Early problems with this blog and IIS Reverse Proxy

When I first began this WordPress based blog, I had it set in my mind to run this one in Ubuntu / Apache, pending experiments with Docker.

And I had planned the use of IIS Reverse Proxy.

January 2017

Initially the IIS Reverse Proxy lead to great difficulties and it turned out my aged installation on my main (at the time) Windows 8.1 based IIS Server had become subtly corrupted, causing behaviour that didn’t meet what I expected from tutorials in an exasperating and confusing way. That forced me to make a new installation – eventually becoming my post-pfSense DMZ point of entry for https.

Simplified flow diagram for reverse proxy and webserver indicating requests, responses, and how gzip fits in
Using IIS 8.5 for URL-ReWrite. Putting it in front of a simple LAMP VM (Ubuntu 16.04, Apache 2, MySql, Php) that I’m using for this WordPress blog.

SSL was at the time StartSSLStartcom for the public side, ‘though Firefox and Chrome were due to be updated January 2017, potentially distrusting that certificate. I’m using self-signed PKI (managing with XCA) for the private network side, so SSL all the way.

In order for rewriting of response content to work, that response can’t be gzipped. So I terminated the SNI (Server Name Indication) SSL with the Reverse Proxy, requested a non-gzip response – over internal SSL unfortunately (no choice) without SNI, and then gzipped it if the original (saved) request wanted it that way.

Back then (end-January 2017) I didn’t have pfSense. My organically grown network with limited BT Business Hub 3, using my 5 public IP addresses, had become progressively tangled over time with constant experimentation and profligate virtual machines and different hardware.

Setting-up the blog, I had in mind that I wanted it to be a critical document repository for my set-up, available completely independently of the internet, using its server/domain name as the url, also set in WordPress settings, and to use rewrite rules in .htaccess and on the IIS reverse proxy for headers and content, to switch between whatever external URI I gave it and the internal one. This proved to be hard work.

I wanted something I could depend on for documentation, regardless of whether the internet or my router/BT Business Hub was working correctly and without having to remember to set-up host files etc. but now I think I was just foolish. (The way I went about it).

July 2017

Now, with pfSense, I use split-DNS. Also I just set host files differently on certain machines; I’ve reset WordPress’s URL settings to simply be the blog URL, and also .htaccess on Apache to not mess with the header or content for the URL. Just in case there are any deep references to the internal domain left in any posts etc. I’m leaving my IIS Reverse Proxy rule on to change that internal name to the external URL.

Screenshot of my DMZ IIS Reverse Proxy Rewrite Rules

...

