How to realize IIS->http automatic transfer to https under Alibaba Cloud SLB

This method uses Microsoft's URL Rewrite component: the server returns http status code 301 to the browser, and the browser performs the jump itself. As mentioned in the article above, add the following rule to web.config (or add the rule through the URL Rewrite interface in IIS Manager):

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

The rule above is very simple: (.*) matches a URL in any format, and {HTTPS} is an IIS server variable (Microsoft documents the full list of server variables and their possible values). When the connection is plain http, the value of {HTTPS} is the string "off". {HTTP_HOST} is the host name of the web site, i.e. the value of the request's Host header.

Method 2 works fine when IIS is deployed on a single machine. When Alibaba Cloud's load balancing service SLB is involved, however, the situation becomes a bit more complicated.

There are usually several ECS instances behind the SLB. If the HTTPS port is not opened on the SLB and the certificate is instead installed in IIS on each backend ECS, with port 443 opened in IIS there, some browsers (such as Chrome on Mac) report an expired-certificate error; the exact cause is not clear. That leaves only the other option: do not install the certificate in IIS on each ECS, but open the HTTPS port on the SLB and install the certificate there.

Under this scheme, however, an https request arriving at the SLB is converted by the SLB into a plain http request to the backend.

To redirect http to https we now have an additional task: IIS must distinguish whether an incoming http request is the browser's own http request (which should be redirected to https) or the http request that the SLB produced from the browser's https request (which must not be redirected, but answered with the site content). After thinking it over, I found that the two can only be told apart by the port number. The specific configuration is as follows:

1. Open http ports 80 and 8123 in IIS on the ECS, so that they match the backend protocol ports configured on the SLB.

2. Open two listeners on the SLB: frontend http 80 -> backend http 80, and frontend https 443 -> backend http 8123.

3. Update the URL Rewrite rule so that an http request on any port other than 8123 is redirected to https, while an http request on port 8123 is not redirected:

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)"/>
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true"/>
        <add input="{SERVER_PORT}" pattern="^8123$" negate="true"/>
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
    </rule>
  </rules>
</rewrite>

The whole flow now becomes: the browser requests http port 80 -> the SLB forwards it to http port 80 on the ECS's IIS -> URL Rewrite redirects the browser to https -> the SLB converts the browser's https request into http on port 8123 to the ECS's IIS -> IIS returns the real site content.
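As an added illustration (not code from the article), the following Python script parses the two-condition rule above exactly as written and evaluates it the way URL Rewrite does (MatchAll conditions, negate, ignoreCase, {R:1} and server-variable substitution) against constructed sample requests; the host name and path are made up. It also shows why the port-8123 concern matters: from IIS's point of view a direct public hit on port 8123 looks identical to SLB-forwarded traffic, so the rule alone cannot redirect it.

```python
import re
import xml.etree.ElementTree as ET

# The two-condition <rule> from the article's web.config, used as the input to parse.
RULE_XML = """<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)"/>
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true"/>
    <add input="{SERVER_PORT}" pattern="^8123$" negate="true"/>
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
</rule>"""


def expand(template, server_vars, match):
    """Substitute {VAR} server variables and {R:n} back-references from <match>."""
    def sub(m):
        key = m.group(1)
        return match.group(int(key[2:])) if key.startswith("R:") else server_vars[key]
    return re.sub(r"\{([^}]+)\}", sub, template)


def evaluate_rule(rule_xml, server_vars, path):
    """Return the redirect Location, or None when IIS would serve the request as-is.
    path is the URL path without the leading slash, as <match url> sees it."""
    rule = ET.fromstring(rule_xml)
    match = re.match(rule.find("match").get("url"), path)
    if match is None:
        return None
    # No logicalGrouping attribute means MatchAll: every <add> condition must hold.
    for cond in rule.find("conditions").findall("add"):
        value = expand(cond.get("input"), server_vars, match)
        flags = re.IGNORECASE if cond.get("ignoreCase", "true") == "true" else 0
        matched = re.search(cond.get("pattern"), value, flags) is not None
        negate = cond.get("negate", "false") == "true"
        if matched == negate:  # fails on a plain mismatch or on a negated match
            return None
    return expand(rule.find("action").get("url"), server_vars, match)


def classify_samples(host="www.example.com"):
    """Constructed requests as IIS on the ECS sees them (host name is made up). The
    last two are identical to the rule: SLB traffic on 8123 and a direct public hit."""
    cases = {
        "browser http via SLB port 80": ("off", "80"),
        "SLB-terminated https forwarded to port 8123": ("off", "8123"),
        "direct http from the Internet to port 8123": ("off", "8123"),
    }
    return {name: evaluate_rule(RULE_XML, {"HTTPS": https, "SERVER_PORT": port,
                                           "HTTP_HOST": host}, "account/login")
            for name, (https, port) in cases.items()}
```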

The drawback of this approach is that an additional http port, 8123, must be opened in IIS, which is not very safe when the ECS has a public network address. I do not know whether Alibaba Cloud will offer a better solution in the future.
