IIS as Reverse Proxy

From MgmtWiki

Full Title

Using Windows Server as a Reverse Proxy for IIS 8 and above (Server 2012 and above).

Context

  • It is often necessary to use a Reverse Proxy to terminate HTTPS requests and then forward those requests to specific server instances for load balancing or similar services.
  • Warning - version 2 of IIS administration has deprecated web.config in favor of the security section of appsettings.json.

Solution

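  1. Use action type="Redirect" if you want to have the browser redirect the call to the targeted server.
  2. Use action type="Rewrite" if you want IIS to forward the request to the targeted server itself, which is the reverse proxy case.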

If you are using Visual Studio to create the web.config file for IIS, it will guide you as to the options allowable at each step.

Example

Goal: Redirect https: requests to a separate IIS instance (or site) which only supports http: scheme.

  1. Open the Server Manager - select the computer to run manager and the "Add Roles and Features Wizard"
  2. Select "Role-based or feature-based Installation" - click next
  3. Select Server - click next
  4. Select Web Server (IIS) - it is assumed that IIS has already been installed - if not, install it first
  5. Add security features - Request Filtering, Basic Authentication - Windows Authentication
  6. Click Install - this takes several minutes, but only if you have actually added any features that were not already present.
  7. Install additional Microsoft IIS modules. (If unsure whether they are already present, go to cmd.exe and type %windir%\system32\inetsrv\config\applicationhost.config, and search for the string "<globalModules>".)
    1. Install the URL Rewrite Module. It can be downloaded from https://www.iis.net/downloads/microsoft/url-rewrite (may be present already)
    2. Install Application Request Routing (ARR). It can be downloaded from https://www.iis.net/downloads/microsoft/application-request-routing
    3. An alternative way is to list modules (w/o rev #) in the following directory and command: C:\WINDOWS\system32\inetsrv> .\appcmd.exe list modules
  8. Open Internet Information Services (IIS) Manager (for example from Administrative Tools)
  9. Click on the Server in the left pane (click a second time if you don't see sites)
  10. Click on sites
  11. Add a new site with some friendly name that will be used locally - point to some empty file directory, for example C:\inetpub\wwwroot\tomjones, which will later contain the system.web file - leave the rest empty
  12. You probably want to go to SSL Settings and set "Require SSL" for connections
  13. Ensure there is an SSL certificate on the machine that can be used
  14. Click site and "URL Rewrite" - click "Add Rules" - click on "Reverse Proxy"
  15. Remember to get firewall settings to match sites (should be nothing new if http and https are already open on the port for this site)
    1. As required, start "Windows Firewall with Advanced Security" (typically, going to Start and entering "adv" should be enough). To check if the port number is already enabled, click on the port header to sort in port order.
    2. In right pane under "Inbound Rules" click "New Rule" - in New Inbound Rule Wizard select Port and click next - Select "TCP" and add specific port # - click next
  16. Add binding - Click site name - in right pane click "Bindings" - in Site Bindings click "Add" - add type https on port 443 (or other if 443 is not available) - enter domain name - save
    1. It is possible that the binding was created when the site was created - so this step may not be required again.


This is the way the web.config file worked after tweaking it to match existing configuration. In this case the sites were separated by port numbers.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://tomj-hyper:8765/{R:1}" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
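
The Redirect and Rewrite action types described above have different transport-security consequences once the target is an http: backend. The following is an added example, not part of the original page: a small audit of web.config rewrite rules. The function name, the finding labels and the "RedirectVariant" rule are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the page's rule plus a hypothetical Redirect variant.
SAMPLE_WEB_CONFIG = """
<configuration><system.webServer><rewrite><rules>
  <rule name="ReverseProxyInboundRule1" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://tomj-hyper:8765/{R:1}" />
  </rule>
  <rule name="RedirectVariant" stopProcessing="true">
    <match url="^app/(.*)" />
    <action type="Redirect" url="http://tomj-hyper:8765/{R:1}" />
  </rule>
</rules></rewrite></system.webServer></configuration>
"""

def audit_rewrite_rules(web_config_xml):
    """Return {rule name: [findings]} for each inbound rule in a web.config."""
    report = {}
    root = ET.fromstring(web_config_xml)
    for rule in root.findall(".//rules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if action is None:
            continue
        kind = action.get("type", "")
        target = urlsplit(action.get("url", ""))
        findings = []
        if target.scheme == "http" and kind == "Redirect":
            # The browser is sent to the http URL itself: TLS is lost end to
            # end and the backend host name and port are shown to the client.
            findings.append("redirect-downgrades-client-to-http")
        elif target.scheme == "http" and kind == "Rewrite":
            # TLS ends at the proxy; the proxy-to-backend hop is cleartext.
            findings.append("cleartext-hop-to-backend:" + target.netloc)
        catch_all = match is not None and match.get("url") == "(.*)"
        if catch_all and rule.find("conditions") is None:
            # Every path on the public site is forwarded to the backend.
            findings.append("catch-all-forwarding")
        report[rule.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_rewrite_rules(SAMPLE_WEB_CONFIG).items():
        print(name, findings or ["ok"])
```

A cleartext-hop finding is acceptable only when the proxy and the backend share a trusted network segment, as in the page's same-host, different-port layout.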
