Setting up IIS as Reverse Proxy for QPR UI

From Mea Wiki
Revision as of 11:04, 11 September 2018 by Ollvihe

Follow these instructions to route QPR UI HTTP/HTTPS traffic through IIS. This has the following advantages:

  • Access QPR UI using more standard ports (usually 80 or 443) instead of GlassFish ports (usually 8080 or 8181).
  • QPR UI can use the HTTPS connection that is configured in IIS, so there is no need to configure HTTPS in GlassFish.
  • External presentation objects and the embedded QPR Portal work better, because the browser treats them as coming from the same site and the same-origin policy does not restrict them (more information: https://en.wikipedia.org/wiki/Same-origin_policy)

Instructions:

  1. Download and run Microsoft Web Platform Installer (available at http://www.microsoft.com/web/downloads/platform.aspx). Use it to install the URL Rewrite 2.1 (or newer) and Application Request Routing 3.0 (or newer) modules. Use the search box to find these components. If you had the IIS Manager open while installing the components, restart the IIS Manager.
  2. Create the file C:\inetpub\wwwroot\EnticeServices\web.config with the following contents (also create the EnticeServices folder):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward every request under this folder to GlassFish on localhost -->
        <rule name="Reverse Proxy to EnticeServices" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8080/EnticeServices/{R:1}" />
          <!-- Save the client's Accept-Encoding, then clear it so the response
               from GlassFish is uncompressed and the outbound rule can rewrite it -->
          <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
        </rule>
      </rules>
      <outboundRules>
        <!-- Rewrite links in the response that point at the GlassFish port -->
        <rule name="Change port">
          <match filterByTags="A, Form, Img" pattern="^http://localhost:8080/(.*)" />
          <action type="Rewrite" value="http://localhost/{R:1}" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
  3. Create the file C:\inetpub\wwwroot\ui\web.config with the following contents (also create the ui folder):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward every request under this folder to GlassFish on localhost -->
        <rule name="Reverse Proxy to QPR UI" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8080/ui/{R:1}" />
          <!-- Save the client's Accept-Encoding, then clear it so the response
               from GlassFish is uncompressed and the outbound rule can rewrite it -->
          <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
        </rule>
      </rules>
      <outboundRules>
        <!-- Rewrite links in the response that point at the GlassFish port -->
        <rule name="Change port">
          <match filterByTags="A, Form, Img" pattern="^http://localhost:8080/(.*)" />
          <action type="Rewrite" value="http://localhost/{R:1}" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
  4. Open the Internet Information Services (IIS) Console, click the top level in the left side hierarchy, double-click Application Request Routing Cache, click Server Proxy Settings on the right pane, click Enable Proxy and click Apply.
  5. In the Internet Information Services (IIS) Console, click the EnticeServices folder in the left side hierarchy, double-click URL Rewrite, click View Server Variables..., and add HTTP_X_ORIGINAL_ACCEPT_ENCODING and HTTP_ACCEPT_ENCODING using the Add button. Do the same for the ui folder.
  6. In the Internet Information Services (IIS) Console, click the ui folder in the left side hierarchy, double-click HTTP Response Headers, click Add... on the right side pane, and define the following: (more information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
    • Name: X-XSS-Protection
    • Value: 1; mode=block
  7. Similarly, add the following HTTP Response Header: (more information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
    • Name: X-Frame-Options
    • Value: deny
  8. Optional (advanced): to harden security, configure GlassFish to allow incoming requests only from localhost.
  9. QPR UI can now be accessed at the URL http(s)://SERVER/ui/, where SERVER is the hostname of the server.
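
To check the result of the steps above, the following added example (not part of the original instructions or of QPR's software) audits a web.config: it confirms the proxy target stays on the local machine, lists the server variables that must be allowed in URL Rewrite, and reports missing response headers. The function name and the sample are constructed for illustration, and it assumes IIS Manager stored the response headers in the same folder's web.config under httpProtocol/customHeaders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Headers and values from the HTTP Response Headers steps on this page.
EXPECTED_HEADERS = {"x-xss-protection": "1; mode=block", "x-frame-options": "deny"}

# Constructed sample: the page's ui\web.config (outbound rule omitted) plus the two headers.
SAMPLE = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Reverse Proxy to QPR UI" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8080/ui/{R:1}" />
          <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Frame-Options" value="deny" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

def audit_web_config(xml_text):
    """Return findings for one reverse-proxy web.config (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    # Inbound rewrite targets that leave the machine (the proxy should stay local).
    remote = [a.get("url") for a in root.findall(".//rules/rule/action")
              if a.get("type") == "Rewrite"
              and urlsplit(a.get("url", "")).hostname not in LOOPBACK]
    # Server variables the rules set; each must be on the allowed list in IIS.
    variables = sorted({s.get("name") for s in root.findall(".//rules/rule/serverVariables/set")})
    # Response headers that are absent or carry a different value.
    found = {h.get("name", "").lower(): h.get("value", "").strip().lower()
             for h in root.findall(".//httpProtocol/customHeaders/add")}
    missing = sorted(n for n, v in EXPECTED_HEADERS.items() if found.get(n) != v)
    return {"remote_targets": remote, "server_variables": variables,
            "missing_headers": missing}

if __name__ == "__main__":
    print(audit_web_config(SAMPLE))
```

To audit a real file, pass its text to audit_web_config instead of SAMPLE; an empty remote_targets and missing_headers means the file matches the steps above.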


Offline installers:

URL Rewrite module:

http://download.microsoft.com/download/D/D/E/DDE57C26-C62C-4C59-A1BB-31D58B36ADA2/rewrite_amd64_en-US.msi

Application Request Routing:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=47333