IIS6 weirdness

on 06.11.2007 15:53:59 by Rob Nicholson

We've got an IIS 6 server that's got two HTTPS websites like this:

Website1, host header www.website1.com
    Folder1\Default.htm - says "Folder1"
    Folder2\Default.htm - says "Folder2"
Website2, host header www.website1.com
    Folder3\Default.htm - says "Folder3"
    Folder4\Default.htm - says "Folder4"

If you do https://www.website1.com/folder1/default.htm, it says "Folder1" as
expected. In fact, all of that works.

But if you type https://www.website2.com/folder1/default.htm it also
accesses "Folder1" quite happily and says "Folder1".

How is this happening!! Folder1 is under website1, not website2... we would
expect a page not found.

The folder structure under c:\inetpub is:

c:\inetpub\wwwroot
website1\folder1
website2\folder2
website3\folder3
website4\folder4

What logic is being undertaken when IIS receives a request to
https://www.website2.com/folder1/default.htm?

Thanks, Rob.

Re: IIS6 weirdness

on 06.11.2007 16:47:27 by Anthony Jones

"Rob Nicholson" wrote in message
news:Od$QeTIIIHA.4684@TK2MSFTNGP06.phx.gbl...
> We've got an IIS 6 server that's got two HTTPS websites like this:
>
> Website1, host header www.website1.com
>     Folder1\Default.htm - says "Folder1"
>     Folder2\Default.htm - says "Folder2"
> Website2, host header www.website1.com
>     Folder3\Default.htm - says "Folder3"
>     Folder4\Default.htm - says "Folder4"
>
> If you do https://www.website1.com/folder1/default.htm, it says "Folder1" as
> expected. In fact, all of that works.
>
> But if you type https://www.website2.com/folder1/default.htm it also
> accesses "Folder1" quite happily and says "Folder1".
>
> How is this happening!! Folder1 is under website1, not website2... we would
> expect a page not found.
>
> The folder structure under c:\inetpub is:
>
> c:\inetpub\wwwroot
> website1\folder1
> website2\folder2
> website3\folder3
> website4\folder4
>
> What logic is being undertaken when IIS receives a request to
> https://www.website2.com/folder1/default.htm?
>

The requests to website1 and website2 must arrive at the server on two
distinct IP addresses. The identity for each website must use one of these
IPs.

IOW, the host header mechanism for identifying the intended website does not
apply to SSL.


--
Anthony Jones - MVP ASP/ASP.NET

Re: IIS6 weirdness

on 06.11.2007 19:53:31 by Pierre-Andre van Leeuwen

...or two different ports on the same IP... so you can bind the second SSL
cert to Port 444 instead of 443 for example (if you only have one IP). You
would have to find a way of passing the port in the request if you wanted to
do it this way, such as:

https://www.website2.com/folder1/default.htm:444

Re: IIS6 weirdness

on 07.11.2007 11:11:20 by wjzhang

Hi Rob,

Host Header will not work with SSL because the whole HTTP package is
encrypted; IIS cannot dispatch requests to the proper web sites before
decrypting them (which needs certificates). Therefore, in a Web Site's
property -> Web Site tab, click Advanced and you will see there is no host
header available for secure binding (only IP & SSL Port).

In your current case, the site www.website2.com needs to be configured to
use another IP address (you also need to make a change in DNS). If there is
only one public IP address that can be used on the server, you should
consider specifying a non-default SSL port for it (e.g. 444).

Please update if you have any concern or questions on this.

Have a great day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: IIS6 weirdness

on 07.11.2007 18:11:03 by Rob Nicholson

> Please update if you have any concern or questions on this.

Thanks all - we will digest and have another look.

Cheers, Rob.

Re: IIS6 weirdness

on 08.11.2007 08:44:14 by wjzhang

You are welcome Rob. Please don't hesitate to post here again whenever you
meet any IIS issues.

Have a great day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

Re: IIS6 weirdness

on 08.11.2007 09:07:56 by Anthony Jones

"WenJun Zhang[msft]" wrote in message
news:54NAWaSIIHA.7444@TK2MSFTNGHUB02.phx.gbl...
> Hi Rob,
>
> Host Header will not work with SSL because the whole HTTP package is
> encrypted; IIS cannot dispatch requests to the proper web sites before
> decrypting them (which needs certificates). Therefore, in a Web Site's
> property -> Web Site tab, click Advanced and you will see there is no host
> header available for secure binding (only IP & SSL Port).
>
> In your current case, the site www.website2.com needs to be configured to
> use another IP address (you also need to make a change in DNS). If there is
> only one public IP address that can be used on the server, you should
> consider specifying a non-default SSL port for it (e.g. 444).
>
> Please update if you have any concern or questions on this.
>
> Have a great day.
>


Another alternative is to place an intelligent reverse proxy on the single
public IP, such as ISA server. It's the ISA box which handles the SSL
endpoint; it in turn uses straightforward HTTP to forward requests to the web
server.


--
Anthony Jones - MVP ASP/ASP.NET

Re: IIS6 weirdness

on 09.11.2007 19:06:15 by Rob Nicholson

> Another alternative is to place an intelligent reverse proxy on the single
> public IP, such as ISA server. It's the ISA box which handles the SSL
> endpoint; it in turn uses straightforward HTTP to forward requests to the
> web server.

Spookily that exact same subject came up today... we are thinking about
splitting our web hosting into separate virtual machines running on VMware
ESX server - primarily to allow the web apps to be updated separately but
also for disaster recovery.

The subject of "ohh, we'll need separate IP addresses per server" came up to
which the answer was "Is that what reverse proxy is all about?".

I like it when a subject comes together :-)

Cheers, Rob.

Re: IIS6 weirdness

on 10.11.2007 02:56:57 by David Wang

On Nov 9, 10:06 am, "Rob Nicholson" wrote:
> > Another alternative is to place an intelligent reverse proxy on the single
> > public IP, such as ISA server. It's the ISA box which handles the SSL
> > endpoint; it in turn uses straightforward HTTP to forward requests to the
> > web server.
>
> Spookily that exact same subject came up today... we are thinking about
> splitting our web hosting into separate virtual machines running on VMware
> ESX server - primarily to allow the web apps to be updated separately but
> also for disaster recovery.
>
> The subject of "ohh, we'll need separate IP addresses per server" came up to
> which the answer was "Is that what reverse proxy is all about?".
>
> I like it when a subject comes together :-)
>
> Cheers, Rob.


I don't think reverse proxy is going to help your SSL multiplexing
problem, unless you terminate all your SSL endpoints on the reverse
proxy and pass unencrypted traffic between the reverse proxy and each
proxied website.

You can't treat SSL just like "encrypted HTTP" traffic because it is
not. SSL is one level underneath HTTP, so HTTP-level concepts like
"Host Header" do not apply to designs with SSL. You only have IP and
Port to work with as endpoints with SSL, and you'll have to do some
fancy multiplexing of your own to get some of the other HTTP-level
behaviors. This fancy multiplexing is not comparable to a plain SSL
solution, so you can't just mix solutions back and forth... unless you
understand the underlying issue and how to work with it instead of
fighting it.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
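
Added example, not part of any post in this thread: a small Python model of the site selection the replies describe, where plain HTTP can match on the Host header but SSL can only match on IP and port, plus an audit that flags secure bindings shared by more than one site. The site table, the 192.0.2.x addresses, the function names and the first-match rule in resolve_ssl are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed site table in IIS 6 metabase notation (not from the thread):
# ServerBindings are "IP:Port:HostHeader", SecureBindings are "IP:Port:".
SITES = {
    "Website1": {"ServerBindings": ["192.0.2.10:80:www.website1.com"],
                 "SecureBindings": ["192.0.2.10:443:"]},
    "Website2": {"ServerBindings": ["192.0.2.10:80:www.website2.com"],
                 "SecureBindings": ["192.0.2.10:443:"]},
}

def parse(binding):
    """Split "IP:Port:Host" into (ip, port, host); empty ip/host mean 'any'."""
    ip, port, host = binding.split(":", 2)
    return ip, int(port), host.lower()

def resolve_http(sites, ip, port, host):
    """Plain HTTP: the Host header is readable, so it takes part in the match."""
    for name, cfg in sites.items():
        for bip, bport, bhost in map(parse, cfg["ServerBindings"]):
            if bip in ("", ip) and bport == port and bhost in ("", host.lower()):
                return name
    return None

def resolve_ssl(sites, ip, port):
    """SSL: the site (and its certificate) is chosen before anything is
    decrypted, so only IP and port are available; there is no host argument.
    Model assumption: the first matching site answers."""
    for name, cfg in sites.items():
        for bip, bport, _ in map(parse, cfg["SecureBindings"]):
            if bip in ("", ip) and bport == port:
                return name
    return None

def ssl_collisions(sites):
    """Audit: secure endpoints (IP, port) claimed by more than one site."""
    owners = defaultdict(list)
    for name, cfg in sites.items():
        for bip, bport, _ in map(parse, cfg["SecureBindings"]):
            owners[(bip, bport)].append(name)
    return {ep: names for ep, names in owners.items() if len(names) > 1}

def with_secure_binding(sites, name, binding):
    """Return a copy of the table with one site's secure binding replaced."""
    fixed = {n: dict(c) for n, c in sites.items()}
    fixed[name]["SecureBindings"] = [binding]
    return fixed
```

Running ssl_collisions over an exported binding list is a quick check for the situation in the first post; an empty result means every secure endpoint maps to exactly one site.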