IIS Bindings
Introduction
A binding is an attribute of a website that uniquely identifies it. It consists of a combination of IP address, Port and Hostname.
In short: Binding = IP + Port + Hostname
Confusion
So if it's that simple, where and when does the confusion arise? Consider a situation where multiple websites are hosted on one IIS machine. When a request reaches this web server, how does it decide which website the request should go to? This is where knowledge of Bindings is useful. For two or more websites to run successfully on IIS, their Bindings have to be unique. That means at least one of the attributes (IP, Port or Hostname) has to be different.
HTTP
The default port that HTTP requests use is port 80.
Consider an example where website A has the following Binding.
IP: 10.10.10.1 Port:80 Hostname: contosso.com
If another website, website B, has to be hosted on the same server, at least one of the above attributes has to be different.
So, website B can have any one of the following Bindings.
- IP: 10.10.10.1 Port:80 Hostname: Test.com
- IP: 10.10.10.1 Port:8080 Hostname: Contosso.com
- IP: 20.20.20.2 Port:80 Hostname: Contosso.com
Option 1 is feasible, scalable and the easiest to manage. Since port 80 is the default port of the HTTP protocol, a website listening on any port other than 80 requires the user to specify the port in the browser, which becomes a little tedious. Ideally, each website is accessed using its Hostname, so having a different Hostname rather than a different Port makes more sense. This way, you can host multiple websites without any difficulty.
Option 2 is generally used when website B is the backup for website A. Website A usually contains the latest code release and website B contains the last working code. If, for some reason, website A goes down, the administrator can immediately stop website A, modify the port number of website B and get the last working code up and running.
Option 3 is used if you have an additional IP address added to the machine.
HTTPS - Windows Server 2008 R2
The default port for HTTPS requests is port 443. Requests to websites running over HTTPS are routed a little differently. As discussed earlier, two websites with HTTP bindings are told apart by the combination of IP, Port and Hostname. Two or more websites with HTTPS bindings, however, can be told apart by the combination of IP and Port only. This is because only the IP and Port details are available during the SSL handshake; the hostname travels in the HTTP Host header, which the server can read only after the handshake has completed. Hence, the hostname does not play any part in determining the website that the request should go to.
If you observe the Bindings section while adding an HTTPS binding, the Hostname section will be greyed out.
Consider an example where website A has the following Binding.
IP: 10.10.10.1 Port:443
If another website, website B, has to be hosted on the same server, at least one of the above attributes has to be different.
So, website B can have either of the following Bindings.
- IP: 20.20.20.2 Port:443
- IP: 10.10.10.1 Port:445
Option 1 is used if you have an additional IP address added to the machine. This is the most feasible option for HTTPS websites on a Windows Server 2008 R2 machine.
Option 2 can be used but is not practical, since it uses a port number other than the default HTTPS port (443). The disadvantage is that users will have to specify the port number in the URL of the website that they intend to access. Example: https://www.contosso.com:445
Special case of using wildcard certificates - Windows Server 2008 R2
Consider an example where website A has the following Binding - IP: 10.10.10.1 Port: 443 and is supposed to be accessed using the Hostname: website1.contosso.com
If another website, website B, has to be hosted on the same server with the Hostname: website2.contosso.com, then we can assign the same IP and Port combination to both websites in the IIS manager.
But two websites running with the same IP and Port combination will result in a conflict. So, in order to uniquely identify the websites and make sure that each request reaches the correct website, the "Bindings" section of each site under the "sites" section in the applicationHost.config file has to be modified in the following manner.
For website A,
<binding protocol="https" bindingInformation="10.10.10.1:443:website1.contosso.com" />
For website B,
<binding protocol="https" bindingInformation="10.10.10.1:443:website2.contosso.com" />
HTTPS - Windows Server 2012 R2
The major disadvantage of a Windows Server 2008 R2 machine was scalability. Hosting multiple websites required administrators to configure multiple IP addresses on the machine or to have users access the website on an unconventional port.
To rectify this problem, a very important feature called "Server Name Indication (SNI)" was introduced.
SNI allows HTTPS websites to use all three attributes of a binding (IP, Port and Hostname) to uniquely identify themselves, just as HTTP-based websites do. Most of the new browsers support the SNI feature. You can refer to this blog for more information on SNI and how it can be configured.
Summary
HTTP = IP + Port + hostname
HTTPS [Windows Server 2008 R2] = IP + Port
HTTPS [Windows Server 2012 R2] = IP + Port + Hostname
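The rules above can be checked against a copy of applicationHost.config. The following is an added example, not code from the original post: it flags sites that claim the same IP + Port + Hostname, and non-SNI HTTPS sites that share an IP + Port and therefore share one certificate (the wildcard case). The sample config is constructed, the function names are the example's own, and it assumes that sslFlags="1" marks an SNI binding, as IIS 8 and later write it.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of the <sites> section of applicationHost.config.
SAMPLE = """<sites>
  <site name="A"><bindings>
    <binding protocol="http" bindingInformation="10.10.10.1:80:contosso.com" />
    <binding protocol="https" bindingInformation="10.10.10.1:443:website1.contosso.com" />
  </bindings></site>
  <site name="B"><bindings>
    <binding protocol="http" bindingInformation="10.10.10.1:80:Contosso.com" />
    <binding protocol="https" bindingInformation="10.10.10.1:443:website2.contosso.com" />
  </bindings></site>
  <site name="C"><bindings>
    <binding protocol="https" bindingInformation="20.20.20.2:443:shop.contosso.com" sslFlags="1" />
  </bindings></site>
  <site name="D"><bindings>
    <binding protocol="https" bindingInformation="20.20.20.2:443:blog.contosso.com" sslFlags="1" />
  </bindings></site>
</sites>"""

def parse_bindings(xml_text):
    """Yield (site, protocol, ip, port, host, sni) for each http/https binding."""
    for site in ET.fromstring(xml_text).iter("site"):
        for b in site.iter("binding"):
            proto = b.get("protocol")
            if proto not in ("http", "https"):
                continue  # other protocols (e.g. net.tcp) use a different format
            # "IP:Port:Hostname"; split from the right so an IPv6 literal survives.
            ip, port, host = b.get("bindingInformation").rsplit(":", 2)
            sni = bool(int(b.get("sslFlags", "0")) & 1)  # assumed: value 1 = SNI
            yield site.get("name"), proto, ip, int(port), host.lower(), sni

def audit(xml_text):
    """Return (conflicts, shared_cert): duplicate triples, shared TLS endpoints."""
    by_triple, by_endpoint = defaultdict(set), defaultdict(set)
    for site, proto, ip, port, host, sni in parse_bindings(xml_text):
        by_triple[(ip, port, host)].add(site)  # hostnames compare case-insensitively
        if proto == "https" and not sni:
            by_endpoint[(ip, port)].add((site, host))
    conflicts = {k: sorted(v) for k, v in by_triple.items() if len(v) > 1}
    shared = {k: sorted(h for _, h in v) for k, v in by_endpoint.items()
              if len({h for _, h in v}) > 1}
    return conflicts, shared

if __name__ == "__main__":
    conflicts, shared = audit(SAMPLE)
    for key, sites in conflicts.items():
        print("CONFLICT", key, "claimed by", sites)
    for key, hosts in shared.items():
        print("SHARED CERT", key, "certificate must cover", hosts)
```

On the sample, sites A and B conflict on port 80 because contosso.com and Contosso.com are the same hostname, and their HTTPS bindings on 10.10.10.1:443 are reported as sharing one certificate, while the SNI bindings of C and D are not.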
Hope this helps :)
Comments
- Anonymous
July 27, 2016
Great work Parvez. Keep blogging :) Waiting for more posts
- Anonymous
February 09, 2017
This is so helpful. I was super confused with the concept of binding in IIS and this article explains it so well !! thank you :)
- Anonymous
February 14, 2017
You're welcome :) Glad it helped !!