Another HTTP to HTTPS question

4 replies

Last post Aug 06, 2019 08:03 PM by Rovastar

  • Another HTTP to HTTPS question

    Jul 31, 2019 04:40 PM | SNarciso

    Hello,

    With some help I managed to build my proxy scenario. When testing, the HTTP to HTTPS redirect works well without the certificate, but not with the real certificates deployed: all requests are going to the main certificate, even though the proxy redirection is going to the right place. The redirect that worked before SSL was like this: https://{HTTP_HOST}{REQUEST_URI}

    Limitations:

    Because I have SBS2008, there are some issues that I managed to overcome.

    I am using Certify Certificate Management version 3 for automatic SSL renewal (only version 4 has wildcard certificates).

    I have only one public IP, so I have to configure the bindings with Host Names.

    To configure Host Names for HTTPS, I used some PowerShell commands like "New-WebBinding" and "get-item cert:\LocalMachine\MY\".

    Sites:

    "Default Web Site": there is nothing here, only a port 80 binding to mainsite.example.com.

    It doesn't have URL Rewrite rules.

    "SBS Web Applications" is where I have Exchange, OWA, etc. I installed the main SSL certificate and it is working well.

    I have a port 80 binding to Host Name Sites and an HTTPS binding to Host Name mainsite.example.com, all to the IP 192.168.0.1, not *.

    It doesn't have URL Rewrite rules.

    "Secondary Web Site": port 80 binding to Host Name secondary.example.com, IP 192.168.0.1.

    Port 443 binding to Host Name secondary.example.com, IP *, with SSL certificate secondary.example.com.

    If I make an HTTP request to http://secondary.example.com, it is proxied/redirected to the correct internal website.

    If I make an HTTPS request with the following URL Rewrite rule in place, it redirects to the correct website but gives a certificate error, because it is using the mainsite.example.com certificate.

    <rule name="Redirect HTTP to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" ignoreCase="true" />
        <conditions>
            <add input="{HTTPS}" pattern="off" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
    </rule>

    Any help will be appreciated, thanks.

  • Re: Another HTTP to HTTPS question

    Aug 01, 2019 08:36 AM | Able

    Hi SNarciso,

    SNarciso wrote: "correct internal website"

    According to your description, could you please tell me what this "correct internal website" means? It seems that the issue is the binding between domain name and certificate.

    Best Regards

    Able

  • Re: Another HTTP to HTTPS question

    Aug 01, 2019 09:04 AM | SNarciso

    Hi Able,

    Well, that binding and proxy redirect was a little complex and was discussed in my previous post: https://forums.iis.net/t/1243424.aspx?IIS+Reverse+Proxy+to+a+specific+internal+URL+scenario

    In summary, my internal website only accepts connections from the full external FQDN name on port 88, so I had to create a domain DNS reference to that machine and that FQDN so that I can accomplish the rewrite I need.

    About the site bindings themselves in IIS: I checked several times and "Secondary Web Site" has the correct certificate for host name "secondary.example.com". Besides, the HTTP to HTTPS rule is only defined in this "Secondary Web Site" and is working (but with the wrong certificate). If I disable this rule I can get the website "http://secondary.example.com" without the redirect to HTTPS, so it's reaching the correct binding, but... why is it using the wrong certificate?

  • Re: Another HTTP to HTTPS question

    Aug 06, 2019 06:16 PM | SNarciso

    After some tests and research I found out that what I intend to do is not possible in version 7 of IIS; that's why IIS is using the same SSL certificate even if I bind to a different one.

    Before IIS 8, you could host multiple sites needing SSL on a single IP address if the sites used the same SSL certificate or a wildcard SSL certificate.

    Because I have only one IP address and different domains, a wildcard certificate is not the answer, and so I am stuck at this point.

    I was thinking of another way to do this, so I need your help. I have this in mind:

    • The internet URL needs to come from http or https without a port number
    • I have another internal secondary server that is running IIS 8. I was thinking of redirecting the URL from IIS 7 to IIS 8 (SSL certificate here) and then to the final Linux server. What is the best way to do this?

  • Re: Another HTTP to HTTPS question

    Aug 06, 2019 08:03 PM | Rovastar

    Yes, IIS7/Windows 2008 doesn't have SNI, so trying to bind to multiple stuff is not easy.

    You will need multiple IPs/ports for this.

    It would be easier moving to 2016, where you have SNI as well as wildcard domains on the same IP. It makes life a lot easier managing multiple sites on the same box.

    Troubleshoot IIS in style
    https://www.leansentry.com/
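
What the SNI setup discussed in this thread could look like on IIS 8 or later (Windows Server 2012 and up), as an added example that is not part of the original posts. It assumes both sites from the thread exist on the newer server under the same names, that their certificates are already in LocalMachine\My, and that no HTTPS binding for these host names exists yet.

```powershell
# Added example: one IP, two HTTPS sites, each with its own certificate via SNI.
# Site and host names are taken from the thread and assumed to exist on this server.
Import-Module WebAdministration

$sites = @{
    'SBS Web Applications' = 'mainsite.example.com'
    'Secondary Web Site'   = 'secondary.example.com'
}

foreach ($site in $sites.Keys) {
    $hostName = $sites[$site]

    # Newest unexpired certificate whose subject names this host.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$hostName*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No valid certificate found for $hostName; skipping $site"
        continue
    }

    # SslFlags 1 = SNI required: HTTP.sys picks the certificate by the host name
    # sent in the TLS handshake instead of by IP:port, which is all IIS 7 can do.
    if (-not (Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName)) {
        New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' `
            -HostHeader $hostName -SslFlags 1
    }

    # Attach the certificate to that host-name binding.
    $binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Check 1: every HTTPS binding should show sslFlags = 1 and its own certificate hash.
Get-WebBinding -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash

# Check 2: HTTP.sys lists SNI bindings as "Hostname:port" and legacy ones as "IP:port".
# Two sites sharing one "IP:port" entry is the IIS 7 symptom described above.
netsh http show sslcert
```

On the SBS 2008 / IIS 7 box, running only `netsh http show sslcert` shows the single IP:port entry whose certificate is served for every host name on that address. Clients that do not send SNI get no certificate from SNI-only bindings unless a default IP:port binding is also present.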