Simplified visual representation of reverse proxy and gzip flow

Simplified flow diagram for reverse proxy and webserver indicating requests, responses, and how gzip fits in
Using IIS 8.5 for URL Rewrite. Putting it in front of a simple LAMP VM (Ubuntu 16.04, Apache 2, MySQL, PHP) that I’m using to get WordPress working on Linux (used to have it directly on a Windows / IIS set-up). SSL (currently StartSSL (StartCom) for the public side, 'though Firefox and Chrome update this month – January 2016, might distrust my issued certificate). I’m using self-signed PKI (managing with XCA) for the private network side, so SSL all the way.

Why I’m doing this, and what isn’t working

I want to move my WordPress-based websites, including this new/fresh blog site, from Windows/IIS to individual Linux-based Docker containers running on very lean, electrically low-power hardware. I want much more control. I want each container/site to be independent in terms of host-domain and internal SSL. Eventually I’d like to use an nginx front-end (reverse proxy) – maybe on a Raspberry Pi. And maybe Redis in a Docker image, so together with some Docker management I can scale up from low-power to higher-power VMs running other Docker images. In the meantime, I’m using my current IIS 8.5 installation running in a Windows 8.1 VM as a reverse proxy, and for Application Request Routing.

The internal SSL is there out of principle, and part of my network hardening plans, particularly as my IoT project will include actuators. And obviously I use public-facing SSL, so there has to be SSL off-loading on the reverse proxy. The reverse proxy includes outbound rewrite rules (from the internal server) to rewrite any instance of the internal server address to the public-facing address. But in order to do that, the response from the internal server can’t be encrypted. So the reverse proxy stores the “accept_encoding” part of the request header from the client, so it can set it to an empty string when passing the request to the internal server, prompting it to respond without compression. The idea is that the reverse proxy then restores the “accept_encoding” part of the header, before the dynamic compression module on the reverse proxy sees it. I can’t get it to work, after many days of trying different solutions and permutations. I know gzip works on my other sites running on the IIS performing the reverse proxy function for this particular site (so far).
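
The header handling described above, sketched as an IIS URL Rewrite `web.config` fragment. This is an added example, not the author's configuration: the host names `internal.example` and `www.example.com`, the rule names and the `HTTP_X_ORIGINAL_ACCEPT_ENCODING` variable name are assumptions.

```xml
<!-- Goes inside <system.webServer> of the reverse-proxy site.
     HTTP_ACCEPT_ENCODING and HTTP_X_ORIGINAL_ACCEPT_ENCODING must first be
     added to the server-level allowedServerVariables list, otherwise URL
     Rewrite refuses to set them. -->
<rewrite>
  <rules>
    <rule name="ProxyToInternal" stopProcessing="true">
      <match url="(.*)" />
      <serverVariables>
        <!-- Save what the client asked for ... -->
        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
        <!-- ... then blank it so the backend answers uncompressed. -->
        <set name="HTTP_ACCEPT_ENCODING" value="" />
      </serverVariables>
      <!-- Placeholder internal host; TLS is kept on the private side. -->
      <action type="Rewrite" url="https://internal.example/{R:1}" />
    </rule>
  </rules>
  <outboundRules>
    <!-- Put the client's original value back so that compression on the
         proxy can decide based on what the browser really accepts. -->
    <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
      <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
      <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
    </rule>
    <!-- Rewrite internal addresses in HTML links to the public address.
         This only works on a response body that is not compressed. -->
    <rule name="InternalToPublic" preCondition="ResponseIsHtml">
      <match filterByTags="A, Form, Img, Link, Script"
             pattern="^https://internal\.example/(.*)" />
      <action type="Rewrite" value="https://www.example.com/{R:1}" />
    </rule>
    <preConditions>
      <preCondition name="ResponseIsHtml">
        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
      </preCondition>
      <preCondition name="NeedsRestoringAcceptEncoding">
        <!-- Only restore when the client actually sent Accept-Encoding. -->
        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
```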
