Two IIS servers using same URL

Hi,

Our company has a URL: http://www.vaytek.com

We have two IIS servers that support two different sites

What's the best way to manage requesting and maintaining these with win-acme for instance?

I don't know win-acme all that well but Certify the Web is an easy to use ACME client with IIS

A google search has several suggestions on how to handle that. Certify's own forum is also a good way to interact with their dev team

https://www.google.com/search?q=certify+the+web+two+iis+servers&oq=certify+the+web+two+iis+servers&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIHCAEQABiiBDIHCAIQABiiBDIHCAMQABiiBNIBCDQ3MzhqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8

3 Likes

So you mentioned two different IIS servers, that would mean port 6060 is being forwarded to a different machine internally.

Why not just have files.vaytek.com or some other subdomain instead of mapping different ports?

Did you know that IIS on a single machine can host multiple websites? That way port 80 (for http) and port 443 (for https) only need to be forwarded to one machine, or you can forward specific names to specific machines.

If you do decide you definitely need to use the same name for the two different services (it would be useful to know why) then you would need to decide whether the port 6060 service is going to be http or https.

Yes there is a way to share certs between machines, the most popular method on windows is the Centralized Certificate Store (CCS) feature, where you store your PFX files on a UNC share that both web servers can see, then configure IIS to pick up your websites' certs from that share. Both win-acme and Certify have methods for deploying to CCS shares with the correct file naming conventions etc.

Note though that you can technically request the "same" cert on each machine with the same set of domains, the difficulty there is that http validation requires port 80 so you instead need to use DNS validation on at least one of the machines.

3 Likes

OK - Thinking out loud here.

The simplest thing to do is have an SSL certificate for the main website which is really the only one that is used regularly by the general public. The file server site is used by our support staff to send customers download links - the customers never see the "unlocked" icon next to the URL. Still not ideal for a secure connection.

If I want SSL on both sites the next simplest setup is to have two distinct domain names - no subdomain - then one of the sites can use 443 for https and 80 for http validation and my router can figure that out. The other site would use port 6060 for https and do dns validation in order to request and renew.

Ideally a subdomain solution would be best - is there a way to manage that without adding in the CCS to complicate the setup? Could I set up something similar to two distinct domains with domain.com on IIS-1 and subdomain.domain.com on IIS-2?

A subdomain is definitely easier than using two distinct domains. For reference, www.vaytek.com is just a subdomain of vaytek.com and is just the same as an A record in DNS [or a CNAME to vaytek.com]. So creating an A record in dns for files pointing to the IP address of the file server would give you files.vaytek.com (for example).

The absolute easiest setup is to have both websites on the same IIS server (IIS > right-click Sites > Add Website). Then in your http binding for the website you specify the hostname(s) it will match, that's how IIS knows which site to serve up, but if you want to run 2 different IIS servers that's still fine if you just use a different name for each one.

Conventionally vaytek.com and www.vaytek.com would point to the IP address of your main website server. Then files.vaytek.com can point to the other server (or any name you want to give it).

3 Likes

Thanks for replying - if you haven't noticed I have little experience as a web admin which is why I want to avoid a site migration.

To reflect back on the two server model - the router forwards all requests to the vaytek.com and www.vaytek.com server and if the request is prefixed by the subdomain then IIS can be configured to forward that request to a different server on the LAN. Once I have a subdomain I can test this with http.

Does that mean all the certificate management happens on the main server? Or... do I still need to manage a certificate on the subdomain server?

Yes, if you "reverse proxy" from your main IIS server back to your files server then the main server is the one handling all the https. I haven't used it but I'd guess it's something like this: Setup IIS with URL Rewrite as a reverse proxy for real world apps - Microsoft Community Hub

Regarding routing to the correct server, some web application firewalls can forward conditionally based on the domain name, so you could forward to the correct servers instead of proxying between them.

As an aside, generally you should think twice about hosting publicly accessible websites on your internal office infrastructure unless you've got a professionally set up DMZ/VLAN, as a determined hacker will know more about your OS/web tech than you do and be able to traverse from one of these servers to other points on your network unless they are properly segregated. I noted that some of your website pages are "classic" asp which is tech that dates back almost 30 yrs - this is a red flag in terms of likely security posture for things like SQL injection and directory traversal exploits (unrelated to certificates, but still something to consider).

4 Likes

Thanks again for the reply. I have been trying to get up to speed on IIS and web servers in general over the last few days. One of the things I learned about was the URL Rewrite module in IIS. I used it to force users to HTTPS if they tried HTTP.

I have set up a test server and rented a domain name (very cheap) to explore subdomains and using Let's Encrypt to install SSL certs. I will learn to use URL rewrite to reverse proxy these practice sites (or not - could be over my head) and then approach my customer about either letting me do that or migrate (regarding your aside) to a professionally managed site.

Now I have been trying out reverse proxy - can't even get to the login page on either website yet. But I haven't finished reading.

2 Likes
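The two URL Rewrite uses discussed above (forcing HTTPS, and proxying the files subdomain back to a LAN server) can live in the main server's web.config. This is an added, constructed example, not config from any poster; it assumes the URL Rewrite module plus Application Request Routing (ARR) with its proxy feature enabled, and 10.10.2.30 is the backend address quoted later in the thread.

```xml
<!-- Constructed web.config fragment for the public-facing IIS server.
     Requires URL Rewrite and ARR (Server Proxy Settings > Enable proxy). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- 1. Force HTTPS for visitors, but leave HTTP-01 challenge
             responses on plain HTTP so renewal does not depend on the
             TLS binding being correct. -->
        <rule name="RedirectToHttps" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
            <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>

        <!-- 2. Only requests whose Host header is the files subdomain are
             proxied to the internal file server; www.vaytek.com keeps
             being served by this IIS instance. TLS terminates here, so
             only this machine needs the certificate. -->
        <rule name="ProxyFilesSubdomain" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^files\.vaytek\.com$" />
          </conditions>
          <action type="Rewrite" url="http://10.10.2.30/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The files site's own IIS binding on 10.10.2.30 can then stay plain HTTP on the LAN, and no certificate or validation needs to be managed on that machine.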

I made a run at using IIS as a reverse proxy and got one of the sites working completely and the other working more or less but with performance problems and one piece of important functionality completely failing. I asked about the problem on the vendor's community website and directly to their support group. I was about ready to give up after no response for several days. But I started to explore alternatives and decided to try out nginx.

It is a much simpler configuration to start with in any case, and my preliminary discovery is that both my sites work pretty well and the major problem I was having with the file server has gone away.

I posted this to keep the thread going for another 30 days so I could possibly post the complete solution.

I now need to hook up TLS-Certs and come in over the internet to verify the real world connections and then do a systematic test of all functionality.

4 Likes

If you're looking at other reverse proxies, Caddy is really good and it has automated https (in some cases zero config).

3 Likes

Thanks for checking in.

I have managed to get both my websites functioning well behind nginx. One of them uses web sockets and the vendor had a solid understanding of what nginx needed so all is well. I hooked up a rented domain to demonstrate the speed and correctness of a front end server with https.

Now I know a little bit more than I did a few weeks ago.

4 Likes

I used caddy for a home site that I have a domain for. Very easy to get working with https.

4 Likes

One more thing then I am done. I moved my customer's site from nginx to caddy. I went from about 60 lines of text to less than 20. I had to force http 1.1 and one of the sites was using web sockets and caddy required no additional configuration. One line inside the service block.

reverse_proxy http://10.10.2.30

for instance.

Also adding certificates is beyond easy. I actually added a subdomain to use https on basically a local only website and then used some screening logic to only allow users from the LAN to see it. Got rid of the annoying warnings about unsafe to connect.

2 Likes
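The setup the last post describes (two proxied sites, one backend pinned to HTTP/1.1, and a LAN-only site that still gets a real certificate) as a complete Caddyfile. This is an added, constructed example rather than the poster's actual config; 10.10.2.30 is the address quoted above, while the other backend addresses, the internal.vaytek.com hostname and the 10.10.0.0/16 LAN range are placeholders.

```caddyfile
# Constructed Caddyfile. Caddy obtains and renews the certificate for every
# site block automatically, so no ACME client runs on the backend servers.

# Main site, served over HTTPS with HTTP redirected automatically.
vaytek.com, www.vaytek.com {
    reverse_proxy http://10.10.2.10
}

# File server. WebSocket upgrades pass through with no extra config;
# the upstream is pinned to HTTP/1.1 as the poster had to do.
files.vaytek.com {
    reverse_proxy http://10.10.2.30 {
        transport http {
            versions 1.1
        }
    }
}

# Local-only site with a valid public certificate. The named matcher
# admits LAN clients; everyone else is refused before reaching the app.
internal.vaytek.com {
    @lan remote_ip 10.10.0.0/16
    handle @lan {
        reverse_proxy http://10.10.2.40
    }
    handle {
        respond "Forbidden" 403
    }
}
```

The internal.vaytek.com name must still resolve publicly to the Caddy host, and ports 80/443 must reach it, or the HTTP-01 challenge for that certificate cannot complete; the remote_ip check only restricts who gets past the proxy.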
