Configure two different IP addresses for http and https

Joe Coppola

Hi all,

I am trying to configure the DNS for my internal network. Basically I want
all http traffic (port 80) to route to IP address 10.12.22.5 and I want all
https traffic (port 443) to route to 10.12.22.6. I thought I could just set
up SRV records for 443 but it's not working, maybe I am doing something
wrong.

Any ideas?

Thanks,
Joe
 
Joe Coppola said:
Hi all,

I am trying to configure the DNS for my internal network.
Basically I want all http traffic (port 80) to route to
IP address 10.12.22.5 and I want all https traffic (port
443) to route to 10.12.22.6. I thought I could just set
up SRV records for 443 but it's not working, maybe I am
doing something wrong.

IE won't query for SRV records, you'll have to give the records different
names or they'll get published using round robin.
 
Joe Coppola said:
Hi all,

I am trying to configure the DNS for my internal network. Basically I want
all http traffic (port 80) to route to IP address 10.12.22.5 and I want all
https traffic (port 443) to route to 10.12.22.6. I thought I could just set
up SRV records for 443 but it's not working, maybe I am doing something
wrong.

Very few clients support server records to discover services;
HTTP and most of the traditional "Internet" protocols do not.

You cannot distinguish the same website name for different
purposes (services) this way.

You can certainly put a reference page or even an ISAPI filter
on the HTTP server so that it refers the clients to another
address/name however.

Is the HTTPS expected to run on a different machine?
(What is the actual purpose of your wishing to do this?)

Maybe we can help with your real goal....
 
Thanks for the info.

Basically, it kinda works like this. My regular port 80 site is a test
site. However, my 443 site does some live transaction processing.

So when someone hits the 443 site they need to be able to access the
transaction server, whereas everyone else just sees the normal 80 site.

I guess another question would be, how do you configure multiple websites on
an IIS server (probably not related to this group)
 
Joe Coppola said:
Thanks for the info.

Basically, it kinda works like this. My regular port 80 site is a test
site. However, my 443 site does some live transaction processing.

So when someone hits the 443 site they need to be able to access the
transaction server, whereas everyone else just sees the normal 80 site.

That should be doable in the web server and/or on the pages.

At worst you could do it with an ISAPI filter but that is non-trivial
(not to "write" one but to write a reliable and secure filter.)

You could also just move the "TEST" site to a different
port or different name (with or without changing the address.)

I guess another question would be, how do you configure multiple websites on
an IIS server (probably not related to this group)

Right click on the server HTTP and define the new site by one (or more) of:

1) IP address
2) Host header
3) Port

Add the content directories you defined in the new site properties.

It's pretty much the same as defining the first site except
the "default/first" site gets all undefined requests in most
cases and the other defined sites get only matching requests.
 
Joe Coppola said:
Thanks for the info.

Basically, it kinda works like this. My regular port 80
site is a test site. However, my 443 site does some live
transaction processing.

So when someone hits the 443 site they need to be able to
access the transaction server, whereas everyone else
just sees the normal 80 site.

I guess another question would be, how do you configure
multiple websites on an IIS server (probably not related
to this group)

It sorta is related to this group, you can put multiple websites in IIS on
one IP address, but you can only have one secure site on that same IP
address. Secure sites will ignore the host header, but if the name you
access the secure site by does not match the name of the certificate, users
will receive a warning that the certificate does not match.
Is all the content in the same virtual website?
Just mark the directory or page that SSL is required on the page or
directory, then make all links to the page or directory include https://
instead of just a relative link, if someone tries to hit the page without
the https they will get a page that says SSL required. This can be done all
in one website on one IP address. Usually though, you would make the secure
pages in its own website with a different name and IP address.

But from what I gather there are two different sites, correct?
It is possible to have the both sites on one IP address, so long as only one
is on port 443. You must give the main site without SSL a host header, such
as www.example.com (whatever the name you access the site by) but do not give
the second site a host header on port 80 and set it to require SSL. That way
if someone tries to access by IP without https they only get the SSL
required page. The SSL site can still be known as www.example.com but it
must be accessed by https://www.example.com, and the SSL certificate must be
named www.example.com.
 
Ok, but how do I handle this.

The SSL site is on a different server 10.12.22.6 and the non-ssl Site is on
Server 10.12.22.5

So the problem is I need to resolve it differently depending on port.

Joe
 
Thanks for the info.

Basically, it kinda works like this. My regular port 80 site is a test
site. However, my 443 site does some live transaction processing.

So when someone hits the 443 site they need to be able to access the
transaction server, whereas everyone else just sees the normal 80 site.

I guess another question would be, how do you configure multiple websites on
an IIS server (probably not related to this group)

It's not, and there is an IIS group. You can't control this with DNS,
but fortunately, with two sites answering on one IP address on the
same physical system, you don't need to. The HTTPS protocol is
directed to the SSL site, and the HTTP protocol to the non-SSL site
automatically. The sites may be same IP, but they only respond on
their respective ports.

Jeff
 
Your other option is to pick up a hardware load balancer and utilize a VIP
for your web interfaces. Then simply build out the https traffic to route
to whatever server you like. There are a ton of products that do this
(including a simple NAT/PAT device if you don't want a lot of inspection
into the traffic). You could do this with any device that will do port
redirects. They just point the DNS to the VIP and you are done. Nothing
the software has to do at all.

Regards,
Ed
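
The port-redirect approach described in the reply above, as an added example (not code from the thread or from any load-balancer product): DNS carries one address for the name, and the device behind that address picks the backend by destination port. The function names `start_forwarder` and `start_vip` are hypothetical; the backend addresses are the two from the original question, and the VIP address is whatever the caller passes in.

```python
import socket
import threading

# Destination port -> backend, using the two servers named in the thread.
ROUTES = {80: ("10.12.22.5", 80), 443: ("10.12.22.6", 443)}

def _pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the receiving side."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _relay(client, backend):
    """Layer-4 relay: TLS bytes pass through untouched, so the certificate
    the browser checks is still the one presented by the backend."""
    try:
        upstream = socket.create_connection(backend, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
    back.start()
    _pipe(client, upstream)
    back.join()
    client.close()
    upstream.close()

def start_forwarder(listen_addr, backend):
    """Accept on listen_addr and relay each TCP connection to backend.
    Returns the bound (host, port)."""
    srv = socket.create_server(listen_addr)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_relay, args=(conn, backend), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

def start_vip(vip_host, routes=ROUTES):
    """One listener per port on the VIP (binding ports below 1024 needs privileges)."""
    return {port: start_forwarder((vip_host, port), be) for port, be in routes.items()}
```

Because the relay opens its own connection to the backend, each backend logs the forwarder's address as the client, which matters for the transaction server's audit trail and any IP-based access rules.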
 
Joe Coppola said:
Ok, but how do I handle this.

The SSL site is on a different server 10.12.22.6 and the
non-ssl Site is on Server 10.12.22.5

So the problem is I need to resolve it differently
depending on port.

Is there going to be access internally or is this going to be externally accessed
and NATed to the correct machine?
For the external users I don't think it is a problem, just NAT incoming
requests on port 443 to the correct machine, internally it is another story
and I don't think it can be done, at least if you access both sites by the
same name.
 
JC> I am trying to configure the DNS for my internal network.

No, you aren't.

JC> Basically I want all http traffic (port 80) to route to
JC> IP address 10.12.22.5 and I want all https traffic (port 443)
JC> to route to 10.12.22.6.

This is nothing to do with DNS. This is an IP routing issue, and is
addressed by configuring your IP routing.

Is setting up interception proxy HTTP and HTTPS servers *really* what
you are trying to do ? If so, be aware that interception proxy HTTP(S)
servers are widely regarded to be a menace, and you won't find many
people willing to help you to set up yet another such menace for free.
If not, why not tell us what your *actual* goal is ?
 