IIS 7.5 Reverse Proxy Implementation - iis

I am curious to understand how IIS 7.5 Reverse Proxy is implemented in Rewrite Module (v2).
I am planning to setup a website that will handle proxing between requests coming from users (internet) and my HTTP services that are deployed on the same server. I have setup a website within IIS and configured the reverse proxy logic. I've then setup another website on the same server and deployed all my WCF REST services there. I am planning to implement IIS offloading, common tasks (such as authentication, etc) on the reverse proxy website before the request gets to the actual services (like WCF routing service for SOAP). Configuration is working perfectly fine.
However I am trying to understand the implications of this setup. When IIS does reverse proxing, does it create a new HTTP request (and a new TCP port) between those two websites? And even if both sites are on the same server? Should I expect number of TCP connections opened on this server to get doubled when reverse proxy is used?
Furthermore, has anyone experienced any performance/resource issues with a similar setup?
Cheers,
OS

Related

Redirecting HTTPS call to a .NET Core Web API with IIS and Kestrel

hopefully someone can help me.
This is the scenario I want to implement:
Server A has IIS installed and hosts a web app "mysite.com" and some web apis.
Server B has a .NET Core Web API hosted as a Windows Service.
When a client makes a request to a specific port like "mysite.com:9091/api/get-value"
I would like for IIS to re-route that call with same payload to server B on "myapi:9091/api/get-value" through HTTP.
The reason I want to do this is because We have authentication and certificates already configured on Server A, and also we want all incoming requests to go through the main site.
I have been reading on reverse proxy with IIS, and it would seem to be what I need, but it's not clear if the hosted app that will be running under Kestrel must be on the same physical machine as the IIS Web Server (i.e. Server A), or I can re-route to whichever other server I want, as long as it's on same network.
Any thoughts will be appreciated.
Hopefully my question is clear enough, otherwise please do let me know and I'll try to rephrase.
It is not necesarray to have both kestrel and iis on same server.
You could use the iis URL rewrite rule and reverse proxy to forward the request to the Kestrel server:
https://techcommunity.microsoft.com/t5/iis-support-blog/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world/ba-p/846222
Host ASP.NET Core on Windows with IIS
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1

Is it OK to remove Nginx when using Azure application gateway?

I have a Web app for docker currently running django with gunicorn as wsgi server and Nginx as reverse proxy. I am not serving any static assets via Nginx and the SSL is taken care by Azure.
So my question is, if I use Azure application gateway (with or without WAF) can I remove Nginx? I don't see any use for it, unless I want to use cache, which I don't. HTTP/2 is also provided by application gateway.
Both Nginx and Azure Application Gateway act as a reverse proxy with Layer 7 load‑balancing features plus a WAF to ensure strong protection against common web vulnerabilities and exploits.
Application Gateway supports autoscaling, SSL offloading, and end-to-end SSL, a web application firewall (WAF), cookie-based session affinity, URL path-based routing, multisite hosting, redirection, rewrite HTTP headers and other features. For a full list of supported features, see Introduction to Application Gateway. Also, you're aware of application gateway limits.
Whereas Nginx provides better URL rewriting and redirecting features than Application gateway. See the feedback. With Nginx, you can rewrite the URL of a request before passing it to a backend server. This means you can alter the location of files or request paths without modifying the URL advertised to clients. You can also redirect requests.
In my opinion, if you just want to simply use for load balancing without complex rewriting the URL, it's enough to use Azure Application Gateway. For complex use rewrite cases, you can plus Nginx. Read create Nginx rewrite rules and more details here.
Go for Azure Application gateway... and get rid of Nginx. When in cloud, it makes sense to use all PaaS platform features.

