How to automatically change from http to https for a specific folder

In reality you cannot have IIS change from http to https for a specific folder automatically, because it is really a client issue.
One method which does work, and may be a viable option, is to change the IIS custom error page for the error 403.4.
The default message is shown below:

The page must be viewed over a secure channel
The page you are trying to view requires the use of “https” in the address.

Please try the following:

  • Try again by typing https:// at the beginning of the address you are attempting to reach.

HTTP 403.4 – Forbidden: SSL required
Internet Information Services

Instead of returning this error message, we can issue a redirect that sends the client to the secure page.

Add the following code to an ASP page, name the page JumpSSL.asp, and save it in the root folder of your web site (it must be within the web site because we need to point the custom error to it as a URL).

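<%
' On port 80 the request arrived over plain HTTP, so rebuild the URL as HTTPS.
If Request.ServerVariables("SERVER_PORT") = 80 Then
    Dim strSecureURL
    ' For a custom error URL, IIS passes "403;http://server:80/path" as the query string.
    strSecureURL = Request.ServerVariables("QUERY_STRING")
    strSecureURL = Replace(strSecureURL, "403;", "", 1, 1)
    ' Replace only the first match so "http" or ":80" later in the path is left alone.
    strSecureURL = Replace(strSecureURL, "http://", "https://", 1, 1)
    strSecureURL = Replace(strSecureURL, ":80/", "/", 1, 1)
    Response.Redirect strSecureURL
End If
%>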

You now need to configure the directory to require SSL. Right-click the directory for the web site you are configuring and select Properties.

Select the Directory Security tab and click the Edit button (this button is only enabled if SSL is already configured for the site).

Select the SSL options that you require for the virtual directory; at a minimum, select Require Secure Channel (SSL).

Click OK to close the Secure Communications dialog.

Now select the Custom Errors tab, select the 403.4 HTTP error code, and click the Edit Properties button.

Make the following changes:

  • Set Message Type to URL
  • Set URL to /JUMPSSL.ASP (or whatever file you created)

Click on OK to close the Error Mapping Properties dialog.

Click on OK to save all the changes to the web site.

Limitations of the custom error redirection.

  • No form data is preserved during the redirection
  • No query string parameters are preserved during the redirection
  • In IE 5 the URL in the address bar displays http:// instead of https:// but the page is secure; IE 5 shows the lock icon at the bottom of the browser window.
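
A stricter variant of JumpSSL.asp, added here as an example and not part of the original article: the redirect target in the page above is taken wholly from the query string, so this version keeps only the path from it and builds the host from SERVER_NAME, which means a direct request to the page with some other URL in the query string cannot send the browser to another site. It assumes IIS passes the failed request as 403;http://server[:port]/path in QUERY_STRING.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example, not the original article's code.
' Assumption: for a 403.4 custom error URL, QUERY_STRING has the form
'   403;http://server[:port]/path

Dim strQuery, strRest, strPath, intSlash

' Sends a plain 403 and stops; used whenever the input is not what IIS generates.
Sub Refuse()
    Response.Status = "403 Forbidden"
    Response.Write "The page must be viewed over a secure channel."
    Response.End
End Sub

' Only redirect requests that actually arrived over plain HTTP.
If Request.ServerVariables("SERVER_PORT") <> "80" Then
    Refuse
End If

strQuery = Request.ServerVariables("QUERY_STRING")

' "403;http://" is 11 characters; anything else is not an IIS 403.4 hand-off.
If LCase(Left(strQuery, 11)) <> "403;http://" Then
    Refuse
End If

' strRest is now "server[:port]/path". The host part is discarded on purpose:
' it is request data, so it is never copied into the Location header.
strRest = Mid(strQuery, 12)
intSlash = InStr(strRest, "/")
If intSlash = 0 Then
    strPath = "/"
Else
    strPath = Mid(strRest, intSlash)
End If

' The host comes from the server's own view of the request, not the query string.
Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & strPath
%>
```

If the site answers to several host names, replace SERVER_NAME with a fixed host name that matches the name on the SSL certificate.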