IIS and HTTP CONNECT requests

  • Question

  • Hi,

    We're trying to share a single port number between a web application (running in tomcat) and an HTTP relay using HTTP CONNECT to tunnel through to another application.

    We've tried several options, but it would appear that IIS is blocking the CONNECT requests specifically.
    The relay does conform to the IEFT standard for tunnelling.
    Could someone verify if CONNECT requests should be permitted and, if so, how IIS can be configured to allow this?
     
    Wednesday, April 26, 2017 5:14 PM

All replies

  • What do you mean by “http connect request”? Do you want to share port between IIS web application and Socket application?

    What is IEFT standard? Is it IETF?

    As far as I know, two separate processes on a given IP address cannot both listen for the same incoming port. You could not have both IIS or Socket application listening for the same port. You may need to try proxy which will distribute the request.


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, April 27, 2017 5:51 AM
  • Thanks for the reply, I do indeed want to share a port number between multiple applications.

    The situation is that we can only open 1 port "into" a system (443), but want to access webapps running in a tomcat and a separate application via a proxy. So we have IIS monitoring this open port and an ISAPI (AJP) connector redirecting requests to a tomcat.

    We also want http CONNECT requests to be redirected from IIS to a relay / proxy running on the same box. We've tried ARR (application request routing) and RRAS (routing and remote access services) without success. We've also tried HttpPlatformHandler.

    https://www.iis.net/downloads/microsoft/httpplatformhandler

    In all cases GET requests could be redirected successfully to the relay, but all CONNECT requests returned 400 "Bad Request" from IIS. 

    At the moment it looks like IIS is always blocking CONNECT requests.

    Yes I mis-typed, I did mean IETF standard: https://www.ietf.org/archive/id/draft-luotonen-web-proxy-tunneling-01.txt

    Thursday, May 4, 2017 2:05 PM
  • >>In all cases GET requests could be redirected successfully to the relay, but all CONNECT requests returned 400 "Bad Request" from IIS. 

    What do you mean by CONNECT request? Could you share with us how you implemented the CONNECT request?

    Based on the 400, it seems your request is invalid. If you open the port for the CONNECT request temporarily, will it work?



    Friday, May 5, 2017 1:53 AM
  • Yes, if we open a second port and send the same request directly to the relay we're successful.

    Here's an example of the request & response exchange:

    curl -v --proxytunnel --proxy http://hostname:80 http://127.0.0.1:8080
    * Rebuilt URL to: http://127.0.0.1:8080/
    *   Trying xx.xxx.xx.xx...
    * TCP_NODELAY set
    * Connected to (nil) (xx.xxx.xx.xx) port 80 (#0)
    * Establish HTTP proxy tunnel to 127.0.0.1:8080
    > CONNECT 127.0.0.1:8080 HTTP/1.1
    > Host: 127.0.0.1:8080
    > User-Agent: curl/7.52.1
    > Proxy-Connection: Keep-Alive
    < HTTP/1.1 400 Bad Request
    < Content-Type: text/html; charset=us-ascii
    < Server: Microsoft-HTTPAPI/2.0
    < Date: Wed, 26 Apr 2017 12:13:00 GMT
    < Connection: close
    < Content-Length: 324
    * Received HTTP code 400 from proxy after CONNECT
    * Curl_http_done: called premature == 0
    * Closing connection 0
    curl: (56) Received HTTP code 400 from proxy after CONNECT

    Compare this to the exchange for a GET:

    curl -v --proxy http://hostname:80 www.google.com
    * Rebuilt URL to: www.google.com/
    *   Trying xx.xxx.xx.xx...
    * TCP_NODELAY set
    * Connected to (nil) (xx.xxx.xx.xx) port 80 (#0)
    > GET http://www.google.com/ HTTP/1.1
    > Host: www.google.com
    > User-Agent: curl/7.52.1
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    < HTTP/1.1 405 Method Not Allowed /* (response from our relay) */
    < Date: Thu, 04 May 2017 11:30:41 GMT
    < Content-Length: 0
    * Curl_http_done: called premature == 0
    * Connection #0 to host (nil) left intact

    This morning we had a breakthrough and actually resolved the problem. Adding a '/' prefix to the hostname appears to allow the request "into" IIS, so next we'll configure ARR to process:

    telnet <hostname> 80
    CONNECT /myserver:671 HTTP/1.0

    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    Date: Fri, 05 May 2017 08:56:00 GMT
    Connection: close
    Content-Length: 1245

    So it would appear that the original 400 error was correct and the format was not correct after all.

    Friday, May 5, 2017 9:11 AM
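
Added example (not part of the original thread or any poster's code): the three exchanges in the post above differ in request-target form (RFC 7230 section 5.3) and in which component answered, and both can be read from the captured traffic. The function names and the layer labels are assumptions of this sketch; the request lines, status codes and Server values are taken from the post, with the other headers omitted.

```python
import re

def target_form(request_line):
    """Return (method, form) for an HTTP/1.x request line (RFC 7230 s5.3)."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    if target == "*":
        form = "asterisk-form"
    elif target.startswith("/"):
        form = "origin-form"          # path only, what an origin server expects
    elif re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        form = "absolute-form"        # full URI, used when talking to a proxy
    elif re.match(r"^(\[[0-9A-Fa-f:.]+\]|[^/\s:@]+):\d{1,5}$", target):
        form = "authority-form"       # host:port, the form CONNECT uses
    else:
        form = "unknown"
    return method, form

def answering_layer(raw_response):
    """Return (status, layer), judging the layer by the Server header."""
    status_line, _, rest = raw_response.partition("\n")
    status = int(status_line.split()[1])
    server = ""
    for line in rest.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
    if server.startswith("Microsoft-HTTPAPI/"):
        layer = "http.sys"   # rejected before reaching an IIS site
    elif server.startswith("Microsoft-IIS/"):
        layer = "iis"        # reached the IIS request pipeline
    else:
        layer = "other"      # e.g. a backend or relay behind IIS
    return status, layer

# Request lines and response headers as they appear in the thread.
EXCHANGES = [
    ("CONNECT 127.0.0.1:8080 HTTP/1.1",
     "HTTP/1.1 400 Bad Request\nServer: Microsoft-HTTPAPI/2.0\n"),
    ("GET http://www.google.com/ HTTP/1.1",
     "HTTP/1.1 405 Method Not Allowed\nContent-Length: 0\n"),
    ("CONNECT /myserver:671 HTTP/1.0",
     "HTTP/1.1 404 Not Found\nServer: Microsoft-IIS/7.5\n"),
]

def summarize(exchanges=EXCHANGES):
    return [target_form(req) + answering_layer(resp) for req, resp in exchanges]

if __name__ == "__main__":
    for row in summarize():
        print("%-8s %-15s %d %s" % row)
```

The Server value separates a rejection by the HTTP.sys listener from a response produced inside IIS, which is why the 400 and the 404 in the thread point at different layers.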
  • It seems you have resolved your issue, am I right? If so, I would suggest you mark your reply as answer, and then others who run into the same issue would find the solution easily.


    Monday, May 8, 2017 2:08 AM