mod_proxy in Windows (IIS ARR?)

Forums › IT Pro and developers › mod_proxy in Windows (IIS ARR?)

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#137997 16-Dec-2013 15:20

On Linux boxes I commonly install a combination of applications on different ports bound to localhost. I then put Apache mod_proxy (with SSL) on the network adapter. I'm now looking at doing the same in Windows (one application on ROOT, another on a named context). A local instance of ISA/TMG is not the solution I've considered, but maybe it's the only way (it's got a lot of features I don't need)?

wasabi2k

2096 posts

Uber Geek

#953117 16-Dec-2013 15:32

What exactly are you trying to achieve?

Multiple websites with SSL on a single IP? Why?

ISA/TMG is end of life and won't do what you want it to.

You can do it with URL Rewrite and ARR but it's pretty ugly.

http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

Why do you want to do this?

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#953146 16-Dec-2013 16:12

I want to have multiple applications on a single host, presented as a single URL, keeping unencrypted traffic limited to localhost.

i.e. a legacy application with no SSL support runs on 8090 under /oldapp context, while new app runs in ROOT context on default port, so in Apache I would add a VirtualHost with these mod_proxy directives (example excludes SSL directives):

ProxyPass /oldapp http://127.0.0.1:8090/oldapp
ProxyPassReverse /oldapp http://127.0.0.1:8090/oldapp
ProxyPass / http://127.0.0.1/
ProxyPassReverse / http://127.0.0.1/

so when the users access our.intranet.com, then get the new app, but if they access our.intranet.com/oldapp then get the old app, but it all appears under the same URL. I've read quite a bit of the ARR documentation and I'm pretty sure it will do the same features, but I'm just not googling the right keywords.

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#953147 16-Dec-2013 16:14

wasabi2k: What exactly are you trying to achieve?

Multiple websites with SSL on a single IP? Why?

ISA/TMG is end of life and won't do what you want it to.

You can do it with URL Rewrite and ARR but it's pretty ugly.

http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

Why do you want to do this?

Note: this is the base documentation I've been trying to apply, but instead of three hosts, I have one, with ARR, and, given their example, webmail and payroll all bound to localhost (using different posts). Maybe it just can't be done that way and each application has to be bound to a network adapter with the same port that will be used by ARR?

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#953480 17-Dec-2013 08:27

wasabi2k: What exactly are you trying to achieve?

Multiple websites with SSL on a single IP? Why?

ISA/TMG is end of life and won't do what you want it to.

You can do it with URL Rewrite and ARR but it's pretty ugly.

http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

Why do you want to do this?

I suspect the root problem is at the proxy enabling phase, where "default setting" does not work (I suspect the documentation is for version 1 and not updated for version 2. If I try an enable the URL rewrite feature I have to enter a Reverse proxy. I've hibernated the machine and abandoned it, I'll rebuild it in Linux.

Maybe this only works with IIS sites?

Regs

4066 posts

Uber Geek

Trusted

Snowflake

#953509 17-Dec-2013 09:24

If I understand your issues correctly, I believe that ISA/TMG would work, and it will be supported for a while yet.

Web Application Proxy, new to Windows Server 2012 R2, may also fit the bill: http://technet.microsoft.com/en-us/library/dn280944.aspx

when you say 'legacy app with no ssl support' - does it use a bunch of hard-coded URLs instead of relative paths? If so then url-rewrite might be required.

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#953514 17-Dec-2013 09:28

ps. I refreshed the install to ARR v3, with URL Rewrite module v2, which made the template referenced here available : http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-rule-template

After applying the rule, still no proxy action is performed. The documentation makes not reference to any settings in Proxy Type (see image above), which I am convinced is needed to make this do anything (which I believe is the IIS equivalent of Apaches "LoadModule proxy_module modules/mod_proxy.so").

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#953517 17-Dec-2013 09:32

Regs: If I understand your issues correctly, I believe that ISA/TMG would work, and it will be supported for a while yet. Web Application Proxy, new to Windows Server 2012 R2, may also fit the bill: http://technet.microsoft.com/en-us/library/dn280944.aspx

when you say 'legacy app with no ssl support' - does it use a bunch of hard-coded URLs instead of relative paths? If so then url-rewrite might be required.

No, the legacy application has a "base URL" configuration so it will work with a reverse proxy. ISA/TMG would incur another license which is why I'm steering away from it currently. It also does not require context rewrite because it has a context configuration also, so what I want to apply is a URL rewrite and SSL, i.e. https://blahblah.com/context to http://localhost:81/context

AliExpress

Shop now on AliExpress (affiliate link).

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#953791 17-Dec-2013 15:39

By installing ARR v3 and URL Rewrite v2 separately I was able to get the reverse proxy rule template. This would have worked but there were previous configurations stuck in the underlying web.config which did not display in the GUI. I cleaned out the file, created new rules based on the reverse proxy template and with some tweaking, I got this working with the following configuration:

Important aspects for the first (non ROOT) rule were using /context/{R:1} not /{R:0}, and setting stopProcessing

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#953794 17-Dec-2013 15:48

A side effect of this is that IIS is providing a local SSO for the two sites (as both are basic auth, ARR is passing through the credentials captured for the first application accessed to both applications).