The <ISAPI> element provides a piece of functionality missing from IIS, namely the ability to obtain canonical scheme, host, and port information about an incoming request.
You'll need to restart IIS after changing this particular set of options.
This is essential for enforcing request-specific access policy from outside the IIS core engine (which filters like Shibboleth's have to do). It's also necessary to enable proper generation of redirects when running virtualized servers on internal ports.
Apache handles this with the ServerName and UseCanonicalName commands, and Sun/iPlanet servers have an extensible configuration file, but IIS is broken and does not support this capability. IIS will only report scheme, host, and port values based on what the client supplies in its request. This is impossible to trust and cannot be used to look up settings.
<ISAPI normalizeRequest="true">
    <Site id="1" name="www.example.org">
        <Alias>web.example.org</Alias>
    </Site>
    <Site id="1534573457" scheme="https" name="virtual.example.org" port="443"/>
</ISAPI>
The first element defines a default IIS web site with an Instance ID of "1" that runs on the standard ports. It also authorizes clients to access the site with an alias, and allows the alias to be used when redirects are generated.
The second example element is a virtual web site running behind an SSL accelerator that translates SSL requests to non-SSL requests. The scheme and port attributes override the physical settings with logical values seen by the client.
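
An added example (not Shibboleth's code) that models the mapping described above and shows why a client-supplied Host header cannot drive a policy lookup. The function names, the server-supplied `phys_scheme`/`phys_port` inputs, and the fall-back to the canonical name for an unlisted host are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed config, mirroring the <ISAPI> example on this page.
ISAPI_XML = """
<ISAPI normalizeRequest="true">
  <Site id="1" name="www.example.org">
    <Alias>web.example.org</Alias>
  </Site>
  <Site id="1534573457" scheme="https" name="virtual.example.org" port="443"/>
</ISAPI>
"""

def load_sites(xml_text):
    """Return (normalize flag, {instance id: site mapping}) from an <ISAPI> block."""
    root = ET.fromstring(xml_text)
    normalize = root.get("normalizeRequest", "true").lower() in ("true", "1")
    sites = {}
    for s in root.findall("Site"):
        sites[s.get("id")] = {
            "name": s.get("name").lower(),
            "aliases": {a.text.strip().lower() for a in s.findall("Alias")},
            "scheme": s.get("scheme"),
            "port": int(s.get("port")) if s.get("port") else None,
        }
    return normalize, sites

def effective_origin(xml_text, instance_id, phys_scheme, phys_port, host_header):
    """Model (hypothetical helper) of which scheme/host/port a policy lookup uses.

    instance_id, phys_scheme and phys_port come from the server; host_header
    is client-supplied and is only honored if it matches the name or an Alias.
    """
    normalize, sites = load_sites(xml_text)
    host, _, hport = host_header.lower().partition(":")
    if not normalize:
        # Client-controlled host and port flow straight into the policy lookup.
        return (phys_scheme, host, int(hport) if hport.isdigit() else phys_port)
    site = sites.get(instance_id)
    if site is None:
        raise LookupError("no <Site> mapping for instance " + instance_id)
    if host != site["name"] and host not in site["aliases"]:
        host = site["name"]  # assumption: unlisted host falls back to canonical name
    return (site["scheme"] or phys_scheme, host, site["port"] or phys_port)
```
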
normalizeRequest (boolean) (defaults to true)
Similar to Apache's UseCanonicalName option, it controls whether the client's request determines the "effective" scheme, hostname, and port of the request, or whether the enclosing <ISAPI> element's mappings do. Should be left true in most cases or security holes can result.
safeHeaderNames (boolean) (defaults to false) (Version 2.2 and Above)
<Site>
id (string)
name (string)
scheme (string)
port (integer)
sslport (integer)
<Alias>