nginx and IIS - dealing with invalid hostname and SSL


Setup

Client <=(HTTPS)=> Nginx load balancer <=(HTTPS)=> IIS 8

(I know some people would ask why to use SSL between the nginx and the IIS, but this is not the topic of my question here.)

Error case

A spamming/scanning client connects with SSL with an invalid hostname, e.g. the hostname specified by the client contains a star (*). This makes the IIS close the connection during the handshake and Nginx then takes this as the IIS being down.

When all IIS servers are then marked down, the next request gets a "Bad gateway" from nginx. This allows clients to falsely make nginx think the IIS is down.

How to fix?

How would one fix this?

  • Is it possible to deny requests in the nginx config with invalid hostnames based on looking at the characters?
  • Or is it possible to make the IIS behave differently in these cases? The IIS already has a catch-all SSL binding which just returns a 403 Forbidden, but this is not hit in the explained case.
  • Or do I have to list all allowed hostnames specifically in the nginx configuration?
Answer from itpp13:

Something like this:

http {
    .....
    # $blockit becomes 1 when the mapped value contains a literal "*."
    # (matched case-insensitively by the ~* regex), otherwise 0.
    # $request_uri holds the path and query string; key the same map on
    # $host or $ssl_server_name to test the hostname instead.
    map $request_uri $blockit {
        default              0;
        ~*\*\.               1;
    }
    .....
    server {
        .....
        location / {
            if ($blockit) { return 403; }
            .....
        }
    }
}
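 
As an added example (not from the question or the answer above), the following Python models the two nginx-side checks the question asks about, applied to the hostname rather than the URI: a character-level test of RFC 1123 label syntax that rejects names such as `*` or `*.example.com` before any backend is contacted, and an explicit allow-list that is also rendered as an nginx `map` keyed on the real nginx variable `$ssl_server_name`. The allow-list entries are constructed sample names, not hosts from the page.

```python
import re

# RFC 1123 label: 1-63 chars of letters, digits and hyphen, no leading or
# trailing hyphen. A "*" or any other character fails the class outright.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed allow-list standing in for the site bindings on the IIS side.
ALLOWED_HOSTS = {"www.example.com", "api.example.com"}


def is_syntactically_valid(host: str) -> bool:
    """Character-level check (the question's first option): every label must
    match _LABEL and the whole name must be at most 253 characters."""
    if not host or len(host) > 253:
        return False
    name = host[:-1] if host.endswith(".") else host  # tolerate trailing dot
    return all(_LABEL.match(label) for label in name.split("."))


def is_allowed(host: str, allow=ALLOWED_HOSTS) -> bool:
    """Allow-list check (the question's third option): syntactically valid
    and explicitly listed, compared case-insensitively like nginx's map."""
    return is_syntactically_valid(host) and host.rstrip(".").lower() in allow


def decide(host: str) -> int:
    """Status nginx should answer with before touching a backend: 403 for a
    malformed or unknown hostname, 0 meaning 'proxy the request'."""
    return 0 if is_allowed(host) else 403


def render_nginx_map(allow=ALLOWED_HOSTS) -> str:
    """Emit an nginx map equivalent to is_allowed(): $blockit is 1 unless the
    SNI name is on the allow-list. Pair it with 'if ($blockit) { return 403; }'
    exactly as in the answer above (hypothetical helper, not nginx's own)."""
    lines = ["map $ssl_server_name $blockit {", "    default 1;"]
    lines += [f"    {h} 0;" for h in sorted(allow)]
    lines.append("}")
    return "\n".join(lines)
```

Scanner-style SNI values such as `*` or `*.example.com` fail the character check and never reach the upstream, so they can no longer trip nginx's passive health check for the IIS servers.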