Iis – Is it safe to use an empty binding in IIS

bindingsiis

I want to show a specific page for unbound HTTPS URLs.
I have set up a basic website with an empty HTTPS binding, and this seems to work ok.

Am I right in thinking it is acting as a 'catch-all' for any HTTPS URLs that aren't already bound to other sites?
Is there a chance it may 'catch' valid URLs that are in a binding?

In what order does IIS match a URL against bindings?

Best Answer

Yes you are correct, an empty host name for an https binding catches all requests not already handled by other sides on the server. The IP addresses still play a role as well, if you have multiple ones.

IIS matching more specific bindings firsts, so one with no host name will be very low in the order.

Any requests to that site will most likely result in a certificate error and the requested host name and the name in the certificate for the site will most likely be different.

I am running catch-all sites on my IIS servers for over ten years and never seen and problems with it.

Related Solutions

Iis – How to run VisualSVN Server on port 443 running IIS on same server

Already answered there. Use the following command:

netsh http add iplisten ipaddress=x.x.x.39

Ssl – SNI and wildcard SSL certificates on the same server with IIS

Baris is right! The SSL certificate configured on an IP:PORT binding (example: 100.74.156.187:443) always takes precedence in http.sys! So the solution is as follows:

Do not configure an IP:443 binding for your wildcard-fallback-certificate but configure a *:443 binding (* means "All Unassigned") for it.

If you have configured your wildcard certificate on the Azure Cloud Service SSL endpoint (as i have) you have to change the SSL binding created by the Azure Cloud Service Runtime (IISconfigurator.exe) from IP:PORT to *:PORT. I am calling the following method in OnStart of my web role:

public static void UnbindDefaultSslBindingFromIp()
{
    Trace.TraceInformation(">> IISTenantManager: Unbind default SSL binding from IP");
    using (var serverManager = new Microsoft.Web.Administration.ServerManager())
    {
        try
        {
            var websiteName = string.Format("{0}_Web", Microsoft.WindowsAzure.ServiceRuntime.RoleEnvironment.CurrentRoleInstance.Id);
            var site = serverManager.Sites[websiteName];
            var defaultSslBinding = site.Bindings.Single(b => b.IsIPPortHostBinding && b.Protocol == "https");
            defaultSslBinding.BindingInformation = string.Format("*:{0}:", defaultSslBinding.EndPoint.Port);
            serverManager.CommitChanges();
        }
        catch (Exception ex)
        {
            Trace.TraceError(ex.ToString());
        }
    }
}

The following screenshot shows a working configuration of our cloud service. Please don't be confused about the non-standard ports. The screenshot is from the emulated cloud service.

working IIS configuration

One further thing to mention: Do not change all bindings to * because the HTTP (port 80) binding only works with IP:PORT binding in the deployed cloud service. Something else is bind to IP:80 so *:80 does not work because * stands for "all unassigned" and the IP is already assigned somewhere else in http.sys.

Best Answer

Related Solutions

Iis – How to run VisualSVN Server on port 443 running IIS on same server

Ssl – SNI and wildcard SSL certificates on the same server with IIS

Related Topic