1

I have a web application running on one server and use IIS with rewriteURL on another server as a reverse proxy.

I configured the incoming rules to rewrite the reverse proxy address with the address of the web application server. This works fine.

However, the application allows users to download some content and redirects them to the download address. Right now, users get forwarded to the local IP address of the web application server, not the public address of the reverse proxy.

I understand, I need to edit the outbounding rules as well to catch this, but I somehow don't get it right.

I followed the instructions here https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/modifying-http-response-headers

and my current rewrite rules look like this

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="er-platform" stopProcessing="true">
                    <match url="^er-platform(.*)" />
                    <conditions>
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <action type="Rewrite" url="{C:1}://192.168.80.6:8443/{R:0}" />
                    <serverVariables>
                        <set name="ORIGINAL_HOST" value="{HTTP_HOST}" />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="er-platform" preCondition="IsRedirection" enabled="true">
                    <match serverVariable="RESPONSE_LOCATION" pattern="^(https?)://[^/]+/(.*)" />
                    <conditions logicalGrouping="MatchAny">
                        <add input="{ORIGINAL_HOST}" pattern=".+" />
                    </conditions>
                    <action type="Rewrite" value="{R:1}://{ORIGINAL_HOST}/{R:2}" />
                </rule>
                <preConditions>
                    <preCondition name="IsRedirection">
                        <add input="{RESPONSE_STATUS}" pattern="3\d\d" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

I still get redirected to the local IP when trying to download something. How do I need to change the rules to get this right?

Thanks,

Thomas

Thomas
  • 1,026
  • 7
  • 18

1 Answers1

1

I don't think your outbound rule is incorrect. I have a couple of guesses for why it is failing.

First: Your inbound rule must match for your outbound rule to work. This is because ORIGINAL_HOST is captured when the inbound rule executes. Right now, your inbound rule is match the URL against ^er-platform(.*). I am going to assume that since this is a reverse proxy, that it is working because you wouldn't be able to start the download if it wasn't.

Second: The output rule only triggers on a 3xx code. This isn't the only way to redirect though. It's possible that you're redirecting using JavaScript. E.g. `window.location = 'http://wrongaddress'. In which case your outbound rule wouldn't work.

Next steps for debugging this: Turn on Logging for the inbound rule. IIS Manager Log rewritten URL checkbox Your logs will be written to %SystemDrive%\inetpub\logs\LogFiles\. Verify the inbound rule is being hit.

Verify what's happening on the wire: Fiddler is a great tool for understanding what's actually happening on the wire. Use this to confirm that the URL rewrite rules should be hitting. I.e. that the request URL matches ^er-platform(.*) and that the response code is in the 300s.

Alternatively to Fiddler you could just get away with using Chrome Developer Tools Network tab. Turn on the 'Preserve log' checkbox so that it doesn't clear after you've been redirected. Verify what you think should be happening is actually happening.

Sam Rueby
  • 5,914
  • 6
  • 36
  • 52
  • Thanks for the hints! I tracked the network and found some odd behavior. Once I triggered the download, the app refers me to the download file. But what I get is a 401 "not authorized" from the local server. My current session is not valid for that host. If I create a second session in my browser using the local IP I can download the file. In that scenario, the local IP never shows up in the network tab. The download comes from the reverse proxy host. It looks like the session is some how not correctly handled. Is this something I can control with IIS? – Thomas Oct 02 '17 at 14:02
  • Is the server setting cookies? Perhaps for the wrong domain or path rather than the external? – Sam Rueby Oct 02 '17 at 14:24
  • yes, there is a cookie for the session. I uses the external domain and the right path. – Thomas Oct 02 '17 at 17:11
  • Verify the same cookies and their values are being received/sent in both the working and not-working scenarios. – Sam Rueby Oct 02 '17 at 17:57
  • For the not working scenario I have one cookie (with host set to the external domain), for the working scenario I have two cookies, one of the external domain, one for the internal IP. The two cookie were created in separate browser taps but shared (one per tap) but are shared for the browser session. – Thomas Oct 02 '17 at 18:23
  • I think the issue is with the cookie. the session ID is not correctly preseved behind the reverse proxy. I reformulated my question here https://stackoverflow.com/questions/46534125/proxypassreversecookiedomain-equivalent-for-iis . Thanks a gain for your response. It helped me a lot to narrow down the issue! – Thomas Oct 02 '17 at 21:42
  • I also suspected that. Glad I was able to point you in the right direction. – Sam Rueby Oct 02 '17 at 23:52