Setup IIS with URL Rewrite as a reverse proxy for real world apps.


Url Rewrite, one of the many modules that can be added on to the IIS web-server to make this a very versatile tool can be used to perform a variety of tasks, including allowing you to setup your IIS web-server as a reverse-proxy server to some other back-end HTTP service. A reverse proxy is a network device that takes in traffic coming from the Internet (for example), and forwards this traffic to a backend server on your private network, allow that backend server to be accessible to people who are not necessarily connected to your network. There are a lot of articles on how to use IIS and Url Rewrite as a reverse proxy, but I have found that many are incomplete with regards to real world scenarios from today's web applications.

Scenario: Setting up IIS with URL rewrite as a reverse proxy with SSL offloading for a backend service.

Details: suppose that we have a web-application hosted on one of our backend web-servers, IIS or another web server, and that this application server cannot be configured to use SSL and is not accessible to the end users because the end users do not have access to the network the server is on. We want IIS to perform the following tasks:

  • Take in requests from the end users for content from this application using SSL
  • Route these requests to the backend application server using HTTP
  • Rewrite all responses from the backend server, so that any hyperlinks, form action tags and such are constructed with the URL that the IIS reverse proxy server has.

Below is the diagram of the setup we wish to accomplish using IIS as a reverse proxy server:

I would like to take you through the configuration steps required to setup such a system, where requests are routed via the IIS server to the backend application server and the re-written back again with the public host-name of the IIS server and sent back to the connecting clients.

Install URL Rewrite

The first step is to install the add-on module for URL Rewrite. With Windows Server 2012 R2, you can use the Microsoft Web Platform Installer (WebPI) to download and install the URL Rewrite Module. Just search for 'URL Rewrite' in the search options and click 'Add'. You can also download the extension from IIS.net - http://www.iis.net/downloads/microsoft/url-rewrite .

Once the module is installed in IIS, you will see a new Icon in the IIS Administration Console, called URL Rewrite. This icon is present at the level or each site and web-application you have in the server, and will allow you to configure re-write rules that will apply from that level downwards.


Setup a Reverse Proxy rule using the Wizard.

Open the IIS Manager Console and click on the Default Web Site from the tree view on the left. Select the URL Rewrite Icon from the middle pane, and then double click it to load the URL Rewrite interface.

Chose the 'Add Rule' action from the right pane of the management console, and the select the 'Reverse Proxy Rule' from the 'Inbound and Outbound Rules' category.

Now we can proceed to fill in the routing information based on the diagram above in the Wizard window that is provided to us.

While still in the same configuration window, we also need to provide information to take care of the responses that will be emitted by the backend server and will transit the IIS server on their way back to the requesting browser. These responses may have absolute hyperlinks inside and other information which contains the hostname of the backend server. If these are sent to the browser as is, the end user will not be able to access the resources these links point to simply because the browser does not know where http://privateserver:8080/HomePage.aspx is located and how it can be reached. We need to convert these into the hostname of the reverse proxy server, and have them look like: https://www.mypublicserver.com/HomePage.aspx . For this reason, we will check the 'Rewrite the domain names of the links in HTTP responses' checkbox in the Outbound Rules section.

The basic setup for the reverse proxy is now complete, with IIS able to capture incoming traffic and forward it to the backend server, and inspect responses from the backend server and rewrite URL links inside the responses to match the host headers that IIS uses to publish the site.

Read on in part number 2 to see where the problems with this setup start.

By Paul Cociuba
http://linqto.me/about/pcociuba

Comments (22)

  1. ppindia says:

    what is the difference between load balancer and reverse proxy? My understanding is that this is just used to filter out traffic to net so that some virtual directories can be blocked.

    1. A load balancer is used to do some sort of repartition of incoming traffic to multiple servers… If you were using something like ARR (Application Request Routing for IIS) you could have an IIS server that was equally splitting incoming traffic to multiple backend servers (using some load balancing algorithm -such as round robin, etc). A reverse proxy will forward all incoming traffic to a website to some back-end web-server. You can imagine the case where you have a server in your corporate Intranet: users inside the corporate Intranet can just access the server directly. But if you wanted to expose the site to Internet users, without exposing the server, one way you could achieve this is by creating a reverse proxy – that forwards all traffic from an Internet facing site to your Intranet server.

