0

I know with HTTP sites I can configure it to listen for specific hostnames, and you can add several bindings; it ignores the rest, which is great. I also know I can rename my SSL cert friendly name to get that box available for SSL binding. The problem is I need to accept SSL to www.site.com and site.com but I only get one binding with an SSL cert. Whichever one I don't bind won't be served.

How can I configure my site to only respond to SSL requests for site.com and www.site.com but ignore everything else? I have a separate HTTP site we'll call badsite.com which is going to this one if the user types https, because this site is listening to all HTTPS.

I can't choose between SSL to www.site.com and site.com as I need to accept both, but I want to drop, rewrite, error or otherwise not permit anything else on port 443 requests.

2 Answers

0

You want to look at setting up a Subject Alternative Name on your certificate. If you decide to use a SAN cert you should have the option to enter in SAN when submitting the CSR. If you do that you can make the cert valid for www.site.com and site.com.

More information on SAN: https://www.digicert.com/subject-alternative-name.htm

Mass Nerder
  • I should clarify my problem is not with the cert itself, if that's the confusion; as it is currently, I can reach www.site.com and site.com without any issues. SSL-wise it is valid for both. My problem only begins when I try to get IIS to ignore other hostnames directed to me on the SSL port, as I have other sites on the same host which I don't want reaching site.com or www.site.com by mistakenly adding https to their names. – shadowfoxy Jan 11 '16 at 16:41
  • Are you trying to use host headers with SSL? I don't believe that IIS supports SSL host headers until version 8. https://www.digicert.com/ssl-support/ssl-host-headers-iis-8.htm and http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability – Mass Nerder Jan 11 '16 at 16:47
  • I'm not specifically trying to use host headers, I'm looking for any method of getting IIS 7.5 to ignore hosts I haven't specified. I'm not particular if this is something with URL Rewrite or other modules as long as it works. As I initially stated, I can use 1 host header with SSL so it is semi-supported in 7.5, but that means choosing between responding to www.site.com and site.com even though my cert works fine for both; if I put site.com in the host header it ignores www.site.com and vice versa. – shadowfoxy Jan 11 '16 at 17:05
0

I've looked over all the features I could find documented and I think the best solution is going to be the request blocking part of URL Rewrite. Checking the HTTP_HOST and telling it to ignore anything that's not www.site.com and site.com with regex seems to do a close approximation to what I want. They still hit the SSL cert error because I can't drop the request before IIS presents the certificate, but once that takes place this rule drops the request.

            <rule name="RequestBlockingRule" stopProcessing="true">
                <match url=".*" />
                <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
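                    <!-- Dots are escaped so they match only a literal "."; negate="true" fires the rule for every other host -->
                    <add input="{HTTP_HOST}" pattern="^(www\.)?site\.com$" negate="true" />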
                </conditions>
                <action type="AbortRequest" />
            </rule>

I'll leave this open for a little while to see if a better suggestion comes along, I think this may be the best IIS 7.5 has to offer, just short of a proper solution.
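
A way to check a host allowlist pattern like the one in this rule before deploying it, as an added example that is not part of the original answer. It assumes Python's `re` behaves like URL Rewrite's regex engine for these simple patterns; the Host values are constructed, and the function names are hypothetical.

```python
import re

# Patterns as they would appear in the rule's pattern attribute.
LOOSE = r"^(www.)?site.com$"      # unescaped dots match any character
STRICT = r"^(www\.)?site\.com$"   # dots match only a literal "."

# Constructed Host header values, not taken from any real log.
SAMPLE_HOSTS = [
    "site.com", "www.site.com", "WWW.Site.Com", "badsite.com",
    "wwwxsite.com", "site-com", "site.com:443", "site.com.example",
]


def is_aborted(host, pattern):
    """Model a condition with negate="true": the rule fires (AbortRequest)
    when the Host value does NOT match. URL Rewrite conditions ignore case
    by default, modelled here with re.IGNORECASE."""
    return re.search(pattern, host, re.IGNORECASE) is None


def audit(hosts, pattern):
    """Map each Host value to 'abort' or 'serve' under the given pattern."""
    return {h: ("abort" if is_aborted(h, pattern) else "serve") for h in hosts}


def differences(hosts):
    """Hosts that the loose pattern serves but the strict pattern aborts."""
    loose, strict = audit(hosts, LOOSE), audit(hosts, STRICT)
    return [h for h in hosts if loose[h] != strict[h]]


if __name__ == "__main__":
    strict = audit(SAMPLE_HOSTS, STRICT)
    for host in SAMPLE_HOSTS:
        print(f"{host:20} {strict[host]}")
    print("served only by the unescaped pattern:", differences(SAMPLE_HOSTS))
```

Note that a Host value carrying an explicit port, such as `site.com:443`, is aborted by both patterns because of the `$` anchor.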