Solved

IIS 7 HTTP only

Posted on 2014-08-12
Last Modified: 2014-09-03
Hi,

I have a Windows 2008 R2 web server running around 20 websites, one of them running HTTPS with an SSL cert. One local IP.
However, if I run one of the HTTP websites with https in the URL, I get the HTTPS "nag" but it still loads the HTTPS site. I want to "force" the HTTP sites to only run HTTP, or just show a "page cannot be displayed" error if someone puts https in the URL instead of going to the HTTPS site.

I have URL Rewrite installed in IIS but cannot find a rule to force HTTP anywhere; there are plenty to force HTTPS.

Thanks
Question by:exact1
18 Comments
 

Expert Comment

by:becraig
ID: 40257078
You can simply disable SSL for individual websites:

    appcmd set config "Default Web Site" /section:access /sslFlags:None /commit:APPHOST

More info:
http://technet.microsoft.com/en-us/library/cc732341%28v=ws.10%29.aspx
Additionally, if you are using host headers in your config this should simplify things.

Expert Comment

by:Craig Beck
ID: 40257125
I agree with becraig... I'd use host headers, especially as you only have one IP.

Expert Comment

by:arnold
ID: 40257490
The issue is that you have IIS bound to the IP on port 443.

The requested site is unknown until after the SSL connection is negotiated and established.
I.e. a person calling a wrong number only finds out when the person on the other end answers and tells them that whoever they are trying to reach is not at this number.

There is a way to run multiple SSL sites on one IP, which requires the use of a certificate that includes multiple names for the sites, which are then differentiated using host headers on the 443 port, similar to your setup of HTTP.

Expert Comment

by:becraig
ID: 40257503
Arnold, I think what the OP is asking for (I might be wrong) is to simply disable SSL on the other sites so no SSL requests get honored.
I want to "force" the http sites to only run http or just show a "page can not be displayed" error if someone puts https in the URL instead of going to the https site.

I have suggested:
1. Creating host headers (which will ELIMINATE this confusion).
2. Explicitly disabling SSL for the sites in question, in the event that is the final aim.

Expert Comment

by:arnold
ID: 40257536
I read the same thing; the issue is that the other sites do not have an SSL portion enabled.
I.e. all sites point to a public address; for point of discussion we'll use 10.0.10.10 as the common IP.
www.site.com has both port 80 with host header and 443
www.site1.com
.
.
www.site10.com only have port 80 with host headers.

I believe the user wants to prevent the following:
Person A types in https://www.site9.com
The user gets alerted that the certificate name is mismatched, since it reflects www.site.com.

Even with the SSL configuration on site.com, the user might get two errors: one for the certificate mismatch and then possibly for the site not found, or a 403 error.

I do not believe there is anything on the configuration side that can be done to avoid this issue.

Expert Comment

by:becraig
ID: 40257539
I do not agree; the situation can be remedied with host headers. IIS will know what you are asking for if host headers are enabled, so you will not punch in www.site9.com and get www.site.com.

That is the suggestion that was made in my comment: to simply leverage host headers to avoid confusion.

Expert Comment

by:arnold
ID: 40257555
Host headers are in use on the HTTP side.

The user has a single encrypted SSL site, and this is where the issue begins.

From the original question:
however if I run one of the http websites with https in the url, I get the HTTPS "nag" but it still loads the https site, I want to "force" the http sites to only run http or just show a "page can not be displayed" error if someone puts https in the URL instead of going to the https site.

The only way to achieve the asked-for resolution requires a separate process, where a certificate exists that has all the site names, that will terminate the SSL connection and then determine the URL being sought and generate the appropriate response.

Author Comment

by:exact1
ID: 40265882
Hi, thanks all, I will look into these suggestions next week.

To reiterate:

All websites are using host headers so they can use one "local" IP (e.g. NAT from the external IP on the firewall). One website also has a host header on port 80 (as usual) and also port 443 added, and a single SSL cert for that domain. I have a force-HTTPS rule on that site within the web.config file. That works fine: any user who types the http: site gets redirected to the https: site.

The issue is, if any other site (on that server) receives a request but the user has added https by mistake instead of http, they get an incorrect certificate "nag" and then see the login of the single HTTPS site. Which is not an ideal solution.

I would have thought this issue would crop up a lot on single web servers with multiple sites and one or more HTTPS?

So again I would have thought there was an easy way around this in IIS, like "only run this site HTTP". I have also tried looking for a force-HTTP rule in URL Rewrite without luck.

I don't think I can disable SSL per site unless I have bound port 443 first, and on all the HTTP sites I don't have the HTTPS 443 port added, as it's not needed.

Author Comment

by:exact1
ID: 40285487
Hi

Updates to posters:

- You cannot disable SSL if it's not added to a website, so that's a no-go, as all my HTTP sites don't have HTTPS enabled.
- All sites use host headers already.

Arnold, I sort of see where you are going with the SSL cert that terminates any non-HTTPS sites, but could you elaborate please?

The only way I might be able to do this is by putting the one HTTPS site on another local IP and using the firewall to NAT-redirect HTTP and HTTPS to different local IPs, although I am unsure if that will work.

Expert Comment

by:arnold
ID: 40286179
The only way to achieve your goal is to have a reverse proxy that accepts the SSL 443 connection. Within the reverse proxy, the requested URL is known and the configuration is such that a request for site1 is directed to the correct site; everything else could be configured to display the message of your choice(s).

Using a different local IP would not resolve the issue, as the incoming traffic on SSL 443 will by rule be routed to the site.

Internet requests <=> SSL 443 <=> reverse proxy <requested URL site1.com => your preferred site
                                                <requested URL anything other than site1.com => error/info message

The other option deals with adding URL checks on the site1 pages that test, and when the requested URL is not site1.com, generate redirection of the user to a separate custom message, or ........

The difficulty with the latter suggestion deals with modifying the site's pages, which becomes ever more complex when a user can alter their site as they see fit, when they see fit.

Author Comment

by:exact1
ID: 40287371
Hi, can this reverse proxy be set up in IIS 7.5 or URL Rewrite (or similar)?
This particular web server is on its own internet connection and uses ISP / public DNS servers.
Currently it's the only server on that network; it actually uses our backup 75 Mbps fibre line, so it is isolated.

Windows 2008 R2 Web in a workgroup.

Thanks

Expert Comment

by:arnold
ID: 40288417
The difficulty with trying to do everything within one deals with the means.

If IIS 443 with the site certificate runs a script that checks the requested URL, it would then need to redirect to https://www.site1.com:<somenewport>.
With this, you run the risk that some/several users who use browsers that have built-in port redirection/protection will get an error page, such that the user will have to go through the configuration to identify this <somenewport> as trusted/valid.
This security feature I think exists in Chrome and Firefox.

In the IIS implementation you will have:
Site1: 80 and <somenewport>
Main SSL with the www.site1.com certificate, running a detection script for the requested URL that redirects to www.site1.com:<somenewport> or to the requested_URL non-secure connection error message.
site2: 80
...

Author Comment

by:exact1
ID: 40296265
Hi Arnold, ok thanks for the info.
I am not entirely sure what I will do now, I thought it would be easier to solve.

Expert Comment

by:arnold
ID: 40297154
IIS does not include an option for host headers on the SSL bindings.

Other than the issue with the single certificate, host headers are the only way IIS would have been able to differentiate after the SSL connection is established and the decoding of the requested URL.

It could be easy to solve: there is a version of squid-cache that can run on Windows, which you then can set up as a reverse proxy. Though as noted, the only change will be that the user erroneously typing in https://www.site2.com, after the certificate name mismatch error display, will be directed to an error page of your choosing.
Viewing the certificate, the user will still see a message such as "you are trying to access www.site2.com while the certificate is for www.site1.com".

Author Comment

by:exact1
ID: 40297914
Thanks again Arnold, I will have a look at squid cache.

Author Comment

by:exact1
ID: 40298402
Hi, I have installed and can run squid cache, however I'm not sure of any real configuration to complete this.
I assume the redirect pages will be in the squid.conf?

As a note, there are no local users on this server, just web-based HTTP and HTTPS.

Accepted Solution

by:
arnold earned 400 total points
ID: 40298906
The default configuration is as a proxy; you need to reconfigure it as a reverse proxy.

http://wiki.squid-cache.org/ConfigExamples/

Test first by configuring the reverse proxy to use port 444.
Note you need to export the site1.com certificate and convert it to be used as the SSL endpoint.

It is up to you whether the access between the proxy and site1.com will be secure or not.
The other item I forgot to mention: if site1.com access is important, with the reverse proxy the IIS log will reflect the proxy as the requesting source for all access.
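To make the accepted answer concrete, here is an added squid.conf fragment (my example, not from the thread or the Squid project) that implements the reverse proxy described above: Squid terminates TLS on the test port 444, forwards only requests whose Host is www.site1.com to the IIS HTTPS site, and answers every other name with a custom error page instead of site1's login. It assumes Squid 3.x directive names, that Squid runs on the IIS host, and that the certificate/key paths and the ERR_WRONG_HOST template are placeholders you create.

```conf
# Added example squid.conf (reverse-proxy / accelerator mode), not the thread's own config.
# Assumed layout: Squid on the same box as IIS; IIS keeps the HTTPS site bound to 443
# and the HTTP-only sites on 80. Port 444 is the test port; once it works, IIS moves off
# 443 and this becomes "https_port 443 ...".

# Terminate TLS for every name arriving on the single IP. The certificate is still only
# valid for www.site1.com, so the browser mismatch warning for other names remains
# (as noted above); what changes is what the user sees after clicking through it.
# cert=/key= paths are placeholders for the exported, PEM-converted site1 certificate.
https_port 444 accel vhost defaultsite=www.site1.com \
    cert=C:/squid/etc/site1.pem key=C:/squid/etc/site1.key

# Back end: the existing IIS HTTPS site. Talking to it over 443 (not 80) avoids a redirect
# loop with the force-HTTPS rule in that site's web.config. The proxy->IIS hop is on the
# same host, so peer certificate verification is skipped here (assumption; tighten if the
# hop ever leaves the box).
cache_peer 127.0.0.1 parent 443 0 no-query originserver ssl \
    sslflags=DONT_VERIFY_PEER name=iis_site1

# In accel mode dstdomain matches the Host header the browser sent, i.e. the name the
# user typed after "https://". Only the name the certificate covers is let through.
acl site1 dstdomain www.site1.com
cache_peer_access iis_site1 allow site1
cache_peer_access iis_site1 deny all
never_direct allow all

# Everything else (https://www.site2.com, https://www.site9.com, ...) is denied, and
# deny_info swaps Squid's default denial page for a custom template. ERR_WRONG_HOST is a
# placeholder file name you create in Squid's errors directory (assumption); it can say
# "this site is HTTP only" or whatever message you prefer.
http_access allow site1
deny_info ERR_WRONG_HOST all
http_access deny all

# Squid, not IIS, is now the TLS endpoint, so IIS logs will show 127.0.0.1 as the client.
# Keep Squid's own access log to retain the real source addresses.
access_log C:/squid/var/logs/access.log squid
```

The IIS side is unchanged for the test: browse to https://www.site1.com:444/ (expect the site) and https://www.site2.com:444/ (expect the certificate warning, then the ERR_WRONG_HOST page rather than site1's login).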
 

Author Comment

by:exact1
ID: 40300621
Thanks, I will award you the points and have a look at this.