Difference between revisions of "IIS as Reverse Proxy"

From MgmtWiki
(Example)
(Example)
Line 22: Line 22:
 
#Ensure there is an SSL certificate on the machine that can be used
 
#Ensure there is an SSL certificate on the machine that can be used
 
#Click site and "URL Rewrite" - click "Add Rules" - click on "Reverse Proxy"
 
#Click site and "URL Rewrite" - click "Add Rules" - click on "Reverse Proxy"
#Remember to get firewall settings to match sites (should be nothing new if http and https are already open '''on this port''')
+
#Remember to get firewall settings to match sites (should be nothing new if http and https are already open '''on the port for this site''')
 
## as required start "Windows Firewall with Advanced Security" (typically go to start an entering "adv" should be enuf) To check if the port number is already enabled click of the port header to sort in port order.
 
## as required start "Windows Firewall with Advanced Security" (typically go to start an entering "adv" should be enuf) To check if the port number is already enabled click of the port header to sort in port order.
 
## In right pane under "Inbound Rules" click "New Rule" - in New Inbound Rule Wizard select Port and click next - Select "TCP" and add specific port # - click next
 
## In right pane under "Inbound Rules" click "New Rule" - in New Inbound Rule Wizard select Port and click next - Select "TCP" and add specific port # - click next
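Review bot: In the changed line the lead-in "Remember to get firewall settings to match sites" still leaves open what has to match; the new parenthetical only clarifies which port is meant. Since the sub-steps that follow create an inbound TCP rule for a specific port, consider wording the step as "Ensure Windows Firewall allows inbound TCP on the port for this site". The context lines also carry typos ("an entering", "enuf", "click of") worth fixing in the same edit.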

Revision as of 17:31, 12 November 2019

Full Title

Using Windows Server as a Reverse Proxy for IIS 8 and above (Server 2012 and above).

Context

  • It is often necessary to use a reverse proxy to terminate HTTPS requests and then forward those requests to specific server instances for load balancing or similar services.

Example

Goal: Redirect https: requests to a separate IIS instance (or site) which only supports http: scheme.

  1. Open the Server Manager - select the computer to run manager and "Add Roles and Features Wizard"
  2. Select "Role-based or feature-based installation" - click next
  3. Select Server - click next
  4. Select Web Server (IIS) - it is assumed that IIS has already been installed - if not do that
  5. Add security features - Request Filtering, Basic Authentication - Windows Authentication
  6. Click Install - this takes several minutes
  7. Install additional Microsoft IIS modules. (If unsure whether they are already present, go to cmd.exe, type %windir%\system32\inetsrv\config\applicationhost.config, and search for the string "<globalModules>".)
    1. Install the Windows URL Rewrite Module. It can be downloaded from https://www.iis.net/downloads/microsoft/url-rewrite (may be present already)
    2. Install Application Request Routing (ARR). It can be downloaded from https://www.iis.net/downloads/microsoft/application-request-routing
  8. Open Internet Information Services (IIS) Manager (for example from Administrative Tools)
  9. Click on the Server in the left pane (click a second time if you don't see sites)
  10. Click on sites
  11. Add a new site with some friendly name that will be used locally - point to some empty file directory, for example C:\inetpub\wwwroot\tomjones (it will later contain the system.web file) - leave the rest empty
  12. You probably want to go to SSL Settings and set "Require SSL" for connections
  13. Ensure there is an SSL certificate on the machine that can be used
  14. Click site and "URL Rewrite" - click "Add Rules" - click on "Reverse Proxy"
  15. Remember to get firewall settings to match sites (should be nothing new if http and https are already open on the port for this site)
    1. As required, start "Windows Firewall with Advanced Security" (typically going to Start and entering "adv" should be enough). To check if the port number is already enabled, click on the port header to sort in port order.
    2. In right pane under "Inbound Rules" click "New Rule" - in New Inbound Rule Wizard select Port and click next - Select "TCP" and add specific port # - click next
  16. Add binding - Click site name - in right pane click "Bindings" - in Site Bindings click "Add" - add type https on port 443 (or other if 443 is not available) - enter domain name - save
    1. It is possible that the binding was created when the site was created - so this step may not be required again.
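
The checks in steps 7, 15 and 16 can also be made from an elevated PowerShell prompt. The script below is an added example, not part of the original wiki page; the site name, port and host name are placeholder assumptions to replace with your own values.

```powershell
# Added example: verify steps 7, 15 and 16 of the procedure above.
# Run from an elevated prompt on the proxy server.
Import-Module WebAdministration

$SiteName = 'tomjones'            # assumed friendly site name (from the step 11 path)
$Port     = 443                   # port used for the https binding (step 16)
$HostName = 'proxy.example.com'   # placeholder domain name

# Step 7: URL Rewrite and ARR must both be registered under <globalModules>.
foreach ($module in 'RewriteModule', 'ApplicationRequestRouting') {
    if (-not (Get-WebGlobalModule -Name $module)) {
        Write-Warning "$module is not registered; install it before adding the rule."
    }
}

# Step 15: look for an enabled inbound allow rule that names this TCP port.
# Rules defined with a port range or "Any" are not matched by this exact
# comparison, so review those by hand before relying on the result.
$allowed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" }

if (-not $allowed) {
    # Same result as the New Inbound Rule Wizard: Port, TCP, specific port.
    New-NetFirewallRule -DisplayName "IIS reverse proxy (TCP $Port)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow
}

# Step 16: the https binding may already exist from site creation.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    Write-Warning 'Binding created without a certificate; select one in Site Bindings (step 13).'
}

# Summary of what is now in place for the site.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
```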


This is the way the web.config file worked after tweaking it to match existing configuration. In this case the sites were separated by port numbers.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://tomj-hyper:8765/{R:1}" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
