Re: how to configure host headers for 3 IIS machines ?

From: Kristofer Gafvert (kgafvert_at_NEWSilopia.com)
Date: 03/05/04


Date: Fri, 5 Mar 2004 20:31:00 +0100

Hello Paul,

Here's my reply to you:

Okay, let me explain this a bit, and this might be why you see this.

The CS-Host field is sent by the client. It is possible for the client to
fake this (for privacy for example, not that this is dangerous to give
out...). If the server is configured with host headers only, I don't think
that this is possible (but not completely sure).

So, let's try this with telnet. server.com is any way to make a connection
to the server (domain name, or IP)

telnet server.com 80 <enter>
GET /default.html HTTP/1.1 <enter>
Host: fakeHost.com <enter>
<enter><enter>

Now, if you look in the log file (wait until this is logged), you will see
someone "accessing the site" using fakeHost.com. This is not really true,
the client just sent the Host fakeHost.com.

Everything in the logfile starting with CS is something sent from the
client, to the server. This information can be faked, and the referer is the
most common faked header. If you see these strange Hosts together with a
strange referer, then it is almost for sure that an add-in for the client
did this.

If the client did not send a Host, nothing is logged (except for the dash
(-)) in the logfile.

Does this explain what you are seeing? It sounds like this doesn't happen
too often, so I do not think that something is wrong with IIS.

So, to sum up:

CS-Host does not necessarily have to have something to do with the actual
host. It is just the Host field sent by the client, to the server (and there
was already a connection to the server when this information was sent).

-- 
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003
"Paul" <nobody@devnull.spamcop.net> wrote in message
news:sK2dnVer0PSxKNXdRVn-tw@adelphia.com...
> Hi Kristofer,
> Could you take a look at the thread with the subject "cs-host, host header
> and destination" and see if you could help me understand what I am seeing?
> Thanks,
> Paul Coleman
>
> "Kristofer Gafvert" <kgafvert@NEWSilopia.com> wrote in message
> news:uBB7nkqAEHA.2212@TK2MSFTNGP10.phx.gbl...
> > Hello,
> >
> > If you only have one public IP, this will not work with IIS only.
> >
> > IIS can:
> > 1) Host multiple websites on one machine, and distinguish them with a
> > host header
> > 2) Redirect to another webserver, based on a host header
> >
> > IIS cannot:
> > 1) Act as a reverse proxy
> >
> > And what you are asking for is a reverse proxy.
> >
> > Let me explain. IIS1 is the "main" server, and accepts all traffic. Then,
> > based on the host header, it will redirect the request to another internal
> > webserver. The problem here is that IIS can only redirect. So, you will
> > have to write the internal IP in the "redirect to" text box. The web client
> > (internet explorer) will then make a "new request" to this new webserver.
> > So, if the IP of the internal webserver was 192.168.0.10, it will try to
> > connect to IP 192.168.0.10, which will of course not work (private IPs are
> > not routable).
> >
> > There are a few ways to solve this.
> >
> > 1) Redirect to the public IP, but another port, and then in the firewall,
> > forward this port to one of the other web servers.
> > 2) Use a third-party application, acting as a reverse proxy. For example
> > OctaGate http://www.octagate.com/HTTPRedirect.asp or Apache
> > http://www.apacheweek.com/features/reverseproxies  Note: Apache can of
> > course act as a reverse proxy for IIS Web Servers.
> >
> >
> > So, if we go back to your suggestions:
> >
> > 1) Yes, this is possible. As I also told you, the "main" server can be
> > configured to redirect to another port, so your customers do not have to
> > remember the port.
> >
> > 2) Using host headers, without including the external IP and another port
> > is not possible. The client machine (not on your network) does not know how
> > to connect to another webserver inside your firewall, if there is no open
> > connection between that webserver and the client. This is what a reverse
> > proxy solves. And unfortunately, IIS cannot act as a reverse proxy :-(
> >
> >
> > -- 
> > Regards,
> > Kristofer Gafvert - IIS MVP
> > Reply to newsgroup only. Remove NEWS if you must reply by email, but
> > please do not.
> > www.ilopia.com - FAQ and Tutorials for Windows Server 2003
> >
> >
> > "scott" <scottscotland@yahoo.com> wrote in message
> > news:uZyy5SqAEHA.2808@TK2MSFTNGP10.phx.gbl...
> > > Hi,
> > >
> > > I posted about this before but not sure if i fully followed.
> > >
> > > Im looking to run three IIS machines on the same public IP.
> > >
> > > IIS1 = used to deal with http traffic using host headers.
> > > IIS2 = 2003 sharepoint windows services = www.domain2.com
> > > IIS3 = w2k sharepoint team services = www.domain2.com
> > >
> > > NOTE: cant run on same machine.
> > >
> > > As far as im aware the only way i can do this is.
> > >
> > > 1. publishing IIS machines on a non standard port ie. www.domain.com:port
> > > OR
> > > 2. using host headers I can keep all machines on port 80. Host header
> > > would then redirect user to appropriate machines.
> > >
> > > If my network was setup like this:
> > >
> > > -----------------------------------
> > > net
> > > v
> > > router > iis1 > router > iis2
> > > v                        v
> > > fw                     iis3
> > > v
> > > lan
> > > -------------------------------
> > >
> > > 1. If host headers were configured on IIS1 could I plug in as many IIS
> > > machines behind it as I like ?
> > >
> > > 2. How would I configure host headers to deal with this setup ?
> > >
> > > For example:  I enter www.domain2.com in a browser, I'm directed to my IP,
> > > IIS1 says it's domain2 and uses host headers to push traffic to IIS2 ?
> > >
> > > NOTE: assumes IE6 with domain info in header.
> > >
> > > Thanks for your time and help.
> > > Scott
> > >
> > >
> >
> >
>
>
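
Added example, not part of the original thread: a small audit of IIS W3C extended log text that lists entries whose client-supplied cs-host matches none of the site's configured host names, or where no Host was sent at all (logged as a dash). The host names in EXPECTED_HOSTS and the sample log lines are constructed assumptions; replace them with your own bindings and log files.

```python
# Added example: audit IIS W3C extended logs for client-supplied Host values
# that match no configured site binding. Sample data below is constructed.

EXPECTED_HOSTS = {"www.example.com", "example.com"}  # assumption: your bindings

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host cs(Referer)
2004-03-05 19:30:01 203.0.113.7 GET /default.html 200 www.example.com -
2004-03-05 19:30:09 203.0.113.9 GET /default.html 200 fakeHost.com http://unrelated.invalid/
2004-03-05 19:30:15 203.0.113.9 GET /default.html 200 - -
2004-03-05 19:31:02 198.51.100.4 GET /default.html 200 WWW.EXAMPLE.COM:80 -
"""


def normalize_host(value):
    """Lower-case the logged Host value and drop an optional :port suffix."""
    host = value.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:80
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def audit_cs_host(log_text, expected_hosts):
    """Return (line_no, c-ip, cs-host, reason) for each entry worth a look."""
    expected = {h.lower() for h in expected_hosts}
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the field list can change mid-file
            continue
        if not line.strip() or line.startswith("#") or "cs-host" not in fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # truncated or malformed entry
        row = dict(zip(fields, values))
        raw = row["cs-host"]
        if raw == "-":
            findings.append((line_no, row.get("c-ip", "-"), raw, "no Host sent"))
        elif normalize_host(raw) not in expected:
            findings.append((line_no, row.get("c-ip", "-"), raw, "unexpected Host"))
    return findings


if __name__ == "__main__":
    for finding in audit_cs_host(SAMPLE_LOG, EXPECTED_HOSTS):
        print(finding)
```

A finding here only means the client sent that Host value over a connection it had already made to the server; it says nothing about which name the client actually resolved.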

