重新格式化 `GCI IIS:\SSLBindings` 以避免截断
reformatting `GCI IIS:\SSLBindings` to avoid truncation
我的 Windows 2016 服务器上有 8 个 IIS 站点。 6 个具有相同的 multi-SAN 证书,2 个具有不同的证书。
GCI IIS:\SSLBindings 用省略号截断列表:
IP Address Port Host Name Store Sites
---------- ---- --------- ----- -----
443 CentralCertStore QA.ARIAUTODIRECT.COM
QA.ARIBUYDIRECT.COM
QA.ARIDEALERDIRECT.CA
QA.ARIDEALERDIRECT.COM
QA.ARITRUCKDIRECT.COM
...
0.0.0.0 443 WebHosting QA.ARIAUTODIRECT.COM
第一组中的每个站点都有针对 *:443:hostname 的 SSL 绑定——即所有 IP、端口 443 都需要 SNI 并指定主机名。最后一个绑定是默认绑定,不需要 SNI,也没有指定主机名,用于不支持 SNI 的旧浏览器。
我真正希望看到的输出是这样的,格式非常适合电子邮件报告:
IP Address Port Host Name (SNI) Store SiteName
---------- ---- --------- ----- -----
* 443 QA.ARIAUTODIRECT.COM CentralCertStore QA.ARIAUTODIRECT.COM
* 443 QA.ARIBUYDIRECT.COM CentralCertStore QA.ARIBUYDIRECT.COM
* 443 QA.ARIDEALERDIRECT.CA CentralCertStore QA.ARIDEALERDIRECT.CA
* 443 QA.ARIDEALERDIRECT.COM CentralCertStore QA.ARIDEALERDIRECT.COM
* 443 QA.ARITRUCKDIRECT.COM CentralCertStore QA.ARITRUCKDIRECT.COM
* 443 QA.VR.ARITRUCKDIRECT.COM CentralCertStore QA.VR.ARITRUCKDIRECT.COM
* 443 OPSSCQA.ARIFLEET.COM CentralCertStore OPS -SC- QA
0.0.0.0 443 -none- WebHosting QA.ARIAUTODIRECT.COM
我一直在破解 PowerShell 脚本,试图克服无法将 $null 更改为字符串或将整数更改为字符串等的警告。所以我是退后一步,询问是否有任何我忽略的明显方法。
举个例子,这是我试过的。它只显示站点名称,没有 headers.
PS C:\windows\system32> dir iis:\sslbindings |%{
$x = $_; $paths = $x.Sites |%{ $_.ItemXPath.Split("'")[1]};
Add-Member -inputobject $_ -membertype NoteProperty -Name "SiteName" -Value $paths;
$_.SiteName } |FT
QA.ARIAUTODIRECT.COM
QA.ARIBUYDIRECT.COM
QA.ARIDEALERDIRECT.CA
QA.ARIDEALERDIRECT.COM
QA.ARITRUCKDIRECT.COM
QA.VR.ARIAUTODIRECT.COM
OPS -SC- QA
ARIXSSQA
QA.ARIAUTODIRECT.COM
编辑:@thepip3r 尝试的结果。 (可能我稍后会删除此编辑,因为它并没有真正增加问题,但让我对 pip3r 的回答做出 well-formatted 回应)
给定:
IpAddress :
Port : 443
Hostname_SNI :
Store : CentralCertStore
Site : {QA.ARIAUTODIRECT.COM, QA.ARIBUYDIRECT.COM, QA.ARIDEALERDIRECT.CA, QA.ARIDEALERDIRECT.COM...}
IpAddress : 0.0.0.0
Port : 443
Hostname_SNI : 0.0.0.0
Store : WebHosting
Site : QA.ARIAUTODIRECT.COM
当 FT 添加到管道时:
IpAddress Port Hostname_SNI Store Site
--------- ---- ------------ ----- ----
443 CentralCertStore {QA.ARIAUTODIRECT.COM, QA.ARIBUYDIRECT.COM, QA.ARIDEALERDIRECT.CA, QA.ARIDEALERDIRECT.COM...}
0.0.0.0 443 0.0.0.0 WebHosting QA.ARIAUTODIRECT.COM
第一次尝试:
Import-Module WebAdministration
$SslBindings = @(gci IIS:\SslBindings)
if ($SslBindings.count -gt 0) {
foreach ($Binding in $SslBindings) {
[pscustomobject]@{
'IpAddress' = $Binding.IpAddress.IpAddressToString
'Port' = $Binding.Port
'Hostname_SNI' = ($Binding.PSPath | Split-Path -Leaf).Split('!')[0]
'Store' = $Binding.Store
'Site' = $Binding.Sites.Value
}
}
}
更好的答案
Get-WebBinding 产生的解决方案比 IIS:\WebBindings.
