2

The server is running Windows Server 2019 Standard with IIS 10, and it has two network interfaces with public IPs (198.51.100.1 and 203.0.113.1)

My desired setup:

  • IIS: 198.51.100.1 on port 80
  • IIS: 198.51.100.1 on port 443
  • IIS: 203.0.113.1 on port 80
  • nginx: 203.0.113.1 on port 443

But after IIS started, the http.sys (PID=4) starts listening 80 and 443 ports on all IPs:

  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:443               [::]:0                 LISTENING       4

I can limit to particular address with 'netsh http add iplisten' command, but I want to use both 198.51.100.1 and 203.0.113.1 address in IIS. Iplisten is not allowed to specify ports.

And I don't want to use reverse proxy...

Anyone know how I can use 443 in both IIS and nginx?

Tero Kilkanen
  • 34,499
  • 3
  • 38
  • 58
crazyman
  • 116
  • 5
  • 1
    Can't you use Site ==> Bindings in IIS Manager to stop listening to any/all IP's and limit IIS to only the specific IP-address 1.1.1.1 for port 443 , leaving the 2.2.2.2:443 IP-address:port free for nginx to bind to? – Bob Feb 10 '22 at 16:16
  • IIS bindings are set to specific addresses (based on my desired setup). However, http.sys is listening on all addresses, 0.0.0.0:80 and 0.0.0.0:443. – crazyman Feb 11 '22 at 15:20

1 Answers1

1

You'll need to use NETSH to configure the system to only let http.sys capture specific addresses (by default it captures wildcard, as you see in your included NETSTAT)

Try running these from an elevated command prompt (after stopping the IIS service)

netsh http delete iplisten 0.0.0.0
netsh http add iplisten 198.51.100.1:80
netsh http add iplisten 198.51.100.1:443
netsh http add iplisten 203.0.113.1:80

That should reconfigure the http.sys to only listen on the specified IP:Port combinations, and not proactively capture every :80 and :443 on the system.

Important note -- do remember that you've now limited the IP-port combinations that IIS is capable of answering (regardless of how you configure bindings on sites within IIS Admin). If you need to add more IPs and/or Ports in the future, you'll have to perform additional netsh http add iplisten commands.

Ruscal
  • 1,223
  • 6
  • 13
  • I don't have a 2019 server to play around with, but I just looked up the MS Docs spec on this command, and it has changed since I last used it. The current spec shows that it doesn't use (and will ignore) the port number -- meaning that this might not work for splitting 203.0.113.1 across both IIS and nginx. You might have to forfeit that whole IP from IIS and not run a :80 site on it) . YMMV, so give it a test run first. But I'm seeing that in the docs now. https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-http#add-iplisten – Ruscal Feb 15 '22 at 14:50
  • Really, we can't specify the port in the netsh http iplisten command (on 2019 and also on 2016 or on 2008). In the original post I mentioned this. – crazyman Feb 17 '22 at 15:21
  • I'm sorry @crazyman , I don't know how I read that a few times and continually missed that you'd already determined iplisten wouldn't work. I would have sworn that I was able to use the ports in 2008r2, but really it has been long enough that it could have been 03. I just dove through the docs again and don't see anything current that'll limit http.sys to specific ports. – Ruscal Feb 18 '22 at 15:14
  • No problem. Maybe it was 2003. In 2008r2 you certainly cannot specify a port https://paste.pics/8777daa1495927d741c6d3e7831e9f23 – crazyman Feb 18 '22 at 16:39