
I've been working on this for about two weeks now - I feel like I'm missing something :) Here's a diagram of what I'm working on: [diagram image]

I'm using IIS to do a Reverse Proxy to provide SSL for ShinyProxy. I can't directly host ShinyProxy on Server 1 because docker won't work on it (it's older Windows server and can't run Linux containers). I'm using Auth0 for authentication using ShinyProxy's OpenID method. If I connect from within the firewall directly to the Server 2 IP address, everything works fine (login, role retrieval, etc.)

I have run into issues attempting to connect from outside the firewall. I know the method works because I have other websites hosted on VMs that are run through the reverse proxy just fine. However, with ShinyProxy I initially had the following problem:

First, connecting to ShinyProxy would result in an infinite connection loop. Upon inspecting in Google Chrome, I realized that my reverse proxy was renaming my Auth0 domain to my ShinyProxy domain, resulting in it returning to itself for authorization rather than getting it from Auth0. I tried adding

server:
  forward-headers-strategy: native

to the config, but it didn't change anything. In IIS ARR I found the setting circled below, and turned it off, which solved the loop.

[screenshot of the IIS ARR setting referred to above]

After this was done, it worked but only if I was within the firewall. Basically, I would connect to my domain name, and it would redirect to the IP. I attempted to solve this issue by using an outbound rule in the IIS URL Rewrite to rewrite the IP to my intended domain name. This worked, and I was able to connect to ShinyProxy, be redirected to Auth0 where I could log in, but when I was redirected from Auth0 back to the application I got the following ShinyProxy error:

ERROR 7044 --- [  XNIO-1 task-3] e.o.c.a.i.OpenIDAuthenticationBackend    : org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 403 Forbidden: "{"error":"unauthorized_client","error_description":"The redirect URI is wrong. You sent http://[IP_Address], and we expected http://[Domain_Name]"}"

I tried several ways of overriding my ShinyProxy redirect URI, but have not been able to get it work. Any suggestions would be appreciated, either a way to get this working, or a different approach that is simpler.

1 Answer

So I found how to get this working thanks to this post. I just needed to run %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost and everything worked, even without the outbound rule. Hopefully this helps someone in a similar situation!

  • That's actually hinted by the error message. "You sent http://[IP_Address], and we expected http://[Domain_Name]" indicates that it wants the correct Host header to be passed by ARR, and `preserveHostHeader` is just the setting for that. Next time you might learn how to capture HTTP requests/responses using a tool like Wireshark and that should give you more insights into the packets. – Lex Li Jun 29 '22 at 04:52
  • Thanks @LexLi, I'll try Wireshark next time, somehow I totally forgot about it :) part of the problem is I'm still learning IIS - I tried to make it preserve the host header through the GUI but I always got an error 500. – Adrian Cottam Jun 30 '22 at 05:47
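The following is an added example, not code from the question, the answer, or the ShinyProxy or IIS projects. It reproduces offline the mechanism behind both the question's `unauthorized_client` error and the answer's `preserveHostHeader` fix: a stand-in backend builds its OAuth2 `redirect_uri` from the `Host` header it receives (which is what Spring Security's OAuth2 client does behind ShinyProxy), and a stand-in for IIS ARR forwards a browser request either with the `Host` header rewritten to the upstream address (ARR's default behaviour) or preserved. The public hostname `shiny.example.com`, the IdP hostname `auth0.example`, the callback path `/login/oauth2/code/shinyproxy`, and the use of `127.0.0.1` as "Server 2" are all constructed placeholders for this example. The real-world fix remains the `appcmd.exe ... -preserveHostHeader:true` command given in the answer.

```python
"""Show how a reverse proxy's handling of the Host header changes the
redirect_uri an OAuth2 client sends to its identity provider."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for this example (not values from the page).
PUBLIC_HOST = "shiny.example.com"                # hostname the browser uses
BACKEND_IP = "127.0.0.1"                         # stands in for Server 2's private IP
CALLBACK_PATH = "/login/oauth2/code/shinyproxy"  # assumed Spring Security callback path
IDP_AUTHORIZE = "https://auth0.example/authorize"  # placeholder IdP endpoint


class BackendHandler(BaseHTTPRequestHandler):
    """Stand-in for ShinyProxy: derives redirect_uri from the Host header it
    sees, exactly the behaviour that makes a rewritten Host header harmful."""

    def do_GET(self):
        host = self.headers.get("Host")
        redirect_uri = f"http://{host}{CALLBACK_PATH}"
        self.send_response(302)
        self.send_header("Location", f"{IDP_AUTHORIZE}?{urlencode({'redirect_uri': redirect_uri})}")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_backend():
    """Bind the stand-in backend to an ephemeral port on the 'private' address."""
    server = HTTPServer((BACKEND_IP, 0), BackendHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def proxy_request(backend_port, preserve_host_header):
    """Forward a browser request the way an ARR-style proxy does. By default
    the Host header is replaced with the upstream address; with
    preserveHostHeader the browser's Host header is passed through unchanged.
    Returns the redirect_uri the backend embedded in its redirect to the IdP."""
    upstream_host = PUBLIC_HOST if preserve_host_header else f"{BACKEND_IP}:{backend_port}"
    conn = http.client.HTTPConnection(BACKEND_IP, backend_port, timeout=5)
    conn.request("GET", "/", headers={"Host": upstream_host})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return parse_qs(urlparse(location).query)["redirect_uri"][0]


def idp_check(sent_redirect_uri, registered_redirect_uri):
    """Mimic the IdP's exact-match redirect_uri check; the error shape follows
    the message quoted in the question."""
    if sent_redirect_uri == registered_redirect_uri:
        return {"ok": True}
    return {
        "ok": False,
        "error": "unauthorized_client",
        "error_description": (
            f"The redirect URI is wrong. You sent {sent_redirect_uri}, "
            f"and we expected {registered_redirect_uri}"
        ),
    }


def run_demo():
    """Run both proxy modes against the backend; keys are preserveHostHeader values."""
    server = start_backend()
    port = server.server_address[1]
    registered = f"http://{PUBLIC_HOST}{CALLBACK_PATH}"  # what is registered at the IdP
    results = {}
    try:
        for preserve in (False, True):
            results[preserve] = idp_check(proxy_request(port, preserve), registered)
    finally:
        server.shutdown()
    return results


if __name__ == "__main__":
    for preserve, outcome in run_demo().items():
        print(f"preserveHostHeader={preserve}: {outcome}")
```

With `preserve_host_header=False` the backend sees `Host: 127.0.0.1:<port>` and advertises a `redirect_uri` on the private address, which the IdP rejects; with it set to `True` the backend sees the public hostname and the redirect URI matches what is registered. This is also why the outbound URL Rewrite rule in the question was only a partial fix: it rewrote the response body and headers after the fact, but the `redirect_uri` sent to the IdP was still built from the wrong Host header.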