If I'm hosting multiple sites on a server, and a dns server resolves the different domainnames to the same address, (which is the server's name), how does IIS know eventually which site is requested?
So a client types the address of my 1. site -> myrandomsite.mydomain.com
Then another client types -> anotherrandomsite.mydomain.com
The DNS server resolves both of these to -> myserver.mydomain.com.
So what happens then on the server?
The binding host header tell IIS where request to be delivered. So when you host header mutiple domain name for the same server. You have to specify your domain name in binding->host name field.
When client send a request to your IIS server, http.sys receive the request first. Then it will communicate with IIS service. IIS read applicationhost.config and tell http.sys which application pool to handle the request. Finally, the request will be delivered to the correct site and application pool.
Related
Short question:
How to setup a local and external dns that have an external destination and a internal destination.
Technologie used:
Websites are hosted in IIS
Local DNS is in Windows server
External DNS via CPanel
using Azure Application proxy for the bridge external to internal
Explanation:
I've made a schema, see image.
entrepriseName.com: website hosted externally somewhere by somebody.
site1.entrepriseName.com :
Contains some basic webpages. Which are referenced by https://entrepriseName.com. With html .
url site1.entrepriseName.com is not existing yet, and its hosted under https://site1-entrepriseName.msappproxy.net
site2.entrepriseName.com :
Availaible ONLY locally / vpn. With https.
url site2.entrepriseName.com is not existing yet. currently hosted on https://site2.entrepriseName.local, but https is complaining.
And its not clean, should be under site2.entrepriseName.com
https://site1-entrepriseName.msappproxy.net should in reality be https://site1.entrepriseName.com.
Assuming I added a custom domain name in azure and configure the app proxy correctly. The next step would be to add some sort of dns...
When I tried to add a foward lookup zone "entrepriseName.com" in the LOCAL dns.
Our external website "entrepriseName.com" didn't work locally, as everything with entrepriseName.com (which is normal, after tought haha...)
Actual Question
So how respect make sure that these 3 conditons are met:
Internal request route to site1.entrepriseName.com but is also accesible externally (with AAD app proxy connector)
Internal request an also route to site2.entrepriseName.com (only avalaible locally).
Lets say that site1 load a script like <script src="js/potato.js"></script>
Since https://entrepriseName.com have reference to site1 with iframe.
Will entrepriseName.com attempt to load the realtive script js/potato.js?
Obviously we want to prevent this from happening.
Internal request route to site1.entrepriseName.com but is also accesible externally (with AAD app proxy connector)
• Since, the domain ‘enterprise.com’ is owned by your organization and thus has an internal AD DNS server setup for it, for the ‘site1.enterprisename.com’, you will have to create an ‘A’ host record in the internal DNS server for the requests to the application ‘site1.enterprisename.com’ to be redirected to internally as well as similarly, ‘A’ DNS host record also need to be created in the public DNS server where ‘enterprisename.com’ domain is registered so that any external (over the internet) requests are routed correctly to the externally facing application homepage. Also, you need to configure conditional forwarding to the public IP address of the domain hosted on the public DNS server in the internal DNS server of your domain environment for any internal requests to redirect to the publicly hosted DNS records and through it, to the application.
• Also, since the AAD application proxy connector is a syncing and request forwarding software to be installed on the member server that syncs the database of the application in Azure as well as that running on-premises and forwards the requests directed to Azure through it, a wildcard certificate with the CN ‘.enterprisename.com’ or a SSL HTTPS certificate with the CN ‘site1.enterprisename.com’ where ‘site1’ is the name of the application hosted with this subdomain should be installed on the server* running the application in on-premises environment and on the member server where the app proxy connector is installed in the personal certificate store of the server. In this way, you can configure the application ‘site1.enterprisename.com’ to be accessed internally as well as externally.
Note: - The member server where the app proxy connector is installed should be dedicatedly a part of the application farm itself so that the certificate installed on it authorizes and identifies the application server as valid.
Internal request an also route to site2.entrepriseName.com (only avalaible locally).
• To configure the internal request route to ‘site2.enterprisename.com’ available only locally, you will need to create an ‘A’ host DNS record in the internal DNS server for it and remove the conditional forwarding configured in the internal DNS server for the externally (over the internet) available website of the application. Also, remove the ‘A’ host record for the ‘site2.enterprisename.com’ if created in the public DNS server for the ‘over the internet’ routing and redirection to disable completely. This will ensure that the application ‘site2’ is available only in the intranet locally. Also, note that, if you want to manage multiple types of DNS records for a subdomain in the internal server, then you can create a DNS zone with the FQDN of the subdomain (application) in the internal DNS server.
