I have two websites: Prod and Train

In my hosts file I have two entries:

xxx.xx.xxx.xxx    prod.site.com  
xxx.xx.xxx.xxx    train.site.com

I have two separate websites set up in IIS7, Prod and Train.

The Prod site has the following bindings:

http   Prod   80   *
https         443  *

The Train site has:

http   Train  80   *

http:// works for train but not prod (which has the require SSL flag enabled) and https:// works for both, except that https://train.site.com is loading the production website instead of the training one.

This is probably a stupid question, but how can I change the bindings so that https://train.site.com does not work or at least redirects to http://? If someone accidentally types https:// I don't want them to start messing around with a production site thinking that they are in training.

I have a vague idea of why it is doing this, but no idea how to fix it without breaking production.

  • 451
  • 7
  • 22

1 Answers1


Your prod site is accepting all https connections on all IP addresses and serving them regardless of the host header presented by the client.

To change that binding to only accept connections that have the correct host header, you'll need to break out the IIS command line tools. Delete the existing https binding that accepts all requests, then run something like this in an (UAC-escalated) command prompt, substituting my assumption about the IIS site name for the correct info:

cd \windows\system32\inetsrv
appcmd set site /site.name:"prod" /+bindings.[protocol='https',bindingInformation='*:443:prod.site.com']
Shane Madden
  • 112,982
  • 12
  • 174
  • 248
  • thanks. Is there any way to do this via the IIS Manager though? Would this have the same affect as just adding the host name to the https binding through the dialog? – Brandon Mar 23 '11 at 22:02
  • @Brandon SSL bindings don't let you put a host name in, since that would falsely imply that IIS supported [SNI](http://en.wikipedia.org/wiki/Server_Name_Indication) - they make you work for it! – Shane Madden Mar 23 '11 at 22:06
  • so then what does that command line do? Is it essentially the same thing as if IIS Manager actually let me put in a host name? I won't actually be the one making the change, which is why I was hoping for a solution via GUI, not a command line one I can't explain :P – Brandon Mar 23 '11 at 22:09
  • 2
    Yes - it edits the Bindings section of applicationhost.config, adding an https binding with a host header. – TristanK Mar 23 '11 at 22:24