        <rewrite>
            <globalRules>
                <clear />
                <rule name="Set LETSENCRYPT if (.*).well-known/acme-challenge/(.+)">
                    <match url="(.*).well-known/acme-challenge/(.+)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <serverVariables>
                        <set name="LETSENCRYPT" value="TRUE" />
                    </serverVariables>
                    <action type="None" />
                </rule>
                <rule name="LETSENCRYPT local IP only" enabled="false" patternSyntax="ECMAScript" stopProcessing="true">
                    <match url=".*" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{REMOTE_ADDR}" pattern="^192.168.2.52|127.0.0.1|192.168.3.54|::1|fe80::a033:6bf1:2f4d:7861%3$" negate="true" />
                        <add input="{LETSENCRYPT}" pattern="TRUE" />
                    </conditions>
                    <action type="CustomResponse" statusCode="404" subStatusCode="0" statusReason="Not permitted" statusDescription="Let's Encrypt protected." />
                </rule>
                <rule name="Enforce HTTPS except localhost" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTPS}" pattern="Off" />
                        <add input="{LETSENCRYPT}" pattern="TRUE" negate="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" />
                </rule>
                <rule name="SaveHttpAcceptEncoding" patternSyntax="Wildcard">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="None" />
                </rule>
                <rule name="ARR_x_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_HOST}" pattern="x.xarta.co.uk" />
                    </conditions>
                    <action type="Rewrite" url="https://x/{R:0}" />
                </rule>
                <rule name="ARR_timeouttherapy_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_HOST}" pattern="*timeouttherapy.co.uk" />
                        <add input="{LETSENCRYPT}" pattern="TRUE" negate="true" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_HOST" value="timeouttherapy.co.uk" />
                    </serverVariables>
                    <action type="Rewrite" url="https://timeouttherapy/{R:0}" />
                </rule>
                <rule name="ARR_xarta-blog_loadbalance" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_HOST}" pattern="blog.xarta.co.uk" />
                        <add input="{LETSENCRYPT}" pattern="TRUE" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="https://xarta-blog/{R:0}" />
                </rule>
                <rule name="ARR_xarta-xarta_loadbalance" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_HOST}" pattern="*xarta.co.uk" />
                        <add input="{LETSENCRYPT}" pattern="TRUE" negate="true" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_HOST" value="xarta.co.uk" />
                    </serverVariables>
                    <action type="Rewrite" url="https://xarta-xarta/{R:0}" />
                </rule>
                <rule name="ARR_the-icons_loadbalance" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_HOST}" pattern="*the-icons.co.uk" />
                        <add input="{LETSENCRYPT}" pattern="TRUE" negate="true" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_HOST" value="the-icons.co.uk" />
                    </serverVariables>
                    <action type="Rewrite" url="https://the-icons/{R:0}" />
                </rule>
                <rule name="Maintenance Mode" enabled="false" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*MaintenanceMode.htm*" negate="true" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{LETSENCRYPT}" pattern="TRUE" negate="true" />
                    </conditions>
                    <action type="Redirect" url="http://xarta.co.uk/MaintenanceMode.htm" appendQueryString="false" />
                </rule>
                <rule name="Default WebSite" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="MaintenanceMode.htm" ignoreCase="false" negate="true" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{LETSENCRYPT}" pattern="TRUE" negate="true" />
                    </conditions>
                    <action type="Redirect" url="https://xarta.co.uk" appendQueryString="false" />
                </rule>
            </globalRules>
            <outboundRules>
                <clear />
                <rule name="RestoreHttpAcceptEncoding" preCondition="AcceptEncodingExists" patternSyntax="Wildcard">
                    <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <rule name="SimpleRewrite blog.xarta.co.uk" preCondition="IsBlogXartaCoUk" patternSyntax="ExactMatch">
                    <match filterByTags="None" pattern="blog.xarta.co.uk" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
                    </conditions>
                    <action type="Rewrite" value="blog.xarta.co.uk" />
                </rule>
                <rule name="Server Variables" preCondition="NOT-wp-admin" patternSyntax="ExactMatch">
                    <match filterByTags="None" pattern="DAVESAYSHERE" />
                    <action type="Rewrite" value="<h2>ALL_HTTP:</h2><br />{ALL_HTTP}<br /><br /><h2>ALL_RAW</h2><br />{ALL_RAW}<br /><br />RemoteAddress:...{REMOTE_ADDR}...<br />LetsEncrypt: ...{LETSENCRYPT}..." />
                    <conditions logicalGrouping="MatchAny">
                        <add input="{REMOTE_ADDR}" pattern="fe80::a033:6bf1:2f4d:7861%3" />
                        <add input="{REMOTE_ADDR}" pattern="81.137.121.100" />
                        <add input="{REMOTE_ADDR}" pattern="81.137.121.98" />
                    </conditions>
                </rule>
                <preConditions>
                    <preCondition name="IsBlogXartaCoUk">
                        <add input="{HTTP_HOST}" pattern="blog.xarta.co.uk" />
                    </preCondition>
                    <preCondition name="NOT-wp-admin">
                        <add input="{URL}" pattern="(.*)wp-admin(.+)" negate="true" />
                    </preCondition>
                    <preCondition name="AcceptEncodingExists">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern="(.+)" />
                    </preCondition>
                </preConditions>
            </outboundRules>
            <allowedServerVariables>
                <add name="HTTP_ACCEPT_ENCODING" />
                <add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" />
                <add name="HTTPS" />
                <add name="LETSENCRYPT" />
            </allowedServerVariables>
        </rewrite>

Print Friendly, PDF & Email