In production environments, it is desirable to redirect web requests from HTTP to HTTPS.
When running an ASP.NET Core application under IIS, HTTP to HTTPS redirection may be implemented in several ways:
- by IIS, using URL Rewrite
- by ASP.NET Core middleware
When a web request is processed, the sequence of stages checking for a secured connection is as follows:
If "Require SSL" is enabled, IIS rejects all HTTP requests with an error message:
HTTP Error 403.4 - Forbidden
The page you are trying to access is secured with Secure Sockets Layer (SSL).
If the following URL rewrite rule is added to the application's web.config file, IIS redirects all HTTP web requests to HTTPS before the ASP.NET Core application is reached.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="http to https" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{SERVER_NAME}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
If none of the above is configured, HTTP requests reach the ASP.NET Core application.
Use UseHttpsRedirection and/or UseHsts to have ASP.NET Core middleware redirect the client.
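The middleware option as an added example, not code from the original page: a minimal Program.cs (minimal hosting model, .NET 6 or later assumed) that registers both middlewares. The port, status code, max-age value and the sample endpoint are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Options for UseHttpsRedirection. The framework default status code is
// 307 (temporary); 308 is a permanent redirect that preserves the method.
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443; // assumed: the HTTPS binding configured in IIS
});

// Options for UseHsts. The Strict-Transport-Security header tells the
// browser to use HTTPS for this host on later requests.
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365); // assumed value; default is 30 days
    options.IncludeSubDomains = false;       // enable only if every subdomain serves HTTPS
    options.Preload = false;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    // The header is only added to HTTPS responses, and localhost is
    // excluded by default, so this has no effect on local HTTP testing.
    app.UseHsts();
}

// Redirects any request that arrives over HTTP to the HTTPS port above.
// Register it before endpoints so no handler answers over plain HTTP.
app.UseHttpsRedirection();

app.MapGet("/", () => "Served over HTTPS"); // sample endpoint (constructed)

app.Run();
```

UseHsts does not redirect on its own: the first plain-HTTP request is still answered by UseHttpsRedirection, and the browser only upgrades later requests itself once it has seen the header over HTTPS.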
Using the IIS setting "SSL Settings" in IIS Manager seems unrewarding, as it leads to an HTTP error response.
Using URL Rewrite may be beneficial with high-traffic applications, as it is processed before the ASP.NET Core application is reached and is thus presumably faster.
If you, however, prefer to configure your application in one place, using ASP.NET Core middleware is the way to go.