here's my attempt to do a reverse proxy using url rewrite in IIS from mysubdomaintarget.mytargetdomain.com to mysubdomainreal.myrealdomain.com
<configuration>
<system.webServer>
<tracing>
<traceFailedRequests>
<add path="*">
<traceAreas>
<add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
<add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket,Rewrite,RequestRouting" verbosity="Verbose" />
</traceAreas>
<failureDefinitions statusCodes="400-999" />
</add>
</traceFailedRequests>
</tracing>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="https://mysubdomainreal.myrealdomain.com/{R:1}" />
<serverVariables>
<set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Form, Img" pattern="^http(s)?://mysubdomainreal.myrealdomain.com/(.*)" />
<action type="Rewrite" value="http{R:1}://mysubdomainreal.myrealdomain.com/{R:2}" />
</rule>
<rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
<match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
<action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
<preCondition name="NeedsRestoringAcceptEncoding">
<add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
If I call website using mysubdomaintarget.mytargetdomain.com/myApp it works (render the page/etc). But if I call mysubdomaintarget.mytargetdomain.com/myApp.svc I got an 404.
Why? Where am I wrong on this configuration?
EDIT
Here's the failedRequest tag's attribute:
<failedRequest url="http://mysubdomaintarget.mytargetdomain.com/myApp.svc"
siteId="6"
appPoolId="services"
processId="2192"
verb="GET"
remoteUserName=""
userName=""
tokenUserName="NT AUTHORITY\IUSR"
authenticationType="anonymous"
activityId="{8000002B-0000-9900-B63F-84710C7967BB}"
failureReason="STATUS_CODE"
statusCode="404"
triggerStatusCode="404"
timeTaken="141"
xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"
>
EDIT2
Here's the last event I got from failed request tracking:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDA0D9B0F83}"/>
<EventID>0</EventID>
<Version>1</Version>
<Level>0</Level>
<Opcode>2</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2021-05-11T09:26:41.979Z"/>
<Correlation ActivityID="{80000549-1000-FB00-B63F-84710C7967BB}"/>
<Execution ProcessID="2192" ThreadID="2264"/>
<Computer>MyPC</Computer>
</System>
<EventData>
<Data Name="ContextId">{80000549-1000-FB00-B63F-84710C7967BB}</Data>
<Data Name="BytesSent">2180</Data>
<Data Name="BytesReceived">993</Data>
<Data Name="HttpStatus">404</Data>
<Data Name="HttpSubStatus">0</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Opcode>GENERAL_REQUEST_END</Opcode>
</RenderingInfo>
<ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
<EventGuid>{D42CF7EF-DE92-473E-8B6C-621EA663113A}</EventGuid>
</ExtendedTracingInfo>
</Event>
its not "talking" at all. Where do I see any error from this last Event?
EDIT3
xml opened by browser:
In order to allow WCF to use multiple domain you should set multipleSiteBindingsEnabled to true.
The following configuration should fix your issue.
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
multipleSiteBindingsEnabled
A Boolean value that specifies whether multiple IIS bindings per site is enabled.
IIS consists of web sites, which are containers for virtual applications containing virtual directories. The application in a site can be accessed through one or more IIS binding. An IIS binding provides two pieces of information: a binding protocol and binding information. Binding protocol defines the scheme over which communication occurs, and binding information is the information used to access the site. An example of a binding protocol can be HTTP, whereas binding information can contain an IP address, Port, host header, etc.
IIS supports specifying multiple IIS bindings per site, which results in multiple base addresses per scheme. However, a Windows Communication Foundation (WCF) service hosted under a site allows binding to only one baseAddress per scheme.
To enable multiple IIS bindings per site for a Windows Communication Foundation (WCF) service, set this attribute to true. Notice that multiple site binding is supported only for the HTTP protocol. The address of endpoints in the configuration file needs to be a complete URI.
Related
I am new to using IIS and the reverse proxy feature (ARR V3.0).
I have everything working correctly until a backend SSO authentication is enabled with the application.
The feature works from the IIS reverse proxy server if I go straight to the back end application but it fails when you try to authenticate thru the reverse proxy from the outside.
Flow is something like this when SSO is disabled:
Public User --> Public URL --> IIS/ARR --> Authentication --> Application Is Presented to user for login. Everything works. Again this is a single web server in the back end used for logon.
Flow is something like this when SSO is enabled:
Public User --> Public URL --> IIS/ARR --> Authentication --> Application Server --> SSO Application server --> IIS/ARR presents the back end (internal) SSO server name with DNS error. This is where the second server handling SSO is thrown into the mix.
The error displayed in a browser shows the internal server name in URL
(https://em004tcss066.xxxx.xxxx.xxx:8443/) with a DNS error (expected since the external DNS records do not contain the internal server names. I do see the redirectToSSO message above the address bar as it does that in the background but eventually times out with DNS error.
