Score:2

Using same port in both IIS and nginx on different IP addresses

gb flag

The server is running Windows Server 2019 Standard with IIS 10, and it has two network interfaces with public IPs (198.51.100.1 and 203.0.113.1)

My desired setup:

  • IIS: 198.51.100.1 on port 80
  • IIS: 198.51.100.1 on port 443
  • IIS: 203.0.113.1 on port 80
  • nginx: 203.0.113.1 on port 443

But after IIS starts, http.sys (PID 4) starts listening on ports 80 and 443 on all IPs:

  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:443               [::]:0                 LISTENING       4

I can limit it to a particular address with the 'netsh http add iplisten' command, but I want to use both the 198.51.100.1 and 203.0.113.1 addresses in IIS. Iplisten does not allow specifying ports.

And I don't want to use reverse proxy...

Anyone know how I can use 443 in both IIS and nginx?

cn flag
Bob
Can't you use Site ==> Bindings in IIS Manager to stop it listening on any/all IPs and limit IIS to only the specific IP address 1.1.1.1 for port 443, leaving the 2.2.2.2:443 IP address:port free for nginx to bind to?
gb flag
IIS bindings are set to specific addresses (based on my desired setup). However, http.sys is listening on all addresses, 0.0.0.0:80 and 0.0.0.0:443.
Score:1
in flag

You'll need to use NETSH to configure the system to only let http.sys capture specific addresses (by default it captures the wildcard, as you can see in the NETSTAT output you included).

Try running these from an elevated command prompt (after stopping the IIS service):

netsh http delete iplisten 0.0.0.0
netsh http add iplisten 198.51.100.1:80
netsh http add iplisten 198.51.100.1:443
netsh http add iplisten 203.0.113.1:80

That should reconfigure http.sys to only listen on the specified IP:port combinations, and not proactively capture every :80 and :443 on the system.

Important note -- do remember that you've now limited the IP-port combinations that IIS is capable of answering (regardless of how you configure bindings on sites within IIS Admin). If you need to add more IPs and/or Ports in the future, you'll have to perform additional netsh http add iplisten commands.

in flag
I don't have a 2019 server to play around with, but I just looked up the MS Docs spec on this command, and it has changed since I last used it. The current spec shows that it doesn't use (and will ignore) the port number -- meaning that this might not work for splitting 203.0.113.1 across both IIS and nginx. You might have to forfeit that whole IP from IIS and not run a :80 site on it. YMMV, so give it a test run first. But I'm seeing that in the docs now. https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-http#add-iplisten
gb flag
Really, we can't specify the port in the netsh http iplisten command (on 2019, and also on 2016 or 2008). I mentioned this in the original post.
in flag
I'm sorry @crazyman, I don't know how I read that a few times and continually missed that you'd already determined iplisten wouldn't work. I would have sworn that I was able to use the ports in 2008r2, but really it has been long enough that it could have been 03. I just dove through the docs again and don't see anything current that'll limit http.sys to specific ports.
gb flag
No problem. Maybe it was 2003. In 2008r2 you certainly cannot specify a port https://paste.pics/8777daa1495927d741c6d3e7831e9f23
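A check for the netsh procedure in the answer above, as an added example that nobody in this thread posted: a PowerShell snippet that reads the current http.sys IP listen list and the actual TCP listeners on 80/443, so you can confirm which addresses http.sys (PID 4) has bound and whether 203.0.113.1:443 is actually free for nginx. The two public addresses are the ones from the question; `netsh http show iplisten`, `Get-NetTCPConnection` and `Get-Process` are standard Windows commands, and the listener filter assumes http.sys always shows up as PID 4.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on the IIS host.
# Addresses are the ones from the question; change them to match your server.
$NginxBind = @{ Address = '203.0.113.1'; Port = 443 }

# 1. What http.sys has been scoped to (an empty list means it binds 0.0.0.0 / ::).
Write-Host "== http.sys IP listen list =="
$iplisten = (netsh http show iplisten) |
    Where-Object { $_ -match '^\s*(\d{1,3}(\.\d{1,3}){3}|[0-9a-f:]+)\s*$' } |
    ForEach-Object { $_.Trim() }
if ($iplisten) { $iplisten } else { Write-Host "(empty: http.sys binds every address)" }

# 2. Which process actually owns each listening socket on 80/443.
Write-Host "`n== TCP listeners on 80/443 =="
$listeners = Get-NetTCPConnection -State Listen -LocalPort 80,443 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Address = $_.LocalAddress
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '?' }
        }
    }
$listeners | Sort-Object Port, Address | Format-Table -AutoSize

# 3. The condition the thread is about: a wildcard bind on 443 by http.sys (PID 4)
#    blocks nginx even though the IIS site bindings are address-specific, and an
#    explicit http.sys bind on the nginx address cannot be excluded per port via iplisten.
$wildcard443 = $listeners | Where-Object {
    $_.Port -eq 443 -and $_.PID -eq 4 -and $_.Address -in @('0.0.0.0', '::')
}
$nginxTaken = $listeners | Where-Object {
    $_.Port -eq $NginxBind.Port -and $_.Address -eq $NginxBind.Address -and $_.PID -eq 4
}
if ($wildcard443) {
    Write-Warning "http.sys holds $($wildcard443.Address -join ', ') on :443 (wildcard); $($NginxBind.Address):443 is not available to nginx."
} elseif ($nginxTaken) {
    Write-Warning "http.sys is bound to $($NginxBind.Address):443 explicitly; iplisten cannot exclude a single port on that address."
} else {
    Write-Host "$($NginxBind.Address):443 is free for nginx."
}
```

Run it once before and once after changing the iplisten list and restarting IIS; if the second section still shows PID 4 on 0.0.0.0:443 or on 203.0.113.1:443, nginx will fail to bind regardless of what the IIS bindings say.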