August 06, 2002 12:00 AM

IIS Informant: Handling Host Headers on Your Web Site

Windows IT Pro
InstantDoc ID #25936

[Editor's Note: Do you have an IIS-related question? Send it to brett@iisanswers.com and you might see the answer in this column!]

What happens when a server receives a request for a host header-based Web site, but no Web site on the server is defined for that host header?

Host headers are a rock-solid IIS feature. Consequently, if something related to host headers isn't working, a configuration oversight almost certainly caused the problem.

First, let me briefly address the subject of host headers. A Web server configured to require host headers is far more resistant to a script or worm that scans sites by IP address than is an IP-addressable site. If such a script or worm uses an IP address to attempt to contact an IIS server configured with Web sites that all require host headers, the malicious software fails to connect to any of the server's Web sites. You can use host headers on your Web sites to insulate your servers from attacks such as CodeRed and Nimda, even if host headers aren't required. However, keep the following information in mind.

If an IIS server has a Web site with a host header that exactly matches the request's host header field, that Web site responds to the client request. However, if no Web site has a host header that matches the request's host header field, the first Web site that can respond to the IP address in the client request responds. If you configure all of a Web server's Web sites to use host headers, none respond to an IP address-only request. The server returns the message "No Web site is configured at this address."

An intruder who receives the message "No Web site is configured at this address" would be hard pressed to determine the host header required to access any of the Web sites on the server. (Although discovering the IP address of a Web site if you know the DNS name is easy, finding the DNS name of a Web site through its IP address is quite another matter.)

Figure 1 shows a common misconfiguration. If the Web site is configured as Figure 1 shows, the site responds to the IP address, not the host name. Consequently, the host header entry is ineffective. You would never want this configuration, but because the default entry has the IP address only, people often click Add to add the host header entry without removing the IP address-based entry. To correct this situation, inspect your Advanced Multiple Identities window for all your Web sites and make sure that none are configured with an additional entry that doesn't list a host header.
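The matching rules and the misconfiguration check described above can be modeled in a few lines. The following Python sketch is an added example, not code from the column or from IIS: it is a simplified model that assumes bindings are written as `IP:Port:HostHeader` strings and that "first" means list order, and every site name, address and host name in it is constructed sample data.

```python
# Added example: a simplified model of the binding-selection rules in the
# article. Bindings are "IP:Port:HostHeader" strings; all site names,
# addresses and host names below are constructed sample data.
from typing import NamedTuple, Optional

NO_SITE = "No Web site is configured at this address"

class Binding(NamedTuple):
    site: str
    ip: str      # "" is treated as "any address" (simplification)
    port: int
    host: str    # "" means the entry lists no host header

def parse(site: str, spec: str) -> Binding:
    ip, port, host = spec.split(":", 2)
    return Binding(site, ip, int(port), host.lower())

def resolve(bindings, ip: str, port: int, host: Optional[str]) -> str:
    """Return the site that answers, following the article's two rules."""
    host = (host or "").split(":")[0].lower()    # drop any :port suffix
    on_addr = [b for b in bindings if b.port == port and b.ip in (ip, "")]
    for b in on_addr:                  # rule 1: exact host header match
        if host and b.host == host:
            return b.site
    for b in on_addr:                  # rule 2: first entry with no host header
        if not b.host:
            return b.site
    return NO_SITE

def audit(bindings):
    """List entries that let a site answer requests made by IP address only."""
    return [b for b in bindings if not b.host]

SAMPLE = {
    "intranet": ["192.0.2.10:80:intranet.example.test"],
    # Misconfiguration from the article: default IP-only entry left in place.
    "shop": ["192.0.2.10:80:", "192.0.2.10:80:shop.example.test"],
}
BINDINGS = [parse(s, spec) for s, specs in SAMPLE.items() for spec in specs]
FIXED = [b for b in BINDINGS if b.host]    # after removing the IP-only entry

if __name__ == "__main__":
    for label, cfg in (("as configured", BINDINGS), ("after fix", FIXED)):
        print(label, "->", resolve(cfg, "192.0.2.10", 80, "192.0.2.10"))
    for b in audit(BINDINGS):
        print("IP-only entry:", b.site, f"{b.ip}:{b.port}")
```

Running `audit` over an export of every site's bindings flags the leftover IP-only entries that the Advanced Multiple Identities inspection is meant to catch.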

Comments
  • Brett Hill
    10 years ago
    Oct 09, 2002

    Author response: You have to use an IP address for each one. That is part of the deal with SSL. Host headers are part of the encrypted packet so they cannot be used with SSL.

    -Brett

  • Art Segura
    10 years ago
    Sep 25, 2002

    How can I use SSL to secure multiple web sites on one server that uses host headers with one IP address? (or do I have to have an IP address for each web site to use SSL for each one?)

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.