ISAPI Extension for IIS over https://



pauln
2021-03-22, 09:24
Hello All

Been battling along getting my understanding up to speed on Certificates following DOCS here:
https://www.lianja.com/doc/index.php/ISAPI_Extension_for_IIS#Redirect_Default_Document
https://www.lianja.com/doc/index.php/Creating_a_Self-Signed_Certificate

I managed to create a SSCert, deployed and tested :o

The Item I am not clear on is references in both documents to "select the web site" and "Select the target site" where the DOC shows "Default Site" highlighted in all instances.
I am sure this should be a deployed Lianja site?
[Attachment 2493]

The reason for asking is when using the handler mappings with wildcard "*" it overrides another SSL on the same server.

If I should be replacing all references in the DOCS for "site" to "mySite" for an AWS instance of LCS - can I please ask for instructions on how to add to the App pool:
C:\lianja\cloudserver\tenants\public\wwwroot\apps\mySite

I also notice there is no web.conf in mySite as well.

Thanks Paul.

yvonne.milne
2021-03-22, 11:31
Hi Paul,

Yes, you should add the handler to your target site. That IIS Manager screenshot is from my laptop, where I currently only have a single site set up. The Edit Site -> Basic Settings... allows you to select the Application Pool.

Regards,

Yvonne

pauln
2021-03-22, 20:20
Hello Yvonne

I think I need to ADD the Site first to the APP Pool? So I am asking where do I point it to?
Originally I thought here:
C:\lianja\cloudserver\tenants\public\wwwroot\apps\mySite

But looking at the Physical Path I think it needs to go up 1 level as we need to encompass CloudAdmin shown below?
[Attachment 2494]

Can you please confirm.

HankFay
2021-03-22, 20:51
Hi Paul,

On IIS 8.5 this is all you need to do.

1) Register the certificate with IIS (Server / Server Certificates)

2) Bind the certificate to the site (Site / Bindings (upper right panel)). You can have different SSL certs on a given site by using the hostname column. Or if there is only one, all will go through that one certificate.

That's all.

Unless you have high traffic, you don't need to allocate App Pools.

Hank

PS LetsEncrypt gets you a real certificate (with a trusted root) for nothing. Here's one install that is thought to work well: https://www.win-acme.com/

pauln
2021-03-22, 22:47
Hi Hank
Thanks for your help.

The reason why I think I need to be more specific is that the Handler Script uses a wildcard of "*".
[Attachment 2498]
When I did that it stopped all the traffic to a West-Wind site that was running.

I think the handler must be more specific if you have more than one Web Site running from IIS?

barrymavin
2021-03-23, 00:55
The Lianja IIS extension will pass back requests it can't handle. So it needs a wildcard request path. This proxies all traffic for an application server, not simple requests.

You need to be more specific as to what's "not working" that conflicted with other handlers.

If you have conflicting handlers then create a unique site for Lianja to isolate it and add the lianja handler into that site.

You would then need to access the website with a special url.

pauln
2021-03-23, 02:58
Hi Barry
Here are the specifics with SSCert installed with IIS ext settings:

http://localhost/wconnect/TestPage.wwd => Works OK
https://localhost/wconnect/TestPage.wwd => Works OK
http://localhost:8001/login.rsp => Works OK
https://localhost/login.rsp => FAILS as physical resource cannot be found AT C:\inetpub\wwwroot\login.rsp | https://localhost:443/login.rsp

This is the site setup:
[Attachment 2499]

The wildcard script is currently under the Lianja node, but I think http:// is only working above due to the fact of the specific port used, 8001.

You said "The Lianja IIS extension will pass back requests it can't handle" and "If you have conflicting handlers..." - I don't think the requests are being passed on?

If I move the wildcard script up to "Default Web Site" then Lianja works for Http & Https but the original site "wconnect" stops on both bindings.

If the intention was Lianja wildcard to proxy and pass through unwanted requests then this is not occurring I am thinking.
Thanks Paul

barrymavin
2021-03-23, 03:34
It is proxying. I have looked at the code. It ignores .wwd files.

I do not have any wconnect or Lianja below "Default Web Site". I only have system_web.

The Lianja ISAPI extension is configured and it reads the url and rejects file extension and paths it does not handle.

So yes my intention was and is proxying as designed.

You don't need any Lianja under the default website. Why was that done? I never suggested that.

FYI the Lianja ISAPI extension proxies http and https traffic to the LCS running on port 8001 locally. The Lianja Server Manager is used to configure wwwroot paths and tenancies (in your case public). You don't need to do anything in IIS (or Apache on Linux for that matter). Just set up the handler as documented.

barrymavin
2021-03-23, 03:38
FYI port 8001 bypasses IIS completely. Nothing to do with it.

pauln
2021-03-23, 03:42
Hi Barry

As I tell my son, "never give up" - the problem was if you do have a site under "Default Web Site" (as I did wconnect) then when you add the script map it adds it to sites below :rolleyes:
I just removed the "inherited" script map from that wconnect site and all 4 tests are working for both http:// and https://

I will now remove the Lianja site as that was just me beating down every door to find a solution.

barrymavin
2021-03-23, 03:45
Good to know. So the Lianja ISAPI extension is proxying as expected?

pauln
2021-03-23, 03:55
Hi Barry - Yes proxying as expected, both sites running happily under 1 browser (4 TABS), beautifully :D
(Removed Lianja site as you said not required and tested ok.)

Also site builders using AWS should remember to turn on https:// with the instance tool, it caught me again for a bit...
Thanks
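
The cause found in this thread, a wildcard script map added at "Default Web Site" being inherited by the applications below it, can be audited from PowerShell. The following is an added example and not part of the original posts or of Lianja's documentation; it assumes the IIS WebAdministration module is installed and that the map was created as a standard IIS wildcard script map (path `*`, module `IsapiModule`). The handler name in the final commented line is a placeholder.

```powershell
# Added example: list every location under a site where a wildcard ISAPI
# script map is in effect, including locations that only inherit it.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # site name as used in the thread

# Site root plus each application beneath it (for example /wconnect).
$paths = @("IIS:\Sites\$siteName")
$paths += Get-WebApplication -Site $siteName | ForEach-Object {
    "IIS:\Sites\$siteName\" + $_.path.TrimStart('/')
}

$report = foreach ($p in $paths) {
    # Get-WebHandler returns the effective handler list at that path,
    # so maps inherited from the parent site show up here as well.
    Get-WebHandler -PSPath $p |
        Where-Object { $_.path -eq '*' -and $_.modules -eq 'IsapiModule' } |
        ForEach-Object {
            [pscustomobject]@{
                Location        = $p
                Name            = $_.name
                ScriptProcessor = $_.scriptProcessor
            }
        }
}

$report | Format-Table -AutoSize

# To stop one application from inheriting the map (the scripted equivalent of
# removing the inherited script map in IIS Manager), remove it at that
# application's path only. '<handler name>' is a placeholder: use the Name
# column from the report above.
# Remove-WebHandler -Name '<handler name>' -PSPath "IIS:\Sites\$siteName\wconnect"
```

Any application that appears in the report but should be served by its own handlers (here, wconnect) is a candidate for the per-application removal shown in the last line.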