Setup IIS with URL Rewrite as a reverse proxy for real world apps.
Url Rewrite, one of the many modules that can be added on to the IIS web-server to make this a very versatile tool can be used to perform a variety of tasks, including allowing you to setup your IIS web-server as a reverse-proxy server to some other back-end HTTP service. A reverse proxy is a network device that takes in traffic coming from the Internet (for example), and forwards this traffic to a backend server on your private network, allow that backend server to be accessible to people who are not necessarily connected to your network. There are a lot of articles on how to use IIS and Url Rewrite as a reverse proxy, but I have found that many are incomplete with regards to real world scenarios from today's web applications.
Scenario: Setting up IIS with URL rewrite as a reverse proxy with SSL offloading for a backend service.
Details: suppose that we have a web-application hosted on one of our backend web-servers, IIS or another web server, and that this application server cannot be configured to use SSL and is not accessible to the end users because the end users do not have access to the network the server is on. We want IIS to perform the following tasks:
- Take in requests from the end users for content from this application using SSL
- Route these requests to the backend application server using HTTP
- Rewrite all responses from the backend server, so that any hyperlinks, form action tags and such are constructed with the URL that the IIS reverse proxy server has.
Below is the diagram of the setup we wish to accomplish using IIS as a reverse proxy server:
I would like to take you through the configuration steps required to setup such a system, where requests are routed via the IIS server to the backend application server and the re-written back again with the public host-name of the IIS server and sent back to the connecting clients.
Install URL Rewrite
The first step is to install the add-on module for URL Rewrite. With Windows Server 2012 R2, you can use the Microsoft Web Platform Installer (WebPI) to download and install the URL Rewrite Module. Just search for 'URL Rewrite' in the search options and click 'Add'. You can also download the extension from IIS.net - https://www.iis.net/downloads/microsoft/url-rewrite .
Once the module is installed in IIS, you will see a new Icon in the IIS Administration Console, called URL Rewrite. This icon is present at the level or each site and web-application you have in the server, and will allow you to configure re-write rules that will apply from that level downwards.
Setup a Reverse Proxy rule using the Wizard.
Open the IIS Manager Console and click on the Default Web Site from the tree view on the left. Select the URL Rewrite Icon from the middle pane, and then double click it to load the URL Rewrite interface.
Chose the 'Add Rule' action from the right pane of the management console, and the select the 'Reverse Proxy Rule' from the 'Inbound and Outbound Rules' category.
Now we can proceed to fill in the routing information based on the diagram above in the Wizard window that is provided to us.
While still in the same configuration window, we also need to provide information to take care of the responses that will be emitted by the backend server and will transit the IIS server on their way back to the requesting browser. These responses may have absolute hyperlinks inside and other information which contains the hostname of the backend server. If these are sent to the browser as is, the end user will not be able to access the resources these links point to simply because the browser does not know where https://privateserver:8080/HomePage.aspx is located and how it can be reached. We need to convert these into the hostname of the reverse proxy server, and have them look like: https://www.mypublicserver.com/HomePage.aspx . For this reason, we will check the 'Rewrite the domain names of the links in HTTP responses' checkbox in the Outbound Rules section.
The basic setup for the reverse proxy is now complete, with IIS able to capture incoming traffic and forward it to the backend server, and inspect responses from the backend server and rewrite URL links inside the responses to match the host headers that IIS uses to publish the site.
Read on in part number 2 to see where the problems with this setup start.
By Paul Cociuba
https://linqto.me/about/pcociuba
Comments
- Anonymous
August 26, 2016
what is the difference between load balancer and reverse proxy? My understanding is that this is just used to filter out traffic to net so that some virtual directories can be blocked.- Anonymous
August 29, 2016
A load balancer is used to do some sort of repartition of incoming traffic to multiple servers... If you were using something like ARR (Application Request Routing for IIS) you could have an IIS server that was equally splitting incoming traffic to multiple backend servers (using some load balancing algorithm -such as round robin, etc). A reverse proxy will forward all incoming traffic to a website to some back-end web-server. You can imagine the case where you have a server in your corporate Intranet: users inside the corporate Intranet can just access the server directly. But if you wanted to expose the site to Internet users, without exposing the server, one way you could achieve this is by creating a reverse proxy - that forwards all traffic from an Internet facing site to your Intranet server.Paul
- Anonymous
- Anonymous
October 26, 2016
I have IIS 8.5 on Windows Server 2012 R2. I installed ARR 3.0 and URL Rewrite 2.0. I restarted the server just to be safe. Both show up as installed products, but there's no entry for ARR in IIS Manager when I click on the server node, and no template for a Reverse Proxy. Any ideas?- Anonymous
January 03, 2017
The comment has been removed- Anonymous
February 08, 2017
I had the same issue on Server 2016/IIS10: the template isn't there.For the "Reverse Proxy" template to appear, both URL Rewrite and ARR must be installed and configured. I have created an ARR server farm then, selecting the WebSite, I was able to see the template in URL Rewrite.If you still don't see the template, reboot the server and if it's still not working, run the URL Rewrite installer selecting "Repair" from https://www.microsoft.com/en-us/download/details.aspx?id=47337
- Anonymous
- Anonymous
- Anonymous
November 24, 2016
Since SSL offloading is checked, where do I provide a cert that will be terminated at the proxy?- Anonymous
January 03, 2017
SSL Offloading means that the secure connection between the client (Browser) and the server will terminate at the proxy level. This would typically be done if the backend application server does not allow you to use SSL. If you enable SSL Offloading, the certificate is to be setup on the IIS server which you configure as a reverse proxy. You can find details on how to setup the SSL binding here: https://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis - Anonymous
May 04, 2017
Yes, you will need to provide an SSL certificate and binding for the IIS website on which you are configuring the Url rewrite rules.