好得多
Get-WebBinding -Protocol https `
|%{
$bi = $_.bindingInformation.Split(":");
[PsCustomObject]@{
'IpAddress' = $bi[0]
'Port' = $bi[1]
'Hostname_SNI' = $bi[2]
Store = $( if ($_.sslFlags -eq 3) {"CentralCertStore"} else {$_.certificatestorename} )
SiteName = $_.ItemXPath.split("'")[1]
}
} |ft
结果:
IpAddress Port Hostname_SNI Store SiteName
--------- ---- ------------ ----- --------
* 443 WebHosting QA.ARIAUTODIRECT.COM
* 443 qa.ariautodirect.com CentralCertStore QA.ARIAUTODIRECT.COM
* 443 qa.aribuydirect.com CentralCertStore QA.ARIBUYDIRECT.COM
* 443 qa.aridealerdirect.ca CentralCertStore QA.ARIDEALERDIRECT.CA
* 443 qa.aridealerdirect.com CentralCertStore QA.ARIDEALERDIRECT.COM
* 443 qa.aritruckdirect.com CentralCertStore QA.ARITRUCKDIRECT.COM
* 443 qa.vr.ariautodirect.com CentralCertStore QA.VR.ARIAUTODIRECT.COM
* 443 OPSSCQA.ARIFLEET.COM CentralCertStore OPS -SC- QA
10.220.100.98 443 arixssqa.arifleet.com CentralCertStore ARIXSSQA
上一个答案
感谢我从 中学到的两件事(Split-Path -Leaf 和 [pscustomobject]@{...}),我已经克服了 格式化 问题。空白 Hostname_SNI 问题仍然存在,这是由于绑定的折叠造成的。我猜是因为每个绑定都使用 *:443、SNI 和 CCS,所以它会将它们折叠在一起。这仍然有点无法解释,因为这些绑定实际上有主机名。但我现在对此很满意。
import-module webadministration
dir iis:\sslbindings `
|%{ $Binding = $_
$Binding.Sites.ItemXPath |%{ $_.split("'")[1] } `
|% {
[pscustomobject]@{
'IpAddress' = $( $ip = $Binding.IpAddress.IpAddressToString; if ([String]::IsNullOrWhiteSpace($ip)) { "*" } else { $ip } )
'Port' = $Binding.Port
'Hostname_SNI' = $( $h = ($Binding.PSPath | Split-Path -Leaf).Split('!')[0]; if ([String]::IsNullOrWhiteSpace($h)) { "--none--" } else {$h} )
'Store' = $Binding.Store
'SiteName' = $_
}
}
} |ft
输出:
IpAddress Port Hostname_SNI Store SiteName
--------- ---- ------------ ----- --------
* 443 --none-- CentralCertStore QA.ARIAUTODIRECT.COM
* 443 --none-- CentralCertStore QA.ARIBUYDIRECT.COM
* 443 --none-- CentralCertStore QA.ARIDEALERDIRECT.CA
* 443 --none-- CentralCertStore QA.ARIDEALERDIRECT.COM
* 443 --none-- CentralCertStore QA.ARITRUCKDIRECT.COM
* 443 --none-- CentralCertStore QA.VR.ARIAUTODIRECT.COM
* 443 --none-- CentralCertStore OPS -SC- QA
* 443 --none-- CentralCertStore ARIXSSQA
0.0.0.0 443 0.0.0.0 WebHosting QA.ARIAUTODIRECT.COM
我的 Windows 2016 服务器上有 8 个 IIS 站点。 6 个具有相同的 multi-SAN 证书,2 个具有不同的证书。
GCI IIS:\SSLBindings 用省略号截断列表:
IP Address Port Host Name Store Sites
---------- ---- --------- ----- -----
443 CentralCertStore QA.ARIAUTODIRECT.COM
QA.ARIBUYDIRECT.COM
QA.ARIDEALERDIRECT.CA
QA.ARIDEALERDIRECT.COM
QA.ARITRUCKDIRECT.COM
...
