Disabling or Routing HTTP/1.0 in IIS

Posted on 2009-05-12
Medium Priority
Last Modified: 2013-11-22

We have an issue using our IIS server. If you send a request to IIS using HTTP/1.0 and do not provide a HOST in the headers of the request the server responds with the internal IP of the server.

We have to block this.  We've found the only way to block it is to either use ASP pages that spew out the .htm page.  

This only happens when requesting .htm or .html pages.

What I'm really looking for is a way to either stop it from returning the internal IP, or to return 1.1 responses to a 1.0 request.

And yes, I do know there is a way to disable it one way through the metabase. But the issue is the server variables always return that hard coded value. So we never know if they are on the IP, domain, or sub domain, or anything.

Our software requires that knowledge to function because it does redirects and acts differently if you are on a temporary domain, as opposed to a fully functional one.

Anyone have some ideas?
Question by: digitalpacman
LVL 22

Accepted Solution

cj_1969 earned 2000 total points
ID: 24374351

Author Comment

ID: 24399801
That's the solution we've known about.

The problem is it forces you to hard code the SERVER_NAME environment variable.
That means a website cannot run under multiple host names if the software relies on the SERVER_NAME to be different, which we do.

We allow the customer to run under the IP, a temporary dynamic name given by us, and also the domain if they have one. We redirect the user to the appropriate URL (IP to domain, etc.) if they land on it that way. But we cannot check the server_name variable if we do the feature suggested in the article.
LVL 22

Expert Comment

ID: 24412394
I'm confused.
My understanding of the variable is that it lets you override the default host name of the actual machine and returns this as the SERVER_NAME variable that is used when creating the header, if you have enabled the UseHostName variable, thereby not returning the actual machine name or its IP in the header information.

From your response, are you saying that you use the variable and need it to reflect the actual machine name?  In which case, I understand that this is not an option for you.

If you are not using the variable then this should work. According to the KB, this in no way changes the response of the server or how the server handles the requests. This just places different information in that header field, overriding the default that would normally be used by the server.

Author Comment

ID: 24413689
SERVER_NAME returns the DOMAIN NAME, not the actual server name.

If you visit a server and pass Host: www.abc.com
SERVER_NAME is equal to www.abc.com
If you visit a server and pass Host: sub.abc.com
SERVER_NAME is equal to sub.abc.com
If you visit a server and pass Host:
SERVER_NAME is equal to

If you enable UseHostName you are forced to set it to something. Let's say it's www.abc.com
Then when you request SERVER_NAME, no matter what the HOST: is, it will ALWAYS be www.abc.com

The user can be visiting the IP address and the server code will think it's running under www.abc.com

These are the results of our tests. There is a way around it, but it requires an infrastructure change on our part. The only reason we do this method of redirect (by code) is so we don't have to have 3 websites (1 real, 2 redirect) per customer. We are a hosting provider and already have like 200-300 websites on each web server.

Author Comment

ID: 24414099

It's also read-only, you can't set it.
LVL 22

Expert Comment

ID: 24414355
If you are using the variable in your code and the value gets changed before the code execution then when using the UseHostName option then according to MS's KB on this there is only one way to handle this ... using an ASP page to create a custom header and setting the value that way on a per request basis.
Even this would have to be tested.  If setting the custom header changes the server variable then this might not work for you either unless you can run your code / import the page and then set the content header in the ASP page as the last thing right before sending the page back to the client.

Author Comment

ID: 24415780
The only way to fix it is to remove the feature of having multiple domains available to a single website.

You can't have an ASP page that sets any environment variables because ASP doesn't and won't know what to set it to.

This is the only solution, using that patch.
We would have to remove the ability to run a single website under multiple domains. But, we can't. So we'd have to move it to IIS level redirects, as I think I stated before.

IP Website > Redirect to www.domain.com
Auto Generated Domain Name -> Redirect to www.domain.com
www.domain.com > runs the actual website
My post is really to find a method to get AROUND from having to do this. It takes like 10x more work and time in my company to get the IT department and DEV department working together to get things like that done wide scale. If I could just find something different, maybe code based only, that can do it, it would be awesome.

Maybe like setting the .htm processor DLL to be the ASP one. Or something like that. And change the host header server side.
LVL 22

Expert Comment

ID: 24415921
I am curious ... are you sure you are using the variable that they reference?
Typically if you are looking at the header information that the request is coming in on, you are parsing the actual URL/URI request string and pulling the value from there, not taking it from a system level / web server level variable.

I'll think about this and see if I can come up with something ... from what I have read nobody else has suggested any other work-arounds though.

Expert Comment

ID: 35147601
I am having the same issue with a web site. I ran the fix listed in the MS KB article (UseHostName) and it fixed the issue for port 80. No more private IP address being returned. But an HTTP request over port 443/SSL still gets a private IP returned. I am using openssl to perform the test. I opened a ticket with Microsoft and this is what the tech said, "It seems openssl is trying to connect using the HTTP 1.0 which is obsolete now. The best way to avoid this issue is by preventing the HTTP 1.0 requests on IIS. You may need to write an ISAPI to do it or you may use a 3rd party one."

From Windows, "openssl s_client -connect [ip address]:443"
and then, "GET /scripts" command.

So is there a way to prevent HTTP1.0 on IIS6?
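
A way to repeat the test from the comment above against a server you administer, for example after applying UseHostName or the hotfix (added example, not part of the original thread): it sends an HTTP/1.0 request with no Host header and lists any RFC 1918 address found in the response headers. The function names, the sample response and its Content-Location header are assumptions made for illustration.

```python
import ipaddress
import re
import socket
import ssl

# "Internal" here means the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample response (not captured from a real server); header name is an assumption.
SAMPLE_LEAKY = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Location: http://10.0.0.5/index.htm\r\n"
                b"Server: Microsoft-IIS/6.0\r\n\r\n<html></html>")

def build_probe(path="/"):
    """HTTP/1.0 request line with no Host header, the case described in the thread."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")

def internal_ips_in_headers(raw_response):
    """Return (header_name, ip) for every RFC 1918 address found in the response headers."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    findings = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:                      # not a valid address, e.g. 999.1.1.1
                continue
            if any(ip in net for net in RFC1918):
                findings.append((name.strip(), candidate))
    return findings

def probe(host, port=80, path="/", use_tls=False, timeout=5.0):
    """Send the probe to a server you administer; return the raw response bytes."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:                                     # certificate checks off: testing by IP
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock)
    with sock:
        sock.sendall(build_probe(path))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)
```

Running `internal_ips_in_headers(probe(host, 443, "/scripts", use_tls=True))` covers the port 443 case from the comment; an empty list means no private address appeared in the headers.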

Expert Comment

ID: 35147809
Found some info here. There is an IIS6 hotfix that may help with this issue.

Author Comment

ID: 35148448
All I can see in those posts is that you have to install the hotfix.

I no longer work for the company so I no longer care for a resolution... I am going to accept the answer given by the first person.

The real answer is upgrade to IIS7. IIS7 doesn't have this bug.

Expert Comment

ID: 35156546
Microsoft support is telling me I should add an ISAPI filter to the web server and that the issue is due to HTTP1.0. This filter they provided will block http1.0.

   <!-- Abort any request whose protocol is HTTP/1.0 -->
   <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
         <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
      </conditions>
      <action type="AbortRequest" />
   </rule>

Author Comment

ID: 35157067
Is that for ASP.NET? That looks like web.config XML ...
The site uses ASP
