Beginner Q: Reverse proxy from IIS6 to Apache2

Topics: Developer Forum, User Forum
Aug 10, 2010 at 2:57 AM

Hi everyone,

Sorry for asking some basic question(s). After studying URLrewriter and working with it for a while, I may come in with a different view at Ionics Isapi Rewriter than I actually should have. Maybe I need to get some terminology straight, but I am sure there are a few folks on here that will be able to help.

Let me start off with a 10,000ft overview: I have a MS Windows 2003 Server IIS6 machine, which is the primary target for inbound WAN connections. So all port 80 communication goes to the MS Win 2003 box with IIS6. Inside the LAN I got another machine with Apache2 running. I would like to simply route traffic from IIS6 to Apache - not redirect, but simply rewrite some URL headers, since redirect would require me to publish a different URL and port number.

In other words, I may have a site http://www.mydomain.com and a subpage http://subpage.mydomain.com - the first would go to IIS and be handled on Windows Server, the second should be reverse proxied ("reverse proxy") from Windows to Apache2. I found some articles in this forum from 4/2008 time frame that state that reverse proxy is not available with Ionics. However, the Operator's Guide clearly spells out "reverse proxy" for the "ProxyPass" function (maybe a feature added in a later version).

So, while I was using "RewriteRule" with "URLrewriter", I am wondering if that function does something other than reverse proxy for Ionics. Do I need to use ProxyPass instead, or will I have to use "RewriteRule" with Ionics as well for being able to have certain pages served from the Apache2 server rather than IIS6?

You may be asking why I am not using URLrewriter any longer? - Well, that answer unfortunately is pretty simple as URLrewriter is not able to handle (basic) authentication correctly using reverse proxy. I know digest authentication would never work, so I tried my luck with basic authentication.

Now I want to find out if "Ionics Isapi Rewrite Filter" will be able to handle that any better.

One of the basic setup questions that remains is also how to configure and set up IIS6 correctly so that Ionics will e.g. handle requests for http://subpage.mydomain.com but not http://www.mydomain.com? I have created a virtual site called subpage.mydomain.com and pointed that to a specific folder beneath wwwroot. I have placed a special iirf.ini file in that folder and made sure that the global iirf.ini will include it. However, when I enter subpage.mydomain.com in the web browser on the IIS6 machine, I get a 403 error response.

Setup so far:

D:\Inetpub\wwwroot\IIRF.INI

#
#  IIRF.INI file
#  http://iirf.codeplex.com
#
RewriteLog D:\Temp\iirf
RewriteLogLevel 5
IncludeIni D:\Inetpub\wwwroot\hosted_sites\subpage\iirf.ini

D:\Inetpub\wwwroot\hosted_sites\subpage\iirf.ini

#
#  IIRF.INI file
#  http://iirf.codeplex.com
#
IterationLimit 10
MaxMatchCount 10
RewriteEngine ON
StatusInquiry ON
ProxyPass .*.com(/?(subpage)?/?)?/?(.*) http://apache2/subpage/$3 [P]

BTW: The page http://apache2/subpage/ does pull up nicely within IE7 on the Windows 2003 Server box when entered directly. Basic authentication is working as well when used this way.

So, I guess the two main questions are:
1) Will I have to use "RewriteRule" or "ProxyPass" - or will none of them work for what I need?
2) What configuration changes are necessary for IIS6 to initiate Ionics rather than trying to find the page locally? Will a Web.config be required and if so, what content will be necessary?

Thank you all for your help in advance - I hope it will help somebody else as well!
Wolfgang

Coordinator
Aug 10, 2010 at 11:37 AM
Edited Aug 13, 2010 at 5:10 PM
Hi wolfgang, I suggest you read the documentation. In it, you will find the answers to your questions, namely, that ProxyPass is the same as RewriteRule with the [P] modifier, and all config is read from Iirf.ini, never from web.config. Good luck.
Aug 11, 2010 at 3:43 AM
Cheeso wrote:
Hi wolfgang, I suggest you read the documentation. In it, you will find the answers to your questions, namely, that ProxyPass is the same as RewriteRule with the [P] modifier, and all config is read from Iirf.ini, never from web.config. Good luck.

Hi Cheeso,

I did read the documentation (quite a bit of it actually) and there is not a single mention of "web.config". So I was not sure if it is simply not needed or if it was left out. Again, I may have had some different perception since another tool here on codeplex does require that file.

Lesson learned: Thank you for clarifying that with Ionics ISAPI Rewrite Filter no web.config will be required, actually, it does not do anything for IIRF.

A couple of things I have been able to fix since the posting:
I changed RewriteEngine from OFF to ON in the IirfGlobal.ini file. I was under the impression that the global setting would turn off the RewriteEngine for every virtual site on the server, but that the local iirf.ini file had the power for turning that option on for a single virtual directory/site. The documentation in respect to "RewriteEngine" for the "IirfGlobal.ini" file is simply poorly written. A one liner stating that a single RewriteEngine specified as OFF within IirfGlobal.ini will set all RewriteEngines to OFF, no matter if a RewriteEngine as part of a virtual web site is set to ON or OFF. Also, RewriteEngine as part of the IirfGlobal.ini set to ON does not really make sense, because the OFF setting of an iirf.ini of a virtual web site will overwrite the global setting to off. It's just that the RewriteEngine inside IirfGlobal.ini set to OFF will overwrite all iirf.ini to OFF.

Lesson learned: RewriteEngine set to OFF as part of the IirfGlobal.ini will overwrite all RewriteEngine settings of all iirf.ini and set them all to OFF. The RewriteEngine setting of the IirfGlobal.ini will basically enable or disable RewriteEngine settings of the iirf.ini files (that’s probably the best way to describe it).

You are saying that ProxyPass can be replaced with RewriteRule with the [P] modifier. The documentation says that the options etc. work exactly the same and ProxyPass references the RewriteRule documentation. Now, I have tested RewriteRule and used the [P] modifier as I would have done with other tools. Works great!

Lesson learned: ProxyPass seems to be obsolete, redundant and confusing (at least to me). Simply use RewriteRule with [P] modifier for Reverse Proxy and life is good.

Further, I got everything to work for real basic and simple web sites not requiring any authentication. Unfortunately, another lesson learned is that Ionics Isapi Rewrite Filter (IIRF) is not able to handle basic authentication properly from IIS 6.0 using IE v7 reverse proxy to Apache2. While the Apache2 site called directly from within IE on the Windows 2003 Server machine using IIS6 works fine, if called from externally and reverse proxy through IIS 6 to Apache2, basic authentication does not work – at least for my test environment that is.

I hope some other folks potentially new to this topic of reverse proxy on IIS6 will find this post useful.
Good luck with everything!
Wolfgang

Aug 14, 2010 at 6:26 AM
Edited Aug 14, 2010 at 7:37 AM
ixquisite wrote:
Cheeso wrote:
Hi wolfgang, I suggest you read the documentation. In it, you will find the answers to your questions, namely, that ProxyPass is the same as RewriteRule with the [P] modifier, and all config is read from Iirf.ini, never from web.config. Good luck.

 

Hi Cheeso,

I could probably rewrite your documentation now in case you were to lose the last backup file of that. Bottom line, I am not having much success with basic authentication that is requested by Trac running on my internal Apache2 server behind the IIS6 server. I have installed iirf 2.1 beta and am wondering if I need to give it one last try with a different version. Before I do that, I wanted to check with you, if basic authentication has been tested and confirmed to be working using reverse proxy from IIS6 to Apache2. Do you have that info by any chance?

For illustration purposes, I came up with a simple graphic that outlines what I am trying to accomplish.
[Image: Graphic of the two servers inside of the firewall but having issues passing authentication information correctly from the IIS6 server to Apache 2]
(Important note: I just want to make clear that I have tried everything from "userid", "userid@sub", "userid@authname", "sub\userid", but none of these options would work.)

I have no idea how to trace what info gets sent from one logon window versus the other to the Apache2 server when using reverse proxy. My last resort would be to use WireShark and figure that out.

If you have some idea, please let me know. Thank You!
Wolfgang
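
The comparison described in the last post (what the direct logon sends to Apache2 versus what arrives through the reverse proxy), as an added example that is not part of the original thread or of IIRF: it summarises the Host and Authorization headers of two raw HTTP requests, such as ones copied out of a packet capture on the Apache2 side, and reports only the password length. The function names, the sample requests and the password "secret" are constructed for illustration and do not represent what IIRF actually forwards.

```python
import base64

def parse_headers(raw: bytes) -> dict:
    """Headers of a raw HTTP/1.x request, keyed by lower-cased name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def describe_auth(raw: bytes) -> dict:
    """Summarise Host and Authorization without exposing the password."""
    headers = parse_headers(raw)
    info = {"host": headers.get("host"), "scheme": None,
            "user": None, "password_len": None}
    value = headers.get("authorization")
    if value is None:
        return info  # no credentials reached this hop
    scheme, _, token = value.partition(" ")
    info["scheme"] = scheme
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            info["user"] = "<undecodable>"
            return info
        user, sep, password = decoded.decode("utf-8", "replace").partition(":")
        info["user"] = user
        info["password_len"] = len(password) if sep else None
    return info

def diff_auth(direct: bytes, proxied: bytes) -> list:
    """Names of the summary fields that differ between two captures."""
    a, b = describe_auth(direct), describe_auth(proxied)
    return [key for key in a if a[key] != b[key]]

def sample_request(host: str, credentials: str = None) -> bytes:
    """Constructed stand-in for a captured request (not real traffic)."""
    lines = ["GET /subpage/ HTTP/1.1", f"Host: {host}"]
    if credentials is not None:
        token = base64.b64encode(credentials.encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

DIRECT = sample_request("apache2", "userid:secret")
PROXIED = sample_request("subpage.mydomain.com", "sub\\userid:secret")
```

Calling `diff_auth(DIRECT, PROXIED)` lists the fields that changed between the two hops; with real captures, pass the raw request bytes in place of the constructed samples.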