MicrosoftDocs · wadepickett · Dec 19, 2025 · Nov 24, 2025 · Dec 19, 2025 · Dec 19, 2025
@@ -69,6 +69,41 @@ To test that the rewrite rules generated by the rule template work correctly ope
 
 ![Screenshot of a browser window displaying a Reverse Proxy Test Page.](reverse-proxy-rule-template/_static/image22.png)
 
+## Using ARR Reverse Proxy for Tomcat Servlets
+To add defense in depth when hosting Tomcat servlets behind an IIS + ARR reverse proxy, you can use URL Rewrite rules to mitigate path traversal attacks. These attacks often exploit discrepancies in how Tomcat handles path parameters within URL segments, e.g. "/..;a=b/" as described in [Apache Tomcat Security Considerations](https://tomcat.apache.org/tomcat-11.0-doc/security-howto.html#Reverse_Proxies).
+
+### Why This Matters
+Tomcat interprets semicolon-based path parameters differently than IIS, which can lead to unexpected traversal behavior. 
+Blocking or normalizing such patterns before they get handled by ARR module helps prevent exploitation.
+
+
+If your goal is simply to block requests containing traversal attempts (such as "/..;a=b/"), you can use either wildcard or regular expression syntax.
+
+#### Wildcard rule example
+[!code-xml[Main](reverse-proxy-rule-template/samples/sample6.xml)]
+
+#### RegEx rule example
+[!code-xml[Main](reverse-proxy-rule-template/samples/sample7.xml)]
+
+### Important Notes
+- Test thoroughly in your end-to-end environment. You may need additional rules for encoded or double-encoded patterns (e.g., %252F..%253Bfoo%252F).
+- Rule order matters: Ensure blocking rules run before ARR proxy-related rules.
+- Performance trade-off: RegEx offers flexibility but incurs higher overhead.
+
+### Advanced Scenario: URL Renormalization
+If your goal is to strip path parameters and re-normalize the URL so all URL Rewrite rules apply to normalized URL, you’ll need a redirect round trip. For example:
+Input:
+/abc/..;boo/xyz/
+Redirected to:
+/abc/../xyz/ → normalized to /xyz/ → re-evaluated by rewrite rules.
+
+#### Example rule:
+[!code-xml[Main](reverse-proxy-rule-template/samples/sample8.xml)]
+
+### When RegEx Gets Too Complex
+For highly complex cases, consider [writing a custom URL Rewrite Provider](developing-a-custom-rewrite-provider-for-url-rewrite-module.md)
+
+
 ## Summary
 
 In this walkthrough you have learned how to use "Reverse Proxy" rule template to generate rewrite rules to implement a simple reverse proxy configuration in IIS. This rule template can be used as a starting point to generate the base rules which can be adjusted or modified later to address the specific routing and rewriting requirements that you have for your web application.
@@ -0,0 +1,4 @@
+<rule name="BlockDotDotWildcard" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
+ <match url="*/..;*/*" />
+ <action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="" />
+</rule>
@@ -0,0 +1,4 @@
+<rule name="BlockDotDotRegEx" stopProcessing="true">
+ <match url="\/\.\.;.*\/" />
+ <action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="" />
+</rule>
@@ -0,0 +1,5 @@
+<rule name="RenormalizeURL" stopProcessing="true">
+ <match url="^([^;]*)(;[^/]*)(/.*)$" />
+ <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
+ <action type="Redirect" url="http://{HTTP_HOST}/{R:1}{R:3}" redirectType="Found" />
+</rule>