Using URL Rewrite to work around Azure Application Gateway / web application http limitations - url-rewrite-module

I essentially have the same issue as described here Redirect HTTP to HTTPS in Azure Application Gateway but am trying to solve it a different way.
My back end web application works fine when both http and https are open on the AAG, however when you click on a link generated by the webapp to another page the url sent back to the client is for http not https. Obviously the proper solution is to make the web app aware it is behind a reverse proxy and generate links accordingly.
In the short term I have been attempting, and failing, to use the IIS url rewrite module to either:
a) Using an inbound rule, rewrite (not redirect) the incoming URLs as https which ought to force the responses to contain https urls (a redirect causes an infinite loop as AAG forwards everything to the back end web servers as http). I'm guessing this is impossible because it's essentially creating a secure channel between itself.
b) Using an outbound rule, rewrite the responses so the urls are https instead of http. This is proving to be very difficult as I don't understand what parts of the responses I need to be modifying. I'm hoping this approach is possible though?

For the uninitiated, the answer is to use custom tags in an outbound rule, which match the html elements containing the values that need modifying.
The drawback is of course that it means the web server is having to do a pattern match & replace on every single page it serves unless you can use conditions to limit the scope. Still very inefficient compared to fixing the code so it is proxy aware!
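
An outbound rule of the kind described in this answer, as an added example that is not part of the original post. The host name www.example.com, the rule names and the two custom tag/attribute pairs are assumptions, and the precondition assumes the gateway sends an X-Forwarded-Proto request header.

```xml
<!-- Added example: web.config of the back-end IIS site behind the gateway. -->
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Rewrite absolute http:// links to this site in HTML attributes only. -->
        <rule name="HttpsLinksInMarkup" preCondition="HtmlViaGateway">
          <match filterByTags="A, Form, Img, Link, Script, CustomTags"
                 customTags="ExtraUrlAttributes"
                 pattern="^http://(www\.example\.com/.*)$" />
          <action type="Rewrite" value="https://{R:1}" />
        </rule>
        <!-- Redirects issued by the app carry the scheme in the Location header. -->
        <rule name="HttpsLocationHeader">
          <match serverVariable="RESPONSE_Location"
                 pattern="^http://(www\.example\.com/.*)$" />
          <action type="Rewrite" value="https://{R:1}" />
        </rule>
        <preConditions>
          <!-- Limits the scope: HTML bodies of requests that reached the gateway over https. -->
          <preCondition name="HtmlViaGateway">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
            <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$" />
          </preCondition>
        </preConditions>
        <!-- Elements and attributes the predefined tag list does not cover (assumed set). -->
        <customTags>
          <tags name="ExtraUrlAttributes">
            <tag name="video" attribute="poster" />
            <tag name="source" attribute="src" />
          </tags>
        </customTags>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Outbound rules cannot rewrite a response body that is already compressed, so compression has to be applied after the rewrite or turned off for the affected responses. Anchoring the pattern to the site's own host name keeps links to third-party http sites untouched.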

Related

Apache Reverse Proxy for user customized http iFrames

I have a web application where users can specify a custom website that they host to be displayed in an iFrame on the page.
The problem is, my web app runs in HTTPS whereas users' webpages in the iFrames do not have SSL enabled and are in http. This causes their webpage to be blocked from showing for a mixed content security warning.
My idea was to set up a reverse proxy on my Apache webserver. This reverse proxy would take something like https://example.com/reverse?theirsite=http://example.com
This reverse proxy would need to work for websocket connections as well:
wss:// -> ws://
and
https:// -> http://
Is this the best way to go about displaying a user's insecure webpage in an iFrame on my web app?
<VirtualHost *:443>
# Reverse proxy for iFrames
# https -> http and wss -> ws
# get the SITE querystring for the IP/Port
ProxyPass /proxy {site}
ProxyPassReverse /proxy {site}
</VirtualHost>
Apache would need to take a custom query string and forward it to the insecure site.
Is this the best way?
If you want to provide a way for everyone on the internet to surf for porn anonymously, attack other websites and generally do bad things, then you're spot on. Unfortunately it won't do what you intend.
First, you're going to need some application logic to implement this - e.g. PHP, Python, Perl, Java....
Then you'll need a way to store mappings between URLs on your site and those of your users.
Then you write some code which listens at the iframe URL to translate a request using the map. When it receives a response from the origin site, it will then need to re-write any URLs therein to something which will be routed back to your server.
Once you've done all this, you will have something which looks like it works, however anyone with a user account now has the ability to attack your site's security via XSS. So really you need a dedicated vhost within your domain such that each user's content runs within its own origin.
This is not trivial.

IIS ARR reverse proxy for single website hosted on IIS

I have many sites hosted on IIS on same machine. Only for one site, I need to have reverse proxy setup. I have written rewrite rules for this site and forward some request to another site hosted on different machine.
Will enabling proxy on application request routing affect other sites? Will it have an effect on the performance of other sites?
Eg: I have following websites (few are wcf services)
localhost/A
localhost/B
localhost/C
localhost/D
Only the website C needs reverse proxy, so I have written rewrite rules for it. How will enabling proxy affect A, B and D sites?
Yes you can enable Reverse proxy for one website and ensure that it does not affect the others.
You mentioned that you have 4 websites but in the example, you gave description of "application" and not website. Since it's unclear what your architecture looks like, I'll go ahead and give solution to both.
Considering you have a single website and multiple applications within it but you want to enable proxy for just one application, following is what you need to do. Open the URL rewrite section, under pattern, choose regular expression and add ^application_name/(.*) For example, ^c/(.*)
But if you have multiple websites and want to reverse proxy just one of them, then open URL Rewrite and add a condition for "HTTP_HOST" and its value. This will ensure that only requests for specific website's hostname will be reverse proxied.
With respect to performance, having URL rewrite on one of the websites will not have any impact on other websites. If you are still unsure and want to play it safe, you can have each website running on separate application pool. That way they have their own w3wp process and are independent of each other.
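
The scoping described in this answer, as an added example that is not part of the original post. The host name www.example.com, the back-end address backend.example.internal and the rule name are assumptions, and the rule presumes that ARR's proxy setting is already enabled on the server.

```xml
<!-- Added example: inbound rule that proxies only /c/... on one host name. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ProxyApplicationC" stopProcessing="true">
          <!-- Path scope: only requests under c/ are considered. -->
          <match url="^c/(.*)" />
          <conditions>
            <!-- Host scope: anchored so look-alike host names do not match. -->
            <add input="{HTTP_HOST}" pattern="^www\.example\.com$" />
          </conditions>
          <!-- Fixed target; only the captured path is taken from the request. -->
          <action type="Rewrite" url="http://backend.example.internal/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because the target host is a constant and never built from a query string or header, the rule cannot be steered to an arbitrary destination, and requests for A, B and D never match it.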

IIS Rewrite rule to rewrite to different web site

I have 2 web sites installed on the same IIS server. I need them both to listen on port 443 with HTTPS. I want them to use different application pools and be able to stop and start one without affecting the other. The clients of these websites are not able to configure the host header that they use in their HTTP requests.
Is there a solution? I have been trying to use IIS Rewrite rules. I have one website deployed on port 443 and the other on some unusual port. I tried setting up a URL rewrite on the first one that did a rewrite (not a redirect) to an absolute URL referencing the 2nd site on the unusual port. This always seems to produce an HTTP 404 response.
I can't do a redirect because the client gets redirected to the unusual port and the client is not allowed to make internet requests to non-standard ports.
I believe I am using IIS 6.2, that's what it says in the Help About in IIS Manager
What options do I have?
It is not possible to rewrite to different applications in IIS, especially if they are in different application pools. Your only option is redirect if you want to do it simply using URL Rewrite.
Another alternative is to use ARR (Application Request Routing) and then proxy the call to the actual site depending on rules, this has also the advantage that sites could be in different machines or in the same one, and give you more flexibility. Obviously it does come with more complexity.

How to run a website in Azure using same URL?

Our company has two sites
www.mysite.com -- Wordpress site
www.mysite.com/portal -- asp.net mvc site
We want to move the wordpress site (www.mysite.com) to Azure and the other site stays local. We need the url to stay the same. How can we achieve this?
Since you state that you need the URL to stay the same, this can be achieved through a reverse proxy. You would set up a web server (typically nginx or IIS) answering on www.mysite.com.
This web server would have reverse proxy rules to forward requests for /portal to your on-premises server (in a given, non-public IP and port) and all other requests to another web server running WordPress (on the same server/cluster that runs the reverse proxy, or a separate one), also with a given IP and port.
All user requests, then, would reach the reverse proxy, that would serve them from cache if possible, or forward them to the internal web servers, and send the response back to the user, transparently. Notice that this is an internal operation, not a redirect response.
Although this setup is more complex than the simpler solution of using different subdomains (www.mysite.com for website and portal.mysite.com for application), it comes with certain advantages that are described in the referenced Wikipedia article, such as security and acceleration.
Alternatively you could create separate subdomains as described above, and use a redirect rule to redirect requests for www.mysite.com/portal/x to portal.mysite.com/x. In this case, the user would see the updated URL in their browser, but the old ones would still work.

Is it possible to manipulate a request before IIS assigns that request to a specific site?

Is it possible to manipulate an inbound request at the IIS level, before it even gets assigned to site on the server?
Essentially, I want to rewrite this --
www.somegenericdomain.com?site=someotherdomain
To this --
www.someotherdomain.com
And I need to do this before IIS picks which site the request belongs to, so I need to change the host header prior to this point.
Possible, or crazy? We're running IIS7.
You can rewrite, redirect, or proxy requests.
Rewrite changes the request, but does not change the site to which it is assigned. With a rewrite you can:
return an HTTP error code (503, 404, 401, etc);
manipulate the query string or URL path. One example is to transform a query string param into a URL path element. www.server.com/default.aspx?s=foo becomes www.server.com/foo, or vice versa.
set headers in the request.
Redirect sends back a 301 or 302 response to the browser with an updated address. You can receive a request for www.example.com/foo and respond to the browser with a 302 and an updated address of www.otherdomain.com , etc.
Proxy the request. In this case the web server is said to act as a "transparent proxy". It means the initial IIS server can call out to a second server, grab the response, and then package it up back to the original requester.
These three actions are often done in combination. The tools used to perform these actions are called "URL Rewriters". IIS7 has a built-in option from Microsoft (The IIS URL Rewrite Module), and there are third-party options as well, some free and some commercial, for IIS6, IIS7, and other non-Windows web servers. Apache's mod_proxy is the big one for Linux. All of these tools do basically the same kinds of things.
To answer your specific question, NO, you cannot rewrite a request from one domain to another. For web servers, rewrite is a meaningful term, and a URL Rewrite excludes the possibility of a server change.
It is possible though, to transform a request from one server to another, either via redirect or proxy. One of those may actually be what you want, when you ask about "rewriting" a request.
I guess the whole thing is possible, but not in the way of running before IIS. One part of the server even works as a low-level driver.
But you may use URL rewriting solutions such as mod_rewrite module of Helicon Ape http://www.helicontech.com/ape/doc/mod_rewrite.htm. Having set the software globally for all the sites, you may get what you need as follows:
RewriteEngine on
RewriteCond %{HTTP_HOST} www.somegenericdomain.com [NC]
RewriteProxy (.*) http://www.someotherdomain.com$1