Current rules:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="ReverseProxyInboundRule1" stopProcessing="false">
<match url="^(.*)$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<serverVariables>
<set name="HTTP_REFERER" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
<action type="Rewrite" url="https://em004tcweb062.xxx.xxxxxxxxx.xxx:3000/{R:1}" logRewrittenUrl="true" />
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Base, Form, Img" pattern="^http(s)?://em004tcweb062.xxx.xxxxxxxxx.xxx:3000/(.*)" />
<action type="Rewrite" value="https{R:1}://xxxxxteamcentertraining.xxx.xxxxxxxxx.xxx/{R:2}" />
</rule>
<rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
<match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
<action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
<preCondition name="NeedsRestoringAcceptEncoding">
<add input="{RESPONSE_CONTENT_TYPE}" pattern=".+" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<defaultDocument enabled="true" />
</system.webServer>
</configuration>
I know this is an issue with ARR, but I am not sure what rule needs added/modified to resolve it?
I'm trying to configure Azure App Service Reverse Proxy to expose webserver in Azure Virtual Network to the internet and I had limited success - it's working when I'm not using encrypted connection between reverse proxy and target server.
Here is my currently working configuration:
web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
<rewrite>
<rules>
<rule name="ForceSSL" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Proxy" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://example.com/{R:1}" />
<serverVariables>
<set name="HTTP_X_UNPROXIED_URL" value="http://example.com/{R:1}" />
<set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
</rule>
</rules>
<outboundRules>
<preConditions>
<preCondition name="CheckContentType">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text/html|text/plain|text/xml|application/rss\+xml)" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
applicationHost.xdt
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false"/>
<rewrite xdt:Transform="InsertIfMissing">
<allowedServerVariables xdt:Transform="InsertIfMissing">
<add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_X_UNPROXIED_URL" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
IP Address of the server has been replaced by example.com
When I change web.config rewrite rule and HTTP_X_UNPROXIED_URL to https I get following IIS Error
Detailed Error Information:
Module ApplicationRequestRouting
Notification ExecuteRequestHandler
Handler ApplicationRequestRoutingHandler
Error Code 0x80072f8f
Requested URL https://example.com:80/
Physical Path D:\home\site\wwwroot
Logon Method Anonymous
Logon User Anonymous
Request Tracing Directory D:\home\LogFiles
This suggests, that for some reason it's trying to request https on port 80.
I tried to follow guide from here: https://www.patrickob.com/2018/11/10/adding-ca-certs-to-the-trusted-root-store-for-web-apps-hosted-in-an-ase/
I have added my organizations root cert to SSL certificated and added WEBSITE_LOAD_ROOT_CERTIFICATES setting.
Any help will be appreciated.
WEBSITE_LOAD_ROOT_CERTIFICATES is only supported in an App Service Environment, its not supported in multi-tenant app services. If the endpoint on-premises is signed by a certificate not using a public CA at this time there's no direct workaround to make this work outside of updating the certificate or possibly writing a simple proxy app that can ignore SSL cert validation (I typically wouldn't recommend this option unless you do the cert validation yourself in code).
A application which contains a web interface is running on a Windows Server 2019 system with IIS 10 and ARR installed. When navigating to the webpage using IP:Port the webpage loads correctly. When navigating to the webpage using domain.com the website has some content that shows a 401 error in the console, and page does not load correctly.
When navigating to the domain the request passes through IIS and URL Rewrite. It would seem that there is some issue in regards to passing the information through the proxy.
This is the code for the rewrite rule in IIS:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:33337/{R:1}" />
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Form, Img" pattern="^http(s)?://localhost:33337\/?(.*)" />
<action type="Rewrite" value="http{R:1}://sub.domain.com/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<urlCompression doStaticCompression="false" doDynamicCompression="true" dynamicCompressionBeforeCache="false" />
</system.webServer>
</configuration>
This is the GitHub Issue link for this specific issue:
https://github.com/qbittorrent/qBittorrent/issues/11207
I reproduced the issue.
Apparently qBittorrent expecting clients to send same-origin Referer headers. In your case it must be localhost:33337 but obviously sub.domain.com is being sent.
This security measure is activated by Enable Cross-Site Request Forgery (CSRF) protection setting that can be reached via qBitorrent > Options > Web UI > Security.
You have two options for the solution.
Disable the setting.
Rewrite the Referer header with an appropriate value.
