How to Configure IIS URL Rewrite Module on Windows Server 2025

How to Configure IIS URL Rewrite Module on Windows Server 2025

The IIS URL Rewrite Module is one of the most powerful extensions available for Internet Information Services, enabling administrators and developers to define rules that modify incoming request URLs before IIS processes them. On Windows Server 2025, URL Rewrite is indispensable for enforcing HTTPS, canonicalizing domain names, building clean SEO-friendly URLs, and routing traffic to application frameworks such as WordPress or Laravel. This tutorial walks through every stage of URL Rewrite configuration — from installation through advanced regex-based rules, outbound rewriting, and production testing techniques.

Prerequisites

• Windows Server 2025 with IIS 10 installed and running
• A website configured in IIS with a valid Application Pool
• Administrator privileges on the server
• PowerShell 5.1 or later (included by default)
• Optional: Web Platform Installer (WebPI) or direct download access to the URL Rewrite MSI

Step 1: Install the URL Rewrite Module

Microsoft distributes URL Rewrite as a free IIS extension. There are two primary installation methods on Windows Server 2025.

Option A: Direct MSI Download

Download the latest URL Rewrite MSI directly from the IIS.net downloads page and install it silently:

# Run in an elevated PowerShell session
$msiUrl = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi"
$dest   = "$env:TEMPrewrite_amd64.msi"

Invoke-WebRequest -Uri $msiUrl -OutFile $dest
Start-Process msiexec.exe -ArgumentList "/i `"$dest`" /qn /norestart" -Wait
Write-Host "URL Rewrite Module installed successfully."

Option B: Web Platform Installer (WebPI) CLI

# If WebPI is already installed
WebpiCmd-x64.exe /Install /Products:"UrlRewrite2" /AcceptEula /SuppressPostFinish

After installation, restart IIS to load the module:

iisreset /noforce

Verify the module is loaded by checking the IIS Manager — navigate to your server node and confirm URL Rewrite appears in the IIS section of the features pane.

Step 2: Understand the web.config Structure

All URL Rewrite rules live inside your site’s web.config file under the system.webServer/rewrite element. The basic skeleton looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound rules go here -->
      </rules>
      <outboundRules>
        <!-- Outbound rules go here -->
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

Each <rule> element contains a <match> element that tests the URL against a regex pattern, optional <conditions> that test server variables (such as HTTPS or HTTP_HOST), and an <action> element that defines what happens on a match.

Step 3: HTTP to HTTPS Redirect (301 Permanent)

Forcing all traffic through HTTPS is the most common URL Rewrite use case. Add the following rule as the first rule in your <rules> block:

<rule name="Force HTTPS" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="^OFF$" />
  </conditions>
  <action type="Redirect"
          url="https://{HTTP_HOST}/{R:1}"
          redirectType="Permanent" />
</rule>

The server variable {HTTPS} evaluates to OFF for plain HTTP requests. The capture group {R:1} preserves the full original path and query string in the redirected URL.

Step 4: www to Non-www Redirect

Canonical domain consolidation prevents duplicate content penalties. This rule redirects www.example.com to example.com:

<rule name="Canonical Non-WWW" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="^www.(.+)$" />
  </conditions>
  <action type="Redirect"
          url="https://{C:1}/{R:1}"
          redirectType="Permanent" />
</rule>

{C:1} refers to the first capture group in the most recently matched condition — here it captures the domain without the www. prefix.

Step 5: Remove Trailing Slashes

Trailing slashes can cause duplicate URL issues. The following rule strips trailing slashes from all URLs except the root path:

<rule name="Remove Trailing Slash" stopProcessing="true">
  <match url="(.+)/$" />
  <conditions>
    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
    <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
  </conditions>
  <action type="Redirect"
          url="{R:1}"
          redirectType="Permanent" />
</rule>

Step 6: Rewrite to index.php (WordPress / Laravel)

PHP frameworks use a single front-controller entry point. This rewrite rule sends all requests that do not match an existing file or directory to index.php, equivalent to the Apache mod_rewrite rules bundled with WordPress and Laravel:

<rule name="PHP Front Controller" stopProcessing="true">
  <match url="^(.*)$" />
  <conditions logicalGrouping="MatchAll">
    <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
  </conditions>
  <action type="Rewrite" url="/index.php" />
</rule>

Unlike a redirect, a Rewrite action is transparent — the browser URL does not change, but IIS internally routes the request to the target.

Step 7: Advanced Regex Pattern Matching

URL Rewrite supports full regular expressions. The following example rewrites legacy numeric product IDs to a new slug-based URL structure:

<rule name="Legacy Product URL Rewrite">
  <match url="^products/([0-9]+)$" />
  <action type="Rewrite" url="/products/detail.aspx?id={R:1}" />
</rule>

You can also use a 302 (temporary) redirect during A/B testing or migration periods by setting redirectType="Found".

Step 8: Outbound Rules — Modifying Response Content

Outbound rules rewrite content in the HTTP response body or headers. A common use case is rewriting absolute URLs in HTML responses to use HTTPS:

<outboundRules rewriteBeforeCache="true">
  <rule name="Rewrite HTTP to HTTPS in body" preCondition="IsHTML">
    <match filterByTags="A, Form, Img, Input, Link, Script"
           pattern="^http://www.example.com(.*)$" />
    <action type="Rewrite" value="https://www.example.com{R:1}" />
  </rule>
  <preConditions>
    <preCondition name="IsHTML">
      <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
    </preCondition>
  </preConditions>
</outboundRules>

Step 9: Testing Rules

Before deploying rules to production, use the IIS Manager’s built-in Test Pattern tool (available from the URL Rewrite feature pane) to validate regex patterns against sample URLs. From the command line, curl with verbose output reveals redirect chains:

# Test HTTP to HTTPS redirect
curl -v --max-redirs 5 http://example.com/some/path

# Verify final resolved URL
curl -Ls -o /dev/null -w "%{url_effective}" http://example.com/some/path

Check the IIS logs at C:inetpublogsLogFilesW3SVC1 to confirm the expected HTTP status codes (301, 302, 200) appear for the relevant requests.

Step 10: Complete web.config Example

The following is a production-ready web.config combining all rules from this tutorial in the recommended processing order:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>

        <rule name="Canonical Non-WWW" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^www.(.+)$" />
          </conditions>
          <action type="Redirect"
                  url="https://{C:1}/{R:1}"
                  redirectType="Permanent" />
        </rule>

        <rule name="Remove Trailing Slash" stopProcessing="true">
          <match url="(.+)/$" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
          </conditions>
          <action type="Redirect" url="{R:1}" redirectType="Permanent" />
        </rule>

        <rule name="PHP Front Controller" stopProcessing="true">
          <match url="^(.*)$" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="/index.php" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

The IIS URL Rewrite Module on Windows Server 2025 gives you precise, performant control over how requests enter and leave your web application. By combining regex matching with server variable conditions and multiple action types, you can implement sophisticated routing logic entirely within IIS — without touching application code. Start with the HTTPS and canonical redirects covered here, validate each rule in isolation using the test tools, and layer in framework-specific rewrites as your deployment grows. Consistent URL canonicalization and transparent front-controller rewrites are foundational to both application security and search engine performance.