Using Windows Server 2016 IIS as Reverse Proxy by URL Rewrite

Objective:


I have an IIS which connects to Internet.  I want to use it as an inbound proxy to connect to a Linux web server behind. I want to do SSL termination at IIS.  I can share the same SSL certificate and  I don't want to manage SSL certificates for one more server.

Internet<--https--><--https--> -- IIS -- Inbound Proxy <--http-->--<--http--> Linux Web Server


The Linux web server can be accessed inside DMZ, say http://192.168.1.3/mywebserver.  The IIS web server can be accessed from Internet, say https://mydomain.myip.com/. I want to access the Linux Web server from Internet, say https://mydomain.myip.com/mywebserver/.

This is the easiest setting to have the same virtual path in public URL and internal URL.  It is because the HTTP response rewrite is much simpler (only to replace internal hostname with public hostname).  If you have different virtual path for public URL and internal URL, then you need to work on the "Edit Outbound Rule" session.

Steps:

The below steps works on my testing Windows Server 2012 and Windows Server 2016:
  1. Install URL Rewrite on IIS
    1. Download URL rewrite from Microsoft: https://www.iis.net/downloads/microsoft/url-rewrite#additionalDownloads
    2. Install the URL rewrite as instructed
  2. Install Application Request Routing (ARR) 3.0.
    1. Download from Microsoft.
    2. Follow the instruction to install.
  3. Inside IIS Manager, find HOSTNAME - Default Web Site.
    1. Open "URL Rewrite"
  4. Add Rule by Wizard:
    1. Click "Add Rule(s)... " at right side.
    2. Click "Reverse Proxy"
    3. Click "OK" if asked for "enable proxy functionality"
    4. Enter internal IP address (e.g. 192.168.1.3).
    5. Keep the check box checked for "Enable SSL Offloading".
    6. Enable "Rewrite the domain names of the links in HTTP responses"
    7. Enter internal IP at "From:"
    8. In "To:", enter external hostname.
    9. Click OK.
    10. One Inbound Rule and one Outbound Rule are created.
  5. Edit Inbound Rule
    Since the default wizard assumes all traffic will be forward, but I want to only forward URL request with "/mywebserver/", I need to edit the rule
    1. Double click on the inbound rule "ReverseProxyInboundRule" to edit it.
    2. Edit below items:
      1. Match URL - Pattern:  Change from original "(.*)" to "^mywebserver(.*)"
      2. Action - Action Properties - Rewrite URL, change to: http://192.168.1.3/mywebserver{R:1}
        Note: If service on your internal server is accessed as root folder, than you don't need to edit this.
    3. Click "Apply" to save and click "Back to Rules".
  6. Edit Outbound Rule
    The default value is fine as it  assume my URL structure for public and internal are the same (e.g. https://mydomain.myip.com --> http://192.168.1.3).  However, if you have folder name in your public URL, but use / to access internal server (e.g. https://mydomain.myip.com/mywebserver/ --> http://192.168.1.3), you may need to edit here.
      1. Double click on the  "ReverseProxyOutboundRule1" to edit it.
      2. Match
        1. In "Match the content within:", select all items except "Use Custom Tags".
        2. Pattern: the default is "^http(s)?://192.168.1.3/(.*)".  This should be keep as is for most case.
      3. Action
        1. Action type: Rewrite
        2. Action Properties - Value: The default is "http{R:1}://mydomain.myip.com/{R:2}".  You can change to "http{R:1}://mydomain.myip.com/mywebserver/{R:2}" in order to add the virtual path.
      4. Click "Apply" and "Back to Rules".
  7. Finish!

Comments