If you want to rewrite the header, after allowing server variables HTTP_REFERER and HTTP_ORIGIN as you did for HTTP_ACCEPT_ENCODING, you should change your rules as follows.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:33337/{R:1}" />
<!-- New Optional Condition -->
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_REFERER}" pattern="^(?:https?://[^/]*/(.*))?$" />
</conditions>
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING" value="" />
<!-- New Header Rewrite -->
<set name="HTTP_REFERER" value="http://localhost:33337/{C:1}" />
<!-- Remove Origin Header -->
<set name="HTTP_ORIGIN" value="" />
</serverVariables>
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Form, Img" pattern="^http(s)?://localhost:33337\/?(.*)" />
<action type="Rewrite" value="http{R:1}://sub.domain.com/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<urlCompression doStaticCompression="false" doDynamicCompression="true" dynamicCompressionBeforeCache="false" />
</system.webServer>
</configuration>
BTW bear in mind that, qBittorrent warns you about the issue. Remember to check Execution Log tab.
I'm trying to integrate ASP.net and Node.js on a single server.
ASP.net is at localhost:8080
NodeJs is at localhost:4000
My expectation is here.
client ----> IIS Server ----> ASP.NET (no rewriting except /api/* localhost:80)
(rev.0970.co.kr) |---> Node.js (matching with /api/* localhost:4000)
Node app is executed as a windows service, and serve localhost:4000/api/ locally. And should be accessed with http://rev.0970.co.kr/api/signin
All request excepting /api/ should be served normal IIS asp.net. (ex. http://rev.0970.co.kr/index.aspx)
My Setting Steps
- install ARR and UrlRewrite module
- enable proxy of ARR
- add rule to urlrewrite section as below.
<rule name="Proxy">
<match url="api/(.*)"/>
<conditions>
<add input="{HTTP_HOST}" pattern="rev.0970.co.kr" />
</conditions>
<action type="Rewrite" url="http://localhost:4000/api/{R:1}" />
</rule>
Result
- http://rev.0970.co.kr/api/signin : success
- http://rev.0970.co.kr/index.aspx : fail - 404 not found
I thought http://rev.0970.co.kr/index.aspx did not match api/(.*), so IIS might render index.aspx.
When I removed whole rule settings of urlrewrite, http://rev.0970.co.kr/index.aspx worked.
What did I do wrong?
edit
Here is my full web.config file.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Form, Img" pattern="^http(s)?://localhost:4000/(.*)" />
<action type="Rewrite" value="http{R:1}://rev.0970.co.kr/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<rule name="Proxy">
<match url="api/(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="rev.0970.co.kr" />
</conditions>
<action type="Rewrite" url="http://localhost:4000/api/{R:1}" />
</rule>
</rules>
</rewrite>
<tracing>
<traceFailedRequests>
<add path="*">
<traceAreas>
<add provider="ASP" verbosity="Verbose" />
<add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
<add provider="ISAPI Extension" verbosity="Verbose" />
<add provider="WWW Server" areas="Security,CGI,RequestNotifications,Module,FastCGI" verbosity="General" />
</traceAreas>
<failureDefinitions timeTaken="00:00:00" statusCodes="404" />
</add>
</traceFailedRequests>
</tracing>
</system.webServer>
</configuration>
I'm hosting a private NuGet server which is behind a load balancer. The load balancer accepts ssl traffic (442) and forwards to port 80 on the web server.
NuGet looks to be detecting the requesting protocol and returns a base href with http vs. https.
So requests for https://nuget.privaterepo.org are returned with the following content:
<service xml:base="http://nuget.privaterepo.org/nuget/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app" xmlns="http://www.w3.org/2007/app">
<workspace>
<atom:title>Default</atom:title>
<collection href="Packages">
<atom:title>Packages</atom:title>
</collection>
</workspace>
</service>
This should render <service xml:base="http://nuget.privaterepo.com/nuget/"... as <service xml:base="https://nuget.privaterepo.com/nuget/"... notice the difference in protocol.
So... i'm attempting to outbound rewrite the value of service xml:base with https. with the following:
<configuration>
<system.webServer>
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Rewrite Product Outbound" preCondition="IsHTML" enabled="true" stopProcessing="true">
<match filterByTags="A, CustomTags" customTags="NuGet service base" pattern="http://" ignoreCase="true" />
<action type="Rewrite" value="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>
<preConditions>
<preCondition name="IsHTML" logicalGrouping="MatchAny">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^application/xml" />
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^application/atom+xml" />
</preCondition>
</preConditions>
<customTags>
<tags name="NuGet service base">
<tag name="service" attribute="xml:base" />
<tag name="feed" attribute="xml:base" />
</tags>
</customTags>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
where i've hit a stumbling block is writing <tag name="service" attribute="xml:base" /> which seems correct. however, it is not rewriting the value with the https protocol.
I've tested this with the NuGet server and a test project using the same output. using the test project if i change xml:base to base the rewrite rule will work.