Note: - You may want to edit and configure the ‘hosts’ file on the server hosting the ‘site2’ application as well as the ‘site1’ application to include the application (subdomain) FQDN so that the server responds to network requests for the application hosted on it along with individual hostname records.
Will entrepriseName.com attempt to load the realtive script js/potato.js? Obviously we want to prevent this from happening.
• If the ‘potato.js’ script is configured to load when the ‘https://enterprisename.com’ website is requested, then that script will surely load up but if the reference ‘site1’ is with ‘iFrame’, when referencing to the site address, then the ‘site1’ referencing to the FQDN of the ‘site1’ have to be removed from the website code during initializing and startup and replaced with that of the website itself, i.e., ‘https://enterprisename.com’.
In the first place i should say that it might seem a bit weird but its a challenge to distinguish between the level of these configurations,for example ,say i want my localhost be accessible through abc.com, i know i should go through two steps:
1.use iis manager bindings
2.add abc.com to dns host file
127.0.0.1 abc.com
But is not clear for me level of these configs and what is each part's responsibility ?
In a complete url request, steps as follows
User request abc.com.
DNS is request for abc.com.(That is why add abc.com to dns host file)
IP address for abc.com is returned.
Browser send request to the IP address.
IIS in server return site’s page.(That is why use iis manager bindings)
Complete request
Why to use host file
If I access my web app via its IP address I get the default azure 404 not found web page.
I have configured a custom domain (A Record + Cname) which works fine if I use that.
Should I be able to access the web app via the IP address, and if so what else do I need to do.
This is causing a PCI compliance failure at the moment as the actual web site has server headers removed from the response, however the 404 page returns server headers as its not hitting my configured web site.
Thanks.
If you want to access your site using the IP address, you need to explicitly pass the host header to tell Azure what site it is. This is because many sites share the same IP. The header should look like this:
Host:MyExample.com
Output:
I am having an issue getting an IIS 7.5 website to answer when I connect to it using an IP address.
I have a Win2008 Server set up with IIS 7.5. It has only one IP address bound to it (10.10.10.10), and IIS listens on it just fine. I have IIS hosting two websites: defaultsite and mysite. Both of these two are necessary to be present. (To be fair, I have many more sites, but 2 will simplify things.)
Defaultsite is your typical IIS default site and has an IIS binding of "*:80:"
I want to access "mysite" via the DNS name but also the public IP address 1.1.1.1. So I've added the appropriate bindings:
":80:1.1.1.1"
":80:mysite.com"
My DNS and load balancer are moving traffic just fine to the IIS server. Everything works fine when hitting the server via "mysite.com" and I get the defaultsite if I try other ways to get to the server.
The problem is when I use 1.1.1.1 to get to the server, I get there, but I'm still sent over to the "defaultsite" rather than "mysite." My IIS logs and the file contents I retrieve verify this behavior.
Any ideas on how to get an IP address set as the host header on a site binding? (Searching for this situation is vexing; since all my key terms are present any time you work with host headers/bindings.)
Remove the binding for *.80 from the default site and make it respond to 10.10.10.10 and then your other site will get picked up when you type the 1.1.1.1 site. IIS is responding to the request but the rule states 'If any site comes through on port 80, respond to the default site'. The DNS name works because you are going by name and the lookup is not there on the default site.
I am trying to log DNS "leaks", in other words the DNS servers used by visitors to my web site.
How does one figure out which DNS server a web request came from to my server (i.e. the getting DNS leaks). This website dnsleaktest.com does it, it knows which DNS server I am coming from? How? It should only be able to know some stats about my browser, and maybe the HTTP referer. How does it know my DNS server?
What is being exploited, used? Or what is the traffic flow from my browser to this server, and where in that flow is dnsleaktest able to get this information?
That's not that easy.
What dnsleaks probably does - they have their own authoritative DNS server, javascript on their websites queries various randomly-generated subdomains of their domain, and on their DNS server they monitor where requests to those randomly-generated subdomains come from.
To do it, you need some domain hosted on your own DNS servers (not servers provided by your registrar or a hosting provider). You need to monitor queries to this server - can be done if you parse your DNS server logs or have your own DNS server software, or if your DNS server provides some API hooks to see the incoming requests. Then you write a script for your sites which queries various subdomains, and tells server-side script on your website which subdomain requests it should monitor. The server-side script in turn talks to the DNS server.
All the above is an unverified guess. I see no other way to do it.