I have published an ASP.NET core Web API on IIS. The website is hosted on a Windows Server 2019 dedicated server with a number of IP addresses. In Plesk I have set the IP address which I want the website to be bound to (let's assume is it 10.1.1.1). When I ping the domain name I see the correct IP address.
In one of the API's endpoints, there is an HTTP Request made to an external API which has access restriction to pre-defined IP addresses. If a request is made to this external API from an unknown IP it returns an error with that IP address.
Our website's IP address is set properly at the external API. However, when our API tries to connect to the external API from code it doesn't use the website's correct IP Address. It uses the first available IP address on the server. Therefore, the connection to the external API is refused.
My question is, why the HTTP Request is not made from the same IP address as the website and what can I do to make things right?
When we bind sites to IIS, you are only binding the incoming IP address. Traditionally we would want to control and sanitize all outbound requests, it there are multiple NICs configured, the outbound traffic would be routed through the NIC that is configured with the gateway, or the NIC that is on the same subnet as the target.
If your server has multiple IP addresses defined in the same NIC, the outbound IP address from IIS hosted content is selected for you. I'm not sure if it is a round robin but I can tell you it is not in any way related to the incoming IP address that your site is bound to.
Outbound traffic is NOT associated with IIS at all, outbound traffic from IIS follows the normal pathway and rules as outbound connections from all processes on your PC/server.
The general standard to avoid this issue in IIS is to use SSL and Host Header Names. That way you can host multiple sites on the same IP address, or realy you are inbound address agnostic meaning your configuration can be easily ported to other hosts without having to mess around with multiple physical or virtual IP addresses.
Following this advice from Forcing Windows Server to Use a Specific Outgoing IP Address, you can use powershell to exclude specific IP addresses from being used as the external source.
Assuming the IP address you want to be primary is 192.168.33.129.
$primaryIP = "192.168.0.4"
Set-NetIPAddress -IPAddress $primaryIP -SkipAsSource $false
Get-NetAdapter | Get-NetIPAddress | ? { $_.IPAddress -ne $primaryIP } | % {
Set-NetIPAddress -IPAddress $_.IPAddress -SkipAsSource $true
}
Now all IP addresses, except the one you are designating as "primary," will be excluded from consideration as primary. We can verify this using...
Get-NetAdapter | Get-NetIPAddress | Select-Object IPAddress,SkipAsSource
It must also be said that communications outside of your IIS host can be routed via VPNs and Firewalls, even if you manage to fix the internal IIS server outbound IP address, the external site will still register your network's external IP address, not the internal 192.168.0.4 on the NIC.
Most enterprise firewalls will have the ability to configure Source NAT (SNAT) rules or policies, sometimes referred to as Multipath Routing, that will allow you to bypass or negate any configuration on the IIS NIC as described above.
Related
I have developed an IOT module which can connect to the Wi-Fi and send data to the internet, the module can send data (string) to specific IP address on the specific port.
The internet server should store that information to the data base and display that information to the user via HTTP (web page).
When I set the port to the 9081 (any random number) and my local computer IP address as IP address that module should send data to, I can see data on my local computer terminal.
My question is that how can I send that data to the internet?
What I have in mind is that I can purchase domain name, host and develop a web site (HTTP) which by default listen to port 80. The service provider only give me a basic services such as HTTP, HTTPS and FTP which make it possible to upload website and I don’t have access to other protocols and ports.
Should I purchase virtual private server or I should use any specific cloud services or the module can send data to the server on port 80 without getting conflict with web pages and web contents?
Please give me some suggestion.
I did something similar with an IoT module. There are two options that I also considered. Before we describe, there is no need to buy a domain name. You can comfortably use the IP address to connect to. If you have some spare cash go for it.
Send everything to the web server on your local computer. To have access to the local computer you must enable port 80 to be accessible over the internet. You do this on a router. This is called port forwarding. You setup a rule such that all the requests made to your IP address on port 80 should be redirected to your local computer on whatever port the web server is listening to. This is the cheapest method available. Also, there is an important limitation: you're local computer needs to be switched on all the time if you want to access the data.
