6

I have an IIS server that is hosting a number of sites and apis. These sites include Confluence and Jira instances. These products actually run their own web servers so the Application Request Routing and Url Rewrite modules are being used to reverse proxy incoming requests to documents.example.com and jira.example.com to localhost:8080 and localhost:8090 - where the confluence and jira instances are running.

Now I am trying to setup a reverse proxy to a small simple-storage-server (s3) api (minio) - that is hosted on localhost:9000 - but the s3 protocol requires that the host header is part of its Message Authentication Codes.

However, when Application Request Routing reroutes a request following a URL Rewrite rule it also rewrites the host header to reflect the new destination header.

This can be disabled by setting system.webServer.proxy:preserveHostHeaders but only in ApplicationHost.config as ARR runs at the server, not the site level.

So now I have a conundrum:

If I set this setting, then the REST APIs that use host header in their MAC can function, but Confluence and Jira as their supported reverse proxy configuration expects rewritten host headers.

For reference, this sets enables host headers to be preserved

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost
Improve this question
2
  • What do you mean by "that use host header in their MAC"? Commented Oct 24, 2018 at 14:10
  • The value of the "Host:" header field is part of the message authentication hash used by the s3 protocol to ensure the request is from someone who has an authorized api key. So if the Host header is rewritten the s3 server can't authenticate the command and fails the operation. Commented Oct 24, 2018 at 15:47

2 Answers 2

Reset to default
3

I'm struggling with the same problem. I have a solution I don't like (and I bet you won't like it either), but it does work.

If you enable preserveHostHeaders, you can then add outbound URL Rewrite rules to remap all the cases when you do want to replace host headers.

Improve this answer
1
  • I cannot make sense of your answer. Outbound rules are meant to alter responses. Here, we want to alter the host header in the request ARR will forward to the proxified server. What am I missing? Can you provide sample rule configuration code to help understand what you mean please? Commented Mar 6 at 13:48
2

When not activating preserveHostHeaders, I am unable to rewrite the host header for the proxied sites needing the original host.

But as stated by this answer, it is possible to do the opposite, activate preserveHostHeaders then rewrite the host header but for proxied sites requiring to keep their actual host. But that is not done through an outbound rule.

It is done through a server variable rewrite on the reverse proxy rule, as shown in this StackOverflow answer to another question on the subject.

So, a reverse proxy done for a site requiring to not have the original host preserved should be configured like this:

<rule name="rewrite-without-preserved-host" stopProcessing="true"> <match url="^(.*)" /> <action type="Rewrite" url="http://some.example.com/{R:1}" /> <serverVariables> <set name="HTTP_HOST" value="some.example.com" /> </serverVariables> </rule>

(Do not forget to allow setting HTTP_HOST in allowed server variable, in URL Rewrite configuration.)

The reverse proxies which have to preserve the host should not try to set the HTTP_HOST variable and should leave it to ARR through its preserveHostHeaders setting, enabled.

<rule name="rewrite-with-preserved-host" stopProcessing="true"> <match url="^(.*)" /> <action type="Rewrite" url="http://other.example.com/{R:1}" /> </rule>

See also this other related StackOverflow question and answers if need be.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.