How to setup a reverse proxy in IIS using host file? - iis

I'm trying to setup a reverse proxy in IIS 10 using some fake urls.
In my host file I set up :
127.0.0.1 somedomain.com
Then I created a website in IIS 10 binding to this domain and a fake page :
When typing somedomain.com on chrome, the fake page shows properly. I assume the fake domain website works.
I have then another website with a reverse proy rewrite rule. I expect requests to the new website to be rewritten and show the first somedomain.com
When running my reverse proxy website I'm getting the error :
HTTP Error 400.605 - Bad Request
The request cannot be routed because it has reached the Max-Forwards limit. The server may be self-referencing itself in request routing topology.
Does anyone know what I'm doing wrong please ?
I tried changing the rule action type to "Redirect" and I can see that the redirection works correctly.

Related

Application Request Routing: Why some sites return HTTP 404 some don't?

I want to add a load balancer to an existing asp.net project using Application Request Routing. So I made myself familiar with the concepts and created a local test-setup:
IIS locally running on Windows 10:
Installed Application Request Routing 3.0 with Windows Platform Installer
Created server farm with following servers:
<test-server-name>.de (Microsoft 2012 R2 Server: contains the asp.net project)
www.google.com (just to see if load balancing and url rewriting works because I don't have two test servers available)
URL-Rewriting rule:
After typing localhost multiple times in any browser, I can see that load balancing (weighted round robin) is working fine. It's alternating between 1. and 2. website.
The problem I'm facing is a 404 Error on both websites.
I already tried the following:
Installing and enabling Failed Request Tracing Rules (on local IIS): URL Rewriting is working properly i think.
Failed Request Log for www.google.com: google drive, unzip and open xml in e.g. IE for better view
Create Server Farm without automatic creation of URL Rewrite rules
(selecting No and create own URL Rewrite rule)
Change "Managed Pipeline Mode"-setting of Applcation Pool from Integrated to Classic
Healthcheck on other Websites I have absolutly no clue why it's working on Git-websites and why facebook is returning a 400 error code.
Enabling/disabling proxy (IIS-Manager -> Application Request Routing Cache -> Server Proxy Settings...)
I don't know what i could do next, so I appreciate any help. Thanks.
Answer can be found here: https://forums.iis.net/t/1238739.aspx?Why+some+sites+return+HTTP+404+some+don+t+
Some websites simply don't support localhost as hostname, which is why localhost can't be found (error 404) e.g. on google.com
Detailed answer if link above is not working in future:
That is not an effective test.
What you are doing is sending the hostname of your request to the third party servers. Like Google.
So if your request is say http://example.com you are sending this to say www.google.com and the Google servers will likely reject this as you can see
Web server admins generally don't let themselves receive traffic from domain thet do not host.
If you sent a request to my servers IP with mysite.com I too would likely reject it. (Things get complex if you have wildcard sites and you allow all traffic through)
But simply showing that 404 page from Google means tour request hit there server so that implies ARR is working.
If you really wanted to test it this way have a local host file with www.google.com resolving to your servers IP. Set up a site with www.google.com as the hostheader and then you should see the correct info hitting Google. But there is no accounting for what 3rd party admins do on their side.

IIS 8.5 Proxy rewrite failing

I'm new to setting up proxy servers. On our actual web server. We have our website and within IIS this sits under wwwroot. I then have 2 other directories outside wwwroot, one with images and one with documents. Before I introduced the proxy the main site had virtual directories to the other 2 areas and all was ok. Moving to a more complex setup I have removed the virtual directories as these need to be re-directed via the proxy. So, basically any address for an image or document from the main site needs to redirect via the proxy to either the images or document area.
I've created 2 more websites in IIS one for documents and one for images and I've set the IP for these to be the same as the main site including the same port. Now moving to the proxy. I've created server farms for all the sites calling them the same name here (dns) as the names on the webserver. This has created default ARR URL Rewrite rules for each server in the farm. I wrote an inbound rule at the Proxy Server level that should redirect the images and using the in-built test showed that I'd put the test together correctly. However, placing it here or on an outbound rule made no difference.
I installed the IIS Trace facility on the proxy and noticed that the test wasn't being hit after looking at the trace logs. I moved my rule to the url rewrite inbound against the default site as opposed to the server. Now in the trace on step 4 I can correctly see that the old url has changed to my newURL and the NewUrl is my expected url, Great!. however, by the time the Trace reaches step 40, it is taking my new correct url as input and removing the domain name for the new url at this step, thus effectively putting the address back to the original. On the inbound rule that made the initial change I have Stop processing of subsequent rules checked.
These are the steps I have done for images and they are finally coming through.
on the web server all my sites have the same IP and port number, only the hostnames are different.
on my local client machine for now in my hosts file I point the main site to the ip of the proxy, but the other sites that I want to redirect to I point their ip to the actual webserver.
in the server the server farm has just 1 ARR entry that is the main site. Leave this as the default, but uncheck the stop processing flag. Create a new inbound URL ReWrite rule for the first redirect. Make the action type a Redirect (not a rewrite this is important.)
On the proxy under the default website, create binding entries for each hostname setting ports the same with ip address set to * then additionally create a blank hostname of the same.

