How do I found the external URL for a site in IIS 8.5 that doesn't list a host name in the bindings?
I've got a client who has given me access to their web server and asked me to find the URL for their live and test sites. The live site is called Default Web Site in IIS. It has two site bindings: one for port 80, one for 443; neither have a host name. The one for 443 has a security certificate that mentions the URL www.companyname.com. If I go to that URL from my computer, I can get to it fine. The problem is the test site. It's set up in IIS as a site called Test with two bindings: one for port 8080, one for port 8081. The binding for port 8081 has the same security certificate as the live site. Of course, that URL takes me to the live site. How do I find the URL for the test site?
Here's what I'm seeing in IIS for the test site:
Figured it out through trial and error. The main site uses the URL in the security certificate: www.companyname.com. The test site uses the same URL with the port specified in IIS: www.companyname.com:8081.
There's really no 'correct' answer, as the server in question could have multiple network interfaces, each with it's own IP address and thus URL.
Not only that, the IP address could go through a firewall that does a selective forward of the packets. In other words, the firewall "is" www.companyname.com, not your server. If a request for port 80 or 443 hits the firewall, it forwards it to server1. If a request for 8080 or 8081 hits the firewall, it forwards to server2.
Now, you mention:
Of course, that URL takes me to the live site
Does it? My guess is, you don't have a firewall, and the cert is used simply for an HTTPS certificate, but if you hit www.companyname.com:8081 you're hitting your test site; this is, of course, assuming the test site is identical to the live site. If it is not, then there's really no good way to find out the IP. You'll need to do some sleuthing at the hardware level on the server and determine what IP ranges it has, and how the hosting facility maps external IP's to those ranges. That's not hard, but it varies dramatically from site to site.
On a cloud provider, you look at the virtual networking. On a co-location site, you check with the local infrastructure. On a cable modem, you check the firewall, etc.
Thanks. How do I look for an external IP address?
The easiest way is to do a tracert from the server to say 8.8.8.8.
You then look for an IP address that isn't in the private IP ranges. (wherever this server his hosted almost certainly uses private IP ranges in it's internal system.)
The easiest way is https://www.whatismyip.com/
Most cloud centers now will do this to you:
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
More than twenty years ago, most Unix systems had a bug with malformed PING's, that could crash the O/S. Windows itself had a problem SENDING the malformed PING, but not receiving. (it's not a security problem if you're suicidal). As a result, everyone has this general idea that "pings are bad". (You can use PINGS to conduct a denial of service attack). So many, many hosts will block PING's. I'm not convinced with any modern O/S that's patched that there's a problem, and pings can be an important diagnostic tool.
If you're on such a cloud, 'whatismyip' is about the only way to go, and even that's not guaranteed.
Related
I'm trying for the first time to connect my local server (Synology) through NGINX and Cloudflare so I can access it through my own domain name. I have the proxy host all set up pointing to my local IP address with the port and I have an SSL encryption using Let's Encrypt. The site gives me either a timed out error or unreachable, however one time somehow the site took my to ASUS aicloud which is through my ASUS ac68u router but I was not even pointing NGINX to that.
using cloudflare diagnostic center site it syas the request failed because the web server did not respond.
I'm not sure whether my router is blocking Cloudflare or if there is any other issue going on, would appreciate any help with the matter!
So my IIS7 server was hosting an ASP.Net web site with domain xxx-xxx.com with IP yyy.yyy.yyy.yyy.
Few days ago, I changed my ISP, which in result, changed my IP address to zzz.zzz.zzz.zzz.
Obviously the web site is down at the moment.
ping xxx-xxx.com
Results into:
Pinging xxx-xxx.com [yyy.yyy.yyy.yyy] with 32 bytes of data:
Request timed out.
Reply from yyy.yyy.yyy.yyy: Destination host unreachable.
Request timed out.
Reply from yyy.yyy.yyy.yyy: Destination host unreachable.
Ping statistics for yyy.yyy.yyy.yyy:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss)
As seen above, domain name xxx-xxx.com is still assigned to my old IP address yyy.yyy.yyy.yyy xxx-xxx.com.
According to my friend, and excuse me my ignorance and lacking experience, there's a really simple step I must take in IIS7 in order to get the web site back online, however, I'm not entirely sure how. I tried editing bindings and setting IP address, however that does not work, neither did netsh iplisten add work.
Furthermore, correct me if I'm wrong, but do I need to go to the place domain name was bought from and change assigned IP address?
Here's the command
netsh http add iplisten ipaddress=xxx.xxx.xxx.xxx
It is necessary to restart IIS7 for the change to take affect.
I have successfully setup IIS on my local development machine (dev branch - setup as localdev.me) but when I went to setup another branch (hotfix - setup as localhotfix.me) I am running into issues. The issues are due to the way the site is setup. The subdomain of the url is used to determine which Database to connect to. So going to host.localdev.me will connect to the host database. So in IIS I have the following settings for the bindings of the site.
Type Host Name Port IP Address
http localdev.me 80 *
http *.localdev.me 80 *
I can ping localdev.me with any subdomain and I get the loopback address as expected. When I then setup the hotfix branch (exactly the same as the dev but with the following bindings) I get name not resolved errors.
Type Host Name Port IP Address
http localhotfix.me 80 *
http *.localhotfix.me 80 *
Is there a reason the first setup would work and not the second? What is perhaps even stranger if I tell IIS to stop I can still ping subdomains on localdev.me and get the loopback address.
