Reverse proxy to Virtual Directories on IIS Default Site


Reverse proxy to Virtual Directories on IIS Default Site

Postby traxtech » Aug 13 21 6:47 pm

I am currently evaluating Wingate to switch from ISA 2006 (Proxy) and Proxy Server 2.0 (Reverse Proxy) on 2 separate IP addresses. Right now, we are hosting 1 site that can be accessed through 24 different domains. All domains run the same code, but display different content based upon the header used to reach the site. Each site is setup as a virtual directory in IIS, and accessed by the "application name" in the virtual directory setup, with the physical directory being the same for all of the sites. There are other sites on the same server, also created in virtual directories, but they have unique physical directories of their own. Can a request be routed to an internal server with the IP and an "application name" as assigned in IIS for the virtual directories?

1.) Can Reverse Proxy be setup to route the request using the internal server IP plus the "application name" (i.e. - 10.0.0.76/tls), as we did in Proxy Server 2.0? Is a virtual directory reachable in that manner? We could just route all of the sites to the same virtual directory and use the startup code to read the incoming host request to determine which site to display (which is pretty much what we do now, but routing to the virtual directory plus the application name works just fine in Proxy Server 2.0). I just don't know how to do it in Wingate.

2.) Now to interfaces. There are currently 4 NICs in the test server (two with private internal IPs and two with fixed public IPs opened in the router). May I use bindings to a different external/internal adapter combination for Proxy and for Reverse Proxy? Would the Reverse Proxy have to be bound to the NIC that was NOT being used by the Web Proxy? Is it possible to use 1 server for both services? If so, is the use of 2 sets of NICs needed or required? I've been experimenting with the trial and have not yet come up with a combination. Web Proxy works just fine, but I need to address the internal server by IP and path if possible.

I was expecting to use at least 1 Enterprise license, depending upon the user limits of external internet requests. There will never be more than 3 - 4 simultaneous users using the Web Proxy Service. There might be multiple users to any one of the sites, however, at any given time. Do those connections count toward the user count?

Maybe it will require two separate machines as we now have, but the pressing need is whether Wingate can be used with scenario 1 above. Some of these sites are for pro bono organizations (food banks and C.O.P.S. groups), so we would like to keep the costs as low as possible in order to maintain some backup systems for redundancy. Since we own a bunch of ISA and Proxy 2.0 machines, the main problem with them is finding hardware old enough to run them or drivers for new hardware with the old software.

I've asked a lot of questions. Any suggestions or guidance as to my options would be greatly appreciated. If I must go ahead and purchase an Enterprise license to test all of this, then so be it. I just want to know if I'm wasting my time trying to make this work.

Sigh, and thanks for your time.....
traxtech
 
Posts: 13
Joined: Aug 04 21 4:43 pm

Re: Reverse proxy to Virtual Directories on IIS Default Site

Postby adrien » Aug 18 21 11:15 am

Hi

I'm not sure I completely understand your setup for the hosted sites, but some things to remember.

1. The host header received by the reverse proxy will be sent through to the back end server, unless you change it (there is a setting for this). So the back end server will still have the information required to choose which site to serve.

2. There is a way to alter the path information in requests, e.g. for a virtual directory, but it's problematic. Firstly you need to use flow-chart policy (which is proxy service specific, so would need to have logic to only apply to particular sites going through the reverse proxy), and secondly it doesn't inspect or provide a way to alter links that are sent back by the web application, so unless these are all relative links you can end up with broken links.

What do you do for https? Are all the domains related (e.g. can use a wildcard cert), or do you have a cert with a bunch of alternate subject names, or just not publish your sites with https at all?

Hopefully I answered your question about NICs in your other post.

As for license count, since WinGate started as a forward (internal LAN users) proxy, it doesn't distinguish between whether the users are internal to your site or external. So reverse proxy users use a license count. Also please note that reverse proxy (if you are using multiple sites, e.g. more than just default setting) requires an enterprise license.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Reverse proxy to Virtual Directories on IIS Default Site

Postby traxtech » Aug 18 21 1:10 pm

I appreciate your comments. I haven't moved to SSL/TLS yet, because I wasn't sure about being able to use Wingate.

I've just been through your reply to the NIC post, but have not gotten the results from the procedures suggested yet. I just tried again....

Wingate is obviously using only one external NIC. This NIC is the one paired for Reverse Proxy and has a gateway specified in Windows Network setup. Without that gateway, Reverse Proxy DOES NOT function. I do not have to bind it in Wingate, but it MUST BE THERE.

Reverse Proxy REQUIRES the use of a gateway specified in Windows Network setup. The other external NIC was intended to be used for Web Proxy. Any situation where a gateway is specified in Windows setup for a Windows Proxy NIC, with or without binding in Wingate, results in unwanted traffic into the system (I cannot tell which external adapter it is coming from, but stopping Proxy Service stops the traffic). So you are correct that it is not wise to bind to an external anything within Web Proxy. However, when doing that, Web Proxy USES the same external NIC as Reverse Proxy (probably because it is the only one with a gateway specified in Windows). As I said, that arrangement seems to work OK, but the fact remains that the other external interface is just sitting there (as of right this minute, it is disabled).

I just cannot seem to hit on the procedure to get both services working on separate combinations of internal and external cards without allowing the extraneous inbound traffic when Web Proxy is running. When Web Proxy is stopped, the traffic stops. But Web Proxy traffic will not utilize its own NIC without the gateway designations. It appears that Wingate only wants to use the single external IP which is specified in Windows as having a gateway.

And BTW, I handled the site problem referenced in the other post by just creating a separate site for each of the virtual directories. Each site has the same root and start document, so no real difference - just the way they did it before me. I will use a multi-site certificate (I'm trying to get them to use a wildcard cert because every site is running the same 7 pages of code in the same directory - just displaying different content from a database based upon the target URL header).

Thanks again!
traxtech
 
Posts: 13
Joined: Aug 04 21 4:43 pm

Re: Reverse proxy to Virtual Directories on IIS Default Site

Postby adrien » Aug 20 21 11:42 am

OK I understand.

It's a bit confusing talking about "gateway" when there's

a) default gateway setting in NIC in OS
b) gateway tab in www proxy in WinGate.

Of course you cannot use a NIC to talk to the internet if it doesn't have a default gateway set in its TCP/IP properties in the OS.

You can use a NIC in WinGate without anything set in the gateway tab in the proxy. It just defaults to the default OS behaviour.

Windows routing chooses an interface to use for outbound packets based on the destination address. This means mostly outbound packets will come out the interface with the default gateway entry that has the lowest metric in your OS route table. If you run a packet sniffer you would even see packets coming out interface A with interface B's source address. In the end this doesn't even matter as since you only have one gateway they are going to the same place anyway.

So my advice: enter a default gateway on both NICs. Leave gateway tabs empty in all WinGate proxies.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Reverse proxy to Virtual Directories on IIS Default Site

Postby traxtech » Aug 20 21 6:21 pm

I have tried your advised configuration more than once. Web Proxy then uses and reports the same IP address to the internet as the Reverse Proxy with no gateways added in Wingate. Disabling the external card I wanted to use for the Web Proxy has no effect on the operation of the system then. As I guessed in an earlier post, there does not seem to be any way (or advantage to) use a separate pair of NICs to separate services in one Wingate box.

I am trying one more thing tonight -- I enabled multiple networks on the extended tab and went ahead and added the gateway in Web Proxy. The system reports the correct card so far (about 3 hours) without any extraneous traffic. I am also searching for the procedure to create rules for using the interface as you also suggested, but am totally at the beginning of the curve. A little light reading.....

We'll know more in the morning.

I appreciate your time, Sir.

David
traxtech
 
Posts: 13
Joined: Aug 04 21 4:43 pm

Re: Reverse proxy to Virtual Directories on IIS Default Site

Postby adrien » Aug 20 21 6:42 pm

Hi

So I'm not sure what the problem is. Is it that a WG -> internet connection (for forward proxy / internal LAN users) uses a source IP that you don't want it to use?

For a forward proxy servicing internal LAN clients, if you have multiple external interfaces and you want to specify which one to use, you would use the gateway tab in the forward proxy, but use it only to bind to the desired interface before connecting out. This sets the source address used by the proxy->internet connection.

To use it like this you would just select "Any Gateway", and under "Source IP Address" select the interface you want it to use for the outbound connection.

Note that even though you may choose a particular interface in there, that really only affects the source IP address on the packets in that connection, and Windows routing may still pump the packets out the other interface. Return packets should go back in the correct interface though. This shouldn't prevent the TCP connections from working.

The way Windows otherwise chooses which interface to bind to (which means which IP address to use as the source) is to consult the route table. It will choose the most specific route (usually for internet this is the default route) with the lowest metric. The interface associated with this route will determine the source IP.

Yes in general there's little benefit to having multiple external IP addresses or physical interfaces, since everything uses a host header you can switch based on that (or in https switch based on the client-advertised SNI).

What do you mean by extraneous traffic?

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
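To make the two routing statements in the replies above concrete (the OS picks the most specific route with the lowest metric, and binding a source address in the proxy's gateway tab changes only the source IP, not the egress interface), here is a small route-selection model. It is an added illustration written for this thread, not WinGate or Windows code; the route table, interface names and addresses are constructed, and the function names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    interface: str
    source_ip: str  # the address configured on that interface
    metric: int


# Constructed table for the scenario in the thread: two external NICs, each with a
# default gateway entered in its TCP/IP properties, plus one internal LAN NIC.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "ext-A", "203.0.113.10", 25),
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "ext-B", "203.0.113.11", 35),
    Route(ipaddress.ip_network("10.0.0.0/24"), "0.0.0.0", "lan", "10.0.0.1", 10),
]


def select_route(table, dest):
    """Pick the route Windows-style: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def egress(table, dest, bound_source=None):
    """Return (interface, source_ip) for a connection to dest.

    bound_source models the 'Source IP Address' setting in the proxy's gateway
    tab: it overrides the source address but NOT the interface chosen by the
    route table, which is the behaviour described in the reply above.
    """
    route = select_route(table, dest)
    if route is None:
        raise ValueError(f"no route to {dest}")
    return route.interface, (bound_source or route.source_ip)


def without_default_gateway(table, interface):
    """Model removing the default gateway from one NIC's TCP/IP properties."""
    return [r for r in table if not (r.interface == interface and r.prefix.prefixlen == 0)]


if __name__ == "__main__":
    internet_host = "198.51.100.7"   # constructed public address
    print("internet  ->", egress(ROUTES, internet_host))
    print("LAN host  ->", egress(ROUTES, "10.0.0.76"))
    # Bound to ext-B's address, but the packets still leave via ext-A:
    print("bound B   ->", egress(ROUTES, internet_host, bound_source="203.0.113.11"))
    # Strip ext-A's default gateway and ext-B becomes the only way out:
    print("no A gw   ->", egress(without_default_gateway(ROUTES, "ext-A"), internet_host))
```

The third print line is the case a packet sniffer would show as "packets coming out interface A with interface B's source address"; the fourth shows why an external NIC with no default gateway never carries internet-bound traffic at all.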

Re: Reverse proxy to Virtual Directories on IIS Default Site

Postby traxtech » Aug 20 21 7:51 pm

I'm pretty sure the extraneous traffic was attaching to my forward proxy and going back out. Without my T-bird I cannot check that right now, but as I said, I enabled multiple networks, and just used the gateway tab for Web Proxy. It had been more than four hours and no extra traffic was observed. Then after fully reading your last post, I created a web access rule for Web Proxy that allows access from my internal IP range (much like the old NAT tables in Proxy 2.0 and ISA). Then I created a web access rule for Reverse Proxy allowing access only to the list of my sites.

After a couple more hours, I see only the occasional crawlers (googlebots, mozilla and amazon stuff after disconnect for the timeout period, etc.) but not the steady flow of hits from outside unknown sources. I believe this is pretty close to the way it should be, or at least as good as it's going to get unless I go back to that single external NIC configuration. Running What's my IP? is very popular around here to prove we're actually behind a proxy, and seeing the same address as the target IP for the sites still draws furrowed brows, but I can take it.

Now I just need to see the total number of licensed users it will take to keep from throwing up limit errors. One of the other habits around here is using Geopeeker to view a site from several locations at once (not really that useful, but popular among those management types who like to say we are all "world-wide"). That little visit ties up 7 licenses at once! Sigh....

I can live with the single interface if I'm sure we are not bleeding signals to the extent that it is dangerous, and right now, the current setup seems to be just fine (might have been since I enabled multiple networks - I'm not sure). As long as the system does not show the stream of unwanted activity in the morning, it will probably be a go.

Now I have to determine the number of licenses and add https. I have read and watched the videos for doing reverse proxy with and without certs, but am trying very hard to get the cert authority to let me use a wildcard-type cert for what are really very different domain names. They are, however, all the same site running the same ASP.NET code with a database driven dynamic content system based upon the URL header used to enter. Content is rotated on a schedule to provide change for the crawlers, and we monitor similar sites to see what is working for them. Of course, the food bank sites do NOT do this, but we have to pay the bills somehow by providing service to paying customers in order to finance the food bank.

It's really sort of a ministry, but it is very rewarding, especially since the pandemic began. There are a lot more people needing help now, most of them just a time or two, and very uncomfortable about visiting the food banks in the first place. The crisis is far from over around here. More than half of the people working the food banks actually qualify to be served, but deny the opportunity in order to see another family served.

I hope there are no more stupid questions to bombard you with as I finalize the license and certificate issue. You have been very patient with me and just your general description sometimes "breaks the tie" when trying to decide what to do.

If I may ever serve as a beta tester, or submit changes based upon personal experience, please let me know. I am at the proxy server almost every day for something......

Continue to be safe and well, Sir.
traxtech
 
Posts: 13
Joined: Aug 04 21 4:43 pm

Re: Reverse proxy to Virtual Directories on IIS Default Site

Postby adrien » Aug 21 21 12:00 pm

Hi

IME there's a constant stream of probes going around the common ports, and people attempting to use open proxies, mainly for spam. In this case commonly the activity window would show a CONNECT request to somewhere on port 25.

It's basically just part of the landscape, since you can't block the port or else nobody can access your sites, so these people probe your server, and if you have rules set up properly, they find they can't bounce off your server for their evil purposes. In the end it just places a small load on your log files and rule hit counts, and occasional license count.

One thing to note is that from HTTP/1.1 onwards, it was designed to re-use a persistent connection. This saves the 3-way handshake to set up a new connection for a new request that was the mode with HTTP/1.0. What this means is that WinGate tries in all cases to keep a connection open with a client, even when rejecting a request. I guess we should add the option to terminate the connection as well for the web access rules, but in the interim, for your reverse proxy rules, you could instead use a flow-chart policy to check the host header in a list of allowed sites, and if not, deny and terminate the connection (the Reject result in the flow-chart policy for the web request events allows termination of the connection as well). If you want to look into this I can help. I'd only bother if you find the spammers are tying up licenses. The other thing you can do is make the proxy close dormant connections more quickly. The default is 600s. This is the time since last request was completed before the connection will be closed.
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
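The last reply describes what the reverse-proxy rules have to sort out: requests for the published sites are allowed, everything else (open-proxy probes such as CONNECT to port 25, absolute-URI forward-proxy requests, unknown Host headers) is rejected, and because HTTP/1.1 keeps the connection open after a rejection, the reject should also terminate the connection so the probe does not sit on a license until the 600s idle timeout. The following is an added example of that decision logic written for this thread; it is not WinGate code or a WinGate policy export, the allowed host list and the sample requests are constructed, and the function names are my own.

```python
from dataclasses import dataclass

# Constructed list of the sites the reverse proxy publishes (stand-ins, not the poster's domains).
ALLOWED_HOSTS = {"www.example-foodbank.org", "www.example-cops.org"}

# Mirrors the proxy's default: close a connection 600s after its last request completed.
IDLE_LIMIT_SECONDS = 600


@dataclass(frozen=True)
class Decision:
    action: str   # "allow" or "reject"
    close: bool   # also terminate the client connection (the flow-chart "Reject" behaviour)
    reason: str


def parse_request(raw: bytes):
    """Split the request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # ValueError if not three parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def host_only(value: str) -> str:
    """Drop any :port suffix and normalise case (IPv4/hostname forms only)."""
    return value.split(":", 1)[0].strip().lower()


def decide(raw: bytes, allowed=ALLOWED_HOSTS) -> Decision:
    """Classify one request as a reverse proxy publishing only `allowed` hosts."""
    try:
        method, target, version, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError):
        return Decision("reject", True, "malformed request line")
    if method == "CONNECT":
        # Tunnel requests have no business on a reverse proxy; the spam probes
        # the reply describes look exactly like this (CONNECT host:25).
        return Decision("reject", True, f"CONNECT tunnel to {target} (open-proxy probe)")
    if target.startswith(("http://", "https://")):
        return Decision("reject", True, "absolute-URI request (forward-proxy use) on reverse proxy")
    host = headers.get("host")
    if host is None:
        return Decision("reject", True, "missing Host header")
    if host_only(host) not in allowed:
        return Decision("reject", True, f"Host {host!r} is not a published site")
    return Decision("allow", False, f"published site {host_only(host)}")


def should_close_idle(last_completed: float, now: float, limit: float = IDLE_LIMIT_SECONDS) -> bool:
    """Dormant-connection check: close once no request has completed for `limit` seconds."""
    return (now - last_completed) >= limit


def triage(requests):
    """Return (allowed, rejected_and_closed) counts over a batch of raw requests."""
    decisions = [decide(r) for r in requests]
    allowed = sum(1 for d in decisions if d.action == "allow")
    closed = sum(1 for d in decisions if d.action == "reject" and d.close)
    return allowed, closed


# Constructed sample traffic: one legitimate hit, one spam relay probe, one direct-IP
# scan, one forward-proxy attempt and one garbage line.
SAMPLE_REQUESTS = [
    b"GET /index.aspx HTTP/1.1\r\nHost: www.example-foodbank.org\r\n\r\n",
    b"CONNECT mail.example.net:25 HTTP/1.1\r\nHost: mail.example.net:25\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
    b"GET http://other.example/ HTTP/1.1\r\nHost: other.example\r\n\r\n",
    b"\x16\x03\x01garbage\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        d = decide(raw)
        print(f"{d.action:6} close={d.close!s:5} {d.reason}")
    print("allowed/closed:", triage(SAMPLE_REQUESTS))
    print("idle 700s ->", should_close_idle(last_completed=1000.0, now=1700.0))
```

Every reject here carries close=True, which is the difference the reply points out between a plain web access rule (request refused, persistent connection kept) and a flow-chart Reject that drops the connection; the idle check is what the 600s default does for connections the rules never saw a request on.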