IIS 8 redirect loop when loading https

I have 2 Windows 2012r2 Servers (Dev and Production) both running IIS 8. Both were configured identically as far I as know. I am in the process of installing wildcard certs on both of them.
I installed the cert on my Dev server and it's working. One thing that surprised me though was that I didn't have to add any additional bindings to any of my site configs (eg: I didn't add https/443) and just simply changing http to https in the browser is working, and showing the cert. Why is that?
My main question though is that on my Production server, before importing the wildcard cert, I tried simply changing the url for a couple of the domains I host from http to https in a browser to see what the result would be. When I do this I'm getting a redirect loop for all https tests. ???
I don't have any https URL Rewrites configured so I don't know what the cause of the redirect loop is. It does it for all sites on this server when trying to load it using https.
example:
http://mydomain.example.com (works)
https://mydomain.example.com (redirect loop)
Safari says, "...redirected you too many times. ERR_TOO_MANY_REDIRECTS"
Chrome says, "Too many redirects occurred..."
Additionally, if I load http://localhost on the server itself it works. If I load https://localhost I get an error, "Not Found - HTTP Error 404".
I should add that this Production server is behind an F5 Load Balancer so that could be playing into this behavior as well.
The cause of the redirect loop for all sites on the Production server was an irule on the F5 LB, that shouldn't have been there, that was looping port 443 back to itself. HTTPS for all sites worked after the irule was removed.
With regards to the Dev server and https sites working without having to add a binding. I also discovered that the F5 was configured to handle certs with a wildcard cert so local certs weren't even required. The data center team didn't communicate to me that the LB was configured to handle certs for these servers.

Avoid rewriting URL's to external applications with reverse proxy on IIS?

Confluence IIS Reverse Proxy Setup
I have set up a reverse proxy on IIS 7.5 for Atlassian Confluence according to instructions found in the internet.
I wanted to redirect all traffic to "docs.unimaze.com" to "localhost:8090" on the same server.
This is how I did it:
Installed URL Rewrite 2.0
Installed Application Request Routing 3.0
Set up a reverse proxy rule:
Match URL: Matches the pattern (.*) using regular expressions (ignore case)
Conditions: (none)
Server variables: (none)
Action: Rewrite with http://localhost:8090/{R:1} (append to query string and stop processing of subsequent rules.
The only other thing I had to in order to make everything work (from https://serverfault.com/questions/76013/iis6-vs-iis7-and-iis7-5-handling-urls-with-plus-sign-in-base-not-querystr) was to run this command on the server so that URL's with "plus signs" in the URL's would be allowed.
%windir%\system32\inetsrv\appcmd set config "WebSiteName"
-section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
Problem with external redirects
Confluence itself, seems to work perfectly BUT when attempting to edit a module from an external application (LucidChart Diagrams it fails), because a redirection to the external application also is rewritten, e.g. an attempt is made to redirect to this URL:
http://docs.unimaze.com/documents/edit/4b157fd9-8e28-4d70-8587-0fdd0839fbca?callback=...
when the redirect should actually be to the external application, so it should remain untouched by the rewriting rule:
https://www.lucidchart.com/documents/edit/4b157fd9-8e28-4d70-8587-0fdd0839fbca?callback=...
Is there an easy way to solve this?
This here helped: appcmd.exe set config -section:system.webServer/proxy /reverseRewriteHostInResponseHeaders:"False" -commit:apphost
In UI, the setting corresponding to this action on the Application Request Routing in IIS on the server node (select „Server Proxy Settings“) should be unchecked.
However, this had the effect that the page can not be loaded in Internet Explorer 11 L
The page is shown, but with empty space where the diagram is and it tries loading something forever.
In Firefox and Chrome it works fine.
I have no idea why it "freezes" in IE 11. Will check from other machines to see if this is always happening or not.
The easiest way to handle this is to take advantage of IIS host headers and make the proxied site believe it is responding as www.example.com:80 rather than localhost:8080. It turns out the AAR reverse proxy has an equivalent of Apache's ProxyPerserveHost setting it just isn't very well documented nor exposed in the UI.
To enable this setting you will need to open an elevated shell and run:
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true
Then configure the target site to listen at 127.0.0.1:80 with the appropriate host header and then configure the proxy to proxy back to localhost with the request and it should line up.

.htaccess redirection to an IP Address of a different server

I am hosting my public facing site at a shared host (Hostgator) with the domain pointing to the same. I also have my application hosted on a dedicated server with a different host. Both servers have their own SSL certificates installed.
Is there any way to edit the .htaccess file to do the following:
https://www.domain.com/CUSTOMER redirects to https://x.x.x.x/CUSTOMER while the browser still shows www.domain.com/CUSTOMER?
I'm vary of using frames due to the SSL ramifications. My domain registrar is Hostway and they do not offer URL masking/forwarding.
This can be done by making your server act as a proxy. Even if you have no access to the servers configuration you might be lucky that apaches proxy module is loaded: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
If so you can 'map' the remote site (IP) as if being served by your normal server.
Also apaches rewriting module can make use of that module by using the [P] flag in a RewriteRule.
Be sure you have a copy of that site on the different server, preverally with the same database, so you don't get in trouble with i.e. order numbers or user logins between http and https. The certificate server must be the web server for your SSL provided web content.
Take a look here foor further informations. "Google Search Result"

Resources