IIS Reverse Proxy to a specific internal URL scenario [Answered]

19 replies

Last post Jul 26, 2019 07:02 PM by Chris Becke

  • IIS Reverse Proxy to a specific internal URL scenario

    Jul 23, 2019 11:55 AM|SNarciso

    Hello,

    I have already read a lot about IIS Reverse Proxy with ARR and URL Rewrite, but I have not been able to do what I need for my scenario.

    I want to have an SSL Offload scenario to redirect to my internal HTTP Linux website. Until now it's a typical scenario, but the internal Linux server does not reply to an IP or hostname URL; it only replies to the public FQDN domain.

    Maybe I don't even need a full Reverse Proxy scenario, because the public domain and the internal Linux server respond to the same URL.

    Scenario:

    A public internet browser makes an HTTP request to "http://scenario.example.com"

    That request is accepted by the IIS server but must be converted to an SSL request (using a certificate): "https://scenario.example.com"

    IIS uses SSL Offloading (or another method); instead of rewriting the URL to the internal IP "http://192.168.1.50:88", the IIS server must know that the URL of the internal Linux website must be "http://scenario.example.com:88"

    Note: I don't have permission to access or change the Linux configuration to accept IP requests, so the only way to make the website work is to use that internal URL "http://scenario.example.com:88"

    I was thinking that maybe I need a way (DNS? or hosts file?) to match the Linux IP with that URL?

    Thanks in advance.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 23, 2019 01:43 PM|lextm

    Who owns the Linux side web site? A well designed web site/application should learn base URL from the incoming request, such as X-Original-URL.

    Lex Li
    IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 23, 2019 02:15 PM|SNarciso

    I also had some questions about that and asked the website builder directly, and he confirms that the website only replies to the complete FQDN URL on a specific port.

    Well, I didn't want to give you a more complex scenario, but actually the computer only replies to 2 full FQDN URLs on the same port, for example: http://scenario.example.com:88 and http://scenario2.example.com:88. Each is an individual website.

    This scenario is already working with his Linux Reverse Proxy; what I intend to do is use our IIS to do the same thing and free us from their proxy services.

    What was done is that the internet DNS domains are pointing to a machine in another company. All it does is encrypt and redirect (Reverse Proxy) the browser requests to my internet IP on an open port in my router (NAT), which redirects to the internal IP of the Linux computer that has the 2 websites.

    So, now the magic is done at their proxy machine and I intend to do the same with our IIS. Is that possible?

    The goal here is to point the internet DNS domains directly to our external IP and then have IIS successfully take care of all browser requests.

     

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 23, 2019 02:20 PM|lextm

    Then why cannot you use nginx or Apache on that Linux box to set up reverse proxy rules? You already have DNS record pointing to the Linux box, so don't bother to use IIS and mess things up.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 23, 2019 02:29 PM|SNarciso

    I already thought about that, but then I must have access to that Linux box and need to mess around with Nginx and install certificates.

    I was avoiding that because I was thinking that I could easily do this with IIS and then install all the certificates needed in it.

    If not, I must talk to the external company and try to arrange a way to do that on the Linux box.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 23, 2019 05:13 PM|Chris Becke

    Servers always know their host name by looking at the host header.

    So, on your IIS ARR server you can set up a site or global rule to catch requests to proxy to this server.

    Make sure that HTTP_HOST is added to the list of server variables. Then, create an Inbound Rule:

    Match URL: (.*)

    Match Type: Regular Expression

    If this is a global rule rather than a site based rule then you need a condition:

    Condition: {HTTP_HOST} equals ^public.example.com$

    Server Variables: {HTTP_HOST} scenario.example.com:88

    Action: Rewrite: https://192.158.1.50:88/{R:1}

    Stop Processing etc.

    The goal is to make a rule that:

    1. matches all urls regardless, capturing them as {R:1}
    2. (optionally) conditionally matches requests arriving at IIS for the external dns name of the service.
    3. Forces the "Host:" http header to have the value that the destination server is expecting
    4. Rewrites the request to a server name or IP that IIS can actually reach, passing the full url captured above.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 24, 2019 06:44 PM|SNarciso

    Hello Chris,

    Thank you for your time.

    I tried your answer, but it is not working right now; maybe it needs some adjustments, because I have some data to add:

    Right now I can make IIS recognise the right internal server using the correct URL: http://scenario.example.com:88
    I created in my internal DNS server an entry for the domain scenario.example.com for the Host (A) 192.168.1.50
    So, right now when IIS receives a request for http://scenario.example.com it knows that the correct machine is 192.168.1.50

    When using your solution I receive an internal error 500 (the physical path points to a dummy directory in IIS)

    If I use your example but choose Redirect instead of Rewrite, I can reach the website correctly, but of course with the URL changed to the real port of the server, http://scenario.example.com:88, which I prefer not to show to the outside browser. I need the internet browser to receive only the URL http://scenario.example.com

    Chris Becke

    Action: Rewrite: https://192.158.1.50:88/{R:1}

    This URL is not working; the server returns a message that the website cannot be found. It only replies to the correct URL (not needed anymore, because now IIS knows the corresponding IP from the correct URL)

    With this new information can you provide the possible rules for this to work?

    Thank you.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 25, 2019 04:14 AM|Chris Becke

    In order for Rewrite to rewrite the url to a different server you need to have installed the full Application Request Routing module - which includes UrlRewrite.

    If this is installed, you can find a configuration node called Application Request Routing in IIS Manager at the server level. You need to open that, click on Proxy Settings and enable the proxy.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 25, 2019 10:18 AM|SNarciso

    Those were the first two things I did when I started this proxy configuration.

    https://ibb.co/WvykX5q

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 25, 2019 10:43 AM|Chris Becke

    The next step would then be to set up Failed Request Tracing on the site, and/or provide a screenshot of your exact anonymised rewrite rule settings so we can see if there is something weird there.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 25, 2019 11:44 AM|SNarciso

    I just activated the Failed Request Tracing.

    About the rewrite rule: using your previous example gives me the 500 error, but like I said afterwards, the IP is not needed anymore, and besides that, with the IP it is not getting to the website.

    I have created other test rules to see if something worked, but now I think it's better to start again. Can you provide another rewrite rule for me to test? If it is not working, then I could provide the Failed Request Tracing log to see what is going wrong.

    Just to elucidate this scenario a little more, I am not using the Default Web Site; I have created a dedicated website for the external domain.

    I don't have the SSL yet. I will use Let's Encrypt, but I can only create the certificates when the internet DNS records are pointed to my external IP. Right now I need to make this scenario work before doing that external DNS change to create the certificates.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 25, 2019 12:39 PM|Chris Becke

    This is how I would set up a rule that would route traffic directed to a server with a site bound to https://issues.organization.com where the jira server itself is running on localhost:9090 and believes its hostname is jira.example.com

    In your case, "localhost:9090" needs to be the ip address, or something that you can test from the browser on the server to make sure the server can actually resolve the remote address.

    Also, in your case, the HTTP_HOST value needs to include the :88 port number as your server is expecting that.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 25, 2019 02:11 PM|SNarciso

    Another thing is that in my scenario I edited a computer's hosts file so that the PC is forced to redirect scenario.example.com to my external public IP address, to simulate a real connection from the internet to the URL http://scenario.example.com

    I think the browser requests are going to the Default Web Site and not to the correct website, because I can't find any log file for Failed Request Tracing, or do I need to create a rule? It is returning the 500 Internal Server Error.

    Here are my web site bindings (masked the real external DNS URL)

    https://ibb.co/cr4Vkxp

    Here is the rewrite rule

    https://ibb.co/rwnRTzj

     

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 25, 2019 05:18 PM|Chris Becke

    Are you sure then that the server is going to the "internal" scenario.example.com, or is it being routed to the external IP and back to itself in an infinite loop?

    Rather use the IP address of the internal server - or an explicitly internal name - in the rewrite rule so you know it's getting where it needs to go.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 26, 2019 12:10 PM|SNarciso

    Using the IP the result is the same, but now I managed to create Failed Request Tracing rules and have some logs.

    Site 4
    Process 11172
    Failure Reason STATUS_CODE
    Trigger Status 500.50
    Final Status 500.50
    Time Taken 0 msec
    Url http://scenario.example.com:80/
    App Pool DefaultAppPool
    Authentication NOT_AVAILABLE
    User from token
    Activity ID {00000000-0000-0000-D60A-0080060000FF}

    Errors & Warnings
    No. Severity Event Module Name
    121. view trace Warning -MODULE_SET_RESPONSE_ERROR_STATUS 
    ModuleName RewriteModule
    Notification 1
    HttpStatus 500
    HttpReason URL Rewrite Module Error.
    HttpSubStatus 50
    ErrorCode 2147942405
    ConfigExceptionInfo
    Notification BEGIN_REQUEST
    ErrorCode Access is denied. (0x80070005)
    RewriteModule
    122. view trace Warning -SET_RESPONSE_ERROR_DESCRIPTION 
    ErrorDescription The server variable "HTTP_HOST" is not allowed to be set. Add the server variable name to the allowed server variable list.
  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 26, 2019 03:58 PM|Chris Becke

    You haven't added HTTP_HOST to the list of variables that your rules are allowed to change. On the ARR base page there is a setting in the right hand panel "Server Variables...". Use that to add HTTP_HOST.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 26, 2019 05:19 PM|SNarciso

    Thank you,

    I had no clue that I needed to do that.

    Now the error is the same 500 error but the log changed:

    -Request Summary
    Site 4
    Process 23100
    Failure Reason STATUS_CODE
    Trigger Status 500.52
    Final Status 500.52
    Time Taken 32 msec
    Url http://scenario.example.com:80/
    App Pool DefaultAppPool
    Authentication anonymous
    User from token NT AUTHORITY\IUSR
    Activity ID {00000000-0000-0000-8D0D-0080000000ED}

    Errors & Warnings
    No. Severity Event
    148. view trace Warning -MODULE_SET_RESPONSE_ERROR_STATUS 
    ModuleName RewriteModule
    Notification 536870912
    HttpStatus 500
    HttpReason URL Rewrite Module Error.
    HttpSubStatus 52
    ErrorCode 2147500036
    ConfigExceptionInfo
    Notification SEND_RESPONSE
    ErrorCode Operation aborted (0x80004004)
    149. view trace Warning -SET_RESPONSE_ERROR_DESCRIPTION 
    ErrorDescription Outbound rewrite rules cannot be applied when the content of the HTTP response is encoded ("gzip").
  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 26, 2019 05:44 PM|Chris Becke

    What outbound rule do you have? Delete them if you don't need them.

    Although I guess the problem is, the server is going to be writing links to its own content with absolute URLs, so you have a rule to rewrite those?

    If you must keep the rewrite rule then you must convince the internal server to not compress its content. The most brute force way of doing that would be to add, to the Server Variables, an Accept Encoding header that doesn't include gzip. I haven't done that so I don't know the exact variable names. The same will apply though: add the variable to the list of allowed server variables, and then set it in the inbound rule.

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 26, 2019 05:52 PM|SNarciso

    Searching for the HTTP response encoded error, I found that I need to disable "Enable dynamic content compression" in the Compression feature. After doing that, all works like a charm!!!!

    I don't know if disabling that compression option is the right solution, but at least now it is working.

    I will do more tests to figure out if all is working like it should.

    About https: do I need to add another condition? Or is the http to https redirect automatic after I add the certificate? (I want to force the external internet browser to use https instead of http)

  • Re: IIS Reverse Proxy to a specific internal URL scenario

    Jul 26, 2019 07:02 PM|Chris Becke

    I'm glad that it's working finally :)

    HTTP to HTTPS redirection is frequently asked. There should be other threads covering that. If you can't find one, it should be a separate question, to keep in the spirit of making the Q&A here a searchable resource.
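
The settings this thread arrives at, written out as IIS configuration XML (an added example, not taken from any post above). It assumes the backend from the original question (192.168.1.50, plain HTTP on port 88, expecting the host scenario.example.com:88); the rule name is made up, and HTTP_ACCEPT_ENCODING is the server-variable form of the Accept-Encoding header that the compression suggestion above refers to.

```xml
<!-- applicationHost.config (server level), inside <system.webServer>.
     Equivalent to enabling the ARR proxy and adding allowed server
     variables in IIS Manager. -->
<proxy enabled="true" />
<rewrite>
  <allowedServerVariables>
    <!-- Without this entry the rule fails with 500.50:
         "The server variable HTTP_HOST is not allowed to be set". -->
    <add name="HTTP_HOST" />
    <!-- Only needed if the rule below clears Accept-Encoding. -->
    <add name="HTTP_ACCEPT_ENCODING" />
  </allowedServerVariables>
</rewrite>

<!-- web.config of the dedicated site, inside <system.webServer>.
     The rule name is hypothetical. -->
<rewrite>
  <rules>
    <rule name="ProxyToScenarioBackend" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <!-- Only proxy requests addressed to the public name. -->
        <add input="{HTTP_HOST}" pattern="^scenario\.example\.com$" />
      </conditions>
      <serverVariables>
        <!-- Host header the Linux site expects, port included. -->
        <set name="HTTP_HOST" value="scenario.example.com:88" />
        <!-- Ask the backend for an uncompressed response so outbound
             rules can read it (avoids 500.52). Remove this line if
             the site has no outbound rules. -->
        <set name="HTTP_ACCEPT_ENCODING" value="" />
      </serverVariables>
      <!-- Fixed internal target: the request does not depend on DNS,
           so it cannot resolve to the public IP and loop back to IIS. -->
      <action type="Rewrite" url="http://192.168.1.50:88/{R:1}" />
    </rule>
  </rules>
</rewrite>
```

Clearing Accept-Encoding toward the backend is the alternative to turning off dynamic compression on the IIS side; either one removes the gzip-encoded response that the outbound rules could not process.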