Say you are working on a web application that includes Web API and a client component, such as Angular. It is time for you to deploy the app onto a front-facing web server in the DMZ. Your friendly security guy comes over and says “You cannot reach into our database server from DMZ. Figure something out!” This is a real scenario that I encounter quite often at my work. Yes, the application is a bit slower, but it is more secure in this three-tier environment. Essentially, what you have to do is forward the HTTP requests you are getting on a server inside the DMZ to an application server behind the firewall, which will have access to the database server. Well, you can use a trick I showed a while ago, writing a forwarding API controller. Or you can take the easier route and set up an IIS reverse proxy.
Let’s walk through these steps.
First of all, we have to install the necessary IIS components if they are not already installed. I believe they are pre-installed on Azure. They are not installed by default on Windows Server though. The easiest way to get them onto the servers is to use Web Platform Installer. These are the two components you will need: Application Request Routing 3 and URL Rewrite 2.
Go ahead and install them. Then navigate in IIS Manager to your application. Under features you will see a new button called URL Rewrite.
You may get a prompt to enable request routing. Confirm that you do.
Once the configuration opens, click on Add Rule in the top right corner of the Actions pane. You want to pick the reverse proxy rule.
You are ready to update your rule. If you follow default patterns, your Web API URLs are prefixed with “api”, such as http://localhost/api/people. If not, you are in trouble. We need to set up the rule to match the pattern.
Your pattern needs to be “api/(.*)”. You can click the Test pattern button to confirm. Just enter a few URLs to see if the pattern matches. It should. Then you want to rewrite the URL and send it to the application server behind the firewall, server2 in my case. We want to append “api” to it plus everything that follows it, shown as {R:1}. Click Apply to save. To confirm, open your web.config. It should look something like the following.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule2" stopProcessing="true">
          <match url="api/(.*)" />
          <action type="Rewrite" url="http://server2/api/{R:1}" logRewrittenUrl="true" />
          <conditions>
          </conditions>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
You can change the rule name if you want. Now, you just need to install your application one more time, this time on the server behind the DMZ. You can strip out the parts you do not need, like Angular, but they will not do any harm being there, right? This is it. You’ve set up the application as recommended.
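To check which requests the rule in the web.config above actually forwards to server2, here is an added example (not part of the original post) that models the rule's matching in JavaScript, whose regular expressions use the same ECMAScript syntax as URL Rewrite. The anchored "^api/(.*)" variant, the function names and the sample paths are constructed for illustration; the model assumes the pattern is tested against the request path without its leading slash, ignores case, and is not anchored unless the pattern says so.

```javascript
// Added example: a small model of an IIS URL Rewrite rule with a regex match.
// Assumptions: the pattern sees the path without its leading slash, matching
// is case-insensitive, and the pattern is unanchored unless it contains ^ or $.

// The rule from the web.config above, plus an anchored variant for comparison.
const generatedRule = { pattern: "api/(.*)", target: "http://server2/api/{R:1}" };
const anchoredRule = { pattern: "^api/(.*)", target: "http://server2/api/{R:1}" };

// Return the rewritten URL for a request path, or null if the rule does not match.
function applyRule(rule, requestPath) {
  const input = requestPath.replace(/^\//, ""); // "/api/people" -> "api/people"
  const m = new RegExp(rule.pattern, "i").exec(input);
  if (m === null) return null;
  // Substitute each {R:n} back-reference with the corresponding capture group.
  return rule.target.replace(/\{R:(\d+)\}/g, (_, n) => m[Number(n)] ?? "");
}

// Constructed sample paths: two API calls, one static page, and two paths
// that merely contain "api/" somewhere after the first character.
const samplePaths = [
  "/api/people",
  "/API/people/42",
  "/index.html",
  "/myapi/people",
  "/assets/api/logo.png",
];

// Evaluate every sample path against one rule.
function report(rule) {
  return samplePaths.map((p) => ({ path: p, forwardedTo: applyRule(rule, p) }));
}

for (const [name, rule] of [["generated", generatedRule], ["anchored", anchoredRule]]) {
  console.log(`${name} rule (${rule.pattern})`);
  for (const row of report(rule)) {
    console.log(`  ${row.path.padEnd(22)} -> ${row.forwardedTo ?? "served locally"}`);
  }
}
```

With the generated pattern, the last two sample paths are also sent to server2; anchoring the pattern limits forwarding to paths that begin with "api/".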
Enjoy.
Hi Sergey, how does the firewall know that it should allow the reverse proxy traffic through to the internal network?