Nowadays I do most of my Windows development on a Windows 7 VM running on OS X macOS (Windows 8 and Windows Server 2012 left some scars so I’m very reluctance on moving to Windows 10). On this development environment I like to mimic some production environment characteristics, namely:
- Using IIS based hosting
- Having each site using different host names
- Using HTTPS
For the site names I typically use example.com subdomains (e.g. id.example.com, app1.example.com, app2.example.com), which are reserved by IANA for documentation purposes (see RFC 6761). I associate these names to local addresses via the hosts file.
For generating the server certificates I use makecert and the scripts published at Appendix G of the Designing Evolvable Web APIs with ASP.NET.
However, having multiple sites using distinct certificates hosted on the same IP and port address presents some challenges. This is because IIS/HTTP.SYS uses the Host header to demultiplex the incoming requests to the different sites bound to the same IP and port.
However, when using TLS, the server certificate must be provided on the TLS handshake, well before the TLS connection is established and the Host header is received. Since at this time HTTP.SYS does not know the target site it also cannot select the appropriate certificate.
Server Name Indication (SNI) is a TLS extension (see RFC 3546) that addresses this issue, by letting the client send the host name in the TLS handshake, allowing the server to identity the target site and use the corresponding certificate.
Unfortunately, HTTP.SYS on Windows 7 does not support SNI (that’s what I get for using 2009 operating systems). To circumvent this I took advantage of the fact that there are more loopback addresses other than 127.0.0.1. So, what I do is to use different loopback IP addresses for each site on my machine as illustrated by the following my hosts file excerpt
127.0.0.2 app1.example.com 127.0.0.3 app2.example.com 127.0.0.4 id.example.com
When I configure the HTTPS IIS bindings I explicitly configure the listening IP addresses using these different values for each site, which allows me to use different certificates.
And that’s it. Hope it helps.
I like the approach of leveraging multiple loopback IP addresses but why do you need more than one certificate if it’s a self signed one? Why not using a wildcard certificate? I even use localtest.me to avoid having to touch my hosts file
The main purpose is to mimic the production environments where I’ll have multiple certificates. Not also that I don’t use self-signed certificates for the HTTP Server. I have a dev certification authority that issues end-entity certificates for the HTTP servers.
Pingback: Client-side development on OS X using Windows hosted HTTP Web APIs | Tech News