IIS reverse proxy add Authorization header - iis

I have set up Application Request Routing in IIS 8.5 for reverse proxy.
The proxy is working, but I have to pass an additional Authorization header to the site behind the proxy so it can authorize automatically. The problem is that it does not add the header. Is there something wrong with the configuration?
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<allowedServerVariables>
<add name="HTTP_AUTHORIZATION" />
</allowedServerVariables>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://https://my.test.service.url.com/{R:1}" />
<serverVariables>
<set name="HTTP_AUTHORIZATION" value="Bearer token12345=" />
</serverVariables>
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>

Related

Node App with IIS ARR Proxy Not Handling URLs Properly

I have a node/express app that has special URL characters in its route. For example, the route would be /urlinspect/https://example.com
This works without issue when I run it locally but when I attempt to run it through IIS with ARR/Reverse Proxy it fails to handle the URL properly. I had already added the useOriginalURLEncoding="false" to my Web.config and set the useOriginalURLEncoding to false in both the system.webServer/rewrite/rules and system.webServer/rewrite/globalrules paths of configuration within IIS.
<configuration>
<system.webServer>
<rewrite>
<rules useOriginalURLEncoding="false">
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:3000/{R:1}" />
</rule>
</rules>
</rewrite>
<security>
<requestFiltering allowDoubleEscaping="false" />
</security>
</system.webServer>
</configuration>

Add POST body with IIS web.config rewrite

I'm using IIS as a reverse proxy to avoid CORS issues for data fetching. I'd like to store auth data (client id and secret) in the web.config and create a request body that gets included with the matching request. Is this possible? If not, is it possible to add that info to a header?
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
...
<rule name="proxyRule" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://dataserver/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>

How to set IIS rewrite rule for CORS?

I created an IIS rewrite rule for a server URL.
When I send a request to https://mysite/back/api/...., it will get data from https://remotesite/back/api/....
So my IIS rewrite config is like the following.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="api">
<match url="^api/(.*)" />
<action type="Rewrite" url="https://remotesite/back/api/{R:1}" />
</rule>
</rules>
<outboundRules>
<clear />
<rule name="api">
<match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="true">
<add input="{HTTP_ORIGIN}" pattern="(.*)" />
</conditions>
<action type="Rewrite" value="{C:0}" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
But https://mydomain/back/api/ has a "Referrer Policy: strict-origin-when-cross-origin". So I cannot send a JavaScript request to my domain.
How can I update the config?
You can use the IIS CORS module to solve this problem. For information about "IIS CORS module Configuration Reference", you can refer to this link.
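An added check, not part of the original question or answer: the outbound rule in the question writes whatever Origin header the request carried into Access-Control-Allow-Origin, so every origin ends up allowed. The Python sketch below flags that pattern in a web.config and accepts a variant whose condition is an explicit allowlist; the function name, the rule name "api-allowlist" and the mysite.example hosts are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

ACAO = "response_access_control_allow_origin"
# Patterns such as *, .*, (.*), ^(.+)$ accept every Origin value.
CATCH_ALL = re.compile(r"\*|\^?\(?\.[*+]\)?\$?")

def origin_reflecting_rules(web_config):
    """Names of outbound rules that copy an unconstrained Origin into Access-Control-Allow-Origin."""
    flagged = []
    for rule in ET.fromstring(web_config.strip()).iter("rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None:
            continue
        if match.get("serverVariable", "").lower() != ACAO:
            continue  # inbound rules and other response headers are out of scope
        value = action.get("value", "")
        if "{HTTP_ORIGIN}" in value.upper():
            flagged.append(rule.get("name", ""))  # header copied with no condition at all
            continue
        for cond in rule.iter("add"):
            is_origin = cond.get("input", "").upper() == "{HTTP_ORIGIN}"
            if is_origin and "{C:" in value and CATCH_ALL.fullmatch(cond.get("pattern", "")):
                flagged.append(rule.get("name", ""))
                break
    return flagged

# Template built from the outbound rule in the question; only name and pattern vary.
RULE = """
<configuration><system.webServer><rewrite><outboundRules>
  <rule name="%s">
    <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
      <add input="{HTTP_ORIGIN}" pattern="%s" />
    </conditions>
    <action type="Rewrite" value="{C:0}" />
  </rule>
</outboundRules></rewrite></system.webServer></configuration>
"""
# Constructed inputs: the rule as posted, and a variant limited to hypothetical origins.
AS_POSTED = RULE % ("api", "(.*)")
ALLOWLISTED = RULE % ("api-allowlist", r"^https://(app|admin)\.mysite\.example$")

if __name__ == "__main__":
    print(origin_reflecting_rules(AS_POSTED))    # ['api']
    print(origin_reflecting_rules(ALLOWLISTED))  # []
```

With the allowlisted condition, a request from an unlisted origin fails the condition, the rule does not run, and the rule itself adds no Access-Control-Allow-Origin value for that origin.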

Rewriting a URL in an Azure web app

I have a simple wildcard routing rule I want to apply for my Azure web app.
<rule name="MyRule">
<match url="*" />
<action type="Rewrite" url="/index.html" />
</rule>
Do I have any option here given I can't RDP into the machine and fiddle with IIS? This is not an ASP.Net website, it's a simple SPA application.
You need to create a web.config file in your wwwroot folder and put the relevant config entries there.
Here's an example of a web.config rule, to give you an idea of what it should look like.
The example below redirects the default *.azurewebsites.net domain to a custom domain (via http://zainrizvi.io/blog/block-default-azure-websites-domain/).
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect rquests to default azure websites domain" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="^yoursite\.azurewebsites\.net$" />
</conditions>
<action type="Redirect" url="http://www.yoursite.com/{R:0}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
If you simply want all URLs that resolve to this server & site to redirect to index.html, you could use this rewrite section:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="SPA">
<match url=".*" />
<action type="Rewrite" url="index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
This is very similar to what you have except for some minor syntax fixes, e.g. the pattern should be ".*" and the rewrite URL target simply "index.html".
Note this means that ALL URLs to your site will be rewritten, even for other resources like CSS and JS files, images etc. So you'd better be fetching your resources from other domains.
If you want to do actual rewrites (not redirects), don't forget to enable ARR with an applicationHost.xdt file placed in the site folder, with the following content:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" />
<rewrite>
<allowedServerVariables>
<add name="HTTP_ACCEPT_ENCODING" xdt:Transform="Insert" />
<add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="Insert" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>

IIS Block Request by X-Requested-With

I want to block any requests if the header X-Requested-With does not contain the word "ShockwaveFlash". I am very bad with patterns, could anyone help me with this? Here's what I've tried:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{HTTP_X_Requested_With}" pattern="^Shockwave$" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
