2

The server is running Windows Server 2019 Standard with IIS 10, and it has two network interfaces with public IPs (198.51.100.1 and 203.0.113.1)

My desired setup:

  • IIS: 198.51.100.1 on port 80
  • IIS: 198.51.100.1 on port 443
  • IIS: 203.0.113.1 on port 80
  • nginx: 203.0.113.1 on port 443

But after IIS started, the http.sys (PID=4) starts listening 80 and 443 ports on all IPs:

  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:443               [::]:0                 LISTENING       4

I can limit to particular address with 'netsh http add iplisten' command, but I want to use both 198.51.100.1 and 203.0.113.1 address in IIS. Iplisten is not allowed to specify ports.

And I don't want to use reverse proxy...

Anyone know how I can use 443 in both IIS and nginx?

Tero Kilkanen
  • 38,887
crazyman
  • 66

1 Answers1

1

You'll need to use NETSH to configure the system to only let http.sys capture specific addresses (by default it captures wildcard, as you see in your included NETSTAT)

Try running these from an elevated command prompt (after stopping the IIS service)

netsh http delete iplisten 0.0.0.0
netsh http add iplisten 198.51.100.1:80
netsh http add iplisten 198.51.100.1:443
netsh http add iplisten 203.0.113.1:80

That should reconfigure the http.sys to only listen on the specified IP:Port combinations, and not proactively capture every :80 and :443 on the system.

Important note -- do remember that you've now limited the IP-port combinations that IIS is capable of answering (regardless of how you configure bindings on sites within IIS Admin). If you need to add more IPs and/or Ports in the future, you'll have to perform additional netsh http add iplisten commands.

Ruscal
  • 1,222