IIS 7 HTTP only


I have a Windows 2008 R2 Web server running around 20 websites and one running HTTPS with an SSL cert. One local IP.
However, if I run one of the HTTP websites with https in the URL, I get the HTTPS "nag" but it still loads the HTTPS site. I want to "force" the HTTP sites to only run HTTP, or just show a "page cannot be displayed" error if someone puts https in the URL, instead of going to the HTTPS site.

I have URL Rewrite installed in IIS but cannot find a rule to force HTTP anywhere; there are plenty to force HTTPS.


You can simply disable SSL for individual websites:
 appcmd set config "Default Web Site" /section:access /sslFlags:None /commit:APPHOST

More info:
Additionally, if you are using host headers in your config, this should simplify things.
Craig BeckCommented:
I agree with becraig... I'd use host headers, especially as you only have one IP.
The issue is you have IIS bound to IP port 443.

The requested site is unknown until after the SSL connection is negotiated and established.
I.e. A person calling a wrong number only finds out when the person on the other end answers and tells them that whoever they are trying to reach is not at this number.

There is a way to run multiple SSL sites on one IP, which requires the use of a certificate that includes multiple names for the sites that are then differentiated using host headers on the 443 port similar to your setup of http.

Arnold, I think what the OP is asking for (I might be wrong) is to simply disable SSL on the other sites so no SSL requests get honored.
I want to "force" the http sites to only run http or just show a "page can not be displayed" error if someone puts https in the URL instead of going to the https site.

I have suggested
1. creating host headers (which will ELIMINATE this confusion)
2. Explicitly disabling SSL for the sites in question in the event that is the final aim.
I read the same thing; the issue is that the other sites do not have an SSL portion enabled.
I.e. all sites point to a public address, for point of discussion we'll use as the common IP
www.site.com has both port 80 with host header and 443
www.site10.com only has port 80 with host headers.

I believe the user wants to prevent the following:
Person A types in https://www.site9.com
The user gets alerted that the certificate name is mismatched since it reflects the www.site.com

Even if the SSL configuration on site.com, the user might get two errors, one for the certificate mismatch and then possibly for the site not found or a 403 error.

I do not believe there is anything on the configuration side that can be done to avoid this issue.
I do not agree; the situation can be remedied with host headers. IIS will know what you are asking for if host headers are enabled, so you will not punch in www.site9.com and get www.site.com.

That is the suggestion that was made in my comment to simply leverage host headers to avoid confusion.
Host headers are in use on the HTTP side.

The user has a single encrypted SSL site, and this is where the issue begins.

From the original question:
however if I run one of the http websites with https in the url, I get the HTTPS "nag" but it still loads the https site, I want to "force" the http sites to only run http or just show a "page can not be displayed" error if someone puts https in the URL instead of going to the https site.

The only way to achieve the asked-for resolution requires a separate process where a certificate exists that has all the sites' names, that will terminate the SSL connection and then determine the URL being sought and generate the appropriate response.
exact1Author Commented:
Hi, thanks all I will look into these suggestions next week.

to reiterate:

All websites are using host headers so they can use one "local" IP (e.g. NAT from external IP on firewall). One website also has a host header on port 80 (as usual) and also port 443 added, and a single SSL cert for that domain. I have a force-HTTPS rule on that site within the web.config file. That works fine: any user who types the http: site gets redirected to the https: site.

The issue is, if any other site (on that server) receives a request but the user has added https by mistake instead of http, they get an incorrect certificate "nag" and then see the login of the single HTTPS site. Which is not an ideal solution.

I would have thought this issue would crop up a lot on single web servers with multiple sites and one or more https?

So again, I would have thought there was an easy workaround in IIS, like "only run this site HTTP". I have also tried looking for a force-HTTP rule in URL Rewrite without luck.

I don't think I can disable SSL per site unless I have bound port 443 first, and on all the HTTP sites I don't have HTTPS port 443 added, as it's not needed.
exact1Author Commented:

updates to posters:

- you cannot disable SSL if it's not added to a website, so that's a no-go, as all my HTTP sites don't have HTTPS enabled.
- all sites use host headers already

Arnold, I sort of see where you are going with the SSL cert that terminates any non-HTTPS sites, but could you elaborate please?

The only way I might be able to do this is by putting the one https site on another local IP and using the firewall to NAT redirect http and https to different local IPs, although I am unsure if that will work.
The only way to achieve your goal is to have a reverse proxy that accepts the SSL 443 connection. Within the reverse proxy, the requested URL is known, and the configuration is such that a request for site1 is directed to the correct site; everything else could be configured to display the message of your choice.

Using a different local IP would not resolve the issue, as the incoming traffic on SSL 443 will by rule be routed to the site.

Internet requests <=> SSL 443 <=> reverse proxy <site1.com=> your preferred site
                                                                           \<requested URL anything other than site1.com => error/info message

The other option deals with adding URL checks on the site1 pages that test, and when the requested URL is not site1.com, generate a redirection of the user to a separate custom message, or ........

The difficulty with the latest suggestion deals with modifying the site's pages, which becomes ever more complex when a user can alter their site as they see fit, when they see fit.
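The "URL check on the site1 side" idea above can be done without touching any page code, by putting the check in the URL Rewrite module that the question says is already installed. The web.config fragment below is an added example written for this thread; it is not code from any of the posters. It assumes the single HTTPS site answers as www.site1.com (the thread uses both www.site.com and www.site1.com for it) and that the rule is added to that site's web.config ahead of the existing force-HTTPS rule. Because every HTTPS request to the shared IP lands on this site, a request whose Host header names some other site can only be one of the mistyped https:// requests described above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config of the single HTTPS site (assumed host name: www.site1.com). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Place this rule before the existing force-HTTPS rule. It fires only
             for HTTPS requests whose Host header is NOT this site's own name,
             i.e. a user who typed https:// in front of one of the HTTP-only
             sites and clicked through the certificate warning. -->
        <rule name="Reject HTTPS for other host names" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <!-- {HTTPS} is "on" for requests that arrived over port 443. -->
            <add input="{HTTPS}" pattern="^on$" />
            <!-- negate: condition is true when the Host is anything other
                 than site1.com / www.site1.com. -->
            <add input="{HTTP_HOST}" pattern="^(www\.)?site1\.com$" negate="true" />
          </conditions>
          <!-- Option A: send the browser back to the plain-HTTP copy of the
               site it actually asked for. The http:// request then reaches the
               correct host-header site on port 80 and no redirect loop can
               occur, because only this site carries the force-HTTPS rule. -->
          <action type="Redirect" url="http://{HTTP_HOST}/{R:0}" redirectType="Found" />
          <!-- Option B (use instead of the Redirect action) if an error page is
               preferred over any redirect:
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="HTTPS is not offered for this host name." />
          -->
        </rule>
        <!-- The site's existing force-HTTPS rule for www.site1.com follows here. -->
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

One caveat, consistent with Arnold's point: this rule runs only after the TLS handshake, so the browser still shows the certificate-name mismatch warning before the redirect or 403 is ever sent. Which certificate is presented is decided by the IP:port binding in HTTP.SYS (see netsh http show sslcert), not by the host header, so on IIS 7.x this rule only controls what the user sees after clicking through the warning.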
exact1Author Commented:
Hi, can this reverse proxy be set up in IIS 7.5 or URL Rewrite (or similar)?
This particular web server is on its own internet connection and uses ISP / public DNS servers.
Currently it's the only server on that network; it actually uses our backup 75 Mbps fibre line, so it is isolated.

Windows 2008 R2 Web in a workgroup.

The difficulty with trying to do everything within one deals with the means.

If IIS 443 with the site certificate runs a script that checks the requested URL, it would then need to redirect to https://www.site1.com:<somenewport>.
With this, you run the risk that some/several users who use browsers that have built-in port redirection/protection will get an error page, such that the user will have to go through the configuration to identify this <somenewport> as trusted/valid.
This security feature, I think, exists in Chrome and Firefox.

In the IIS implementation you will have:
Site1: 80 and <somenewport>
Main SSL site with the www.site1.com certificate, running a detection script for the requested URL, which redirects to www.site1.com:<somenewport> or to the requested_URL non-secure connection error message.
Site2: 80
exact1Author Commented:
Hi Arnold, ok thanks for the info.
I am not entirely sure what I will do now, I thought it would be easier to solve.
IIS does not include an option for host headers on the SSL bindings.

Other than the issue with the single certificate, host headers are the only way IIS would have been able to differentiate after the SSL connection is established and the requested URL is decoded.

It could be easy to solve: there is a version of squid-cache that can run on Windows, which you can then set up as a reverse proxy. Though as noted, the only change will be that the user erroneously typing in https://www.site2.com will, after the certificate name mismatch error display, be directed to an error page of your choosing.
Viewing the certificate, the user will still see a message such as "you are trying to access www.site2.com while the certificate is for www.site1.com".
exact1Author Commented:
Thanks again Arnold, I will have a look at squid cache.
exact1Author Commented:
Hi, I have installed and can run squid cache; however, I'm not sure about any real configuration to complete this.
I assume the redirect pages will be in the squid.conf?

As a note, there are no local users to this server, just web based http and https.
The default configuration is as a proxy, you need to reconfigure it as a reverse proxy.


Test first by configuring the reverse proxy to use port 444.
Note you need to export the site1.com certificate and convert it to be used as the SSL endpoint.

It is up to you whether the access between the proxy and the site1.com will be secure or not.
The other item I forgot to mention: if site1.com access is important, then with the reverse proxy the IIS log will reflect the proxy as the requesting source for all access.

exact1Author Commented:
Thanks, I will award you the points and have a look at this.