Once your IIS 10 installation is done, you need to do
some web site configuration, because you may not
be running a generic domain for your pages; for example,
a sales site or a blog versus a traditional information setup.
When you did your install, were you upgrading an existing setup, or
is this a new setup without any data? If you selected most of the options you
need from Roles and Features, you will still need to configure some of them,
such as ASP or CGI. If you are making a blog you will need to configure
MIME, Handlers, CGI, and FastCGI, or your PHP will not work. (See these two pages
for more information about web site configuration for these modules:
IIS 6 and
IIS 7.5.)
Web Site Configuration for your Certificate for SSL (Secure Sockets Layer)
If you haven't worked with SSL yet, here is a good site for an explanation of
SSL and some configuration advice; and if your hosting company does not supply a
certificate (some do for free!), you could purchase one here:
www.ssl.com
When you get your certificates you will need to add them to your server. If
your company has a Certificate Store and an Administrator, you would get the certificate there;
check with the Store Admin on how to link or add it to your server.
Note: You may want to read this all the way through to the end. IIS will
only accept .pfx formatted certificates; you can add any format to the mmc
console, but for our purposes it has to be a .pfx certificate.
Note: If you have a domain name and want to add sub domains, do so
before obtaining your domain certificate. A sub domain is not a virtual
directory added to your web site, such as www.departments\yourdomain.com, but
looks like this: www.departments.yourdomain.com. The virtual directory uses a \ to add
it to the domain name, whereas a sub domain uses a .
to add it to the domain. Your domain registrar is where you would register your
sub domain, such as the blog on this site: fix-it-blog.diy-computer-repair.net
Once you have your domain and, if you need them, your sub domains, request your domain
certificate. If you are using sub domains then you would select the "*"
option (wild card) and not the traditional "www". The wild card option will
serve for any sub domain you add to the bindings.
Web Site Configuration for SSL
To add the certificate you will need to open mmc.exe and then add the
Certificates snap-in. I strongly suggest you do all your work with the "run as
administrator" option; otherwise you will be clicking "yes" every time the pop-up
asks if you want to continue with administrator rights. (Some options will
fail otherwise.)

Highlight "Certificates" and click Add to put it in the console

Choose "Computer account"

Click next unless your organization has a Certificate Store, then select the
server path...

Right click on Certificates in the center column, select "Import"

The choices should be grayed out if you chose "Computer account"; if not,
choose "Local machine"

Search for your certificate...

Notice the line with the "Personal Information Exchange...."
IIS will only accept certificates that are converted from .cer to
.pfx (I converted one to P12 by mistake and IIS would not accept it...).
You can find a few free services that will convert your .cer certificates to
.pfx; this is the one I used:
Converter
You can add your .pfx at this time, or if you don't have it yet, go back through
the steps to import it.
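The same import can be done from an elevated PowerShell prompt, followed by the checks worth making before you bind the certificate: that the private key came with it, that it is not close to expiry, and that it actually covers the names you plan to bind (a wild card covers only one sub domain level). This is an added example, not part of the original page; the file path and host names are placeholders.

```powershell
# Added example (not from the original page). Run in an elevated session.
# The .pfx path and host names are placeholders chosen for illustration.
$pfxPath   = 'C:\certs\example.pfx'
$hostNames = 'www.example.com', 'blog.example.com'

# Prompt for the .pfx password rather than storing it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Same destination as the MMC steps: Computer account, Personal store.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
$cert     = Get-Item -Path "Cert:\LocalMachine\My\$($imported.Thumbprint)"

# IIS cannot serve HTTPS with a certificate that has no private key.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }

# Warn when the certificate is close to expiry.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days." }

# A wild card entry such as *.example.com covers exactly one extra label:
# blog.example.com matches; a.b.example.com and example.com do not.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    # Host name with its first label removed: blog.example.com -> example.com
    $parent = ($HostName -split '\.', 2)[1]
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $parent -and ($name.Substring(2) -eq $parent)) {
            return $true
        }
    }
    return $false
}

# DNS names the certificate was issued for (subject alternative names).
$certNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
foreach ($h in $hostNames) {
    $covered = Test-NameCovered -HostName $h -CertNames $certNames
    '{0,-30} covered by certificate: {1}' -f $h, $covered
}

# Keep the thumbprint; it identifies the certificate when you create bindings.
"Thumbprint: $($cert.Thumbprint)"
```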
Web Site Configuration Server Certificate
Your next step is to look at the server's Server Certificates module.
Your certificate should be there; if not, use "Import" in the right-hand column
to find and add it.
Note: You may want to experiment with the other web site configuration options; however, I have
read where people run into problems when they create their own certificate and try
to use it on a non-domain web site. Internally that would be OK, but on the www
it will not be "trusted" because there will not be any certifying authority.
Web Site Configuration
On the server Home page there isn't much to do in the ASP section; I did
not change any parameters here.
On the server home page for IIS you will need to look at the Default Document
module. If the listed documents are all ones you are going to use, then
close it; however, there isn't a default document for PHP or some other types of documents,
so you will have to create them. You should remove any you are not going to use.
You may want to look at the FastCGI module; if you are using PHP, you need to
give it the full path to php-cgi.exe in your PHP directory.
Under Handler Mappings you need to add PHP via FastcgiModule. (see image)
You may want to look at the Logging module. The default normally works;
however, check the path: when I moved my host from the default C: to my new drive,
the move script did not change the log directory.
If you are adding PHP or some other type of extension to your setup, you will
need to add that extension to the MIME types.
If you added another non-standard feature such as FastCGI, check Modules
to see if installing the feature added the module; if not, you may have to
do that manually.
The last thing to check is Server Certificates. If you have the certificates and
they are installed, then close it; if not, you will need to come back and import the
certificates before you can use them to bind to port 443 for your site.
All other modules may not need to be changed from the default settings.
Web Site Configuration for each individual web site:
There are some modules whose options you will need to set up
if you are hosting one or more sites and are going to use HTTPS exclusively;
they are:
Default Document
What I found when I added my blog was that the configuration listed all
default documents and the blog would give a 404 error when I tried to open a
page; I had to delete all the documents except index.php to clear the error.
Handler Mappings
Check to see if your added mapping is here; for me it was the PHP via
FastcgiModule.
Turn on SSL options
Under the web site configuration SSL option
you need to check the box for "Require SSL" for the web application. For the
Client certificates I selected "Ignore"; your application may require or need to
accept the client certificate before the web site will open.
Web Site Configuration Binding of certificate and IP address
Click on "Bindings". When you have your certificate installed you can
bind to HTTPS; if not, you will need to use HTTP to bind to "All
Unassigned" or a specific IP.
In the right-hand column go to "Edit Site:"

Click on "Add" or "Edit"

If you are using HTTPS and more than one site, when you bind the first site
you need to check the box below the "Host Name" that is "Require Server Name
Indication". If you don't, you will not be able to add or bind another site to
HTTPS (port 443), nor will the next site accept the certificate you choose for it.

Fill in the blocks, and be sure to check the box for "Require Server Name
Indication" (SNI); if you don't do this you will only be able to bind one
name to port 443!

Adding the name www.diy-computer-repair.net without the www

Add the certificate for this name.

Now there are two names associated to this binding.

In the right-hand column you will find the bindings and Browse Website;
both names, the IP and the port are there.
Note: for HTTP and port 80 (or any other non-HTTPS port) you can
add as many separate web sites as you want without using the SNI feature; it is
only port 443 (HTTPS) that requires SNI to add more than one site to the
binding.
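The binding steps above, together with the earlier "Require SSL" setting, can also be scripted with the WebAdministration module so that every HTTPS binding is created with SNI turned on. This is an added example, not part of the original page; the site name, host names and thumbprint are placeholders to replace with your own values.

```powershell
# Added example (not from the original page). Run elevated on the IIS server.
Import-Module WebAdministration

$siteName   = 'Default Web Site'                      # assumed site name
$hostNames  = 'www.example.com', 'example.com'        # placeholder host names
$thumbprint = '<THUMBPRINT-OF-YOUR-CERTIFICATE>'      # placeholder, from the Personal store

foreach ($h in $hostNames) {
    # Leave host names alone that already have an HTTPS binding on port 443.
    $existing = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $h
    if ($existing) { continue }

    # -SslFlags 1 is the "Require Server Name Indication" check box.
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $h -SslFlags 1

    # Attach the certificate from the LocalMachine Personal ("My") store.
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $h
    $binding.AddSslCertificate($thumbprint, 'My')
}

# "Require SSL" with client certificates set to Ignore.
$access = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = $siteName
    Filter   = 'system.webServer/security/access'
    Name     = 'sslFlags'
    Value    = 'Ssl'
}
Set-WebConfigurationProperty @access

# Report every HTTPS binding on the site and whether SNI is enabled on it.
# A binding without SNI claims the whole IP:443 endpoint for one certificate.
Get-WebBinding -Name $siteName -Protocol https | ForEach-Object {
    [pscustomobject]@{
        Binding = $_.bindingInformation
        Sni     = [bool]($_.sslFlags -band 1)
    }
}
```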
Web Site Configuration redirection
The last web site configuration item: if you are using HTTPS and the web site was originally
HTTP, you may want to look at redirecting HTTP to HTTPS as an option to a
permanent 301 redirect page (I am considering this, although this web site was
never indexed as a site with HTTP). There are a few web sites that have
articles on how to do this, including Microsoft.
This is an image of this web site's SSL score. I need to do some more web site
configuration work;
however, it is a 1000% improvement over the first time I tested the SSL!
SSL Test