- Anonymous
- Anonymous
December 08, 2016
Hi, does it able to configure the server 2 different application server at backend but using the same external facing web server ? I have two different app server , App Server A : app1.domain.com and App Server B: app2.domain.com, both are serves from a single web server using the same IP. I would like to achieve when users want to access Server A, they will enter URL app1.domain.com , and if to Server B, they will enter app2.domain.com- Anonymous
January 03, 2017
This can be done with the with the aid of the ARR (Application Request Routing) module for IIS. This module will allow you to create a farm of servers for each site you host, and add servers to that farm. Hence your site will be www.contoso.com but then hosted on server1.contoso.com and server2.contoso.com. The way load is distributed between the two servers can also be configured with different load balancing algorithms. Have a look at: https://www.iis.net/downloads/microsoft/application-request-routing Paul
- Anonymous
- Anonymous
December 14, 2016
How would this reverse proxy setup affect an application that uses cookie authentication? If http://privateserver:8080 issues a cookie in the response does the rewrite module update the source domain of the cookie?- Anonymous
January 03, 2017
Responses from the content server (including the headers) are taken and forwarded by the reverse proxy to the connecting client. In the case you mentioned, the cookie is represented by a SET COOKIE Http header. If the cookie includes a domain inside the value, this will not be modified and you will have to setup a URL rewrite rule to address this.
- Anonymous
- Anonymous
January 26, 2017
The comment has been removed- Anonymous
May 04, 2017
Hello David,ARR (short for application request routing) is the IIS module that allows the IIS server to work as a load balancer. This product (ARR) uses url-rewrite under the covers to get the routing done for reverse proxy scenarios. So just installing Url-rewrite will get you the reverse proxy template for rule creation in Url-Rewrite, but to use it you need to install ARR. Installing ARR brings in Url Rewrite directly.
- Anonymous
- Anonymous
January 31, 2017
The comment has been removed- Anonymous
February 01, 2017
The comment has been removed
- Anonymous
- Anonymous
February 17, 2017
Thanks for the great article series.i have found another "gotcha" after implementing all relevant parts: some websites nowadays give really huge HTTP responses. In my case the internal server responded to a login with 380kB of data (hey, why use external JavaScript when you can inline everything?). On the external side the login never succeeded, because I got a connection reset after receiving only part of this data packet.The reason is that the Response Buffer Threshold of the sites ARR Cache is by default only 256kB... I greatly upgraded that number to 2048kB but don't know if that will give other strange results in the future.- Anonymous
May 04, 2017
This is an output buffer that ARR uses to cache the response on the ARR server (IIS server). Should the buffer value be lower than the response to be sent, ARR will used chunked encoding, and will send a first chunk which the size of the buffer (256k), then a second chunk and so on until we finish sending all the response. In you case, I would expect that the client did not react well to receiving an authentication request in chunked encoding. Increasing the buffer as a workaround is fine and will not cause any issues, apart from increasing the memory footprint of the IIS worker process slightly.
- Anonymous
- Anonymous
March 23, 2017
Hello, I have a question, this configuration means that we only need this IIS setup to hide the real SharePoint URL?- Anonymous
May 04, 2017
Not sure what you mean by 'hide' a Sharepoint URL. But if you are implying that you wish to rewrite your SharePoint urls to look like something else, then you can use Url rewrite to achieve this.
- Anonymous
- Anonymous
April 03, 2017
Hi,I have two separate app servers that I would like to set up to be reverse proxied through a web server. I followed your directions on this blog and I was able to successfully set up the reverse proxy for one of the app servers. However, I'm confused on how to add the 2nd app server to be set up to run through the reverse proxy. These directions are great for setting up 1 site to be set up for reverse proxy but it would be nice if you could add how to configure multiple sites as well.- Anonymous
May 04, 2017
For a webfarm scenario, you would need to look into ARR (Application Request Routing). This will allow the introduction of the concept of a 'farm' in IIS. A farm can be comprised of one or more servers, which can be dynamically taken on and offline. There are also multiple load balancing algorithms you can setup for farm scenarios. You can then modify the rule to have an action of 'route to farm'. Have a look at:https://www.iis.net/downloads/microsoft/application-request-routing
- Anonymous
- Anonymous
February 21, 2019
Any idea why the Reverse proxy option would not be available anymore on Windows Server 2016 when trying to add a rule?- Anonymous
April 17, 2019
Hello Rok,You will need to also install Application Request Router (ARR for short) - https://www.microsoft.com/en-us/download/details.aspx?id=47333 - which brings in the extra functionality for Url Rewrite and allows you to have the Reverse Proxy rule available in the templates.HTH,Paul
- Anonymous