Solved

IIS redirect strange behavior

Posted on 2009-05-05
Last Modified: 2012-05-06
I have redirection set up so that example.com is redirected to www.example.com. It is working for the most part but occasionally we detect that a connection is at www.example.com using the example.com header.

IIS7 on Windows Server 2008

web site #1
   bound to one IP address
   using host header www.example.com

web site #2
   bound to same IP address as web site #1
   using host header example.com
   has a different home directory than web site #1
   redirects to www.example.com

When we test, example.com always redirects to www.example.com. However, several times a day, the PHP script running on www.example.com detects that $_SERVER['HTTP_HOST'] is example.com (or sometimes the IP address).

How is this possible? Any ideas how I can configure IIS to reliably redirect every time?
0
Question by:cstobbe
11 Comments
 
LVL 8

Expert Comment

by:Pete_Zed
Why can't you configure the example.com site to point to the same directory as www.example.com? Is there code in your site that specifically requires www.example.com?

I have multiple web sites that use either www.example.com or example.com - all produce the same web site.
0
 

Author Comment

by:cstobbe
In IIS6, example.com and www.example.com can have the same home directory.

In IIS7, the redirection configuration is set in web.config. If both example.com and www.example.com are sharing the same home directory, they will both read their configuration from the same web.config file. example.com would redirect to www.example.com, but www.example.com would redirect to itself.
There are 2 solutions to this:
1) Use a different home directory, or
2) Configure redirection on a site by site basis by manually editing applicationHost.config.
0
 
LVL 51

Expert Comment

by:tedbilly
Wait a minute, why can't one site use two different host headers without using a redirect?  Do you want to automatically flip http://example.com to http://www.example.com?
0
 
LVL 37

Expert Comment

by:meverest
hi,

how are you monitoring "but occasionally we detect that a connection is at www.example.com using the example.com header"?

are you aware that when the user tries to go to "http://example.com" that this is still a normal http request - you will still see hits on that server and access will still be logged.  The only difference between the redirect hit and a www.example.com hit will be that the former results in a 302 response, and the latter results in a 200 result (or error)

Cheers.
0
 

Author Comment

by:cstobbe
tedbilly,
We need a redirect because we do NOT want our visitors using example.com. We do this because of cookies. If the same user uses a mix of example.com and www.example.com it gets complicated because browsers make a distinction between the two. e.g. if we set a cookie at www.example.com and the visitor later returns to example.com, the browser is less likely to return the cookie.
Yes, we want to automatically flip http://example.com to http://www.example.com.

meverest,
"we detect that a connection is at www.example.com using the example.com header" because the underlying PHP script sees that $_SERVER['HTTP_HOST'] contains "example.com". This should not be possible. If an incoming connection has an "example.com" host header, it should use an entirely different web site with its own home directory.
Yes, I am aware how the sites work. Actually, requests to example.com get a 301 response.
0

 

Accepted Solution

by:
cstobbe earned 0 total points
I have found the cause of the problem. The pattern that I was missing until today is that all of the traffic that was slipping through the IIS redirection and meeting the PHP redirection was using HTTPS.

Here is the explanation.

example.com is listening on only port 80. www.example.com is listening on both port 80 and port 443.
- When a connection comes in to example.com:80, IIS sees the "example.com" host header and routes the connection to the "example.com" web site which redirects to www.example.com. Good.
- When a connection comes in to example.com:443, IIS does not look at the host header at all but it does see port 443 and routes the connection to www.example.com.

I don't think I can do redirection at the IIS level for HTTPS connections so the solution is probably to redirect at the web application level.

Thanks to those who submitted their comments.
0
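
Added example, not part of the original thread: an application-level canonical-host redirect of the kind the accepted solution settles on, for requests that reach www.example.com's PHP code with another Host value (the HTTPS case described above). `CANONICAL_HOST` and `canonical_redirect_target()` are hypothetical names, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread). Assumed: the one host name the app should serve.
const CANONICAL_HOST = 'www.example.com';

/** Return the URL to redirect to, or null when the request already uses the canonical host. */
function canonical_redirect_target(array $server): ?string
{
    // The Host header is client-supplied: compare it, never copy it into the Location header.
    $host = strtolower((string)($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit ":443" or ":80"
    $host = rtrim($host, '.');                     // "www.example.com." names the same host
    if ($host === CANONICAL_HOST) {
        return null;
    }

    // IIS can report HTTPS as "off" for plain HTTP, so a non-empty test alone is not enough.
    $https  = !empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off';
    $scheme = $https ? 'https' : 'http';

    // Keep path and query only when they are in origin-form; otherwise fall back to "/".
    $uri = (string)($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\r\n]/', $uri)) {
        $uri = '/';
    }
    return $scheme . '://' . CANONICAL_HOST . $uri;
}

if (PHP_SAPI !== 'cli') {
    $target = canonical_redirect_target($_SERVER);
    if ($target !== null) {
        // Log the protocol as well as the host; the missing protocol hid the cause in this thread.
        error_log('canonical redirect: https=' . json_encode($_SERVER['HTTPS'] ?? null)
            . ' host=' . json_encode($_SERVER['HTTP_HOST'] ?? null));
        header('Location: ' . $target, true, 301);
        exit;
    }
} else {
    // Constructed sample requests: bare domain over HTTPS, IP address as Host, canonical host.
    $samples = [
        ['HTTP_HOST' => 'example.com',         'HTTPS' => 'on',  'REQUEST_URI' => '/cart.php?id=7'],
        ['HTTP_HOST' => '192.0.2.10',          'HTTPS' => 'off', 'REQUEST_URI' => 'http://other.test/'],
        ['HTTP_HOST' => 'www.example.com:443', 'HTTPS' => 'on',  'REQUEST_URI' => '/'],
    ];
    foreach ($samples as $request) {
        var_export(canonical_redirect_target($request));
        echo PHP_EOL;
    }
}
```

The browser validates the certificate before it ever sees the redirect, so https://example.com only redirects without a warning if the certificate on the port 443 binding also covers example.com.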
 
LVL 51

Expert Comment

by:tedbilly
I didn't get a chance to reply because I was waiting for the answer to my last question.  Doing it at the application level was what I would have recommended.
0
 
LVL 37

Expert Comment

by:meverest
hmmm...  you actually never mentioned that there was https involved ;-)

>> I don't think I can do redirection at the IIS level for HTTPS connections so the solution is probably to redirect at the web application level.

You can if you use independent IP addresses for the two hostnames.

Cheers!
0
 

Author Comment

by:cstobbe
tedbilly,
I think there is probably less overhead if the redirection is done at the IIS level, which is why we prefer it. So we will compromise by having IIS redirect for HTTP and the application if it is HTTPS.

meverest,
I knew that the web site serviced both HTTP and HTTPS, but it never occurred to me until yesterday that HTTPS was the major contributor to this problem. The web app was generating a log but this did not include the protocol. I added more and more to the logging until finally I saw that EVERY log entry was HTTPS. Then the 150W light bulb lit.
Yes, I thought about separate IP addresses for each web site. That would work but it would be an awkward configuration -- separately configuring the firewall and DNS server in addition to IIS. I think we will settle for redirecting at the app level for HTTPS.
0
 
LVL 37

Expert Comment

by:meverest
G'day,

yes, I understand why you didn't mention SSL - I admit that I probably would not have immediately suspected that either.

Cheers!
0
