
SSL with multiple sites on one static IP

JWFdev

Technical User
Oct 14, 2002
23
US
Hello...

My NIC card can have multiple IPs bound to it. I only have one public IP address.

I was reading that SSL cannot use HOST HEADER to differentiate between domain names.

The discussion in the IIS manual shows using different IPs on one IIS server. It says you have to have a different NIC for each IP address. Well I know I don't need that as I can bind many IP addresses to my external NIC.

Again... referring to the IIS manual. The diagram and wording depicts about four different domain names serviced by the single IIS server - each has its own unique IP address... BUT... like I want to do... three of them are private IP addresses.

Can these private IP addresses be seen from the callers on the external IP?

I just don't know how it could work.

I tried it... and it does work. But I'm thinking because I'm doing it all in house on my own hubs/routers. I set up a machine with the same subnet as the external IP NIC on the server machine... both were plugged to the same switch/hub using the same netmask setting.

I added/bound a private IP 192.168.1.31 to the external NIC and also to a web site in IIS.

The client machine I set up with the 204.xxx.xxx.xxx address, that was using the same netmask as the static IP for the external (public) NIC that all websites will point to, pulls up the web site bound to 192.168.1.31 fine!

I can ping it too. I just don't know how that's going to work on the internet. No one can get to my web site if it's got a private IP address. At least that's how I thought I was trained to think.

But why does Microsoft use private IP addresses as a suggestion in the manual/documentation??? Go to "Hosting Multiple Sites by Assigning Ports, Addresses, and Host Header Names" to see what I'm talking about.

I have DNS running on this server and it works only when I make sure and point the domain's HOST name to the correct private IP that I bound to the external NIC.

Still... It's not going to work when I connect it and try to have a friend pull it up that is outside of my hubs/routers. I just know it's not.

I was reading here and someone used NAT to pass it to the correct internal (private) IP?

My server has two NICs so I could do this... but I need some more help. There isn't enough written about it in the documentation.

I don't mind using HOST HEADER to distinguish between the different domains I am serving... but I want to use SSL too!

Please help if you can or point me to something I can read concerning this. Thanks.

Sincerely,
John Ford
 
Please can anyone help on this???

Mainly... I'm wondering if anyone has set up multiple IPs to IIS but only used one NIC to do it... and then of course how they did it.

Sincerely,
John Ford
 
I have 20-30 sites each with a different IP and running on a single NIC. First, add the IP address to TCP/IP for the NIC (click the advanced button on the TCP/IP properties page).

Then in IIS, on the Web site properties page, select the IP address from the drop down list. I think the default is all unassigned.
 
RJS...

Thanks... I've been able to do this fine. The problem is... using non-public IPs for the sites.

If I set up my DNS server to mention the Private IP address for these web sites... how can they possibly connect to them in the first place?

I just don't understand. Shouldn't I give out my single static IP that my ISP gave me for my DSL circuit? In other words... when someone's browser does a DNS lookup for one of these sites, shouldn't they be directed to my only public IP address that is the static one given to me by my DNS?

Then once their browser arrives at that IP address requesting the web site then only IIS knows the correct IP and serves the page.

The problem is... (maybe me just misunderstanding), but Microsoft clearly depicts an IIS scenario in which a server is handling traffic for several sites all using a different IP... but two-three of the sites use an IP address that is reserved for private IPs. Therefore plugging in this IP as a host name in the DNS server only helps for my Intranet traffic.

Shouldn't IIS only be used for serving multiple web sites with different IPs if they have non-private IP addresses? That is, if you want them to be seen by others than your intranet?

How can IIS serve a page to the INTERNET if it is a private IP address website?

How can my DNS server do any good to the people on the INTERNET if it tells them the web site they are looking for can be found at 192.168.1.XXX, or 10.10.1.XXX, etc. These are private IP addresses.

It works here for me because all of the machines use the same subnet mask.

I just don't know why Microsoft put it in the documentation but did not elaborate nor mention that all must have public addresses if they are to serve Internet browsers.

I just want to be able to host several web sites on one server and also allow all of them to have SSL.

1. I only have one static IP address that is a public address.
2. I only have one NIC on that IP address.
3. I want to host several web sites on one instance of IIS
4. I want SSL available to all of these web sites.
5. IIS documentation says using HOST header to serve more than one site on IIS prevents you from using SSL. Is this true?

Sincerely,
John Ford
 
Sorry, I missed the fact you only have 1 IP from your ISP. In which case, the only method I know of is to use Host headers to differentiate the different sites. I have not messed around with host headers, so I can't give you good info on that. Hopefully someone else will chime in.
 
I believe the only way to do multiple SSL sites is to either use different IP Addresses or you can also use different ports. The reason Microsoft's example has private IP addresses is that typically a web server is on a DMZ with a private address and it is reached through a firewall using NAT. So there would actually be a public IP that translated to the private IP. But in your situation with only the one public IP you would either have to use different ports (which would have to be specified in a browser when hitting the site ie or possibly you could buy some more IP addresses from your ISP.
 
Thanks epohl,

But can't I use NAT too? I have to use it for all my other intranet machines to be able to get out to the Internet... so how/why can/can't I configure it to direct traffic to IIS for the private IPs I would like to bind to the NIC card that the traffic comes in on?

Just wondering...
Sincerely,
John Ford
 
Yes you can still use NAT, but are still stuck with just the one public IP address. So all your sites would still resolve to this 1 ip address and you would have no way to distinguish them in NAT.
 
I see... but epohl... I was reading that someone was using an outside [public] DNS that points all the host names to one public IP... then when the person's browser ends up on IIS's doorstep via the public IP on the NIC card... NAT, IIS, and internal DNS work it out to the private IP associated with the host name of the web site requested.

Isn't this what you've been alluding to all along? Please do not think I am being disrespectful by any means but I keep reading this into what everyone is saying.

You see... you mentioned that that's used on a DMZ and a firewall translated it using NAT - Were you saying/suggesting the firewall was protecting 1 public IP per each spoofed host name using NAT?

Is there someway to tell NAT to watch for port 80 and 443 and then lookup host names from a local DNS and then hand the IP packets to IIS?

Please read/see this thread as it also alludes to this being possible... I wrote to one of the guys who made the best post to the thread, but he has not written back as of yet.

Maybe it's a lost cause but I keep seeing things point to the possibility, but have found no cheat-sheet to tell me how to set it up.

Should I just use HOST HEADER and have all sites on my server use only one HOST name when a browser on that site needs to use SSL? I could have disclaimer type info on why/how the Internet user was being redirected to another domain.

Thanks for any help.

Sincerely,
John Ford
 
Sorry, to my knowledge it is NOT possible (NAT, IIS, and internal DNS work it out to the private IP associated with the host name of the web site requested). They have no way of working out the private IP because when using SSL you can NOT use host headers and the packet is not decrypted until it hits the site with the correct certificate. Unfortunately the only way to do this is multiple IPs, different ports or as you suggest have one site for SSL.
 
hello John Ford,

I got your email. Quick answer, what you want done cannot be done.

Now for the long explanation why your internet scenario will not work, and why it is possible to do this with no problem on internal intranet/extranet style networks.

The problem actually lies in the SSL standard and how it conflicts with the http 1.1 standard.

HTTP 1.1 is what allows us to use host headers in IIS to host multiple websites on one server. Using host headers, the web server receives the request, then is able to distinguish the request to a host on the server. Hosts are sorted by domains, yada yada, you have multiple sites on one server using 1 IP address.

A server can use IIS 4.0 and IIS 5.0 to host multiple Web sites, and this is possible by using any of the following methods:

By using different IP addresses, but the same port number.

By using the same IP address, but different port numbers.

By using the same IP address and port number, but using HTTP 1.1 host headers.

SSL is now in version 3.0, and has been since 1996. It was never a real standard, in fact SSL was designed by Netscape. The "standard" for SSL can still be found on Netscape's website at:


The problem is, the client request is still encrypted by using SSL. Because of this, the header is encrypted, and IIS cannot determine which server certificate to use or which Web server to communicate with.

That in a nutshell is what forces 1 internet IP address to 1 SSL website, host headers or no host headers.

The solution for intranets/extranets has been to use a proxy server. With a proxy server, all DNS requests are sent to 1 server each with its own IP address. That request is then proxied to another webserver and port with the SSL website.

So basically you have 4 websites

Website Name    Proxy IP address:port    Real IP:port
site1.com       10.8.8.123:443           10.8.8.200:4441
site2.com       10.8.8.124:443           10.8.8.200:4442
site3.com       10.8.8.125:443           10.8.8.200:4443
site4.com       10.8.8.126:443           10.8.8.200:4444

By using a proxy, you can now spread out your multiple website design. You can even use appliances like the F5 Big-IP Load Balance tool to offload SSL to the appliance so you don't take the performance hit on your web server, etc...

But for your purposes, you are currently without options. I have done work for several businesses lately that are looking to do exactly what you are, but unfortunately do not like the cost value of maintaining 1 IP and cert for each individual website.

The good news is, relief is coming, and hopefully soon. TLS is a standard that has been getting a lot more attention as of late due to the push for secure information. For more information on TLS check out:


and more importantly to what you are wanting to do, read up on:


Those proposed upgrades in RFC 2817 are what you are waiting on, which will finally allow for secure hosting of multiple websites on a single server.

Remember guys, the internet is still very young. DNS was officially created in 1984, meaning we are at the same point cars were at in 1926...

Luckily for all of us, things advance much faster today.

Sorry it is not the answer you were looking for John, but if you do find a way, be sure and send that tip to the rest of us...

Galrahn
galrahn@galrahn.com
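To make the point of epohl's and Galrahn's replies concrete, here is an added example (not code from the thread or from IIS): a tiny front-end demultiplexer that shows what a proxy or NAT box can see before a connection reaches the web server. For cleartext HTTP the Host header is readable, so one IP can serve many names; for SSL the first bytes are a handshake record whose ClientHello carries no web site name, so the only routing keys are the destination IP and port, exactly as in the proxy table above. The proxy table values are copied from Galrahn's post; the HTTP backend and the sample connections are constructed.

```python
import struct

# Proxy table from Galrahn's post: (proxy IP, port) -> (real IIS IP, port)
PROXY_TABLE = {
    ("10.8.8.123", 443): ("10.8.8.200", 4441),
    ("10.8.8.124", 443): ("10.8.8.200", 4442),
    ("10.8.8.125", 443): ("10.8.8.200", 4443),
    ("10.8.8.126", 443): ("10.8.8.200", 4444),
}
# Constructed backend for cleartext HTTP: one IIS instance using host headers
HTTP_BACKEND = ("10.8.8.200", 80)

# Constructed sample connections: a plain HTTP/1.1 request, and the first
# bytes of an SSL 3.0 handshake record carrying a ClientHello (type 0x01).
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: site2.com\r\n\r\n"
SAMPLE_SSL = b"\x16\x03\x00\x00\x2f\x01\x00\x00\x2b\x03\x00" + b"\x00" * 32

def http_host(first_bytes):
    """Return the Host header of a cleartext HTTP/1.1 request, else None."""
    try:
        head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

def ssl_handshake_info(first_bytes):
    """Parse what is cleartext in an SSL/TLS handshake record.

    Returns ((major, minor), handshake_type) or None. The HTTP request,
    Host header included, only exists after the handshake, inside encrypted
    application data, so nothing parsed here names the wanted web site.
    """
    if len(first_bytes) < 6 or first_bytes[0] != 0x16:  # 0x16 = handshake
        return None
    major, minor, _length = struct.unpack("!BBH", first_bytes[1:5])
    return ((major, minor), first_bytes[5])

def route(dst_ip, dst_port, first_bytes):
    """Pick a backend using only what the front end can see."""
    if ssl_handshake_info(first_bytes) is not None:
        # SSL: Host header invisible, so destination IP:port is the only key
        backend = PROXY_TABLE.get((dst_ip, dst_port))
        return ("ip-port", f"{dst_ip}:{dst_port}", backend) if backend else None
    host = http_host(first_bytes)
    return ("host-header", host, HTTP_BACKEND) if host else None
```

Later TLS versions added a cleartext Server Name Indication extension to the ClientHello, which is what finally let one IP:port serve several certificated sites; the thread predates it, and this example deliberately parses only what SSL 3.0 exposed.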
 
Galrahn,

Thanks for taking the extra time to explain.

I was kind'a "there" already according to something that epohl was saying... it made it snap into my head.

NAT can't help... IIS can't help... DNS is before the fact so it only directs the USER's browser on where to send the forthcoming [encrypted] IP packets.

The packets arrive encrypted so NAT can do nothing and IIS will only be able to respond to encrypted packets sent to the HOST name matching the certificate.

I sure thank everyone for their help and really appreciate you taking the time.

Just wondering... Why didn't they make DNS to be able to resolve the IP and the port to use? That would solve this problem.

Sincerely,
John Ford
 
RJS,

I just read your post from OCT and was interested in learning more about setting up the webserver with multiple Static IP addresses.. I was with Directv internet and as you prob know they are going bye bye.. I had one static IP with them and now I have signed up with SBC DSL and they only have the 5 Static IP Package. I can put the other IPs to good use but needed to know more on how to set them up with multiple websites set up on my 2000 advance server.

I know how to set up the different websites, just was not sure how to use the IPs.. My router, the Linksys brand is only able to route one Static IP. You were saying that in your NIC config you can set it up to do the multi IP routing?

Please let me know how to do this..

Thanks so much,

Gupone
 
Hello Gupone,

All I have to do is choose properties for your tcp-ip protocol for the NIC card... I BIND the various IP addresses by clicking on one of the tabs in the dialogue window.

THEN...

Tell IIS which IP is for which web site.

sorry I didn't answer sooner...

Sincerely,
John Ford
 
JWF,

I was just curious. I am using the Linksys Router in which you go in and put in one static IP for routing. Should I still do this with one of the IP addresses and then go into the NIC properties and add the other Static IP address? If so, what IP address do I give to my DNS host?

Any Ideas?

Thanks,

Tim
 
I'm not real up on that... but it appears you do exactly as you just said.

You don't have to use the router with win2k server... it'll do it for you with NAT (that's all the linksys is doing). But... it will then "bend" all the traffic through the only one NIC you've connected onto the Internet on the server.

Most routers have a DMZ (de-militarized-zone) port. This port lets all traffic through. You'd want to put it on your server - (in which case you'll be set up like I said above with all your NICs in the server having to locate the one NIC on the server to route inband and outband traffic).

Then use the other ports on the router for inhouse traffic.

ME... I just did away with any router and use Win2k server for all of that. It doesn't slow down the server even a noticeable amount... nor the connection speed. I feel there's more options this way.

To read on NAT, of course use your win2k help... but also there are plenty of posts about it on this site.

The DNS should be set to the correct IP of the site as listed in IIS... everything in front of IIS should pass it through if asked.

Sincerely,
John Ford
 
John,

On the issue that you first stated... what did you finally do to get the results you desired?

Bradley Roberts
Las Vegas, Nevada
 