I am asking how to bind an UrlPrefix to a particular network interface via HTTP Server API (aka http.sys).
It seems IIS somehow can do this.
Netsh shows the interface IP as part of the UrlPrefix
> netsh http show servicestate view="requestq"
...
Number of registered URLs: 1
Registered URLs:
HTTP://TEST.SITE.INVALID:80:192.168.202.142/
... ^^^^^^^^^^^^^^^
And it works - curl returns error when i am trying to access the site via the localhost interface
> curl.exe -vi --connect-to "test.site.invalid:80:192.168.202.142:80" http://test.site.invalid/something.html
... 200 OK
> curl.exe -vi --connect-to "test.site.invalid:80:127.0.0.1:80" http://test.site.invalid/something.html
... 404 Not Found
I couldn't find any mentions about such type of binding in the http server api docs. Moveover it says completely opposite
By default, once a registration is entered in the request queue, the HTTP Server API binds to the port specified in the UrlPrefix (for example port 80) for all IP addresses (INADDR_ANY or INADDR6_ANY) available on the machine.
You can add/delete a particular interface ip to the ip listen list on a whole host level but not for the individual urlprefix. Anyway the list is empty on my machine:
> netsh http show iplist
IP addresses present in the IP listen list:
-------------------------------------------
... nothing in the list
It is puzzling me, does IIS use some undocumented API? Anybody know?
Related
I have two different nodejs + expressjs applications with different SSL certificates. I got another IP address for my second app. I have only one port enabled i.e 443. When I run first application it runs successfully, but when I try to run second one it trows port already in use error.
Please note I am running both application on different IP addresses.
This has nothing to do with the number of interfaces/IP addresses you use. A port on a machine can only be used once. In this case, your first application already listens exclusively to it.
The best way is to use a web server or reverse proxy (e.g. HAProxy, nginx, Apache) listening on all interfaces to handle incoming requests on port 443 and forward the traffic to your applications based on the IP address – or even better (sub)domain name – of the request. Then you can run both applications on a separate port > 1024 that doesn't require root rights to bind (which is also a security issue):
Example:
Request to IP 10.1.10.1 → +---------------------+ → Forwarded to app 1:80441
| Reverse Proxy:443 |
Request to IP 10.1.10.2 → +---------------------+ → Forwarded to app 2:80442
I am writing to you because I built an infrastructure with a Bind server and a PowerDNS recursor that transmits the requests to the Bind server. What I wanted to do was that the recursor transmits the ip of the client and not its., so I tried to do that using EDNS(0).
Here is a diagram that summarizes what I want to do:
Client : 10.0.0.1/24
|
| “test.com”
|
Server with PDNS-RECURSOR : 192.168.1.1/24
|
| “test.com” with ip_source=10.0.0.1/24
|
Server with BIND : 192.168.1.2/24
And the different configurations files :
• BIND Conf : 3 views
View recursor {} #Return specific IP for the recursor machine
View localhost {} #Return specific IP for the localhost machine.
View external {} #Return specific IP for the external machines.
• Pdns-Recursor Conf (4.1):
edns-outgoing-bufsize=1680
edns-subnet-whitelist=0.0.0.0/0.
forward-zones=192.168.1.2
use-incoming-edns-subnet=yes
Unfortunately, it always returns the view of the recursor, do you have a solution?
Thank you in advance !
You can not transmit the IP but you can transmit a subnet. This needs an EDNS option called Client-Subnet, described in RFC7871
For PowerDNS this is controlled in configuration by various options starting with ecs-, see https://doc.powerdns.com/recursor/settings.html#ecs-add-for
You may try ecs-ipv4-bits: 32 to try sending the whole IP (the option was more about sending a subnet, for privacy issues).
Bind configuration regarding this option is described at https://www.isc.org/wp-content/uploads/2017/04/ecs.pages.pdf
You should sniff out the traffic between the two to make sure PowerDNS sends correctly the information to bind.
You can also try with dig querying directly bind with the appropriate client subnet option (+subnet=) to make sure bind does what you need.
I pointed my domain name that I registered through route 53 here: Response returned by Route 53
DNS request sent to Route 53
arcadeidea.com. IN A
EDNS0 client subnet IP
24
DNS response code
NOERROR
Protocol
UDP
Response returned by Route 53
34.214.33.108
And when I try going to the elastic IP (34.214.33.108) I get the hello world html page served by a sample
arcadeidea.com’s server DNS address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN
I think it may be a problem with port forwarding, as I'm forwarding 80 to 8080 which is what the sample node app was setup as a default. Not sure how to debug that though...Any thoughts?
This DNS server is not answering for this domain. Check that you have inserted the correct AWS DNS hosts on your domain registrar.
% nslookup
> server NS-1316.AWSDNS-36.ORG
Default server: NS-1316.AWSDNS-36.ORG
Address: 205.251.197.36#53
> arcadeidea.com
Server: NS-1316.AWSDNS-36.ORG
Address: 205.251.197.36#53
** server can't find arcadeidea.com: REFUSED
So what worked for me was resetting my wireless router...my other computer that was directly plugged into the modem was able to load the site after associating the IP with the domain, but not the computer that was wired to my router. I was able to verify this when I used my phone to check the site, while connected to my wireless router's network...Network admins, I understand a little more of your pain now.
I have build a wt (witty) hello world example and I am trying to deploy this on a Google Cloud instance. It seems to run fine locally (hence it has all the necessary library dependencies). However, I am not able to it to deploy on the server.
I am trying (using my actual http address which is different from the example below)
./hello --docroot . --http-address 105.150.47.754 --http-port 80
but it responds with
Error (asio): bind : cannot assign requested address
It seems to work fine using (0.0.0.0/0)
The cloud instance allows HTTP tcp/80 traffic.
I have tried
setcap 'cap_net_bind_service=+ep' ~/hello
to allow non-root users to publish on ports below 1024, but also to no avail.
Any suggestions?
Cheers, Mike
If you are unable to listen on the specified IP address, one of the following is likely true:
1) Something (such as a web server) is already listening at that address on port 80, or
2) The IP address you are using is not assigned to one of the machine's network interfaces.
Using (0.0.0.0/0) with port 80 tells the Wt web server (wthttpd) to listen on all available local interfaces. Therefore, using that address will work with any available network interface assigned any IP address with port 80 available.
I want to ping internal application URL like http://test.com:8080/ , but it through error as unknown host , because there is DNS server or no standard setting for this server.
Thats means i have internal application which means application running in within network(only our network can access this application). if ping this url , it throws unknown host.
Please advise is there any way to ping internal application ?
You ping hosts, not applications. ping relies on the ICMP protocol, which is completely outside of TCP, so it has no concept of ports (ports are a TCP thing). What you need to do is make sure that your test.com resolves to the correct IP address (the simplest way to do it would be to put the address statically into /etc/hosts).
For example, if you're test.com is at 10.0.0.1, your /etc/hosts on your local machine should contain a line with 10.0.0.1 test.com or you should ping 10.0.0.1 directly (ping 10.0.0.1).
Additionally, on the server, make sure that incoming ICMP requests aren't ignored (echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all) (usually by default, they aren't).