
I have a cluster of IIS servers sitting behind a load balancer at a vendor. The vendor's load balancer determines if the server is functional by accessing a special monitoring page on the server, and the URL it uses for this is the server's local IP + the path of the monitoring page. It looks at both HTTP and HTTPS versions of this webpage, and won't direct traffic to port 80 unless the HTTP version is up, and won't direct traffic to 443 unless the HTTPS version of the page is up.

This was fine previously, because we could just make a blank binding in IIS, and the web page would respond to requests made with the IP as the URL. Obviously there would be certificate errors when the load balancer accesses the SSL version of the monitoring page, but that was fine because the load balancer was just looking for PASS/FAIL on the monitoring page, it doesn't care about SSL errors.

HOWEVER, now we have a requirement to host multiple domains on these IIS servers, with completely different SSL certificates. This becomes a problem for us, because if you have any HTTPS bindings that don't have "REQUIRE SERVER NAME INDICATION" checked, IIS will dumbly use whatever certificate that binding uses for every SSL request made to the server, even if they explicitly specify a different certificate. And obviously, IIS won't let you check "REQUIRE SERVER NAME INDICATION" on a blank binding, and if you try to manually set that flag on the binding in applicationhost.config, the binding simply doesn't function.

So what I'd like to do is add a binding with the IP address as the host name. IIS won't let you do it in the GUI, but again, you can just manually do it in applicationhost.config. This works just fine for the HTTP binding. The problem is, when you try to do it for the HTTPS binding, you end up with a binding that doesn't have "REQUIRE SERVER NAME INDICATION," which means whatever certificate that binding uses gets used for every SSL request made to the server, and I'm right back at square one. Trying to add that RSNI flag manually in applicationhost.config results in a binding that doesn't work, same as if you try that trick on the blank binding.

I'm at a bit of a loss here. Obviously the correct solution is to just have the load balancer use a proper URL, but that seems to be a very heavy lift for our vendor for some reason, so I'm looking for alternative solutions.

  • From https://serverfault.com/questions/579109/sni-and-wildcard-ssl-certificates-on-the-same-server-with-iis: *"Do not configure an IP:443 binding ... but configure a \*:443 binding (\* means "All Unassigned") ...."* – Steffen Ullrich Jun 04 '21 at 19:01
  • Hmm, that seemed promising, but it didn't work. I ran into the same issue, where the new domains still end up using the certificate from the *:443 binding. – el_pinko_grande Jun 04 '21 at 20:16
  • https://docs.jexusmanager.com/tutorials/https-binding.html What you really need deep down inside is a few IP based certificate bindings in Windows HTTP API. – Lex Li Jun 04 '21 at 21:31
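Lex Li's comment points one layer below IIS, at the SSL bindings HTTP.sys itself holds. The following is an added PowerShell example, not code from the question or the commenters, that lists those bindings and then adds an IP-based binding for the load balancer's by-IP probe alongside SNI (hostname) bindings for each hosted domain. The IP address, thumbprints and host names are placeholders; the appid is the one IIS registers with HTTP.sys. The page does not confirm that this resolves the asker's problem.

```powershell
# Added example, not from the question or comments. Run in an elevated PowerShell
# on the IIS server. All values marked "placeholder" must be replaced.
$serverIp    = '10.0.0.5'                    # placeholder: local IP the load balancer probes
$monitorCert = 'THUMBPRINT_OF_MONITOR_CERT'  # placeholder: any cert; the LB ignores TLS errors
$appId       = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'  # application id IIS uses in HTTP.sys

# 1. Inspect what HTTP.sys currently has. Look for an "IP:port" entry with no
#    matching "Hostname:port" entries: that is the situation the question describes,
#    where one certificate answers every TLS handshake regardless of SNI.
netsh http show sslcert

# 2. IP-based binding (no SNI) for the monitoring URL requested by IP address.
netsh http add sslcert ipport="$($serverIp):443" certhash=$monitorCert appid=$appId certstorename=MY

# 3. Hostname-based (SNI) bindings, one per hosted domain, each with its own certificate.
$sites = @{
    'www.example.com'  = 'THUMBPRINT_SITE_A'   # placeholder thumbprints
    'shop.example.net' = 'THUMBPRINT_SITE_B'
}
foreach ($host in $sites.Keys) {
    netsh http add sslcert hostnameport="$($host):443" certhash=$sites[$host] appid=$appId certstorename=MY
}

# 4. Re-list to verify: the IP entry and the per-hostname entries should now coexist.
netsh http show sslcert
```

Because HTTP.sys is what terminates TLS, `netsh http show sslcert` is the check to run whenever an IIS binding change does not produce the certificate you expect, independent of what the IIS Manager GUI displays.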

0 Answers