I could always get it working by manually specifying the host name in my windows hosts file but I would rather not do that as I would need to go in and edit the file every time we add a new subdomain.
EDIT: These are the specific errors I am getting.
ping localhotfix.me
Ping request could not find host localhotfix.me. Please check the name and try again.
EDIT2: I have a solution that works fairly well. It requires Acrylic DNS and installation of the Microsoft Loopback Adapter. I set the loopback adapter to a valid IP Address and set the DNS server to 127.0.0.1 then edit the AcrylicHosts file to contain entries for each domain with a wildcard. Once I did all of this I was able to ping localhotfix.me along with *.localhotfix.me. I believe the reason localdev.me worked is because it is a valid domain. The name would resolve at which point I believe IIS was able to take over. But thats really just an educated guess. But kindof makes sense as to why it worked for one and not the other.
The reason *.localdev.me works without a hosts file is because the public DNS for that domain resolves to 127.0.0.1 as long as it is not localdev.me or www.localdev.me. You can check this using nslookup *.localdev.me (replace the asterisk with anything except www) while your hosts file is empty. On the other hand, *.localhotfix.me is not registered in public DNS at all, which is why you'd need a hosts file entry for those.
On Friday I hosted a WordPress site on my micro instance - I installed LAMP stack, and WordPress on it.
Instance state is Running, but when I try to access website with public domain given in console, it says
web page Not available
I have set an Outbound rule to allow everyone and Inbound rule for my IP address only.
This is about accessing website from outside world, but when I try to connect to my instance with JAVA Interface, MindTerm Web SSH, it says
Network connection timeout error
Can't figure out anything, Just started working on AWS.
I think you have confused the Outbound and Inbound rules - Outbound means traffic going out from the server, while Inbound means traffic from the internet to the server.
As you say, you added an Inbound rule for your IP address only, and you can access the website from you IP only, just like you requested.
Add an Inbound rule for port 80 for0.0.0.0/0, and you should be able to access the site from other locations as well.
If you need to open it to HTTP and SSH, open it for both for 0.0.0.0/0:
Please verify your settings and permission based on this :
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
You might also want to check your firewall, in case that is blocking the access..
We're currently trying to set up a HTTPS with multiple certificates. We've had some limited success but we're getting some results I can't make any sense of...
Basically we have two servers on our NLB (10.0.51.51 and 10.0.51.52) and two IPs assigned to our NLB (10.0.51.2 and 10.0.51.4) and we have IIS listening on both of these IPs with a different wildcard certificates (To avoid giving out public IP's let's say A:443 routes to 10.0.51.2:443 and B:443 routes to 10.0.51.4:443). We also have a Cisco router using port address translation to route port 443 from two external IP's to these internal NLB IPs.
The weird thing is, this works if we request A:443 or B:443, but if you go internally on 10.0.51.51:443, 10.0.51.52:443, 10.0.51.2:443 or 10.0.51.4:443 you ALWAYS get the same SSL cert. This cert was in the past assigned to *:443 but we've made sure there's no * bindings anymore defined in IIS.
When i run "netsh http show sslcert" after trimming out all the irrelevant stuff I get:
IP:port : 0.0.0.0:443
Certificate Hash : <Removed: Cert 1>
IP:port : 10.0.51.2:446
Certificate Hash : <Removed: Cert 3 - Another site>
IP:port : 10.0.51.3:446
Certificate Hash : <Removed: Cert 3 - Another site>
IP:port : 10.0.51.4:443
Certificate Hash : <Removed: Cert 2>
Which tells me that the * binding is still in there, which is a bit weird, but I can't see why that would prevent the other from working (Or even more more strangely why the request through the router would work).
It's got me wondering whether it's actually treating the requests as the machine's IP rather than the NLB IP, but unfortunately our dev environment is only a single server which sorta reduces the amount of trial/error I can take to this (Since all I can test on is a live environment) without convincing management to buy more servers for the test environment - which is something I'm trying.
Does anyone have any idea:
Why there's a difference between internal and through the router?
Why the internal request is getting the wrong cert?
How I can remedy this so that we get the same behavior on both sides?
I ended up tracking the problem down. Leaving this as a hint for anyone else who falls in the same trap...
The problem was caused by us using a shared configuration model on our IIS servers. When setting up a HTTPS binding this appears to only actually bind it on the box you're managing it on (Leaving the other completely unbound). Since our * binding still existed it was catching it on the server we didn't do through the UI and just let pick up the shared config.
Crazy bad luck with single-affinity NLB sent us down the garden path after the router being the cause by making our internal requests go to one server and our external requests to another.
We ended up finding this by running "netsh http show sslcert > certs.txt" on both servers and diff'ing the outputs.
Going forwards our plan is to no longer use the IIS UI for SSL configuration instead following the steps below:
Install the certificates on each server.
Run a command-line binding of the SSL port "netsh http add sslcert ipport=?:? certhash=? appid=?" (ip:port is easy to work out, certhash can be copied from the "certificate hash" section of the server certificates page, appid can be copied from an existing IIS binding on the netsh http add sslcert)
Edit the IIS ApplicationHost.config file directly to add the bindings without the UI being involved.
Our understanding is this will prevent a repeat of this error.