I have come across an interesting issue where the internal IP address is revealed when using OpenSSL and HTTP 1.0. However, if we use HTTP 1.1, IIS does not reveal the address.

Here is what happens when I use OpenSSL:

openssl s_client -connect 10.x.y.z:443

GET /Test
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://10.x.y.z/Test/">here</a></body>read:errno=0

 

How to prevent this?

You will need to set a host header on the website that has the issue. Set the host header using the adsutil.vbs script as follows.

cscript c:\inetpub\adminscripts\adsutil.vbs set w3svc/<siteidentifier>/SecureBindings ":443:myhostname"

Make sure the host header that you set here (e.g. myhostname) resolves to the IP address of the IIS server, and that you can browse the secured website using the specified host header.

Note: <siteidentifier> is the numeric value that you can obtain from the IIS6 Manager.

 

Important: If you make changes to the host header from the IIS manager, you may have to re-run the above command.

Setting the host header on Secure Bindings through the IIS manager does not yield good results. Use the command above instead.

 

After the host header is set, you will see results similar to the following:

GET /Test
<h1>Bad Request (Invalid Hostname)</h1>read:errno=0
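
To confirm the fix on your own servers, the check below scans a reply for internal addresses. It is an added example, not part of the original post; the function names and the sample address 10.0.0.5 are assumptions made for illustration.

```python
import ipaddress
import re
import socket
import ssl

# Constructed samples modelled on the two outputs shown on this page;
# 10.0.0.5 is a made-up address standing in for the redacted 10.x.y.z.
LEAKY = (b'<head><title>Document Moved</title></head>\n'
         b'<body><h1>Object Moved</h1>This document may be found '
         b'<a HREF="https://10.0.0.5/Test/">here</a></body>')
FIXED = b'<h1>Bad Request (Invalid Hostname)</h1>'

# Dotted quad not embedded in a longer number/dot run.
IPV4 = re.compile(rb'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')

def leaked_private_ips(response: bytes) -> list[str]:
    """Return IPv4 addresses in the reply that fall in non-public ranges
    (10/8, 172.16/12, 192.168/16, loopback, link-local, ...)."""
    found = []
    for raw in IPV4.findall(response):
        try:
            ip = ipaddress.ip_address(raw.decode())
        except ValueError:          # e.g. 999.1.1.1 is not an address
            continue
        if ip.is_private and str(ip) not in found:
            found.append(str(ip))
    return found

def probe(host: str, port: int = 443, path: str = "/Test") -> bytes:
    """Send a Host-less HTTP/1.0 request over TLS and return the raw reply."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # connecting by IP, so the certificate
    ctx.verify_mode = ssl.CERT_NONE  # name is not expected to match
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock) as tls:
            tls.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode())
            chunks = []
            while data := tls.recv(4096):
                chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    for name, reply in (("before fix", LEAKY), ("after fix", FIXED)):
        print(name, "->", leaked_private_ips(reply) or "no internal address")
```

An IIS 6 host may only offer TLS versions that a current Python/OpenSSL build refuses to negotiate; in that case save the openssl s_client output to a file and pass its bytes to leaked_private_ips instead of calling probe.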