IIS 7 将 SSL 添加到一个站点，所有其他站点都响应 https 请求 [英] IIS 7 adding SSL to one site, all other sites responds to https request

问题描述

我的 IIS 上运行了多个站点，现在对于其中一个网站 (SiteB)，我们需要支持 ssl 请求.我已启用它为网站编辑绑定，但问题是当我选择协议 SSL 编辑绑定 HostName 字段被禁用时，无法设置主机名以响应 https 请求，这会导致我的 IIS 的所有站点都使用 https 请求://加载 siteB 的网站.

I have multiple sites running on my IIS, now for one of the websites (SiteB) we need to support ssl requests. I have enabled it editing bindings for the website, but the problem is when I selected protocol SSL editing bindings HostName field is disabled, being unable to set hostname to respond to https request, this causes that all sites of my IIS if are requested with https:// loads web site of siteB.

例如我的投标是下一个

Site A

 IP  Port HostName
 *     80 www.sitea.com

Site B
 IP Port Hostname
 *   443 www.siteb.com
 *    80 www.siteb.com

如果我在我的浏览器中输入 https://www.siteb.com 它可以正常工作，但如果我在浏览器中输入 https://www.sitea.com，siteb 网页加载的是 sitea 的主机名.

If I type https://www.siteb.com in my browser it works correctly, but if I type https://www.sitea.com in the browser, siteb webpage is loaded with the hostname of sitea.

我怎样才能使只有 https://www.siteb.com 响应我的 IIS 上的 https 请求?

How Can I make that only https://www.siteb.com responds to https requests on my IIS?

我也尝试过使用命令 appcmd，但它不起作用.

I have tried with command appcmd too but It't doesnt work.

appcmd set site /site.name:{sitB} /bindings.[protocol='https',bindingInformation='*:443:*'].bindingInformation:*:443:siteB.com 

感谢您的帮助.

推荐答案

根本问题
这种意外行为与其说是因为 IIS，不如说是因为 Web 加密协议.

The Root Problem
This unexpected behavior isn't because of IIS so much as it is because of the web encryption protocols.

两种主要的网络加密协议是 SSL 和 TLS.在将任何请求信息传递给服务器之前，这两种协议都会协商安全连接.这意味着，在安全请求中，服务器直到建立安全连接后才真正了解主机名.

The two major web encryption protocols are SSL and TLS. Both of these protocols negotiate a secure connection before passing any request information to the server. This means that, on secure requests, servers don't actually learn the hostname until after the secure connection is made.

已创建 TLS 和 SSL 扩展来解决此限制.它被称为 SNI(服务器名称标识).问题是服务器和客户端机器都需要支持这个扩展.目前，客户端浏览器支持有些参差不齐.有关浏览器列表，请参阅 SNI 文章.

An extension to TLS and SSL has been created to address this limitation. It's called SNI (Server Name Identification). The problem is that this extension needs to be supported on both the server and client machines. Currently the client browser support is somewhat spotty. See the SNI article for a browser list.

IIS 对问题的处理
由于上面提到的主机名限制，IIS 不允许您将主机名绑定到 HTTPS 绑定.IIS 无法将 HTTPS 请求路由到特定主机名，因为它在首次开始协商连接时不知道请求的主机名.

IIS's Handling Of The Problem
It is because of the above mentioned hostname limitation that IIS doesn't allow you to bind hostnames to HTTPS bindings. There is no way for IIS to route HTTPS requests to a particular hostname since it doesn't know the requested hostname when it first begins to negotiate the connection.

一旦 IIS 与客户端协商安全连接并获悉他们请求的主机名是针对具有 HTTPS 绑定的站点以外的站点(例如，请求 https://sitea.com) IIS 可以返回失败代码或尝试正常失败.IIS 选择后者并尝试通过使用 HTTPS 绑定为站点提供服务来优雅地失败，即使用户正在请求不同的站点.

Once IIS has negotiated a secure connection with a client and learns that their requested hostname is for a site other than the one with the HTTPS binding (e.g. a request for https://sitea.com) IIS can either return a failure code or try to fail gracefully. IIS chooses the latter and tries to fail gracefully by serving up the site with the HTTPS binding even though the user is requesting a different site.

解决方案/解决方法

• 创建一个重写规则，将非安全网站的所有 HTTPS 请求重定向到 HTTP.
• 升级到 IIS 8 以使用 SNI 扩展.然后要求访问者升级到支持 SNI 的浏览器.
• 让您的安全网站在收到对不同域的请求时返回错误消息.
• 通过 IP 地址而不是主机名绑定，因为 IIS 可以通过 IP 地址路由 HTTPS 请求

参考文献
我的大部分信息来自 维基百科关于 SNI 的文章

这篇关于IIS 7 将 SSL 添加到一个站点，所有其他站点都响应 https 请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！