Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


IIS redirect strange behavior

Posted on 2009-05-05
Medium Priority
Last Modified: 2012-05-06
I have redirection set up so that example.com is redirected to www.example.com. It is working for the most part but occasionally we detect that a connection is at www.example.com using the example.com header.

IIS7 on Windows Server 2008

web site #1
   bound to one IP address
   using host header www.example.com

web site #2
   bound to same IP address as web site #1
   using host header example.com
   has a different home directory than web site #1
   redirects to www.example.com

When we test, example.com always redirects to www.example.com. However, several times a day, the PHP script running on www.example.com detects that $_SERVER['HTTP_HOST'] is example.com (or sometimes the IP address).

How is this possible? Any ideas how I can configure IIS to reliably redirect every time?
Question by:cstobbe
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1

Expert Comment

ID: 24308829
Why can't you configure the example.com site to point to the same directory as www.example.com? Is there code in your site the specfically requires www.example.com?

I have multiple web sites that use either www.example.com or example.com - all produce the same web site.

Author Comment

ID: 24309073
In IIS6, example.com and www.example.com can have the same home directory.

In IIS7, the redirection configuration is set in web.config. If both example.com and www.example.com are sharing the same home directory, they will both read their configuration from the same web.config file. example.com would redirect to www.example.com, but www.example.com would redirect to itself.
There are 2 solutions to this:
1) Use a different home directory, or
2) Configure redirection on a site by site basis by manually editing applicationHost.config.
LVL 51

Expert Comment

by:Ted Bouskill
ID: 24342277
Wait a minute, why can't one site use two different host headers without using a redirect?  Do you want to automatically flip http://example.com to http://www.example.com?
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

LVL 37

Expert Comment

ID: 24344003

how are you monitoring "but occasionally we detect that a connection is at www.example.com using the example.com header"?

are you aware that when the user tries to go to "http://example.com" that this is still a normal http request - you will still see hits on that server and access will still be logged.  The only difference between the redirect hit and a www.example.com hit will be that the former results in a 302 response, and the latter results in a 200 result (or error)


Author Comment

ID: 24357344
We need a redirect because we do NOT want our visitors using example.com. We do this because of cookies. If the same user uses a mix of example.com and www.example.com it gets complicated because browsers make a distinction between the two. e.g. if we set a cookie at www.example.com and the visitor later returns to example.com, the browser is less likely to return the cookie.
Yes, we want to automatically flip http://example.com to http://www.example.com.

"we detect that a connection is at www.example.com using the example.com header" because the underlying PHP script sees that $_SERVER['HTTP_HOST'] contains "example.com". This should not be possible. If an incoming connection has a "example.com" host header, it should use an entirely different web site with its own home directory.
Yes, I am aware how the sites work. Actually, requests to example.com get a 301 response.

Accepted Solution

cstobbe earned 0 total points
ID: 24359256
I have found the cause of the problem. The pattern that I was missing until today is that all of the traffic that was slipping through the IIS redirection and meeting the PHP redirection was using HTTPS.

Here is the explanation.

example.com is listening on only port 80. www.example.com is listening on both port 80 and port 443.
- When a connection comes in to example.com:80, IIS sees the "example.com" host header and routes the connection to the "example.com" web site which redirects to www.example.com. Good.
- When a connection comes in to example.com:443, IIS does not look at the host header at all but it does see port 443 and routes the connection to www.example.com.

I don't think I can do redirection at the IIS level for HTTPS connections so the solution is probably to redirect at the web application level.

Thanks to those who submitted their comments.
LVL 51

Expert Comment

by:Ted Bouskill
ID: 24361025
I didn't get a chance to reply because I was waiting for the answer to my last question.  Doing it at the application level was what I would have recommended.
LVL 37

Expert Comment

ID: 24362999
hmmm...  you actually never mentioned that there was https involved ;-)

>> I don't think I can do redirection at the IIS level for HTTPS connections so the solution is probably to redirect at the web application level.

You can if you use independent IP addresses for the two hostnames.


Author Comment

ID: 24366404
I think there is probably less overhead if the redirection is done at the IIS level, which is why we prefer it. So we will compromise by having IIS redirect for HTTP and the application if it is HTTPS.

I knew that the web site serviced both HTTP and HTTPS, but It never occurred to me until yesterday that HTTPS was the major contributor to this problem. The web app was generating a log but this did not include the protocol. I added more and more to the logging until finally I saw that EVERY log entry was HTTPS. Then the 150W light bulb lit.
Yes, I thought about separate IP addresses for each web site. That would work but it would be an awkward configuration -- separately configuring the firewall and DNS server in addition to IIS. I think we will settle for redirecting at the app level for HTTPS.
LVL 37

Expert Comment

ID: 24370104

yes, I understand why you didn't mention SSL - I admit that I probably would not have immediately suspected that either.


Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question