I'm having a problem getting my IIS 8.5 server to behave as desired. I am attempting to host two domains on the same IP address, both on HTTPS, using separate webservers.
Naturally, IIS is set up as my "primary" webserver, listening on 80 & 443. One domain is set up here with an SSL cert. I'm using the "URL Rewrite" mod to send insecure traffic over to the secure side. The other domain is set up as a virtual host and uses the "HTTP Redirect" feature to send traffic to the second webserver. For the second webserver, I have Apache 2.4 listening on 8443, also with a cert.
So, briefly:
http://example1.com -> URL Rewrite -> https://example1.com
https://example1.com -> resolves and served from IIS
http://example2.com -> HTTP Redirect -> https://example2.com:8443
https://example2.com:8443 -> resolves and served by Apache
My problem is that after a browser (FF or Chrome) visits http://example2.com and is redirected to https://example2.com:8443, subsequent visits always go to https://example2.com (without the port). This fails because during the SSL handshake, the browser is given example1's certificate.
I've tracked this down to these two browsers relying on HSTS. As soon as I clear the HSTS cache, they're able to find the correct site (with the port) again.
How can I get this setup to work smoothly? I don't see anything in Apache's conf that is setting HSTS, so I assume it's in the IIS redirect. I looked at this answer discussing HSTS on IIS, thinking I could modify Doug's suggestion to set the max-age to zero to prevent it from being set, but it doesn't seem to work.
Solution:
Based on the suggestion below, the best solution is to host both domains in IIS, bind the SSL certs and check the "Require Server Name Indication" box in the binding. I had to do it to all domains sharing the IP. Then I could create a reverse proxy (URL Rewrite & Application Request Routing modules required) that would hand off traffic to the Apache-hosted instance.
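The solution above expressed as a script, added here as an example and not part of the original post: it creates SNI-flagged HTTPS bindings for both domains on the shared IP, enables the ARR proxy, and drops a URL Rewrite reverse-proxy rule into example2's site root. The site names, certificate thumbprints and the site path are placeholders the post does not give.

```powershell
# Added example (not from the original post). Assumes the IIS sites are named
# after their host names, that both certificates are in the LocalMachine\My
# store, and that example2's site root is C:\inetpub\example2. Adjust to taste.
Import-Module WebAdministration

# Placeholder thumbprints: replace with the real ones for each certificate.
$certs = @{
    'example1.com' = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT-EXAMPLE1>'
    'example2.com' = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT-EXAMPLE2>'
}

foreach ($hostname in $certs.Keys) {
    # SslFlags 1 = "Require Server Name Indication". Every HTTPS binding on
    # the shared IP needs it; otherwise IIS cannot pick the certificate by
    # host name during the TLS handshake and hands out the wrong one.
    New-WebBinding -Name $hostname -Protocol https -Port 443 `
        -HostHeader $hostname -SslFlags 1

    # Attach each certificate to its host-name-specific SSL binding.
    New-Item -Path "IIS:\SslBindings\!443!$hostname" `
        -Value $certs[$hostname] -SSLFlags 1
}

# ARR must be installed and its proxy feature switched on before a Rewrite
# action that targets another host will be forwarded instead of rejected.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/proxy' -Name 'enabled' -Value $true

# Reverse-proxy rule for example2.com. Browsers now only ever see
# https://example2.com on 443, so a cached HSTS entry for that host lands on
# the correct SNI binding instead of example1's certificate. Apache keeps
# listening on 8443 with its own cert; the host name in the target URL keeps
# the backend certificate matching.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Proxy to Apache" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="https://example2.com:8443/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@
Set-Content -Path 'C:\inetpub\example2\web.config' -Value $webConfig -Encoding UTF8
```

Once the proxy is in place, the HTTP Redirect to port 8443 on the example2 site should be removed so the browser never learns the port-qualified URL again.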