Disabling or Routing HTTP/1.0 in IIS


We have an issue using our IIS server. If you send a request to IIS using HTTP/1.0 and do not provide a HOST in the headers of the request, the server responds with the internal IP of the server.

We have to block this.  We've found the only way to block it is to either use ASP pages that spew out the .htm page.  

This only happens when requesting .htm or .html pages.

What I'm really looking for is a way to either stop it from returning the internal IP, or to return 1.1 responses to a 1.0 request.

And yes, I do know there is a way to disable it one way through the metabase. But the issue is the server variables always return that hard coded value. So we never know if they are on the IP, domain, or sub domain, or anything.

Our software requires that knowledge to function because it does redirects and acts differently if you are on a temporary domain, as opposed to a fully functional one.

Anyone have some ideas?
digitalpacmanAuthor Commented:
That's the solution we've known about.

The problem is it forces you to hard code the SERVER_NAME environment variable.
That means a website cannot run under multiple host names if the software relies on the SERVER_NAME to be different, which we do.

We allow the customer to run under the IP, a temporary dynamic name given by us, and also the domain if they have one. We redirect the user to the appropriate URL (IP to domain, etc.) if they land on it that way. But we cannot check the SERVER_NAME variable if we do the feature suggested in the article.
I'm confused.
My understanding of the variable is that it lets you override the default host name of the actual machine and returns this as the SERVER_NAME variable that is used when creating the header, if you have enabled the UseHostName variable, thereby not returning the actual machine name or its IP in the header information.

From your response, are you saying that you use the variable and need it to reflect the actual machine name?  In which case, I understand that this is not an option for you.

If you are not using the variable then this should work. According to the KB, this in no way changes the response of the server or how the server handles the requests. This just places different information in that header field, overriding the default that would normally be used by the server.
digitalpacmanAuthor Commented:
SERVER_NAME returns the DOMAIN NAME, not the actual server name.

If you visit a server and pass Host: www.abc.com
SERVER_NAME is equal to www.abc.com
If you visit a server and pass Host: sub.abc.com
SERVER_NAME is equal to sub.abc.com
If you visit a server and pass Host:
SERVER_NAME is equal to

If you enable UseHostName you are forced to set it to something. Let's say it's www.abc.com
Then when you request SERVER_NAME, no matter what the HOST: is, it will ALWAYS be www.abc.com

The user can be visiting the IP address and the server code will think it's running under www.abc.com

These are the results of our tests. There is a way around it, but it requires an infrastructure change on our part. The only reason we do this method of redirect (by code) is so we don't have to have 3 websites (1 real, 2 redirect) per customer. We are a hosting provider and already have like 200-300 websites on each web server.
digitalpacmanAuthor Commented:

It's also read-only, you can't set it.
If you are using the variable in your code and the value gets changed before the code execution then when using the UseHostName option then according to MS's KB on this there is only one way to handle this ... using an ASP page to create a custom header and setting the value that way on a per request basis.
Even this would have to be tested.  If setting the custom header changes the server variable then this might not work for you either unless you can run your code / import the page and then set the content header in the ASP page as the last thing right before sending the page back to the client.
digitalpacmanAuthor Commented:
The only way to fix it is to remove the feature of having multiple domains available to a single website.

You can't have an ASP page that sets any environment variables because ASP doesn't and won't know what to set it to.

This is the only solution, using that patch.
We would have to remove the ability to run a single website under multiple domains. But, we can't. So we'd have to move it to IIS level redirects, as I think I stated before.

IP Website > Redirect to www.domain.com
Auto Generated Domain Name -> Redirect to www.domain.com
www.domain.com > runs the actual website
My post is really to find a method to get AROUND from having to do this. It takes like 10x more work and time in my company to get the IT department and DEV department working together to get things like that done wide scale. If I could just find something different, maybe code based only, that can do it, it would be awesome.

Maybe like setting the .htm processor DLL to be the ASP one. Or something like that. And change the host header server side.
I am curious ... are you sure you are using the variable that they reference?
Typically if you are looking at the header information that the request is coming in on, you are parsing the actual URL/URI request string and pulling the value from there, not taking it from a system level / web server level variable.

I'll think about this and see if I can come up with something ... from what I have read nobody else has suggested any other work-arounds though.
I am having the same issue with a web site. I ran the fix listed in the MS KB article (UseHostName) and it fixed the issue for port 80. no more private IP address being returned. But an HTTP request over port 443/SSL still gets a private IP returned. I am using openssl to perform the test. I opened a ticket with Microsoft and this is what the tech said, "It seems openssl is trying to connect using the HTTP 1.0 which is obsolete now. The best way to avoid this issue is by preventing the HTTP 1.0 requests on IIS. You may need to write a ISAPI to do it or you may use a 3rd party one."

From windows, "openssl s_client -connect [ip address]:443"
and then, "GET /scripts" command.

So is there a way to prevent HTTP1.0 on IIS6?
Found some info here. There is an IIS6 hotfix that may help with this issue.
digitalpacmanAuthor Commented:
All I can see in those posts is that you have to install the hotfix.

I no longer work for the company so I no longer care for a resolution... I am going to accept the answer given by the first person.

The real answer is upgrade to IIS7. IIS7 doesn't have this bug.
Microsoft support is telling me I should add an ISAPI filter to the web server and that the issue is due to HTTP1.0. This filter they provided will block http1.0.

   <!-- Abort any request whose protocol is HTTP/1.0 -->
   <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
         <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
      </conditions>
      <action type="AbortRequest" />
   </rule>
digitalpacmanAuthor Commented:
Is that for ASP.NET? That looks like web.config XML ...
The site uses ASP
Question has a verified solution.