Ssl – How to remove the default host header for SSL requests in IIS6

host-headershttpsiis-6ssl

I have multiple sites setup on IIS 6 with host headers. One of those sites has an SSL certificate installed. So now if any of the non-SSL-enabled sites is requested with HTTPS it loads the SSL-enabled site and gives a security warning.

How can I prevent the non-SSL sites from loading anything if they are requested with https? I would prefer it to throw the standard "Server not found" message. Is that possible?

Best Answer

The only way to achieve this with IIS 6 is to put the SSL-enabled site onto its own IP address and set IIS up not to listen on port 443 of the main IP address.

In SSL (without Server Name Indication - not yet supported by IIS), the client validates the server's certificate before it sends the requested hostname to the server. The server has to choose a certificate to send based on just the IP address.

Related Solutions

IIS6 Website Presenting Wrong SSL Certificate – Fix Guide

SSL certificates are bound to the internal IP address of the web server, not the external IP addresses.

Let's say you have foo.example.com bound to Public IP A and bar.example.com on Public IP B, but your web server only has the IP address 192.168.0.1

Whether the request comes in on IP A or IP B, it is still going to end up at 192.168.0.1. Which means that IIS has no choice but to use the certificate that is assigned to foo.example.com.

To work around this issue, you will need to have multiple IP addresses assigned to your web server. This is easy to do. Speak to your sysadmin to have some IP's removed from the DHCP range (or ask him/her which ones you can use), then go to your properties for the network card (Control Panel > Network Connections), and go to the properties for TCP/IP.

You will need to have a static IP enabled in the first place (being a server I hope this is done anyway), and then click Advanced, and under the box for "IP addresses" click "Add" - and enter the new IP addresses you've been assigned by your sysadmin (Let's say 192.168.0.2).

Then, at your router, you need to ensure that requests from IP A on port 443 go to 192.168.0.1 and that all other requests on port 443 go to 192.168.0.2.

Then, in your IIS configuration, you need to bind the SSL Cert from foo.example.com to 192.168.0.1, and bind the rest to 192.168.0.2 (or leave as All Unassigned, as you have).

If this doesn't work, or you already have this configured, update your question and leave a comment to let us know.

Update: I just saw your comments, thanks for the update. You will need to ensure foo.example.com and bar.example.com are on two different public IP addresses. The reason being that because the packets are encrypted, there's no way you can use hostname based routing to send the request to the right IP address (I believe this is the case. If anyone knows different, let me know). The only part of the request that's visible to the routers is the destination IP. This is why you can only have one SSL per IP address. So you will need to have public IP's for this to work, and in your DNS an A record for bar.example.com that is different to foo.example.com.

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Best Answer

Related Solutions

IIS6 Website Presenting Wrong SSL Certificate – Fix Guide

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Related Topic