IIS : URL-Rewrite to back-end services

If you require a reverse proxy using IIS, mainly in this example, we will be using this reverse proxy server to talk to servers that would otherwise be behind a firewall, with this approach, if you have sensitive web applications, you need to protect you can allow access from this one reverse proxy to the destination server, so you have to go through this reverse proxy to get your applications/services.

The Goal

I always like to have a goal and this is the mission, we have a device that is required but does not support HTTPS or Certificates, so the plan is to secure the device using IIS and rewrites to keep the footprint limited to one IIS server, so the requirement is:

This website : https://secureiis.bear.local will talk to http://redirect.bear.local which is not secure but will keep the session secured on the "secureiis" server

We will be using Windows Server 2022, at the time of this post, that was the latest version of the operating system.

Firstly you need a server with IIS installed, if you are using anything newer than Server 2016 then you have no horrible web application platform installer, go riddance to that rubbish, this means you need to manually down the files to work with IIS after installing it.

Install IIS and the management tools

Note : if you insist on using server manager to install IIS, please ensure you do not install features you do not require or will not use.

You only need this command to complete that here it is:

Install-WindowsFeature -name Web-Server -IncludeManagementTools

That should look like this:


You should then see the install running along nicely:


Once installed you job is done, moving right along.

Installing URL Rewrite

This is the software that will do the magic and re-write URL based on the syntax you provide, this requires ARR without that this will not work as you expect it to.

Note : You will require the x64 version, so this will not work with the x32 version.

https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi

Once download install this application and ensure it is installed, we will check this later.

Check software status

Now we check that the software is installed as it should be, so to complete this get up a run box and type in the run box "appwiz.cpl" (without quotes) you should then see this:


This confirms we have installed URL Rewrite, all looks good, let move on.

Start IIS Manager

You will be managing this from IIS manager for some portions of this guide, others with be with the web.config file from PowerShell, so from the Start menu type "iis" and then choose IIS manager as below:


When this loads we are looking for the ARR and URL rewrite shown in the green boxes below, these should absolutely be there....


IIS Website Bindings

Check Bindings of "Default Web Site you need to ensure that this has a HTTP (TCP:80) and a HTTPS (TCP:443) binding by default it will not have a HTTPS binding as you can see here:


Add HTTPS IIS Binding

We will then need a add a HTTPS binding, to complete this highlight the website then on the right click Bindings as below:


This will bring up a list of active bindings of which we need to click add:



Then we need to add a HTTS binding on port 443, the other options you select are preferences but I do not like legacy protocols running, and  you need to choose the valid certificate as below:


Then when you check the Sites section you will now see the HTTPS binding as active:


Create new Server Farm

We now need to create a new server farm which will handle all the load balancing, so from IIS manager right click on the server farms and choose "Create Server Farm"


You need to give this a name:



Then you need to add the servers you wish to use in this farm, it will use the default ports on HTTP and HTTPS so it should say online:


If you need to change the ports used from the defaults, use the advanced settings and you can customise the ports as below:



Once created you will see the farm below with all your options:



First we need to ensure the load balancing is setup to weight round robin as below, however if you have another requirement update it here:


Next we need to use the monitoring and management option, you should notice that this will be blank, this is to be expected its not being used yet:


Then if you navigate to routing rules you should see that box the tick boxes are selected which means the rewrite rule should have been created as well, so next we need the "URL rewrite" option:

This will then show you the rule created:


Double click the rule for editing purposes, and that will look like this, first is the "Match URL" for this we need to ensure that its a regular expression then we want the regex set to "^ssl(/.*)?$" this will look for a folder with SSL and anythign after it:

Request URL : Matches the Pattern
Using : Regular Expressions
Pattern : ^ssl(/.*)?$



Next we need to set the Conditions, here we required to match {HTTP_HOST} to the value "^redirect\.bear\.local$" (this will match the name of the server in regex) as a pattern match:

Logical Grouping : Match All
Input: {HTTP_HOST}
Type: Matches the Pattern
Pattern: ^redirect\.bear\.local$



Finally we need to set the Action which is what the rule will do with that traffic and here we need the options as below:

Action Type : Route to the Server Farm
Scheme : HTTP:// (in this example)
Server Farm : RedirectBear
Path: /{R:0} (this will include anything sent from the client after the / as well)

Warning : If you have more than one rule setup in URL rewrite ensure you clear this box to process more than one rule!



Testing the Rewrite and Logic

This is the simple and fun bit, first we need to visit the URL from the start which is https://secureiis.bear.local that should show you the IIS10 welcome screen like this, the rule is not listening on the root website:


In order for the rewrite to work we will need to use /ssl to confirm this is working, but first if we visit that site with the rule disabled we should see a 404 error, which we do:


However if we enable this rule we should see the contents of the HTTP webserver while staying on "secureiis" which is exactly what has occurred as you can see below:


The website is being served from "redirect.bear.local" but as its a re-write the URL is still "secureiis.bear.local" as the webserver, the webserver is talking to the remote server on our behalf.

Monitor for Traffic and Hits

You can view the status of the traffic from the server farm monitoring and management as you can see below, here we are all healthy and we have 48 requests with 100% hitting the cache:


Then as more people use this rule, the caching status will be updated, here we now have 107 hits, up from the 48 hits earlier:



Previous Post Next Post

نموذج الاتصال