在IIS10 (Windows 10和Server 2016)中，从1709版本开始，有一个新的、更简单的选项可以为网站启用HSTS。

微软在这里描述了新方法的优点，并提供了许多不同的示例，说明如何通过编程或直接编辑ApplicationHost实现更改。配置文件(类似web。配置，但操作在IIS级别，而不是个别站点级别)。ApplicationHost。config可以在c:\ windows \ system32 \inetsrv\config目录下找到。

我在这里概述了避免链接失效的两个示例方法。

方法1 -编辑ApplicationHost。配置文件 在<site>标签之间，添加这一行:

<hsts enabled="true" max-age="31536000" includeSubDomains="true" redirectHttpToHttps="true" />

方法2—命令行: 从升高的命令提示符(即在CMD上用鼠标右键并以管理员身份运行)执行以下命令。请记住在IIS管理器中显示的站点名称与Contoso交换。

c:
cd C:\WINDOWS\system32\inetsrv\
appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.enabled:True" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.max-age:31536000" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.includeSubDomains:True" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.redirectHttpToHttps:True" /commit:apphost

如果您处于访问受限的托管环境中，那么微软在文章中提供的其他方法可能是更好的选择。

请记住，IIS10版本1709现在可以在Windows 10上使用，但对于Windows Server 2016，它在不同的发布轨道上，并且不会作为补丁或服务包发布。点击这里了解1709年的详细信息。

我花了一些时间寻找有意义的最佳实践，发现下面的方法非常适合我。我希望这能帮你节省时间。

使用配置文件(例如asp.net网站) https://blogs.msdn.microsoft.com/kaushal/2013/05/22/http-to-https-redirects-on-iis-7-x-and-higher/

或者在你自己的服务器上 https://www.sslshopper.com/iis7-redirect-http-to-https.html

(简答) 下面的代码放在里面

<system.webServer> 
 <rewrite>
     <rules>
       <rule name="HTTP/S to HTTPS Redirect" enabled="true" 
           stopProcessing="true">
       <match url="(.*)" />
        <conditions logicalGrouping="MatchAny">
        <add input="{SERVER_PORT_SECURE}" pattern="^0$" />
       </conditions>
       <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" 
        redirectType="Permanent" />
        </rule>
       </rules>
 </rewrite>

这是基于@特洛伊·亨特的更全面的回答。将这个函数添加到Global.asax.cs中的WebApplication类中:

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        // Allow https pages in debugging
        if (Request.IsLocal)
        {
            if (Request.Url.Scheme == "http")
            {
                int localSslPort = 44362; // Your local IIS port for HTTPS

                var path = "https://" + Request.Url.Host + ":" + localSslPort + Request.Url.PathAndQuery;

                Response.Status = "301 Moved Permanently";
                Response.AddHeader("Location", path);
            }
        }
        else
        {
            switch (Request.Url.Scheme)
            {
                case "https":
                    Response.AddHeader("Strict-Transport-Security", "max-age=31536000");
                    break;
                case "http":
                    var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
                    Response.Status = "301 Moved Permanently";
                    Response.AddHeader("Location", path);
                    break;
            }
        }
    }

(要在本地构建中启用SSL，请在项目的Properties dock中启用它)

这也取决于你的平衡器的品牌，对于web mux，你需要寻找http头x- webmux - ssl - terminate: true来计算传入的流量是ssl。详情:http://www.cainetworks.com/support/redirect2ssl.html

IIS7模块将允许您重定向。

    <rewrite>
        <rules>
            <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
                <match url="(.*)"/>
                <conditions>
                    <add input="{HTTPS}" pattern="^OFF$"/>
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
            </rule>
        </rules>
    </rewrite>

I'm going to throw my two cents in. IF you have access to IIS server side, then you can force HTTPS by use of the protocol bindings. For example, you have a website called Blah. In IIS you'd setup two sites: Blah, and Blah (Redirect). For Blah only configure the HTTPS binding (and FTP if you need to, make sure to force it over a secure connection as well). For Blah (Redirect) only configure the HTTP binding. Lastly, in the HTTP Redirect section for Blah (Redirect) make sure to set a 301 redirect to https://blah.com, with exact destination enabled. Make sure that each site in IIS is pointing to it's own root folder otherwise the Web.config will get all screwed up. Also make sure to have HSTS configured on your HTTPSed site so that subsequent requests by the browser are always forced to HTTPS and no redirects occur.