Tuesday, September 9, 2008

URL Forwarding Via Reverse Proxy

For security reasons, many internet sites only allow access via certain ports, such as port 80 for ordinary HTTP and 443 for secure HTTPS.

For the official list of port numbers see www.iana.org/assignments/port-numbers.
That causes a problem when you want to have two or more web servers on the same IP address. For example, suppose you want all HTTP traffic addressed to your domain name xyz.com to go to your main web server, EXCEPT for traffic addressed to xyz.com/special which should be sent to a different web server.

That was exactly my problem; here are the details:
  • All traffic addressed to risingroad.com, regardless of port number, is sent to the IP address 64.7.134.118.

  • A Linksys router listens to all the traffic on 64.7.134.118.

  • The router forwards all traffic on port 80 to the local IP address 192.168.1.51. In this context, the router is acting like a firewall, and that firewall has port 80 "opened up" for access to a computer running inside the firewall. Some other port numbers are open as well (email, etc) but there are no other open ports available for HTTP traffic.

  • A Microsoft IIS web server is running on a Windows 2003 server at local IP address 192.168.1.51. Its purpose is to process regular HTTP traffic sent to risingroad.com.

  • A SQL Anywhere web server is running on a Windows Vista 64-bit computer at local IP address 192.168.1.52. Its purpose is to process HTTP traffic sent to the specific address risingroad.com/enwiki_search.
The following simple approach comes to mind: Open up a different port, say port 81, and have the router send port 80 traffic to 192.168.1.51 and port 81 traffic to 192.168.1.52. Other companies might not be willing to do that, but I am; why won't that work?

It won't work because other companies don't just block incoming HTTP traffic on any port other than 80, they also block outbound traffic. That means anyone using a browser inside those other companies can't get out to sites that are running HTTP servers on port 81... or even 8080 which is listed as an "HTTP Alternate".

The solution is to use a "reverse proxy" program to forward or redirect incoming HTTP traffic to the appropriate destination. I chose the IQ Reverse Proxy from Fastream Technologies.
If you find the term "reverse proxy" confusing, you're not alone. The word "proxy" might apply since the program is "acting for" HTTP servers at other locations. However, the word "reverse" just serves to obfuscate, especially since the term "port forwarding" applies to traffic going in the same direction as reverse proxy traffic. It may be simpler to think of "reverse proxy" as a "URL forwarder" or "IP redirector".
Here's how the URL forwarding works:

1. The Linksys router forwards port 80 to 192.168.1.51; ports 8080 and 81 are not open to the outside world:



2. The Fastream IQ reverse proxy program runs on 192.168.1.51 and listens to port 80:



3. The Microsoft IIS HTTP server also runs on 192.168.1.51, but it now listens to port 8080:



4. The SQL Anywhere HTTP server running on 192.168.1.52 is configured to listen to port 81:



5. The two target HTTP servers (IIS and SQL Anywhere) are defined to the Fastream IQ reverse proxy program in terms of their IP addresses and port numbers:
192.168.1.51  8080  - IIS
192.168.1.52  81    - SQL Anywhere


6. Special URL forwarding rules are defined to the Fastream IQ reverse proxy program as follows: one particular URL goes to SQL Anywhere and everything else goes to IIS:
*.//risingroad.com/enwiki_search  - goes to 192.168.1.52:81
*.//Default - goes to 192.168.1.51:8080


Tip: It may be possible to have Fastream handle URLs with GET-style parameters properly, but I couldn't figure it out; I had to use strict POST method processing for all web service parameters. That means no visible "http://x.y.com?a=...&b=..." parameters on the URLs, just the hidden POST parameters.
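
The routing decision set up in steps 5 and 6, as an added Python example (not Fastream's code or configuration, and not from the original post). It matches on the path only, so a GET query string does not change where a request goes; exact-host matching, prefix matching on a path-segment boundary and normalizing the path before matching are this example's assumptions, not documented Fastream behaviour.

```python
import posixpath
from urllib.parse import unquote

# Backends from step 5: (address, port).
IIS = ("192.168.1.51", 8080)
SQL_ANYWHERE = ("192.168.1.52", 81)

# Rule from step 6: (host, path prefix, backend). Everything else is DEFAULT.
RULES = [("risingroad.com", "/enwiki_search", SQL_ANYWHERE)]
DEFAULT = IIS


def normalize_path(request_target):
    """Decode the path part of a request target and collapse dot segments."""
    # Drop the query string and fragment: routing looks at the path only.
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    # normpath resolves "x/../y" and repeated slashes; it can leave a
    # leading "//", so rebuild the result with exactly one leading slash.
    return "/" + posixpath.normpath("/" + unquote(path)).lstrip("/")


def route(host_header, request_target):
    """Return the (address, port) backend for a Host header and request target."""
    # Host names are case-insensitive and may carry a port or trailing dot.
    host = host_header.lower().split(":")[0].rstrip(".")
    path = normalize_path(request_target)
    for rule_host, prefix, backend in RULES:
        # Match on a segment boundary so /enwiki_search_old is not caught.
        if host == rule_host and (path == prefix or path.startswith(prefix + "/")):
            return backend
    return DEFAULT


if __name__ == "__main__":
    # Constructed sample requests, not taken from real traffic.
    for target in ("/", "/enwiki_search", "/enwiki_search?a=1&b=2",
                   "/enwiki_search/../index.html", "/enwiki_search_old"):
        print(target, "->", "%s:%d" % route("risingroad.com:80", target))
```

Normalizing before matching keeps a request such as /enwiki_search/../index.html from being sent to the SQL Anywhere server; the proxy should forward that same normalized path so both sides agree on what was requested.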

5 comments:

Anonymous said...

Hi Breck,

thanks for this topic. Though it may be off-topic w.r.t. SQL Anywhere, it is really worth reading.

However, at the moment, I get the following error if I try to follow the link to http://risingroad.com/enwiki_search


"Target Server Not Found
The server(s) responsible for the requested URL "http://risingroad.com:80/enwiki_search" was not available. This could be because no servers were assigned for the URL or servers are down or unhealthy. You may want to contact the server administrator here: No webmaster email specified."

Any ideas?

Best regards
Volker

Breck Carter said...

That's the funky (and misleading) message out of the reverse proxy software when the target server is off the air. The misleading part is the port number 80. Anyway, try it now: http://risingroad.com/enwiki_search

FWIW it is the 32-bit dbsrv11 running right now, Sybase Central defaults to that when setting up a service. I will investigate later.

Anonymous said...

Thanks, Breck, it works now.

(Just to find I'm still not listed in the English Wikipedia :).

Regards
Volker

Anonymous said...

I am a newbie to ISA.

I have the following Setting.
ISA 2004 installed in the same machine (Windows 2003) where IIS 6.0 is running.

I would like to config the Reverse proxy setting in ISA which should forward HTTPS web requests (only for specific path) to a third party server and get the response to the client.

In other words,
if my client accesses https://mysite.com/spclpath/ it should go to https://thirdprtysite.com/spclpath/ (3rd party server) and fetch the webpages under it and return the response via ISA to the client.

All other requests apart from the special path should normally go to IIS server.

Could someone teach me how to achieve this in ISA?
How do I set rule for this?

I have been breaking my head for the past 3 weeks.

Breck Carter said...

Contact Microsoft for ISA support.