Solved

Disabling or Routing HTTP/1.0 in IIS

Posted on 2009-05-12
Last Modified: 2013-11-22
Hello,

We have an issue using our IIS server. If you send a request to IIS using HTTP/1.0 and do not provide a HOST in the headers of the request the server responds with the internal IP of the server.

We have to block this.  We've found the only way to block it is to either use ASP pages that spew out the .htm page.  

This only happens when requesting .htm or .html pages.

What I'm really looking for is a way to either stop it from returning the internal IP, or to return 1.1 responses to a 1.0 request.

And yes, I do know there is a way to disable it one way through the metabase. But the issue is the server variables always return that hard coded value. So we never know if they are on the IP, domain, or sub domain, or anything.

Our software requires that knowledge to function because it does redirects and acts differently if you are on a temporary domain, as opposed to a fully functional one.

Anyone have some ideas?
Question by:digitalpacman
13 Comments
 
LVL 22

Accepted Solution

by:
cj_1969 earned 500 total points
0
 

Author Comment

by:digitalpacman
That's the solution we've known about.

The problem is it forces you to hard code the SERVER_NAME environment variable.
That means a website cannot run under multiple host names if the software relies on the SERVER_NAME to be different, which we do.

We allow the customer to run under the IP, a temporary dynamic name given by us, and also the domain if they have one. We redirect the user to the appropriate URL (IP to domain, etc.) if they land on it that way. But we cannot check the server_name variable if we do the feature suggested in the article.
0
 
LVL 22

Expert Comment

by:cj_1969
I'm confused.
My understanding of the variable is that it lets you override the default host name of the actual machine and returns this as the SERVER_NAME variable that is used when creating the header, if you have enabled the UseHostName variable, thereby not returning the actual machine name or its IP in the header information.

From your response, are you saying that you use the variable and need it to reflect the actual machine name?  In which case, I understand that this is not an option for you.

If you are not using the variable then this should work.  According to the KB, this in no way changes the response of the server or how the server handles the requests.  This just places different information in that header field, overriding the default that would normally be used by the server.
0
 

Author Comment

by:digitalpacman
SERVER_NAME returns the DOMAIN NAME, not the actual server name.

If you visit a server and pass Host: www.abc.com
SERVER_NAME is equal to www.abc.com
If you visit a server and pass Host: sub.abc.com
SERVER_NAME is equal to sub.abc.com
If you visit a server and pass Host: 172.0.0.1
SERVER_NAME is equal to 172.0.0.1

If you enable UseHostName you are forced to set it to something. Let's say it's www.abc.com
Then when you request SERVER_NAME, no matter what the HOST: is, it will ALWAYS be www.abc.com

The user can be visiting the IP address and the server code will think it's running under www.abc.com

These are the results of our tests. There is a way around it, but it requires an infrastructure change on our part. The only reason we do this method of redirect (by code) is so we don't have to have 3 websites (1 real, 2 redirect) per customer. We are a hosting provider and already have like 200-300 websites on each web server.
0
 

Author Comment

by:digitalpacman
Oh,

It's also read-only, you can't set it.
0
 
LVL 22

Expert Comment

by:cj_1969
If you are using the variable in your code and the value gets changed before the code execution when using the UseHostName option, then according to MS's KB on this there is only one way to handle this ... using an ASP page to create a custom header and setting the value that way on a per request basis.
Even this would have to be tested.  If setting the custom header changes the server variable then this might not work for you either unless you can run your code / import the page and then set the content header in the ASP page as the last thing right before sending the page back to the client.
0
 

Author Comment

by:digitalpacman
The only way to fix it is to remove the feature of having multiple domains available to a single website.

You can't have an ASP page that sets any environment variables because ASP doesn't and won't know what to set it to.

This is the only solution, using that patch.
We would have to remove the ability to run a single website under multiple domains. But, we can't. So we'd have to move it to IIS level redirects, as I think I stated before.

IP Website > Redirect to www.domain.com
Auto Generated Domain Name -> Redirect to www.domain.com
www.domain.com > runs the actual website
------
My post is really to find a method to get AROUND from having to do this. It takes like 10x more work and time in my company to get the IT department and DEV department working together to get things like that done wide scale. If I could just find something different, maybe code based only, that can do it, it would be awesome.

Maybe like setting the .htm processor DLL to be the ASP one. Or something like that. And change the host header server side.
0
 
LVL 22

Expert Comment

by:cj_1969
I am curious ... are you sure you are using the variable that they reference?
Typically if you are looking at the header information that the request is coming in on, you are parsing the actual URL/URI request string and pulling the value from there, not taking it from a system level / web server level variable.

I'll think about this and see if I can come up with something ... from what I have read nobody else has suggested any other work-arounds though.
0
 
LVL 3

Expert Comment

by:Router_Monkey
I am having the same issue with a web site. I ran the fix listed in the MS KB article (UseHostName) and it fixed the issue for port 80. No more private IP address being returned. But an HTTP request over port 443/SSL still gets a private IP returned. I am using openssl to perform the test. I opened a ticket with Microsoft and this is what the tech said, "It seems openssl is trying to connect using the HTTP 1.0 which is obsolete now. The best way to avoid this issue is by preventing the HTTP 1.0 requests on IIS. You may need to write a ISAPI to do it or you may use a 3rd party one."

From windows, "openssl s_client -connect [ip address]:443"
and then, "GET /scripts" command.

So is there a way to prevent HTTP1.0 on IIS6?
0
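Added example (not part of the original thread and not any poster's code): a check an administrator can run over a response captured from their own server, before and after applying the UseHostName fix or the hotfix, to confirm that no private address is echoed back. The function names and the sample responses are constructed for illustration; the header names in the samples (Content-Location, Location) are assumptions, and the check scans every header rather than relying on them.

```python
import ipaddress
import re

# Dotted-quad candidates; real validation is left to the ipaddress module.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def probe_request(path="/"):
    """The request shape described in the thread: HTTP/1.0 and no Host header."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")

def leaked_addresses(raw_response):
    """Return (header, address) pairs for private IPv4 literals in the headers."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    findings = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if not sep:                               # not a header line
            continue
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:                    # e.g. 999.1.1.1
                continue
            if addr.is_private:                   # RFC 1918, loopback, link-local
                findings.append((name.strip(), candidate))
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE_FIX = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Location: http://10.20.30.40/index.htm\r\n"
              b"Server: Microsoft-IIS/6.0\r\n"
              b"Content-Length: 0\r\n\r\n")
REDIRECT = (b"HTTP/1.1 302 Object Moved\r\n"
            b"Location: https://192.168.5.7/scripts/\r\n\r\n")
AFTER_FIX = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Location: http://www.abc.com/index.htm\r\n"
             b"Server: Microsoft-IIS/6.0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("before", BEFORE_FIX), ("redirect", REDIRECT),
                       ("after", AFTER_FIX)]:
        print(label, leaked_addresses(raw))
```

Run it against responses from both port 80 and port 443, since the post above reports that the fix behaved differently on the two.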
 
LVL 3

Expert Comment

by:Router_Monkey
Found some info here. There is an IIS6 hotfix that may help with this issue.
http://forums.iis.net/t/1151137.aspx
http://support.microsoft.com/kb/935469
0
 

Author Comment

by:digitalpacman
All I can see in those posts is that you have to install the hotfix.

I no longer work for the company so I no longer care for a resolution... I am going to accept the answer given by the first person.

The real answer is upgrade to IIS7. IIS7 doesn't have this bug.
0
 
LVL 3

Expert Comment

by:Router_Monkey
Microsoft support is telling me I should add an ISAPI filter to the web server and that the issue is due to HTTP1.0. This filter they provided will block http1.0.

<system.webServer>
  <rewrite>
    <rules>
      <!-- Abort any request whose protocol version is HTTP/1.0 -->
      <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
          <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
        </conditions>
        <action type="AbortRequest" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
0
 

Author Comment

by:digitalpacman
Is that for ASP.NET? That looks like web.config XML ...
The site uses ASP
0
