
I'm having a problem getting my IIS 8.5 server to behave as desired. I am attempting to host two domains on the same IP address, both on https, using separate webservers.

Naturally, IIS is set up as my "primary" webserver, listening on 80 & 443. One domain is set up here with an SSL cert. I'm using the "URL Rewrite" mod to send insecure traffic over to the secure side. The other domain is set up as a virtual host and uses the "HTTP Redirect" feature to send traffic to the second webserver. For the second webserver, I have Apache 2.4 listening on 8443, also with a cert.

So, briefly:

http://example1.com -> URL Rewrite -> https://example1.com
https://example1.com -> resolves and is served from IIS

http://example2.com -> HTTP Redirect -> https://example2.com:8443
https://example2.com:8443 -> resolves and is served by Apache

My problem is that after a browser (FF or Chrome) visits http://example2.com and is redirected to https://example2.com:8443, subsequent visits always go to https://example2.com (without the port). This fails because during the SSL handshake, the browser is given example1's certificate.

I've tracked this down to these two browsers relying on HSTS. As soon as I clear the HSTS cache, they're able to find the correct site (with the port) again.

How can I get this setup to work smoothly? I don't see anything in Apache's conf that is setting an HSTS, so I assume it's in the IIS redirect. I looked at this answer discussing HSTS on IIS, thinking I could modify Doug's suggestion to set the max-age to zero to prevent it from being set, but it doesn't seem to work.

Solution:

Based on the suggestion below, the best solution is to host both domains in IIS, bind the SSL certs and check the "Require Server Name Indication" box in the binding. I had to do it for all domains sharing the IP. Then I could create a reverse proxy (URL Rewrite & Application Request Routing modules required) that would hand off traffic to the Apache-hosted instance.

end-user

1 Answer


You can't with your current setup.

The HSTS RFC states the following:

The UA MUST replace the URI scheme with "https" [RFC2818], and

if the URI contains an explicit port component of "80", then the UA MUST convert the port component to be "443", or

if the URI contains an explicit port component that is not equal to "80", the port component value MUST be preserved; otherwise,

if the URI does not contain an explicit port component, the UA MUST NOT add one.

NOTE: These steps ensure that the HSTS Policy applies to HTTP over any TCP port of an HSTS Host.

So going to http://www.example2.com:8443 will preserve the port and redirect to https://www.example2.com:8443 but you cannot do the same from http://www.example2.com.

So you've the following choices:

  1. Stop using HSTS in Apache for example2.com and only use it in IIS for example1.com

  2. Use one main server to listen to port 80 and 443 and proxy requests for example2.com to the other server on port 8443. This is much cleaner as it doesn't require the use of non-standard ports like 8443 by the user. However, as you are using the same IP address for both, you either have to use a process called Server Name Identification or SNI (which is not supported by older browsers like XP/IE8) to correctly serve the same hosts over the same IP address for HTTPS, or use the same cert for both sites as a workaround (see answer here for an explanation of how that works).

Barry Pollard
  • Well, not quite? I'm using IIS for both domains, and Apache is *only* on example2:8443 – end-user Apr 07 '16 at 17:07
  • So direct all your Apache through IIS instead of going directly to Apache on a non-standard port. – Barry Pollard Apr 07 '16 at 17:22
  • I don't understand. How would IIS hand-off traffic to Apache? – end-user Apr 07 '16 at 17:27
  • It can proxy requests. So requests to example2.com:443 could be handled by IIS and proxied off to example2.com:8443 being run by Apache. Or, for example, example2.com:8080, since IIS handles the HTTPS and the call to Apache is internal, so it can perhaps be across HTTP rather than HTTPS. Fairly standard to have one SSL termination server and a number of backend servers off of that. – Barry Pollard Apr 07 '16 at 18:24
  • But the problem here is that the SSL handshake happens first. So if the request goes to IIS, it sends wrong cert. I'm trying to figure out how to ensure the UA will connect to the right host & port. – end-user Apr 07 '16 at 18:58
  • Set up both sites on IIS with two different certs. IIS should return the appropriate cert based on the ServerName requested. This is made possible by a feature called Server Name Identification which IIS has supported since version 8. IIS can then still proxy any requests to the second site off to the Apache instance so it does the actual work - but crucially the user will be connected to IIS via the standard 443 port and so will just see https://www.example2.com rather than https://www.example2.com:8443. Thereby resolving your original question. – Barry Pollard Apr 07 '16 at 19:10
  • AHA! Ok, I didn't know I could do it this way. That did indeed fix the problem. – end-user Apr 08 '16 at 13:22
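The failure described in the question and the RFC 6797 port rules quoted in the answer can be reproduced in a small model. The following is an added example, not code from either poster: `hsts_rewrite` implements the section 8.3 URI rewriting exactly as quoted, and `Browser`/`build_setup` model the asker's two layouts (the original IIS-redirects-to-Apache:8443 layout, and the accepted fix where IIS binds example2.com on 443 with SNI and proxies to Apache internally). The hostnames, the listener and route tables, the certificate names and the `max-age=31536000` HSTS value are all constructed stand-ins; the thread never shows which server actually emitted the header, so the model simply assumes the example2 backend does.

```python
"""Model of the redirect / HSTS / SNI interaction from the thread (added example)."""
from urllib.parse import urlsplit, urlunsplit


def hsts_rewrite(url: str) -> str:
    """RFC 6797 section 8.3 rewriting of an http:// URI for a known HSTS host.

    Scheme becomes https; an explicit port 80 becomes 443; any other explicit
    port is preserved; if there is no explicit port, none is added (so the
    browser ends up on 443, never on 8443).
    """
    p = urlsplit(url)
    if p.scheme != "http":
        return url
    if p.port is None:
        netloc = p.hostname
    elif p.port == 80:
        netloc = f"{p.hostname}:443"
    else:
        netloc = f"{p.hostname}:{p.port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def build_setup(sni_fix: bool):
    """Constructed tables for the two layouts discussed (hostnames are stand-ins).

    listeners: port -> certificate picked by SNI name, else the default cert.
    routes:    (scheme, host, port) -> ("redirect", location) or
               ("ok", body, Strict-Transport-Security header value or None).
    """
    hsts = "max-age=31536000"  # assumed value; the thread never shows the header
    listeners = {
        443: {"default": "example1.com",
              "sni": {"example2.com": "example2.com"} if sni_fix else {}},
        8443: {"default": "example2.com", "sni": {}},
    }
    routes = {
        ("http", "example1.com", 80): ("redirect", "https://example1.com/"),
        ("https", "example1.com", 443): ("ok", "IIS:example1", hsts),
        ("https", "example2.com", 8443): ("ok", "Apache:example2", hsts),
    }
    if sni_fix:  # accepted solution: IIS terminates TLS on 443 and proxies to Apache
        routes[("http", "example2.com", 80)] = ("redirect", "https://example2.com/")
        routes[("https", "example2.com", 443)] = ("ok", "IIS->Apache:example2", hsts)
    else:        # original layout: HTTP Redirect straight to Apache on 8443
        routes[("http", "example2.com", 80)] = ("redirect", "https://example2.com:8443/")
    return listeners, routes


class Browser:
    """Minimal UA: follows redirects, remembers HSTS hosts, checks the served cert."""

    def __init__(self):
        self.hsts_hosts = set()

    def note_hsts(self, host: str, header):
        """Record (or, for max-age=0 per RFC 6797 6.1.1, forget) an HSTS host."""
        if header is None:
            return
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                if int(value) == 0:
                    self.hsts_hosts.discard(host)
                else:
                    self.hsts_hosts.add(host)

    def fetch(self, url: str, listeners, routes, max_hops: int = 5):
        for _ in range(max_hops):
            p = urlsplit(url)
            if p.scheme == "http" and p.hostname in self.hsts_hosts:
                url = hsts_rewrite(url)          # HSTS kicks in before any request
                p = urlsplit(url)
            port = p.port or (443 if p.scheme == "https" else 80)
            if p.scheme == "https":              # TLS handshake happens first
                listener = listeners.get(port)
                if listener is None:
                    return ("connection refused", url)
                cert = listener["sni"].get(p.hostname, listener["default"])
                if cert != p.hostname:
                    return ("tls_error", f"{url} presented the cert for {cert}")
            route = routes.get((p.scheme, p.hostname, port))
            if route is None:
                return ("404", url)
            if route[0] == "redirect":
                url = route[1]
                continue
            _, body, hsts = route
            if p.scheme == "https":              # STS is only honoured over TLS (RFC 6797 7.2)
                self.note_hsts(p.hostname, hsts)
            return ("ok", body)
        return ("too many redirects", url)


def reproduce(sni_fix: bool):
    """Two visits to http://example2.com/ in a fresh browser: first and second result."""
    listeners, routes = build_setup(sni_fix)
    browser = Browser()
    first = browser.fetch("http://example2.com/", listeners, routes)
    second = browser.fetch("http://example2.com/", listeners, routes)
    return first, second
```

Without the fix, the first visit succeeds via the redirect to port 8443 and the second fails in the handshake with example1's certificate, which is exactly the symptom in the question; with SNI bindings on 443 both visits succeed and the user never sees a non-standard port. The `max-age=0` branch shows why the asker's attempt did not help: a zero max-age only clears an existing entry, and it is only processed on the response the browser receives over HTTPS from the host in question, not on the redirect from IIS.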