4

I am having an issue with accessing MDS via a reverse proxy. Below is the simplified network diagram of my infra setup.

So, basically I have 2 app servers for SSRS and MDS respectively and one web server. Plus there is a load balancer which serves requests to the web server. I am using Basic Authentication everywhere.

I have a reverse proxy set up at the web server which rewrites the URL to the MDS or SSRS server based on /mds or /reports.

Inbound Rule -

<rules>
    <rule name="SSRS Reverse Proxy" stopProcessing="true">
        <match url="^reports/(.*)" />
        <action type="Rewrite" url="http://App1_IP/{R:0}" logRewrittenUrl="false" />
        <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
        </serverVariables>
    </rule>
    <rule name="SSRS Report Server Reverse Proxy" stopProcessing="true">
        <match url="^reportserver/(.*)" />
        <action type="Rewrite" url="http://App1_IP/{R:0}" logRewrittenUrl="false" />
        <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
        </serverVariables>
    </rule>
    <rule name="MDS Reverse Proxy" stopProcessing="true">
        <match url="^mds/(.*)" />
        <action type="Rewrite" url="http://App2_IP/{R:0}" logRewrittenUrl="false" />
        <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
        </serverVariables>
    </rule>
</rules>

Outbound Rule -

<outboundRules>
    <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
        <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://App1_IP/(.*)" />
        <action type="Rewrite" value="http{R:1}://WebServer_IP/{R:2}" />
    </rule>
    <rule name="ReverseProxyOutboundRule2" preCondition="ResponseIsHtml1">
        <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://App2_IP/(.*)" />
        <action type="Rewrite" value="http{R:1}://WebServer_IP/{R:2}" />
    </rule>
    <rule name="ResponseAcceptEncoding" preCondition="NeedRestoringAcceptEncoding">
        <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
        <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
    </rule>
    <preConditions>
        <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
        </preCondition>
        <preCondition name="NeedRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".*|" />
        </preCondition>
    </preConditions>
</outboundRules>

The SSRS rule is working fine. But when a user accesses MDS, the page is not displayed properly and it keeps prompting for a username and password. When I look at the network traffic, it seems calls to a few JavaScript files and to /MDS/api/ are unauthorized.

I am not sure what is going wrong and why ssrs is ok but mds is not. Appreciate any pointers.

Thanks.

Update (20191008) -

The console panel was showing errors related to "Access-Control-Allow-Origin", so I have added the custom headers in the MDS website. But the issue remains.

Update (20191009) -

I think I have pinpointed the issue. I compared the request headers when calling the app server directly and then through the reverse proxy. I realized that when calling through the proxy, the "Authorization" header is missing. It seems like the proxy drops the Authorization header.

Is this usual behaviour? How do I enforce the Authorization header when calling through the proxy?

And why is it working with SSRS and not with MDS?

Prateek Singh

1 Answer

0

You really should replace WebServer_IP in your outbound rewrite rules with {HTTP_HOST} (I assume that is the correct notation for IIS; it should resolve to the host requested by the client). This should keep the CORS mechanism from kicking in (and possibly avoid problems with SSL certificates, NATting, and local hosts or DNS entries needed to access the service).

Also, if CORS is in place, you would need some special CORS configuration to allow the browser to send credentials.

In addition, you could post more details of the error messages from the console ('related to "Access-Control-Allow-Origin"' is quite vague).

EOhm
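
The answer's point about the fixed WebServer_IP, as an added example that is not part of the original question or answer: it applies the pattern and action of ReverseProxyOutboundRule2 to a constructed HTML fragment and lists the rewritten links whose origin differs from the page the browser loaded. The host names and the fragment are constructed placeholders, and the {HTTP_HOST} case is modelled by passing the client's requested host as the rewrite target.

```javascript
// Added example: models the outbound rewrite rule from the question and
// reports which rewritten links end up cross-origin for the browser.
// All hosts below are constructed placeholders, not values from the post.
const APP2 = "app2.internal.example";     // stands in for App2_IP
const WEB_SERVER = "192.0.2.10";          // stands in for WebServer_IP
const CLIENT_HOST = "portal.example.com"; // host the browser asked for (load balancer)

// Same pattern as ReverseProxyOutboundRule2: ^http(s)?://App2_IP/(.*)
const rulePattern = new RegExp("^http(s)?://" + APP2.replace(/\./g, "\\.") + "/(.*)");

// Apply the rule's action "http{R:1}://<target>/{R:2}" to one URL.
function rewriteUrl(url, targetHost) {
  const m = rulePattern.exec(url);
  if (!m) return url;                       // rule does not match: left untouched
  return "http" + (m[1] || "") + "://" + targetHost + "/" + m[2];
}

// Rewrite href/src/action attribute values in an HTML response body.
function rewriteHtml(html, targetHost) {
  return html.replace(/\b(href|src|action)="([^"]*)"/gi,
    (_, attr, url) => attr + '="' + rewriteUrl(url, targetHost) + '"');
}

// List URLs in the page whose origin differs from the page's own origin.
function crossOriginUrls(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const found = [];
  for (const m of html.matchAll(/\b(?:href|src|action)="([^"]*)"/gi)) {
    const resolved = new URL(m[1], pageUrl);  // relative URLs keep the page origin
    if (resolved.origin !== pageOrigin) found.push(resolved.href);
  }
  return found;
}

// Constructed backend response fragment.
const backendHtml =
  '<script src="http://' + APP2 + '/mds/Scripts/app.js"></script>' +
  '<form action="http://' + APP2 + '/mds/api/models"></form>' +
  '<a href="/mds/help">Help</a>';

const pageUrl = "http://" + CLIENT_HOST + "/mds/";
const fixedIp = crossOriginUrls(rewriteHtml(backendHtml, WEB_SERVER), pageUrl);
const hostHeader = crossOriginUrls(rewriteHtml(backendHtml, CLIENT_HOST), pageUrl);

console.log("fixed WebServer_IP ->", fixedIp);
console.log("{HTTP_HOST} value  ->", hostHeader);
```

With the fixed IP as the target, the script and form URLs point at a different origin than the page, which is the condition under which the browser applies CORS; with the requested host as the target, every link stays same-origin.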