IIS 7将SSL添加到一个站点，所有其他站点都响应https请求 [英] IIS 7 adding SSL to one site, all other sites responds to https request

问题描述

我的IIS上运行了多个站点，现在我们需要支持ssl请求的其中一个站点（SiteB）。我已经启用它为网站编辑绑定，但问题是当我选择协议SSL编辑绑定HostName字段被禁用，无法设置主机名以响应https请求时，这会导致我的IIS的所有站点都被请求使用https ：//加载siteB的网站。

I have multiple sites running on my IIS, now for one of the websites (SiteB) we need to support ssl requests. I have enabled it editing bindings for the website, but the problem is when I selected protocol SSL editing bindings HostName field is disabled, being unable to set hostname to respond to https request, this causes that all sites of my IIS if are requested with https:// loads web site of siteB.

例如我的出价是下一个

Site A

 IP  Port HostName
 *     80 www.sitea.com

Site B
 IP Port Hostname
 *   443 www.siteb.com
 *    80 www.siteb.com

如果我输入在我的浏览器中 https://www.siteb.com 它可以正常工作，但如果我输入 https://www.sitea.com 在浏览器中，siteb网页加载了sitea的主机名。

If I type https://www.siteb.com in my browser it works correctly, but if I type https://www.sitea.com in the browser, siteb webpage is loaded with the hostname of sitea.

如何才能使 https://www.siteb.com 响应https请求m是IIS？

How Can I make that only https://www.siteb.com responds to https requests on my IIS?

我也尝试过使用命令appcmd但它不起作用。

I have tried with command appcmd too but It't doesnt work.

appcmd set site /site.name:{sitB} /bindings.[protocol='https',bindingInformation='*:443:*'].bindingInformation:*:443:siteB.com 

感谢您的帮助。

推荐答案

根问题

由于网络加密协议，这种意外行为不是因为IIS的原因。

The Root Problem
This unexpected behavior isn't because of IIS so much as it is because of the web encryption protocols.

两种主要的Web加密协议是SSL和TLS。这两个协议在将任何请求信息传递给服务器之前协商安全连接。这意味着，在安全请求之后，服务器实际上不会在建立安全连接之后学习主机名。

The two major web encryption protocols are SSL and TLS. Both of these protocols negotiate a secure connection before passing any request information to the server. This means that, on secure requests, servers don't actually learn the hostname until after the secure connection is made.

已经创建了TLS和SSL的扩展来解决这个限制。它被称为 SNI （服务器名称识别）。问题是服务器和客户端计算机都需要支持此扩展。目前客户端浏览器支持有点不稳定。有关浏览器列表，请参阅 SNI 文章。

An extension to TLS and SSL has been created to address this limitation. It's called SNI (Server Name Identification). The problem is that this extension needs to be supported on both the server and client machines. Currently the client browser support is somewhat spotty. See the SNI article for a browser list.

IIS处理问题

由于上述主机名限制，IIS不允许您将主机名绑定到HTTPS绑定。 IIS无法将HTTPS请求路由到特定主机名，因为它在首次开始协商连接时不知道请求的主机名。

IIS's Handling Of The Problem
It is because of the above mentioned hostname limitation that IIS doesn't allow you to bind hostnames to HTTPS bindings. There is no way for IIS to route HTTPS requests to a particular hostname since it doesn't know the requested hostname when it first begins to negotiate the connection.

一旦IIS有协商与客户的安全连接，并了解其请求的主机名是否用于具有HTTPS绑定的站点以外的站点（例如，请求 https ：//sitea.com ）IIS可以返回失败代码或尝试优雅地失败。 IIS选择后者并尝试通过HTTPS绑定提供站点来优雅地失败，即使用户请求其他站点。

Once IIS has negotiated a secure connection with a client and learns that their requested hostname is for a site other than the one with the HTTPS binding (e.g. a request for https://sitea.com) IIS can either return a failure code or try to fail gracefully. IIS chooses the latter and tries to fail gracefully by serving up the site with the HTTPS binding even though the user is requesting a different site.

解决方案/解决方法

• 创建重写规则，将非安全网站的所有HTTPS请求重定向到HTTP。


• 升级到IIS 8以使用SNI扩展。然后要求访问者升级到支持SNI的浏览器。


• 让您的安全站点在收到其他域的请求时返回错误消息。


• 绑定IP地址而不是主机名，因为IIS可以通过IP地址路由HTTPS请求

• Create a rewrite rule to redirect all HTTPS requests for nonsecure websites to HTTP.
• Upgrade to IIS 8 to use the SNI extension. Then ask visitors to upgrade to browsers that suport SNI.
• Have your secure site return an error message when it receives a request for a different domain.
• Bind by IP address instead of hostname since IIS can route HTTPS requests by IP address

参考

我的大部分信息来自关于SNI的维基百科文章

这篇关于IIS 7将SSL添加到一个站点，所有其他站点都响应https请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！