If you require a reverse proxy using IIS, mainly in this example, we will be using this reverse proxy server to talk to servers that would otherwise be behind a firewall, with this approach, if you have sensitive web applications, you need to protect you can allow access from this one reverse proxy to the destination server, so you have to go through this reverse proxy to get your applications/services.
The Goal
I always like to have a goal and this is the mission, we have a device that is required but does not support HTTPS or Certificates, so the plan is to secure the device using IIS and rewrites to keep the footprint limited to one IIS server, so the requirement is:
This website : https://secureiis.bear.local will talk to http://redirect.bear.local which is not secure but will keep the session secured on the "secureiis" server
We will be using Windows Server 2022, at the time of this post, that was the latest version of the operating system.
Firstly you need a server with IIS installed, if you are using anything newer than Server 2016 then you have no horrible web application platform installer, go riddance to that rubbish, this means you need to manually down the files to work with IIS after installing it.
Install IIS and the management tools
Note : if you insist on using server manager to install IIS, please ensure you do not install features you do not require or will not use.
You only need this command to complete that here it is:
Install-WindowsFeature -name Web-Server -IncludeManagementTools
That should look like this:
Once installed you job is done, moving right along.
Installing URL Rewrite
This is the software that will do the magic and re-write URL based on the syntax you provide, this requires ARR without that this will not work as you expect it to.
Note : You will require the x64 version, so this will not work with the x32 version.
Once download install this application and ensure it is installed, we will check this later.
Check software status
Now we check that the software is installed as it should be, so to complete this get up a run box and type in the run box "appwiz.cpl" (without quotes) you should then see this:
This confirms we have installed URL Rewrite, all looks good, let move on.
Start IIS Manager
You will be managing this from IIS manager for some portions of this guide, others with be with the web.config file from PowerShell, so from the Start menu type "iis" and then choose IIS manager as below:
IIS Website Bindings
Add HTTPS IIS Binding
We will then need a add a HTTPS binding, to complete this highlight the website then on the right click Bindings as below:
Then we need to add a HTTS binding on port 443, the other options you select are preferences but I do not like legacy protocols running, and you need to choose the valid certificate as below:
You need to give this a name:
Then you need to add the servers you wish to use in this farm, it will use the default ports on HTTP and HTTPS so it should say online:
If you need to change the ports used from the defaults, use the advanced settings and you can customise the ports as below:
Once created you will see the farm below with all your options:
Next we need to use the monitoring and management option, you should notice that this will be blank, this is to be expected its not being used yet:
Then if you navigate to routing rules you should see that box the tick boxes are selected which means the rewrite rule should have been created as well, so next we need the "URL rewrite" option:
Double click the rule for editing purposes, and that will look like this, first is the "Match URL" for this we need to ensure that its a regular expression then we want the regex set to "^ssl(/.*)?$" this will look for a folder with SSL and anythign after it:
Using : Regular Expressions
Pattern : ^ssl(/.*)?$
Next we need to set the Conditions, here we required to match {HTTP_HOST} to the value "^redirect\.bear\.local$" (this will match the name of the server in regex) as a pattern match:
Input: {HTTP_HOST}
Type: Matches the Pattern
Pattern: ^redirect\.bear\.local$
Finally we need to set the Action which is what the rule will do with that traffic and here we need the options as below:
Action Type : Route to the Server Farm
Server Farm : RedirectBear
Path: /{R:0} (this will include anything sent from the client after the / as well)
Warning : If you have more than one rule setup in URL rewrite ensure you clear this box to process more than one rule!
In order for the rewrite to work we will need to use /ssl to confirm this is working, but first if we visit that site with the rule disabled we should see a 404 error, which we do:
However if we enable this rule we should see the contents of the HTTP webserver while staying on "secureiis" which is exactly what has occurred as you can see below:
The website is being served from "redirect.bear.local" but as its a re-write the URL is still "secureiis.bear.local" as the webserver, the webserver is talking to the remote server on our behalf.
Then as more people use this rule, the caching status will be updated, here we now have 107 hits, up from the 48 hits earlier:
