Tag: IIS

IIS, AWS ELB and SSL – Why can’t we all just get along?

I recently found myself in the position of having to set up an AWS Elastic Load Balancer (ELB) in front of our EC2 instance that is running Windows Server 2012 R2. This means the server is running IIS v8.5. Normally this would not be a problem, except that we wanted to run SSL on the load balanced site and continue to force non-SSL traffic to use the SSL version.

Normally this is a no-brainer, and there are plenty of example URL Rewrites out there on the Interwebs that will handle this, but the challenge comes if you want Health Checks in ELB to work properly against a REAL LIVE web page. ELB will send an HTTP GET request to any page I wanted on the site. I found numerous examples that purported to resolve the problem, but none of them seemed to do the job, or they redirected the ELB health check, or they just flat out 5xx errored out.

So, in order to resolve this problem I crafted the following workaround:

  1. Create a site in IIS that does nothing but redirect traffic (permanent or 301) around to the target url. The web.config (only file in the site) is as follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <!-- httpResponseStatus="Permanent" sends a 301; without it IIS answers 302 Found -->
        <!-- exactDestination="false" appends the requested path to the destination -->
        <httpRedirect enabled="true" destination="https://TARGETSITE.com" exactDestination="false" httpResponseStatus="Permanent" />
      </system.webServer>
      <system.web>
        <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite"> </customErrors>
      </system.web>
    </configuration>
  2. Set the bindings for this site to accept only traffic for the following:
    1. http traffic with a Host Name of www.TARGETSITE.com with a port of 80 and the IP address (the inside/private address) for this server
    2. http traffic with no Host Name and a port of 88 and the IP address of this server (the inside/private address)
  3. Ensure that Windows Firewall (if you are using it) will accept TCP traffic on port 88
  4. Add an exception for port 88 to your Security Group that this server uses, allowing traffic from anywhere
  5. Configure your ELB instance with the following listeners:
    1. HTTPS for LB protocol, 443 for LB port, HTTP for instance protocol, 80 for instance port and the SSL certificate for TARGETSITE.com
    2. HTTP for LB protocol, 80 for LB port, HTTP for instance protocol, 88 for instance port and N/A for Cipher and SSL
  6. Configure your ELB instance so that the Health Check uses an HTTP request to port 80 to the page ( /default.aspx ) of your choice.
  7. Configure bindings on your TARGETSITE.com site in IIS so that it accepts HTTP traffic on port 80.

That should about do it. I’ll assume that you’ve already gotten your SSL certificate installed on your ELB instance.

Caveats – Test this out first in a non-live environment as your results may vary. Also, the redirect site is NOT being load balanced at this point so you won’t have any failover capability unless you set up an ELB just for this purpose. Not a bad idea really…
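The layout above can be smoke-tested before go-live. The following is an added example, not code from the original post: it checks that the health-check page answers a plain 200 and that the redirect site only ever returns a 301 to the HTTPS address with the requested path kept. The function names and the loopback stub standing in for the two IIS sites are assumptions made for illustration; TARGETSITE.com is the post's own placeholder.

```python
import http.client, http.server, threading

TARGET = "https://TARGETSITE.com"  # the post's placeholder destination

def probe(host, port, path, host_header=None):
    """One plain-HTTP GET, redirects not followed; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header} if host_header else {})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def health_ok(host, port=80, path="/default.aspx"):
    """The health-check page must answer a plain 200, not a redirect or a 5xx."""
    return probe(host, port, path)[0] == 200

def redirect_ok(host, port=88, path="/some/page", host_header=None):
    """The redirect site must answer 301 to the HTTPS site with the path kept."""
    status, location = probe(host, port, path, host_header)
    return status == 301 and (location or "").lower() == (TARGET + path).lower()

class _Stub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the two IIS sites, so the checks run offline."""
    redirecting = False
    def do_GET(self):
        if self.redirecting:
            self.send_response(301)
            self.send_header("Location", TARGET + self.path)
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo output quiet

def start_stub(redirecting):
    """Serve the stub on a free loopback port and return that port."""
    handler = type("Stub", (_Stub,), {"redirecting": redirecting})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]

if __name__ == "__main__":
    site, redir = start_stub(False), start_stub(True)
    print("health check sees 200:", health_ok("127.0.0.1", site))
    print("redirect site answers 301:", redirect_ok("127.0.0.1", redir))
```

Against a real instance, call `health_ok` and `redirect_ok` with the server's private IP address instead of the stub ports; passing `port=80, host_header="www.TARGETSITE.com"` to `redirect_ok` exercises the host-name binding from step 2.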

IIS7 and 530 User cannot log in, home directory inaccessible

Like many others (as evidenced by the various posts and searches on this topic), I do this infrequently enough that it has come up and bitten me in the a** too many times, so hopefully by memorializing my idiocy in blog post form, I will NOT forget this lesson I learned when managing FTP users in IIS7.

If you are an experienced IIS manager (6.x and better) you are most likely to get caught by this. You’ve probably done all the normal steps (added users to Windows, added to correct group, given write access to the correct folder) and yet nothing seems to work for you on this new user… Well, if you’ve logged in using the correct username and password and still get the dreaded “530 User cannot log in, home directory inaccessible” message, then this should resolve your problem.

If you go to the virtual directory you are looking to allow access to in IIS, make sure that you go into the “FTP Authorization” and create a rule for this user.

IIS 7.5 on x64 with 32bit applications

I recently upgraded my development laptop from Vista (with a failing hard drive) to Windows 7 with a smoking fast Hitachi 500Gb 7200k drive. I’ve been totally stoked with the performance increase (especially boot speeds) so far.

I’ve been working through a number of issues getting IIS and Visual Studio playing nice together when I ran into a couple of problems that I didn’t find resolutions for easily online, so I figured I should blog them out.