0.0.0.0 443 WebHosting QA.ARIAUTODIRECT.COM
第一组中的每个站点都有针对 *:443:hostname 的 SSL 绑定——即所有 IP、端口 443 都需要 SNI 并指定主机名。最后一个绑定是默认绑定,不需要 SNI,也没有指定主机名,用于不支持 SNI 的旧浏览器。
我真正希望看到的输出是这样的,格式非常适合电子邮件报告:
IP Address Port Host Name (SNI) Store SiteName
---------- ---- --------- ----- -----
* 443 QA.ARIAUTODIRECT.COM CentralCertStore QA.ARIAUTODIRECT.COM
* 443 QA.ARIBUYDIRECT.COM CentralCertStore QA.ARIBUYDIRECT.COM
* 443 QA.ARIDEALERDIRECT.CA CentralCertStore QA.ARIDEALERDIRECT.CA
* 443 QA.ARIDEALERDIRECT.COM CentralCertStore QA.ARIDEALERDIRECT.COM
* 443 QA.ARITRUCKDIRECT.COM CentralCertStore QA.ARITRUCKDIRECT.COM
* 443 QA.VR.ARITRUCKDIRECT.COM CentralCertStore QA.VR.ARITRUCKDIRECT.COM
* 443 OPSSCQA.ARIFLEET.COM CentralCertStore OPS -SC- QA
0.0.0.0 443 -none- WebHosting QA.ARIAUTODIRECT.COM
我一直在破解 PowerShell 脚本,试图克服无法将 $null 更改为字符串或将整数更改为字符串等的警告。所以我是退后一步,询问是否有任何我忽略的明显方法。
举个例子,这是我试过的。它只显示站点名称,没有 headers.
PS C:\windows\system32> dir iis:\sslbindings |%{
$x = $_; $paths = $x.Sites |%{ $_.ItemXPath.Split("'")[1]};
Add-Member -inputobject $_ -membertype NoteProperty -Name "SiteName" -Value $paths;
$_.SiteName } |FT
QA.ARIAUTODIRECT.COM
QA.ARIBUYDIRECT.COM
QA.ARIDEALERDIRECT.CA
QA.ARIDEALERDIRECT.COM
QA.ARITRUCKDIRECT.COM
QA.VR.ARIAUTODIRECT.COM
OPS -SC- QA
ARIXSSQA
QA.ARIAUTODIRECT.COM
编辑:@thepip3r
给定:
IpAddress :
Port : 443
Hostname_SNI :
Store : CentralCertStore
Site : {QA.ARIAUTODIRECT.COM, QA.ARIBUYDIRECT.COM, QA.ARIDEALERDIRECT.CA, QA.ARIDEALERDIRECT.COM...}
IpAddress : 0.0.0.0
Port : 443
Hostname_SNI : 0.0.0.0
Store : WebHosting
Site : QA.ARIAUTODIRECT.COM
当 FT 添加到管道时:
IpAddress Port Hostname_SNI Store Site
--------- ---- ------------ ----- ----
443 CentralCertStore {QA.ARIAUTODIRECT.COM, QA.ARIBUYDIRECT.COM, QA.ARIDEALERDIRECT.CA, QA.ARIDEALERDIRECT.COM...}
0.0.0.0 443 0.0.0.0 WebHosting QA.ARIAUTODIRECT.COM
第一次尝试:
Import-Module WebAdministration
$SslBindings = @(gci IIS:\SslBindings)
if ($SslBindings.count -gt 0) {
foreach ($Binding in $SslBindings) {
[pscustomobject]@{
'IpAddress' = $Binding.IpAddress.IpAddressToString
'Port' = $Binding.Port
'Hostname_SNI' = ($Binding.PSPath | Split-Path -Leaf).Split('!')[0]
'Store' = $Binding.Store
'Site' = $Binding.Sites.Value
}
}
}
更好的答案
Get-WebBinding 产生的解决方案比 IIS:\WebBindings.