      Paul

  2. Richard Schaefer says:

    I have IIS 8.5 on Windows Server 2012 R2. I installed ARR 3.0 and URL Rewrite 2.0. I restarted the server just to be safe. Both show up as installed products, but there’s no entry for ARR in IIS Manager when I click on the server node, and no template for a Reverse Proxy. Any ideas?

    1. Hello Richard, In the blog I am explaining how to go about doing the configuration only using URL Rewrite and not ARR. ARR works a bit differently, since it will create a ‘Web Farms’ node underneath the ‘Sites’ node in the IIS Manager tree view (displayed on the left hand side). It then depends on what you want your server to do:
      – do you want to setup just a reverse proxy where all incoming traffic to a site is routed to another backend server? Then use the URL rewrite module and follow this article.
      – do you want your IIS server to load balance requests to multiple servers in the backend (each of these servers hosting a copy of the site)? Then you should use the ARR (Application Request Routing) module to turn the IIS server into a load balancer.

      BTW: ARR will install Url Rewrite directly. So what I would do is decide which of the above scenarios you wish to implement and only install ARR or Url Rewrite.

      Paul

      1. Chris [MSFT] says:

        I had the same issue on Server 2016/IIS10: the template isn’t there.
        For the “Reverse Proxy” template to appear, both URL Rewrite and ARR must be installed and configured. I have created an ARR server farm then, selecting the WebSite, I was able to see the template in URL Rewrite.

        If you still don’t see the template, reboot the server and if it’s still not working, run the URL Rewrite installer selecting “Repair” from https://www.microsoft.com/en-us/download/details.aspx?id=47337

  3. Eugene says:

    Since SSL offloading is checked, where do I provide a cert that will be terminated at the proxy?

    1. SSL Offloading means that the secure connection between the client (Browser) and the server will terminate at the proxy level. This would typically be done if the backend application server does not allow you to use SSL. If you enable SSL Offloading, the certificate is to be setup on the IIS server which you configure as a reverse proxy. You can find details on how to setup the SSL binding here: https://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

    2. Yes, you will need to provide an SSL certificate and binding for the IIS website on which you are configuring the Url rewrite rules.

  4. taithinye says:

    Hi, does it able to configure the server 2 different application server at backend but using the same external facing web server ? I have two different app server , App Server A : app1.domain.com and App Server B: app2.domain.com, both are serves from a single web server using the same IP. I would like to achieve when users want to access Server A, they will enter URL app1.domain.com , and if to Server B, they will enter app2.domain.com

    1. This can be done with the with the aid of the ARR (Application Request Routing) module for IIS. This module will allow you to create a farm of servers for each site you host, and add servers to that farm. Hence your site will be http://www.contoso.com but then hosted on server1.contoso.com and server2.contoso.com. The way load is distributed between the two servers can also be configured with different load balancing algorithms. Have a look at: https://www.iis.net/downloads/microsoft/application-request-routing

      Paul

  5. Mike says:

    How would this reverse proxy setup affect an application that uses cookie authentication? If http://privateserver:8080 issues a cookie in the response does the rewrite module update the source domain of the cookie?

    1. Responses from the content server (including the headers) are taken and forwarded by the reverse proxy to the connecting client. In the case you mentioned, the cookie is represented by a SET COOKIE Http header. If the cookie includes a domain inside the value, this will not be modified and you will have to setup a URL rewrite rule to address this.

  6. Hi … I’ve been having no-end of issues … no matter what I tried I couldn’t get dynamic compression to work after the outbound rewrite rules.