Buy a droplet (virtual private server). The workflow is the same as 1, but you don't need to port forwarding anything. These are usually setup and ready to use. However, this is usually expensive. Most of these providers offer pay-as-you-go services (e.g., Digital Ocean is the one that I used). There are other providers which offer free but limited versions. These are usually developer trial versions. If you go over a number of transactions, or space, you will have to pay (have a look at Parse).
We are trying to specify IP address instead of hostname(eg: www.abc.com) for WCF service hosted in IIS v8.0 on windows server 2012
This gives error saying special characters not allowed. Is this not allowed?
But it works fine when we specify IP address as host name in our local systems which runs IIS v7.5.
A hostname is not an IP address, therefore you can't specify it in the site bindings as a host name.
If you are trying to access a service on your local IIS machine, simply having the site binding present is enough, but you may want to bind it to a specific IP address (the IP address dropdown), or if you leave it as "All Unassigned" then the application will be available on all IPs registered with the server, on your chosen port.
If you are trying to access an app on another machine from yours, you can either get a DNS value added by your network admin, or change your HOSTS file (C:\windows\system32\drivers\etc\HOSTS) and add in your own alias:
54.XXX.XXX.XXX myalias
Which means you should then be able to access http://myalias:8092/ from your browser.
Update The validation message is apparently by design:
http://blogs.msdn.com/b/dasane/archive/2013/10/16/adding-ip-address-like-host-head-in-iis-8-shows-ui-validation-error-this-worked-fine-in-iis-7-5-and-earlier.aspx
Reading that article, I can now understand why you may want to use an IP address as a host-header, as it effectively allows you to route external IP address calls to your local machine without requirement of DNS changes. For what you need though, if the IP address is bound to an NIC on your local machine, just leave it blank as it will resolve locally anyway.
Check what you provided in Hosts file (C:\Windows\system32\drivers\etc folder) in your local machine
For the above case you need to provide the hostname not ip address
I have a self host service in a WPF application and a client. It works fine if the client and the service are in the same LAN, so I can send messages from client to the service.
However, I would like to know how I can consume the service from internet.
I open the TCP ports for the listing port and the mex in my router in the NAT section and I have disabled my firewall of windows (I am working in a virtual windows xp).
I am trying to use net.tcp binding, is my first option, but also I am trying with wsHttpBinding and the problem is the same, I can send message in the LAN but I can't from internet.
Perhaps it's because I don't know how to configure the address in the service or in the client, or something like that.
Thanks you very much.
Daimroc.
EDIT1: if I use the www.canyouseeme.org the can access to my service. If I stop my service then i get an error. So it looks like that the service is visible. Then why can't send messages from the client?
Since you're on a LAN, it is very likely that the machine that is hosting the WCF service is not assigned an IP address accessible from the Internet. For example, if the machine has an IP address starting with 10... or 172... or 192... then that is an internally assigned IP address.
Your machine must be set up to use an IP address assigned by a registrar and optionally, assigned a domain name (e.g. canyouseeme.org) so the Internet DNS servers can translate it to the assigned IP address.
I have client server cocoa application. client communicate with server by using server's IP address. My questions are how can i check that my server IP address is changed in my cocoa application and how can i notify clients that server's IP address is changed (should i store IP address of client #server and notify to client). I am using Distributed object for communication between client and server.
Use DNS. It supports finding the current IP address of a server, which means that you can easily detect when the IP address changes (and have clients automatically use the updated address). If you envisage rapid changes of the server's address you can use a short time-to-live on your DNS responses.
Can anyone confirm or deny that it is possible to set an IP address as a host header on IIS 6.0?
I have seen others on forums that claim to have made this work however I am having no luck with a "Bad Request (Invalid Hostname)" for reply.
I believe you can assign a website to different IP addresses, if your server has multiple addresses. However looking at our server, its assigned to the local network IP address, not the internet IP address. I don't think what your asking can happen since the IP address is not sent as part of the HTTP request. The only way I think it would work is if you have your router/firewall redirect different IP address requests to different ports on the web server, then you can bind your sites to the ports instead of the host header.