This article describes the steps that need to be followed so that the Runtime in IIS runs behind a reverse proxy where the X-Forwarded headers are set.
X-Forwarded Headers
It is not uncommon when installing Blueriq on a virtual machine in the cloud to not expose the machine directly to the internet, but to configure it behind a reverse proxy. This is done to limit direct access to virtual machine and to only allow traffic over ports 80 and 443. When this is done you will need to configure the X-Forwarded headers for the Runtime to work as intended. The Blueriq Runtime uses HATEOAS to construct urls to where resources can be found, HATEOAS itself uses the X-FORWARDED headers to determine the original request url which was used to reach the Blueriq Runtime. Without configuring the X-Forwarded headers, the Runtime would return build resource urls based on the request it got from the reserve proxy.
For example:
- The internet facing request coming in on the dns name test.example.com.
- The requests from test.example.com go to the proxy on 10.0.12.1.
- The proxy will send the request to the Blueriq server.
Without configuring the X-Forwarded headers on the proxy the following will happen when sending a request to test.example.com/Runtime.
- A request is made to test.example.com/Runtime → request is https://test.example.com/Runtime
- The request is proxied through 10.0.12.1 → new request is http://10.0.12.1/Runtime
- The Runtime will return a resource links for → http://10.0.12.1
When the X-Forwarded headers are configured in the proxy to take over the original request details, the Runtime will be able to determine the correct resource urls.
Blueriq Installer
Out of the box the Blueriq installer will already configure two X-Forwarded headers; X-Forwarded-Proto, and X-Forwarded-Host. This is done due to that Blueriq uses IIS to proxy requests to internal addresses for the Runtime and Studio applications. Without the X-Forwarded headers the local address of the machine would be used to create resource urls, instead of the incoming request url.
Reconfiguring the X-Forwarded headers
Due to that Blueriq already configures the X-Forwarded headers out of the box we need to adjust them to work behind a proxy itself, as we do not want to reconfigure X-Forwarded headers of the proxied request. When doing so you will build resource urls based upon the proxied request url instead of the original request url.
In case when Runtime is served via IIS which is configured to proxy request to actual Runtime url, just like it done when using the Blueriq Installer to setup a Blueriq environment.
- Go to Internet Information Services (IIS) Manager.
- Select the Runtime folder in Blueriq site and from the Features view, open the "URL Rewrite" feature.
- In the URL Rewrite feature view select "ReverseProxyInboundRule", and from the Inbound Rules click the "Edit..." action.
- In the Edit Inbound Rule scroll down to the Server Variables and select the "HTTP_X_FORWARDED_PROTO" variable, click on "Edit..."
- In the Set Server Variable window check off the "Replace the existing value" checkbox, and click on "OK" to save setting. This is done to keep the existing X_FORWARDED_PROTO header from the proxy.
- In the Actions menu select "Apply", to save the Inbound Rule settings.