1

I am looking for ideas/suggestions to set up/troubleshoot a configuration that allows me to debug a scenario as follows. I am using IIS 10, Visual Studio 2017.

I have a web application that posts a message to a 3rd party site. The 3rd party site then posts a response back to my web application. IIS has a reverse proxy (shown below) that directs the post from the 3rd party application to IIS Express where my app is running in IIS Express (VS 2017).

All connections use SSL. IIS Express is using a self-signed cert that comes with VS2017.

Calling the app running on IIS Express from the 3rd party app via the reverse proxy worked until I changed to using SSL. (This solution requires SSL).

url="https://10.10.203.132:44349/{R:1}" -> this is the computer where my app is running in VS2017.

Now I get a 502 error, subcode 3, and my app is never called. No other info in Failed Request Tracing.

Any suggestions?

<configuration>
<system.webServer>
    <rewrite>
        <rules>
            <rule name="Reverse Proxy" enabled="true" stopProcessing="true">
                <match url="(.*)" />
                <action type="Rewrite" url="https://10.10.203.132:44349/{R:1}" />
            </rule>
        </rules>
        <outboundRules>
            <rule name="Ensure samesite Cookies" preCondition="Missing samesite cookie">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
                <action type="Rewrite" value="{R:0}; SameSite=None" />
            </rule>     
            <preConditions>
                <preCondition name="Missing samesite cookie">
                    <!-- Don't remove the first line here, it does do stuff! -->
                    <add input="{RESPONSE_Set_Cookie}" pattern="." />
                    <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
                </preCondition>
            </preConditions>            
        </outboundRules>
    </rewrite>
</system.webServer>
</configuration>

haler212
  • Would you mind sharing a working example with me? I will try to reproduce your issue. It seems that the Rewrite rules failed to work. What about the situation when using the HTTP protocol? Besides, when using the self-signed certificate, the request with an IP URL will be blocked by the browsers. We can verify it by simply accessing it in the browser. – Abraham Qian Apr 21 '20 at 09:35
  • Before I switched to SSL I was not getting the 502. – haler212 Apr 21 '20 at 15:32
  • I would like to know the scenario with a working example. Is the Rewrite action applicable to this case? – Abraham Qian Apr 22 '20 at 10:09
  • Since most of the solution is behind a firewall I can't give you a working example. Yes the rewrite action is applicable to this case. – haler212 Apr 22 '20 at 13:29
  • I don't think so. For forwarding an http request to https, the Redirect action might be useful; the Rewrite action is usually used to rewrite the path string instead of the machine name. Please try the below configuration. – Abraham Qian Apr 24 '20 at 10:25

2 Answers

0
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Reverse Proxy" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <action type="Redirect" url="https://10.10.203.132:44349/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
          <conditions logicalGrouping="MatchAll">
            <add input="{SERVER_PORT_SECURE}" pattern="0" />
          </conditions>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

Here is another solution.
https://www.namecheap.com/support/knowledgebase/article.aspx/9953/38/iis-redirect-http-to-https
Feel free to let me know if the problem still exists.

Abraham Qian
  • You are right, rewrite is not necessary. I don't think I need the server_port_secure. I now am getting a 404 using:` ` – haler212 Apr 24 '20 at 18:30
  • if I remove the {R:1} I don't get the 404 but the query string is empty. Getting closer... – haler212 Apr 24 '20 at 18:50
  • Rule conditions are used to exclusively match the HTTP request so that the https forwarding request will work properly. Otherwise, the https request will get no response, the https forwarding request will remain forward and cannot be completed. – Abraham Qian Apr 27 '20 at 08:42
0

The far server may have Server Name Identification enabled (SNI), which can cause the 502.3 issue since the request isn't being made properly and so it fails.

You could test on a server you control, turn on SNI and your config should fail. Turn it off and it should succeed.

The far end server may not need SNI but turned it on "just because". It could also get its site running on its own IP and disable SNI.

I have also seen configuring IIS proxy to properly handle SNI but I never have had to do it. I leave this for reference:

https://techcommunity.microsoft.com/t5/iis-support-blog/arr-configuration-for-backend-sites-with-sni-binding-on-iis/ba-p/2658104

Sunny Days
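
An added diagnostic for the two TLS factors raised in this thread, the self-signed backend certificate and SNI; it is not code from the question or from either answer. Run from the proxy host, it attempts the handshake to the backend with and without SNI and with and without certificate validation. The function names and finding labels are assumptions made for this example.

```python
import socket
import ssl

def probe(host, port, sni=None, verify=True, timeout=5.0):
    """Attempt one TLS handshake to the backend; return (ok, detail)."""
    ctx = ssl.create_default_context()
    # Hostname checking needs a name; set it before touching verify_mode.
    ctx.check_hostname = bool(verify and sni)
    ctx.verify_mode = ssl.CERT_REQUIRED if verify else ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname=None sends no SNI extension. Python also omits
            # SNI when the name is an IP literal, so pass a DNS name here.
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "cert: " + exc.verify_message
    except ssl.SSLError as exc:
        return False, "tls: " + (exc.reason or str(exc))
    except OSError as exc:
        return False, "tcp: " + str(exc)

def run_matrix(host, port, name):
    """Probe with/without SNI and with/without certificate validation."""
    return {(s, v): probe(host, port, name if s else None, v)[0]
            for s in (True, False) for v in (True, False)}

def diagnose(matrix):
    """matrix maps (sni_sent, cert_validated) -> handshake succeeded."""
    if all(matrix.values()):
        return ["tls-ok"]
    if not any(matrix.values()):
        return ["no-handshake"]
    findings = []
    # Works with SNI but not without it (validation off in both probes).
    if matrix[(True, False)] and not matrix[(False, False)]:
        findings.append("sni-required")
    # Works only when certificate validation is switched off.
    if any(matrix[(s, False)] and not matrix[(s, True)] for s in (True, False)):
        findings.append("cert-untrusted")
    return findings or ["inconclusive"]

if __name__ == "__main__":
    # Constructed result matrix: what a backend with a self-signed
    # certificate and no SNI requirement would be expected to produce.
    sample = {(True, True): False, (True, False): True,
              (False, True): False, (False, False): True}
    print(diagnose(sample))
```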