [I,RP]
Oct 16, 2008 at 4:54 PM
Have you  looked in the log file?
Do you get any warnings from the ini file?
I would guess that you would.

First, your RewriteCond statements that include %HTTPS are going to be rejected.  There needs to be curly braces.
Also,what is RP?  I think that is intended to be "Redirect, Moved Permanently (301)".  But the syntax in IIRF for that is R=301, not RP.

There is a testparse.exe utility included in the IIRF download that will parse the ini file, and tell you if there are warnings, errors, etc.  

Now.... getting to your goals. . .
When you redirect a request from HTTP to HTTPS, that should work fine, I guess.
The URL address in the browser address bar gets updated.
the browser sends a new request to https://foo/bar/bam .

The server then responds with a page of content. Sounds like, within that page there are hard-coded http://foo/bar/bam URLs. 
At this point you will get a warning from IE saying "you have mixed content here."  This is because the page itself is being delivered via https, but the images are not.

The user can decide to go forward or not.  If he does not, then game over.
If he does go forward, then the browser will send out individual requests for each <img> in the page.
These are http requests.  If the IIRF ini file is written appropriately, these requests will then get redirected (or rewritten, your choice) to https. 

I think you may want to think about changing the page logic so that you use relative URLs in the <img> tags.  This eliminates the IE warning about mixed content.

Regardless what you decide to do on that, you will need to set up IIRF configuration to appropriately redirect and rewrite.