Get-WebBinding -Protocol https `
|%{
$bi = $_.bindingInformation.Split(":");
[PsCustomObject]@{
'IpAddress' = $bi[0]
'Port' = $bi[1]
'Hostname_SNI' = $bi[2]
Store = $( if ($_.sslFlags -eq 3) {"CentralCertStore"} else {$_.certificatestorename} )
SiteName = $_.ItemXPath.split("'")[1]
}
} |ft
结果:
IpAddress Port Hostname_SNI Store SiteName
--------- ---- ------------ ----- --------
* 443 WebHosting QA.ARIAUTODIRECT.COM
* 443 qa.ariautodirect.com CentralCertStore QA.ARIAUTODIRECT.COM
* 443 qa.aribuydirect.com CentralCertStore QA.ARIBUYDIRECT.COM
* 443 qa.aridealerdirect.ca CentralCertStore QA.ARIDEALERDIRECT.CA
* 443 qa.aridealerdirect.com CentralCertStore QA.ARIDEALERDIRECT.COM
* 443 qa.aritruckdirect.com CentralCertStore QA.ARITRUCKDIRECT.COM
* 443 qa.vr.ariautodirect.com CentralCertStore QA.VR.ARIAUTODIRECT.COM
* 443 OPSSCQA.ARIFLEET.COM CentralCertStore OPS -SC- QA
10.220.100.98 443 arixssqa.arifleet.com CentralCertStore ARIXSSQA
上一个答案
感谢我从 Split-Path -Leaf 和 [pscustomobject]@{...}),我已经克服了 格式化 问题。空白 Hostname_SNI 问题仍然存在,这是由于绑定的折叠造成的。我猜是因为每个绑定都使用 *:443、SNI 和 CCS,所以它会将它们折叠在一起。这仍然有点无法解释,因为这些绑定实际上有主机名。但我现在对此很满意。
import-module webadministration
dir iis:\sslbindings `
|%{ $Binding = $_
$Binding.Sites.ItemXPath |%{ $_.split("'")[1] } `
|% {
[pscustomobject]@{
'IpAddress' = $( $ip = $Binding.IpAddress.IpAddressToString; if ([String]::IsNullOrWhiteSpace($ip)) { "*" } else { $ip } )
'Port' = $Binding.Port
'Hostname_SNI' = $( $h = ($Binding.PSPath | Split-Path -Leaf).Split('!')[0]; if ([String]::IsNullOrWhiteSpace($h)) { "--none--" } else {$h} )
'Store' = $Binding.Store
'SiteName' = $_
}
}
} |ft
输出:
IpAddress Port Hostname_SNI Store SiteName
--------- ---- ------------ ----- --------
* 443 --none-- CentralCertStore QA.ARIAUTODIRECT.COM
* 443 --none-- CentralCertStore QA.ARIBUYDIRECT.COM
* 443 --none-- CentralCertStore QA.ARIDEALERDIRECT.CA
* 443 --none-- CentralCertStore QA.ARIDEALERDIRECT.COM
* 443 --none-- CentralCertStore QA.ARITRUCKDIRECT.COM
* 443 --none-- CentralCertStore QA.VR.ARIAUTODIRECT.COM
* 443 --none-- CentralCertStore OPS -SC- QA
* 443 --none-- CentralCertStore ARIXSSQA
0.0.0.0 443 0.0.0.0 WebHosting QA.ARIAUTODIRECT.COM