Redirect from HTTP to HTTPS using the IIS URL Rewrite module

A production deployment of SharePoint 2013 or 2016 should ensure that all HTTP traffic is encrypted in transit, however many users will still type http:// in their browser or have links that point to http:// instead of  https://. In these cases it can beneficial to automatically redirect users to the proper URL. One way of accomplishing this is the URL Rewrite module for IIS.

Key Terms

Rewrite - Modifies the incoming URL, the outgoing URL, or both.

Redirection - Uses HTTP status codes such as 301 or 302 to redirect the client to a different location. This involves an additional client round trip.

Supportability for SharePoint

The support for redirects and rewrites with SharePoint is documented in KB2818415. Since a HTTP 301/302 redirect to inform the browser of the updated URL is the preferred option for SharePoint, that will be the focus of this post. Please note that 301/302 redirects may not work with Office client applications.

Uses for redirect

In most cases a redirect is used for one of two reasons:

  1. Redirecting the user from http to https to enforce SSL communication. When a SharePoint farm is load balanced this is typically done using the load balancer but it some cases can be done on the SharePoint server or another server running IIS by using the IIS URL Rewrite module
  2. Redirecting a user who has a stale URL, typically when the name is changed during a farm migration or upgrade. This can also be done using a load balancer or any IIS server by implementing the URL Rewrite module.

Step by Step Instructions for HTTP to HTTPS redirect

#1 Download the URL Rewrite tool by following the instructions here

#2 Ensure that the IIS site you are using is configured for the proper port 80 binding. In this case we are listening for all traffic on port 80. But you could restrict this based on host header as needed


#3 Create a new URL rewrite rule




#4 Configure Rule Settings Exactly as follows





Note: In this example {HTTPS}, {HTTP_HOST}, and {REQUEST_URI} are all URL parts that can be accessed using the URL Rewrite module. More information on URL parts can be found here.


#5 Apply the rule


#6 From the top node disable and enable the rule (alternatively perform IISReset)




Note: web.config file modifications

The URL rewrite rules get written to the web.config file for the site you are working in. For example, the above configuration should result in this addition to the web.config file:

		<rule name="Redirect to http" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
			<match url="*" negate="false" />
			<conditions logicalGrouping="MatchAny">
				<add input="{HTTPS}" pattern="off" />
			<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />

Additional Resources

Creating Rewrite Rules for the URL Rewrite Module

Supportability of Rewrite and Redirects with SharePoint 2007/2010/2013

Mixed Http and Https Content with SharePoint 2010

URL Rewrite for IIS7 http to https redirection

URL Component Reference

Comments (12)
  1. Torsten Tiedt says:

    thanks for this post. It was helpfull. But there is an error. The regular expression must be “.*” instead “*”.
    This is from my failed request trace with “*” only:

    The expression “*” contains a repeat expression (one of ‘*’, ‘?’, ‘+’, ‘{‘ in most contexts) that is not preceded by an expression.


  2. BlueSky2010 says:

    Great article Damian!

    Would there be any performance implication due to this rule? Considering this as I’m looking to implement this to a site where we’ve 20K+ users.

    Any suggestion anyone? Appreciate any feedback!

    1. Damian Wiese says:

      I do not have any specific performance metrics for implementing the Rewrite module. In this case where we are doing a redirect only on the first request I wouldn’t expect it have a heavy impact.

  3. Matthias Abt says:

    Matches Wildcard did not work for me when there are Parameters like ?ID012345 i got a redirection to https://….?id=12345&ID=12345

    I chose to make a regular Expression instead of Wildcard and changed the pattern to (.*).

    The Redirect URL was changed to https://{HTTP_HOST}/{R:1} and now it works fine,

  4. MIke says:

    THis is close for me but my original url has port included http://xyz:8787 that is being appended to the final which of course makes ssl fail

  5. YimaDEY says:

    You can also config the redirect domain with or without www using URL rewrite. The SSL cert only include: www FQDN.

    web.config example:

    Extracted from:

  6. Juan Varelas says:

    Thanks for the example!!

  7. uaresoclever says:

    Thanks for this post. great article!

  8. Bo Chulindra says:

    If you use the redirect URL https://{HTTP_HOST}{REQUEST_URI} as is used in this article, make sure you uncheck the “Append query string” checkbox, otherwise your query string will be duplicated after the redirect. This is because REQUEST_URI already contains the query string.

  9. foxontherock says:

    If you use the “web.config” copy-paste instead of the wizard, as Bo Chulindra said, don’t forget to add
    to the action section, to avoid double querystring redirection.
    Also, I prefer redirecttype=Permanent.

    Complete action line:

  10. Ashish says:

    thanks for this post. It id helpfull.

  11. Kirill Zykov says:

    Thanks for this post!

Comments are closed.

Skip to main content