IIS as Reverse Proxy
From MgmtWiki
Full Title
Using Windows Server as a Reverse Proxy for IIS 8 and above (Server 2012 and above).
Context
- It is often necessary to use a Reverse Proxy to terminate HTTPS requests and then forward those requests to specific server instances for load balancing or similar services.
- Warning: version 2 of IIS administration has deprecated web.config in favor of the security section of appsettings.json.
Solution
- Use IIS with Application Request Routing (ARR)
- There are, inter alia, two modes to run:
- action type="Redirect" if you want to have the browser redirect the call to the targeted server
- action type="Rewrite"
If you are using Visual Studio to create the web.config file for IIS, it will guide you as to the options allowable at each step.
Example
Goal: Redirect https: requests to a separate IIS instance (or site) which only supports http: scheme.
- Open the Server Manager - select the computer to manage and start the "Add Roles and Features Wizard"
- Select "Role-based or feature-based Installation" - click next
- Select Server - click next
- Select Web Server (IIS) - it is assumed that IIS has already been installed - if not, install it first
- Add security features - Request Filtering, Basic Authentication - Windows Authentication
- Click Install - this takes several minutes, but only if you have actually added any features that were not already present.
- Install additional Microsoft IIS modules (if unsure which are present, go to cmd.exe and type %windir%\system32\inetsrv\config\applicationhost.config, and search for the string "<globalModules>").
- Install the URL Rewrite Module. It can be downloaded from https://www.iis.net/downloads/microsoft/url-rewrite (may be present already)
- Install Application Request Routing (ARR). It can be downloaded from https://www.iis.net/downloads/microsoft/application-request-routing
- An alternative way is to list the modules (without revision numbers) by running the following command from this directory: C:\WINDOWS\system32\inetsrv> .\appcmd.exe list modules
- Open Internet Information Services (IIS) Manager (for example from Administrative Tools)
- Click on the Server in the left pane (click a second time if you don't see sites)
- Click on sites
- Add a new site with some friendly name that will be used locally - point it to some empty file directory, for example C:\inetpub\wwwroot\tomjones, which will later contain the system.web file - leave the rest empty
- You probably want to go to SSL Settings and set it to require SSL for connections
- Ensure there is an SSL certificate on the machine that can be used
- Click site and "URL Rewrite" - click "Add Rules" - click on "Reverse Proxy"
- Remember to get firewall settings to match sites (should be nothing new if http and https are already open on the port for this site)
- As required, start "Windows Firewall with Advanced Security" (typically going to Start and entering "adv" should be enough). To check whether the port number is already enabled, click on the port header to sort in port order.
- In right pane under "Inbound Rules" click "New Rule" - in New Inbound Rule Wizard select Port and click next - Select "TCP" and add specific port # - click next
- Add binding - Click site name - in right pane click "Bindings" - in Site Bindings click "Add" - add type https on port 443 (or other if 443 is not available) - enter domain name - save
- It is possible that the binding was created when the site was created - so this step may not be required again.
This is the way the web.config file worked after tweaking it to match existing configuration. In this case the sites were separated by port numbers.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://tomj-hyper:8765/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
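A reverse-proxy rule like the one above is worth reviewing before it goes live. The following is an added example, not part of the original page or of IIS: a small Python check that reads a web.config and reports, per proxying rule, what a reviewer would want to know. The finding names, the function name audit and the second sample config are assumptions made for illustration, and the check goes slightly beyond the page's single rule by also flagging a backend host taken from the request.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# PAGE_CONFIG is the page's rule; CONSTRUCTED is a made-up variant for contrast.
PAGE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><rewrite><rules>
  <rule name="ReverseProxyInboundRule1" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://tomj-hyper:8765/{R:1}" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""

CONSTRUCTED = """<configuration><system.webServer><rewrite><rules>
  <rule name="HostFromRequest">
    <match url="^app/(.*)" />
    <conditions><add input="{HTTPS}" pattern="^ON$" /></conditions>
    <action type="Rewrite" url="https://{HTTP_HOST}:8443/{R:1}" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""

def audit(web_config_xml):
    """Return {rule name: sorted list of finding codes} for proxying rules."""
    root = ET.fromstring(web_config_xml.strip().encode("utf-8"))
    report = {}
    for rule in root.findall("./system.webServer/rewrite/rules/rule"):
        action, match = rule.find("action"), rule.find("match")
        if action is None or action.get("type", "").lower() != "rewrite":
            continue  # Redirect rules send the browser elsewhere; they do not proxy
        target = urlsplit(action.get("url", ""))
        if not target.scheme:
            continue  # relative URL: a local rewrite, not forwarded to another server
        found = set()
        if target.scheme.lower() == "http":
            found.add("cleartext-backend")      # TLS ends at IIS; next hop is plain HTTP
        if re.search(r"\{[^}]+\}", target.netloc):
            found.add("request-derived-host")   # a variable or back-reference picks the backend
        if match is not None and match.get("url") in ("(.*)", ".*", "^(.*)$"):
            found.add("catch-all-match")        # every path is forwarded
        inputs = [c.get("input", "").upper() for c in rule.iter("add")]
        if "{HTTPS}" not in inputs:
            found.add("no-https-condition")     # rule does not check the inbound scheme
        report[rule.get("name", "<unnamed>")] = sorted(found)
    return report

if __name__ == "__main__":
    for config in (PAGE_CONFIG, CONSTRUCTED):
        for name, findings in audit(config).items():
            print(name, findings)
```

The no-https-condition finding only matters when the site also has an http binding and does not require SSL; cleartext-backend is expected for the page's goal, and is a reminder that the hop to the backend carries unencrypted traffic.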
References
- Setup IIS with URL Rewrite as a reverse proxy for real world apps.
- Preserve Source IP Address Despite Reverse Proxies
The main drawback when using a reverse proxy is that it will hide the user IP: when acting on behalf of the user, it will use its own IP address to connect to the server. There is a workaround: using a transparent proxy, but this usage can hardly pass through firewalls or other reverse proxies: the default gateway of the server must be the reverse proxy. Unfortunately, it is sometimes very useful to know the user IP when the connection comes in to the application server. It can be mandatory for some applications and it can ease troubleshooting.
- Using the Microsoft Web Platform Installer
- Erez Benari's Blog
- Erez's Installing ARR manually without WebPI shows that ARR has a dependency on Web Farm, which has a dependency on IIS 7.0 - so it will not install on IIS Express. URL Rewrite does install.
- Creating Rewrite Rules for the URL Rewrite Module
- Ruslan Y blog on tips and techniques. (See URL rewriting Tip #7)