This forum has been moved here:
Helicon Tech Community Forum

  Active TopicsActive Topics  Display List of Forum MembersMemberlist  HelpHelp   RegisterRegister  LoginLogin
ISAPI_Rewrite 2.x (Forum Locked Forum Locked)
 Helicon Tech : ISAPI_Rewrite 2.x
Subject Topic: handling redirects with authentication
Author
Message |
user12661221
Newbie


Joined: 01 June 2010
Posts: 3
Posted: 01 June 2010 at 3:54pm

We have a portal based web application on an internal
webserver (IIS 6, .NET based application). We're using
ISAPI Rewrite 2.8.0060 on a different Internet facing web
server to reverse proxy to the internal web server so our
main rule for the entire site is something like:

RewriteCond Host: www\.example\.com
RewriteProxy (.*) https\://www.example.com$1 [I,U]

www.example.com is Internet resolvable to the proxy
server and on the proxy, www.example.com resolves to the
internal web server.

We find though that without the "F" flag on the
RewriteProxy rule (as written above), ISAPI Rewrite
rewrites our web server's returned "Location: " header,
replacing it with the proxy's internal host name (which
is not Internet resolvable). Is there any way to avoid
this? We can use the "F" flag on the RewriteProxy rule
but then ISAPI Rewrite attempts to handle the redirect
internally and clobbers our authentication cookies when a
user logs in to the site. This latter potential behavior
is warned about in the documentation.

Back to Top
 
user12661221
Newbie


Joined: 01 June 2010
Posts: 3
Posted: 02 June 2010 at 2:55pm

I believe we have solved this by changing the
w3svc/UseHostName setting to False on the proxy server.
We had this set to true and for some reason that caused
ISAPI Rewrite to use the proxy server's internal host
name in the Location: header on the response. Set to
false it seems to simply pass on the Location: header
received by the web server it's proxying which is correct
and Internet resolvable.

I can't explain why ISAPI Rewrite is affected by this
setting. There are no IP addresses being used in that
header by the proxy nor our web server only hostnames.
As far as I can tell the w3svc/UseHostName is only used
to avoid leaking internal IP addresses.

If anyone has any ideas please let me know. It could be
an ISAPI Rewrite bug. Perhaps it's making assumptions
about that setting.
Back to Top
 
Lexey
Moderator Group


Joined: 15 August 2002
Location: Russian Federation
Posts: 8119
Posted: 09 June 2010 at 1:42am

ISAPI_Rewrite even does not know an internal name of your web server. So, it simply can not do the mentioned rewrite. Most probably you have seen an unmodified Location header returned by your web server.
Back to Top
 
user12661221
Newbie


Joined: 01 June 2010
Posts: 3
Posted: 11 June 2010 at 7:07am

Well, it sure could know since it's running on the same server.  It's the proxy server.  The Location header certainly does change depending on either the F flag or the w3svc/UseHostName setting.  I'm just not sure why w3svc/UseHostName is required to be the default setting of False to operate correctly with ISAPI rewrite.
Back to Top
 
Lexey
Moderator Group


Joined: 15 August 2002
Location: Russian Federation
Posts: 8119
Posted: 28 June 2010 at 4:44am

Well, I have found the root of this. Current ISAPI_Rewrite version uses SERVER_NAME and SERVER_PORT variables to build a redirect location. And the 2nd one may return either the Host name or the server's NetBIOS name depending on IIS settings.
I will modify the proxy to use HTTP_HOST variable in the next build.
Back to Top
 
ixquisite
Newbie


Joined: 13 August 2010
Location: United States
Posts: 2
Posted: 13 August 2010 at 4:43am

user12661221 wrote:
Well, it sure could know since it's running on the same server.  It's the proxy server.  The Location header certainly does change depending on either the F flag or the w3svc/UseHostName setting.  I'm just not sure why w3svc/UseHostName is required to be the default setting of False to operate correctly with ISAPI rewrite.

user12661221,

It seems to me as if you are one of the few who got authentication to work correctly using reverse proxy, am I correct?

I have been trying to get Rewrite 3 to work using reverse proxy from IIS 6 to Apache2 using basic authentication and I am failing miserably. Everything that I see so far is working but authentication.

My question for you is if you have tried Rewrite 3 as well, or did you simply use Rewrite 2 from the beginning to make reverse proxy and authentication work?

Thank you,
Wolfgang

Back to Top
 

Sorry, you can NOT post a reply.
This forum has been locked by a forum administrator.

Printable version Printable version
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum