IIS Question



  • In IIS 6 I have a website only accessible over https, and I'm using a host header for the domain name. Works fine, except I would like to prevent access to the site if the user just types in the IP. With the other sites running on IIS (non ssl) this works fine and I get the expected "bad request", but with https and the IP I just get a cert warning and then it goes to the site. Shouldn't the host header prevent this too for https?



  • The host header allows you to run multiple web sites all listening on the same port.  If you have multiple sites all with a host header value, IIS will return Bad Request if it can't tell which site you wanted.  I guess you only have one https site running, so it doesn't need to use the host header to tell which site is wanted.

    Why do you want to stop requests that use the IP address?



  • @chebrock said:

    In IIS 6 I have a website only accessible over https, and I'm using a host header for the domain name. Works fine, except I would like to prevent access to the site if the user just types in the IP. With the other sites running on IIS (non ssl) this works fine and I get the expected "bad request", but with https and the IP I just get a cert warning and then it goes to the site. Shouldn't the host header prevent this too for https?

     

    Could you create an additional website on your server, for the same IP, and have your primary website set to only respond the hostname(s) you want, and the additional website respond for everything else?  On your secondary website, you can re-direct somewhere or display an error message page or do whatever you want when someone directly types in an IP.



  • Thanks both for you reply. I havent tested it but if I understand you correctly, you're saying that having a single site with a hostheader will resolve to the IP but if you have multiple sites it wont?

    I ended up just checking the url and redirecting if it wasn't the domain name.


Log in to reply