
I am looking at how to force an exact hostname match within IIS when using https. For instance, I want "https://works.mysite.com/resource" to be ok, but "https://noworks.mysite.com/resource" to return 404 (assuming they both resolve to the same IP).

IIUC, the default behavior of IIS when going to "https://noworks.mysite.com/resource" is to get a cert warning; if the user presses continue, the user is able to access the URL.

I was able to do this by generating a *.mysite.com SSL cert and then specifying the hostname within the bindings in IIS, but without the * at the beginning, the hostname field is disabled and blank.

Am I missing something simple here?

iis_newbie
  • Yes -- IIS (even 7.5) does not support host names when processing HTTPS requests -- SSL is bound to an IP:port pair and is processed like that. There is some workaround (to allow the same cert to be used on multiple sites) but that still does not solve the issue for you. Better to do what you did already -- wildcard certificate and then a rewrite rule. – LazyOne Jun 20 '12 at 15:10
  • @LazyOne: Not true. Someone's already beaten me to the answer below. You can't bind host headers with SSL in the IIS Manager, but you can do it using AppCmd or PowerShell. – abitgone Jun 20 '12 at 15:22
  • @abitgone IIS 7.x does not support hostnames for HTTPS because it works on IP:port pairs (just a reminder, in case you are not aware: SSL connection/handshake occurs **before** HTTP part kicks in). This is the problem with any web server. That's why **Server Name Indication** was created/implemented -- unfortunately IIS 7.5 does not support it yet (only in v8). http://en.wikipedia.org/wiki/Server_Name_Indication -- this allows multiple SSL certificates to be bound to the same IP:port pair – LazyOne Jun 20 '12 at 15:40
  • @abitgone If the solution in MichelZ's answer solves the issue, then it's all good and I just misunderstood the question. – LazyOne Jun 20 '12 at 15:43
  • @LazyOne: Again, not strictly true. You've been able to add host headers with IIS for some time now, since IIS 6.0. What you do need is a single cert which can work with multiple host names – so multi-domain UCC certs or wildcard certs. For example: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true – abitgone Jun 20 '12 at 16:05
  • @abitgone A wildcard certificate (or a certificate for multiple domain names) and multiple certificates for different domain names are two different things (especially from a cost point of view, which is the case for the vast majority of customers, as not everyone is happy to pay 3x/5x/etc. times more for such a certificate). I was referring to the 2nd one. – LazyOne Jun 20 '12 at 16:28
  • @LazyOne: This question relates to a wildcard SSL cert. – abitgone Jun 20 '12 at 16:34

1 Answer


What you want is called "host headers".

You can do host headers in the UI for HTTP connections only; for SSL, you need appcmd:

appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

See here for more details

MichelZ
  • Thanks - I tried this, but it seems that even with this there needs to be the initial binding with no host headers defined. So IIUC, my whole scenario can be addressed by having 2 web sites, one that doesn't publish anything but has the SSL binding with the blank hostname, and another with my app and with the binding with host headers. Does this sound reasonable? – iis_newbie Jun 20 '12 at 17:50
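The same binding the answer's appcmd line creates, done from PowerShell with the WebAdministration module that ships with IIS 7.x, as an added example that is not part of the original answer. It assumes a site named "MyApp", a wildcard certificate for *.mysite.com already imported into the LocalMachine\My store, and IIS listening on port 443 on all addresses; all three names are assumptions, not values from the page. The script also does the step the appcmd line alone does not: attaching the certificate to the IP:port, which is still where SSL is bound even when the https binding carries a host header (the point LazyOne's comments make about the handshake happening before the Host header is read).

```powershell
# Added example, not code from the original answer.
# Assumed: site "MyApp", a *.mysite.com certificate in LocalMachine\My,
# and IIS listening on *:443. Run in an elevated PowerShell session.
Import-Module WebAdministration

$siteName   = 'MyApp'               # assumed site name
$hostHeader = 'works.mysite.com'    # the only name this site should answer on
$ipPort     = '0.0.0.0!443'         # IIS:\SslBindings path form for *:443

# 1. Find the wildcard certificate by subject and fail loudly if it is absent:
#    an https binding with no certificate behind it will not start.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.mysite.com*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No *.mysite.com certificate found in LocalMachine\My' }

# 2. Add the https binding with a host header. This is what the appcmd line in
#    the answer does; the IIS Manager UI leaves the host name field disabled.
$existing = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostHeader
if (-not $existing) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $hostHeader
}

# 3. The certificate is bound per IP:port, not per host name, because SSL is
#    negotiated before IIS sees the Host header. Bind it to *:443 once; every
#    host-header https binding on that IP:port then uses this certificate.
if (-not (Test-Path "IIS:\SslBindings\$ipPort")) {
    New-Item -Path "IIS:\SslBindings\$ipPort" -Value $cert | Out-Null
}

# 4. Show what is now bound so you can confirm the site has only the intended
#    host header and the IP:port carries the wildcard certificate.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize
Get-ChildItem IIS:\SslBindings   | Format-Table IPAddress, Port, Thumbprint -AutoSize
```

Two caveats a practitioner should keep in mind. First, the certificate check in step 1 only matters because every host name served on that IP:port shares one certificate; with a plain single-name certificate, "noworks.mysite.com" would still produce the browser warning the question describes, and nothing in this script changes that. Second, this script creates no binding with a blank host header, so a request for any other name arriving on the same IP:port is handled by whichever site holds that blank-host-header https binding, which is the catch-all arrangement the follow-up comment asks about.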