how to transparently wrap tcp/ip request with ssl using windows api

I'm developing a security system. It has a proxy server acting like a ssl termination using Nginx which will forwards all tcp/ip connections from clients to other third-party systems.
The client-proxy connections must be authenticated and securely encrypted by ssl.
And my problems is:
Each client is a computer which installed Windows 7 OS or higher. It has been installed with some third-party applications which cannot be interfered. For the better user experience, all clients' tcp/ip outbound requests from any applications must be transparently "converted" into (or "wrapped" in) ssl requests before coming to proxy server. And my first idea is to develop a network driver to access these requests using windows api, namely WFP(Windows Filtering Platform). I have read its online documentation but it's not easy to understand. Can you have to find some projects like this or tell me which sections in the documentation need to be focused? Thank you in advance!
Your issue is a bit unclear but here are my thoughts:
You want to have full encryption between the End User Client to the App Service.
Current:
Client --(443: TLS)--> NGINX --(Clear; Port 80)--> App Service
(Terminate TLS)
Change:
Client --(443: TLS)--> NGINX --(TLS; Port 443)--> App Proxy -(Plain; 80)-> App Service
(Terminate TLS) (Nginx with self-signed Cert)
The change is to add an additional Nginx server on the app server to provide the last layer of TLS between the load balancer and the App Service.
If your App service has the capability to serve SSL connections directly that's even better as you can just configure that in place of running an additional Nginx server on the app host. (If you wanted you could run apache or any other web server that supports proxy/load balancing capabilities)
If you are worried about the App Service port, it won't make a difference, the idea is that the App Proxy (being Nginx or the likes) will handle the encryption on a different port to then pass via localhost to the App Service (in plain text).
Additional Resources:
Can Nginx do TCP load balance with SSL termination?
https://serverfault.com/questions/978922/nginx-proxy-pass-to-https
https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html
https://nginx.org/en/docs/http/ngx_http_ssl_module.html

IIS 8.0 and SSL and Subdomains Webapi/Angular

I am Developing a web site that has Angular.js based client and Web API 2 server.
Both will be deployed under my website subdoman: "Admin.myDomain.com".
I would like to have ssl support. (on client and also requests for server)
Thinking that the client will be under Admin.myDomain.com and the Webapi : Admin.myDomain.com/admin/
In term SSL connection - What should be the best way to deploy this?
What I thought:
1. Connect the IP to the machine - Conenct the SSL work on entire IIS level.
2. Have the angular client side deployed on default web site on IIS.
3. have the web api deployed as subfolder (another applicaation).
will this work?
Is there a better way?
You can create your certificate specifically for admin.website.com or with a wildcard for *.website.com. It depends based in your future needs and available budget.
I would suggest to avoid Default Web Site and create a new WebSite that accepts only 443 (and link the certificate here) then you put your API running there with something like.
https://admin.website.com/v1/api
and your angular application at:
https://admin.website.com/app

Hosting a Web Server and Web Service locally on same port

I seem to miss somehting really obvious.
Anyways, i am developing a ReactJs web app and use nodejs (browser-sync) to host a simple web server for testing on localhost. Everything's working fine.
As for the server side i have a REST Service hosted in ASP.NET WebAPI.
I want to keep the urls in the web app relative for deployment reasons (because then it doesn't matter what the hostname is, as long it's running on the same domain).
I know out of experience that it's possible to host a self hosted ASP.NET WebAPI and a Web Application in IIS Express (at least in different paths) at the same time.
But now when i start browser-sync (which uses node http server internally as far as i can tell) and then WebAPI service host, the service host tells me it can't host on this url.
When i start it the other way around, browser-sync automatically increases the port so that it's on the next free port.
Does somebody have experience with it?
EDIT:
My question maybe in a more general sense: How do you develop web apps that are hosted on a local web server (in my case via nodejs) against a local running web service? And do you use relative URLs in your web app? Which leads to the problem that the service and the web have to run on the same server
I solved my problem like this:
ASP.NET WebAPI hosts under a different port then the nodejs web server
I set up a proxy in nodejs webserver for all urls starting with '/api/' and proxy these requests to the WebAPI port
I can use relative URLs in my client

Resources