  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 351
  • Last Modified:

Issue with redirecting from http to https on iis and windows 2003

I'm currently using the attached code to redirect from http to https,

This has been fine for a number of years, but now I've started hosting another site on the same server and IIS will not allow both sites to use port 443 for https.   So I need to be able to redirect the site to the non standard port I setup for the second site (444).  The issue I have is that I do not want to have several versions of this file with the ssl port hard coded into it.  I would like a solution that will query the server for the ssl port and then redirect to that port.


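<%
' Expects QUERY_STRING in the form IIS passes to a custom 403 error page:
' "403;http://host:80/path"
If Request.ServerVariables("SERVER_PORT") = 80 Then
    Dim strQUERY_STRING
    Dim strSecureURL
    Dim strWork

    ' Get server variables
    strQUERY_STRING = Request.ServerVariables("QUERY_STRING")

    ' Fix the query string. Replace only the first match of each pattern so
    ' that "http" or ":80" appearing later in the URL is left untouched.
    strWork = Replace(strQUERY_STRING, "http", "https", 1, 1)
    strWork = Replace(strWork, "403;", "", 1, 1)
    strWork = Replace(strWork, ":80", "", 1, 1)

    ' Now, set the new, secure URL:
    strSecureURL = strWork
    ' Response.Write(strSecureURL) ' uncomment for sanity check.
    Response.Redirect strSecureURL
End If
%>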


0
semperfi89
Asked:
1 Solution
 
Narender Gakka, AWS / DevOps / Cloud Consultant, commented:
Did you try configuring the sites with separate Host Headers? It seems that both websites are running on the same IP address, which is why you are not able to configure the two sites on the same port.

If it doesn't work, then use the alternate HTTPS port 8443 for one of the sites.
0
 
eitama commented:
You can run 2 servers under 1 TCP port using the Host header to differentiate between them.

Open the IIS configuration and find :

Web Site Tab > Advanced Button in "Web Site Identification" Area > Press "Add"

Enter your virtual Host text.

For example:
if you have 2 websites which use SSL, 1 is https://my-1st-site/ and the 2nd one is https://my-2nd-site/
You enter "my-1st-site" for the 1st ... etc...

When you use a browser to access any of the sites, the browser will use the IP address and TCP port common to both sites, but it will insert a proper Host header which will solve your problem.
This is a lot easier than making your php/asp script discover the SSL port number on request basis.
Also, discovering the port per request will probably have a significant impact on your site performance.
0
 
Rovastar commented:
Just use separate IPs for each site (http and https). That way your code should still work.
0

 
eitama commented:
@Rovastar

I do not agree with your solution,
If the IPs are public, it will cost money.
If the IPs are NATed, you still need to "find out" the port configured in the NAT or write script per site.
Besides, using an alternate port for SSL is discouraged, someone with a strict firewall will not be able to access the site.

That's exactly why we have the Virtual Host option.
0
 
semperfi89 (Author) commented:
I do have them setup with different Host Headers.  When on the "Web Site" tab I try to add 443 to the "SSL Port" box, then stop and start the website and I get this error...

"IIS was unable to start the site. Another site may already be using the port you configured for this site. Please select a unused port for this site"

Using different IP's is not an option as the websites have both secure and non secure content and the firewall has no way to forward ports based on host header info.
0
 
eitama commented:
0
 
Rovastar commented:
Virtual solutions are imaginary cost-cutting measures that cause more problems than they solve, hence why nearly all front end web solutions out there are physical boxes and not virtual ones.
0
 
eitama commented:
After some reading I have done, I have realized that the Host header is hidden when using SSL,
So you cannot decide which site it will go to, that's why you are getting blocked.

Also, if you are using the same SSL certificate for both sites, it will be invalid for one of them since the SSL server certificate states the "COMMON" name or domain-name of the web-site inside the certificate,
The browser will see a mismatch and warn the user that the certificate is not valid.

There are a few ways around this :
1. Using multiple IPs as Rovastar suggested.
2. Using : http://www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html
    from my previous post.
3. Putting all the files in one site, and using a server-side scripting language to send the correct traffic to the user, but that's ugly.
4. Using apache, and getting a 2nd certificate for the 2nd web-site.
0
 
fz2hqs commented:
You certainly do not need another IP address; you want two sites, one responding on port 80 and one on 443. The HTTP site's only task is to redirect to the 443 site, i.e. using $p$q flags to ensure continuity to the end user. The HTTP site can run host headers if needed, no problem.
0
 
semperfi89 (Author) commented:
@eitama

The sites have different SSL certificates, and have different (unrelated) domain names, so a wildcard certificate is not an option. Using a UCC Cert is an option but it still won't fix my issue.  I can't run both sites using the same port, so one site has to be on a different port.  Which is fine, I just want to know a way to alter the script (or a different script) that will not require me to hard code the port number into the script to redirect.

I don't even know if running Apache is an option (but I doubt it) due to running Exchange and needing access to OWA and Active Sync.


@fz2hqs
as I stated in my previous post both sites have non SSL content so a simple http site that only redirects to the https site is not going to work



Is there not a variable that I can query as part of the script that IIS will respond with the correct SSL port number?
0
 
eitama commented:
I am sure that this variable, even if you manage to get a hold of some call to get it, will take about 2 seconds to be retrieved.

How about, your asp/php file will query for the server port, but only once and it will then save it internally in some file for future use.

Is that good? If so, I'll try to think of a way of obtaining it.
0
 
eitama commented:
If the solution I offered above is ok with you,
then you need to find a way to run vbs script from inside asp/php,
call this file : iisweb.vbs, which is a part of IIS scripts.
(look here : http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1805162e-6ac5-4a98-9a08-919c4c10827d.mspx?mfr=true)

then, you will have a list of all the websites your IIS is running, including the port.
You will then have to do some parsing, and extract the port number from the correct website.
Which can be done if you name your websites correctly and use the Host header to decide which site you need.
0
 
semperfi89 (Author) commented:
@eitama
I looked at your suggestion, and it doesn't work.  It only shows the web port not the ssl port.


Site Name (Metabase Path)                     Status  IP              Port  Host
==============================================================================
Default Web Site (W3SVC/1)                    STARTED ALL             80    N/A
site1.local (W3SVC/1529999581)                STARTED ALL             80    site1.local
site2.local (W3SVC/1976305337)                STARTED ALL             80    site2.local
Administration (W3SVC/30431)                  STARTED ALL             8099  N/A


0
 
semperfi89 (Author) commented:
Ok, six days and no other options...

Anybody else have any thoughts?
0
 
eitama commented:
How about embedding the HTTP port and HTTPS port in the site name and then you can fetch it from the name with the command above?
0
 
eitama commented:
For example :

Site Name (Metabase Path)                     Status  IP              Port  Host
==============================================================================
Default Web Site (W3SVC/1)                    STARTED ALL             80    N/A
site1.80|443 (W3SVC/1529999581)                STARTED ALL             80    site1.local
site2.81|444 (W3SVC/1976305337)                STARTED ALL             80    site2.local
Administration (W3SVC/30431)                  STARTED ALL             8099  N/A

Then you would use some string parsing like regular-expression.

String variable = "site1.80|443";
Regex expression : .+\.(\d+)\|(\d+) on variable

print subexp1;//80
print subexp2;//443

(Pseudo-Code ofc).
0
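
Added example, not part of the original thread: a parser for the `iisweb /query` listing that applies the site-naming convention proposed above (with the dot escaped in the regular expression) and builds the HTTPS redirect only for a host header that appears in the listing, so the redirect target is always a configured site rather than whatever the client sent. The function names and the sample listing are constructed for illustration; the code is plain ES3-style JavaScript, which classic ASP can also host as JScript (not tested on IIS here).

```javascript
// Constructed sample of `iisweb /query` output, with the HTTP|HTTPS ports
// embedded in each site name as suggested in the thread.
var SAMPLE_LISTING = [
  "Site Name (Metabase Path)                     Status  IP              Port  Host",
  "==============================================================================",
  "Default Web Site (W3SVC/1)                    STARTED ALL             80    N/A",
  "site1.80|443 (W3SVC/1529999581)               STARTED ALL             80    site1.local",
  "site2.80|444 (W3SVC/1976305337)               STARTED ALL             80    site2.local",
  "Administration (W3SVC/30431)                  STARTED ALL             8099  N/A"
].join("\n");

// Split "<label>.<http>|<https>" into two validated port numbers, or null.
function portsFromSiteName(name) {
  var m = /^.+\.(\d{1,5})\|(\d{1,5})$/.exec(name);
  if (!m) return null;
  var http = parseInt(m[1], 10), https = parseInt(m[2], 10);
  if (http < 1 || http > 65535 || https < 1 || https > 65535) return null;
  return { http: http, https: https };
}

// Map each configured host header (lower-cased) to the ports in its site name.
// Header, separator and sites without the naming convention are skipped.
function parseSiteListing(text) {
  var row = /^(.+?) \(W3SVC\/\d+\)\s+\S+\s+\S+\s+\d+\s+(\S+)\s*$/;
  var lines = text.split("\n"), sites = {};
  for (var i = 0; i < lines.length; i++) {
    var m = row.exec(lines[i]);
    var ports = m ? portsFromSiteName(m[1]) : null;
    if (ports && m[2] !== "N/A") sites[m[2].toLowerCase()] = ports;
  }
  return sites;
}

// Build the HTTPS URL for a request, or null when the Host header is not a
// configured site or the path is not a plain local path ("/..." but not "//").
function secureUrlFor(sites, hostHeader, pathAndQuery) {
  var host = String(hostHeader).toLowerCase().replace(/:\d+$/, "");
  if (!Object.prototype.hasOwnProperty.call(sites, host)) return null;
  var second = pathAndQuery.charAt(1);
  if (pathAndQuery.charAt(0) !== "/" || second === "/" || second === "\\") return null;
  var port = sites[host].https;
  return "https://" + host + (port === 443 ? "" : ":" + port) + pathAndQuery;
}
```

Parsing the listing once and keeping the resulting map in memory matches the earlier suggestion in the thread to look the port up a single time rather than on every request.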
 
semperfi89 (Author) commented:
@eitama

I can't verify if this works or not, I've had two servers die and I'm working on recovering them.  I'm going to close this question and give you the point because it looks like it's a good idea, and in theory it should work.
0
 
semperfi89 (Author) commented:
a
0
 
eitama commented:
Thank you,
And good luck (:
0
