Setup IIS with URL Rewrite as a reverse proxy for real world apps.


URL Rewrite, one of the many modules that can be added to the IIS web server, makes IIS a very versatile tool. It can be used to perform a variety of tasks, including setting up your IIS web server as a reverse proxy for some other backend HTTP service. A reverse proxy is a network device that takes in traffic coming from the Internet (for example) and forwards this traffic to a backend server on your private network, allowing that backend server to be accessible to people who are not necessarily connected to your network. There are a lot of articles on how to use IIS and URL Rewrite as a reverse proxy, but I have found that many are incomplete with regard to real-world scenarios from today’s web applications.

Scenario: Setting up IIS with URL rewrite as a reverse proxy with SSL offloading for a backend service.

Details: suppose that we have a web-application hosted on one of our backend web-servers, IIS or another web server, and that this application server cannot be configured to use SSL and is not accessible to the end users because the end users do not have access to the network the server is on. We want IIS to perform the following tasks:

  • Take in requests from the end users for content from this application using SSL
  • Route these requests to the backend application server using HTTP
  • Rewrite all responses from the backend server, so that any hyperlinks, form action tags and such are constructed with the URL that the IIS reverse proxy server has.

Below is the diagram of the setup we wish to accomplish using IIS as a reverse proxy server:

I would like to take you through the configuration steps required to set up such a system, where requests are routed via the IIS server to the backend application server, and the responses are then rewritten with the public hostname of the IIS server and sent back to the connecting clients.

Install URL Rewrite

The first step is to install the add-on module for URL Rewrite. With Windows Server 2012 R2, you can use the Microsoft Web Platform Installer (WebPI) to download and install the URL Rewrite Module. Just search for ‘URL Rewrite’ in the search options and click ‘Add’. You can also download the extension from IIS.net – http://www.iis.net/downloads/microsoft/url-rewrite .

Once the module is installed in IIS, you will see a new icon in the IIS Administration Console, called URL Rewrite. This icon is present at the level of each site and web application you have on the server, and will allow you to configure rewrite rules that apply from that level downwards.


Setup a Reverse Proxy rule using the Wizard.

Open the IIS Manager Console and click on the Default Web Site from the tree view on the left. Select the URL Rewrite Icon from the middle pane, and then double click it to load the URL Rewrite interface.

Choose the ‘Add Rule’ action from the right pane of the management console, and then select the ‘Reverse Proxy Rule’ from the ‘Inbound and Outbound Rules’ category.

Now we can proceed to fill in the routing information based on the diagram above in the Wizard window that is provided to us.

While still in the same configuration window, we also need to provide information to take care of the responses that will be emitted by the backend server and will transit the IIS server on their way back to the requesting browser. These responses may have absolute hyperlinks inside and other information which contains the hostname of the backend server. If these are sent to the browser as is, the end user will not be able to access the resources these links point to simply because the browser does not know where http://privateserver:8080/HomePage.aspx is located and how it can be reached. We need to convert these into the hostname of the reverse proxy server, and have them look like: https://www.mypublicserver.com/HomePage.aspx . For this reason, we will check the ‘Rewrite the domain names of the links in HTTP responses’ checkbox in the Outbound Rules section.

The basic setup for the reverse proxy is now complete, with IIS able to capture incoming traffic and forward it to the backend server, and inspect responses from the backend server and rewrite URL links inside the responses to match the host headers that IIS uses to publish the site.
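
The same inbound and outbound rules can also be written directly in the site's web.config. The fragment below is an added example, not the wizard's exact output and not configuration from the original article; the rule and precondition names are assumptions, and the hostnames are the ones used above.

```xml
<!-- Added example: belongs inside <system.webServer> of the proxy site's web.config. -->
<rewrite>
  <rules>
    <!-- Inbound: the client connects over HTTPS, the request is forwarded
         to the backend over plain HTTP (SSL offloading). -->
    <rule name="ReverseProxyInbound" stopProcessing="true">
      <match url="(.*)" />
      <action type="Rewrite" url="http://privateserver:8080/{R:1}" />
    </rule>
  </rules>
  <outboundRules>
    <!-- Outbound: absolute links that carry the backend hostname are
         rewritten to the public hostname before the response leaves IIS. -->
    <rule name="ReverseProxyOutbound" preCondition="ResponseIsHtml">
      <match filterByTags="A, Form, Img"
             pattern="^http://privateserver:8080/(.*)" />
      <action type="Rewrite" value="https://www.mypublicserver.com/{R:1}" />
    </rule>
    <preConditions>
      <!-- Only HTML responses are inspected; other content types pass through. -->
      <preCondition name="ResponseIsHtml">
        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
```

Only the tags listed in `filterByTags` are rewritten, and only in `text/html` responses, so a backend hostname that appears in scripts, response headers or cookies still reaches the client unchanged.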

Read on in part number 2 to see where the problems with this setup start.

By Paul Cociuba
http://linqto.me/about/pcociuba

Comments (10)

  1. ppindia says:

    what is the difference between load balancer and reverse proxy? My understanding is that this is just used to filter out traffic to net so that some virtual directories can be blocked.

    1. A load balancer is used to do some sort of repartition of incoming traffic to multiple servers… If you were using something like ARR (Application Request Routing for IIS) you could have an IIS server that was equally splitting incoming traffic to multiple backend servers (using some load balancing algorithm, such as round robin, etc.). A reverse proxy will forward all incoming traffic to a website to some back-end web-server. You can imagine the case where you have a server in your corporate Intranet: users inside the corporate Intranet can just access the server directly. But if you wanted to expose the site to Internet users, without exposing the server, one way you could achieve this is by creating a reverse proxy – that forwards all traffic from an Internet facing site to your Intranet server.

      Paul

  2. Richard Schaefer says:

    I have IIS 8.5 on Windows Server 2012 R2. I installed ARR 3.0 and URL Rewrite 2.0. I restarted the server just to be safe. Both show up as installed products, but there’s no entry for ARR in IIS Manager when I click on the server node, and no template for a Reverse Proxy. Any ideas?

    1. Hello Richard, In the blog I am explaining how to go about doing the configuration only using URL Rewrite and not ARR. ARR works a bit differently, since it will create a ‘Web Farms’ node underneath the ‘Sites’ node in the IIS Manager tree view (displayed on the left hand side). It then depends on what you want your server to do:
      – do you want to set up just a reverse proxy where all incoming traffic to a site is routed to another backend server? Then use the URL rewrite module and follow this article.
      – do you want your IIS server to load balance requests to multiple servers in the backend (each of these servers hosting a copy of the site)? Then you should use the ARR (Application Request Routing) module to turn the IIS server into a load balancer.

      BTW: ARR will install Url Rewrite directly. So what I would do is decide which of the above scenarios you wish to implement and only install ARR or Url Rewrite.

      Paul

  3. Eugene says:

    Since SSL offloading is checked, where do I provide a cert that will be terminated at the proxy?

    1. SSL Offloading means that the secure connection between the client (Browser) and the server will terminate at the proxy level. This would typically be done if the backend application server does not allow you to use SSL. If you enable SSL Offloading, the certificate is to be set up on the IIS server which you configure as a reverse proxy. You can find details on how to set up the SSL binding here: https://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

  4. taithinye says:

    Hi, is it possible to configure two different application servers at the backend while using the same external-facing web server? I have two different app servers, App Server A: app1.domain.com and App Server B: app2.domain.com; both are served from a single web server using the same IP. What I would like to achieve is that when users want to access Server A, they enter the URL app1.domain.com, and for Server B, they enter app2.domain.com.

    1. This can be done with the aid of the ARR (Application Request Routing) module for IIS. This module will allow you to create a farm of servers for each site you host, and add servers to that farm. Hence your site will be http://www.contoso.com but then hosted on server1.contoso.com and server2.contoso.com. The way load is distributed between the two servers can also be configured with different load balancing algorithms. Have a look at: https://www.iis.net/downloads/microsoft/application-request-routing

      Paul

  5. Mike says:

    How would this reverse proxy setup affect an application that uses cookie authentication? If http://privateserver:8080 issues a cookie in the response does the rewrite module update the source domain of the cookie?

    1. Responses from the content server (including the headers) are taken and forwarded by the reverse proxy to the connecting client. In the case you mentioned, the cookie is represented by a Set-Cookie HTTP header. If the cookie includes a domain inside the value, this will not be modified and you will have to set up a URL rewrite rule to address this.
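
A rule of the kind mentioned in the reply above, as an added example that is not part of the original article or comment thread. It assumes the backend sets the cookie domain to exactly `privateserver`; the rule and precondition names are hypothetical.

```xml
<!-- Added example: outbound rule for the proxy site's web.config,
     inside <system.webServer>. -->
<rewrite>
  <outboundRules>
    <!-- Replace the backend hostname in the Domain attribute of Set-Cookie
         with the public hostname; all other attributes are preserved. -->
    <rule name="RewriteCookieDomain" preCondition="HasSetCookie">
      <match serverVariable="RESPONSE_Set_Cookie"
             pattern="^(.*;\s*domain=)privateserver(;.*)?$" />
      <action type="Rewrite" value="{R:1}www.mypublicserver.com{R:2}" />
    </rule>
    <preConditions>
      <!-- Run the rule only on responses that actually set a cookie. -->
      <preCondition name="HasSetCookie">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
```

A cookie issued without a Domain attribute is host-only, so the browser binds it to the public hostname it connected to and no rewrite is needed.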
