HSTS & redirects on IIS 8.5

Question

I'm having a problem getting my IIS 8.5 server to behave as desired. I am attempting to host two domains on the same IP address, both on https, using separate webservers.

Naturally, IIS is setup as my "primary" webserver, listening on 80 & 443. One domain is setup here with an ssl cert. I'm using the "URL Rewrite" mod to send insecure traffic over to the secure side. The other domain is setup as virtual host and uses the "HTTP Redirect" feature to send traffic to the second webserver. For the second webserver, I have Apache 2.4 listening on 8443, also with a cert.

so, briefly: http://example1.com -> URL Rewrite -> https://example1.com https://example1.com -> resolves and served from IIS

http://example2.com -> HTTP Redirect -> https://example2.com:8443 https://example2.com:8443 -> resolves and served by Apache

My problem is after a browser (FF or Chrome) visit http://example2.com and are redirected to https://example2.com:8443, subsequent visits always go to https://example2.com (without the port). This fails because during the ssl handshake, the browser is given example1's certificate.

I've tracked this down to these two browsers relying on HSTS. As soon as I clear the HSTS cache, they're able to find the correct site (with the port) again.

How can I get this setup to work smoothly? I don't see anything in Apache's conf that is setting an HSTS, so I assume it's in the IIS redirect. I looked at this answer discussing HSTS on IIS, thinking I could modify Doug's suggestion to set the max-age to zero to prevent it from being set, but it doesn't seem to work.

Solution:

Based on the suggestion below, the best solution is to host both domains in IIS, bind the SSL certs and check the "Require Server Name Indication" box in the binding. I had to do it to all domains sharing the IP. Then I could create a reverse proxy (URL Rewrite & Application Request Routing modules required) that would hand-off traffic to the Apache-hosted instance.

Answer 1

You can't with your current set up.

The HSTS RFC states the following:

The UA MUST replace the URI scheme with "https" [RFC2818], and

if the URI contains an explicit port component of "80", then the UA MUST convert the port component to be "443", or

if the URI contains an explicit port component that is not equal to "80", the port component value MUST be preserved; otherwise,

if the URI does not contain an explicit port component, the UA MUST NOT add one.

NOTE: These steps ensure that the HSTS Policy applies to HTTP over any TCP port of an HSTS Host.

So going to http://www.example2.com:8443 will preserve the port and redirect to https://www.example2.com:8443 but you cannot do the same from http://www.example2.com.

So you've the following choices:

1. Stop using HSTS in Apache for example2.com and only use it in IIS for example1.com

2. Use one main server to listen to port 80 and 443 and proxy requests for example.com to the other server on port 8443. This is much cleaner as doesn't require the use on non-standard ports like 8443 by the user. However, as you are using the same IP address for both you either have to use a process called Server Name Identification or SNI (which is not supported by older browsers like XP/IE8) to correctly serve the same hosts over the same IP address for HTTPS, or use the same cert for both sites as a workaround (see answer here for an explanation of how that works).