    After some days, I decided to retrace my steps and review my understanding. I’ve realised, something must be very wrong for me, because I am always forced to install ARR. When I click on the reverse-proxy rule to get the wizard you get, IIS first says that I must install ARR for reverse proxy functionality (or words to that effect). It doesn’t let me continue without doing that. I already had URL-rewrite-2. I’m very confused. Windows 8.1, IIS 8.5. Just to be sure, I enabled IIS in a Windows 10 1607 edition, used WebPI to install URL-rewrite-2. Same result (dialogue). Maybe the functionality is different on 2012 R2? At first I thought nothing of it – but after days of problems, and then reading comments here that seem to differentiate between ARR and URL-Rewrite as having the potential to be discreet components … I figured my understanding must be very flawed on a fundamental level. I’d assumed IIS was the same (barring number of simultaneous connections) per edition, across platforms?

    1. Hello David,

      ARR (short for application request routing) is the IIS module that allows the IIS server to work as a load balancer. This product (ARR) uses url-rewrite under the covers to get the routing done for reverse proxy scenarios. So just installing Url-rewrite will get you the reverse proxy template for rule creation in Url-Rewrite, but to use it you need to install ARR. Installing ARR brings in Url Rewrite directly.

  7. John Stevenson says:

    Mr Cociuba… thanks for the detailed tutorial… my head was spinning after going through it — I am absorbing slowly the idea but I seem to be missing the secret sauce here. I have a Godaddy website called http://www.myGodaddySite.com. I have a privateserver with a webpage at localhost:8080/mycrazywebpage. I want customers on the outside to be able to type in http://www.myGodaddySite.com/mycrazywebpage without having to type in http://www.myGodaddySite.com:8080/mycrazywebpage. This article is the correct way to handle inbound and outbound messages for such a thing, correct?

    1. Hello John,

      Yes, if you follow the setup described in this article you should be able to route all incoming traffic to port 8080. The way it should work is the following:
      – you configure your DNS to point the http://www.myGodaddaysite.com to the IP (ANAME record) or Name (CNAME record) of your server.
      – then on the IIS server you configure the reverse proxy rule to route all traffic coming in on port 80 to port 8080, just as I show.
      – then you create the rest of the outbound rules (to rewrite the responses coming from port 8080 to port 80) and change any URLs in the HTML responses.

      Hope this helps,
      Paul

  8. GP.Burth says:

    Thanks for the great article series.

    i have found another “gotcha” after implementing all relevant parts: some websites nowadays give really huge HTTP responses. In my case the internal server responded to a login with 380kB of data (hey, why use external JavaScript when you can inline everything?). On the external side the login never succeeded, because I got a connection reset after receiving only part of this data packet.

    The reason is that the Response Buffer Threshold of the sites ARR Cache is by default only 256kB… I greatly upgraded that number to 2048kB but don’t know if that will give other strange results in the future.

    1. This is an output buffer that ARR uses to cache the response on the ARR server (IIS server). Should the buffer value be lower than the response to be sent, ARR will used chunked encoding, and will send a first chunk which the size of the buffer (256k), then a second chunk and so on until we finish sending all the response. In you case, I would expect that the client did not react well to receiving an authentication request in chunked encoding. Increasing the buffer as a workaround is fine and will not cause any issues, apart from increasing the memory footprint of the IIS worker process slightly.

  9. Marcia Pelaez Gonzalez says:

    Hello, I have a question, this configuration means that we only need this IIS setup to hide the real SharePoint URL?

    1. Not sure what you mean by ‘hide’ a Sharepoint URL. But if you are implying that you wish to rewrite your SharePoint urls to look like something else, then you can use Url rewrite to achieve this.

  10. Tim Meiner says:

    Hi,

    I have two separate app servers that I would like to set up to be reverse proxied through a web server. I followed your directions on this blog and I was able to successfully set up the reverse proxy for one of the app servers. However, I’m confused on how to add the 2nd app server to be set up to run through the reverse proxy. These directions are great for setting up 1 site to be set up for reverse proxy but it would be nice if you could add how to configure multiple sites as well.

    1. For a webfarm scenario, you would need to look into ARR (Application Request Routing). This will allow the introduction of the concept of a ‘farm’ in IIS. A farm can be comprised of one or more servers, which can be dynamically taken on and offline. There are also multiple load balancing algorithms you can setup for farm scenarios. You can then modify the rule to have an action of ‘route to farm’. Have a look at:
      https://www.iis.net/downloads/microsoft/application-request-routing

Skip to main content