When IIS acts as a reverse proxy, i.e. performs HTTP (port) forwarding, it requires additional configuration to work correctly with the SSO state machine.

If you are running Apache, see Configuring Apache as a reverse proxy for EasySSO. If you are running NGINX, see Configuring NGINX as reverse proxy for EasySSO.

For IIS, you need to have the URL Rewrite module installed. This is a module from Microsoft, available from https://www.iis.net/downloads/microsoft/url-rewrite

Once it is installed, the setting can be configured either via the GUI or via the web.config XML file.

The purpose of the configuration is to add a "jespa-connection-id" HTTP header whose value combines the remote client's IP address and port.

Configuring IIS via GUI

In the GUI (please note that all strings in quotes are string constants for you to enter; don't enter the quotation marks):

  1. Navigate to the specific site configuration for your Atlassian application
  2. Click the URL Rewrite icon
  3. Click "View Server Variables"
  4. Click "Add..." and add the variable "HTTP_JESPA_CONNECTION_ID"
  5. Click "Back to Rules"
  6. Click "Add Rule(s)..."
  7. Select "Inbound Rules"/"Blank Rule"
  8. Give the rule a meaningful name, for example "set Jespa-Connection-Id header for SSO"
  9. Select "Matches the pattern", "Regular expression", enter ".*" as the regex, check "Ignore case"
  10. Skip the "Conditions" section
  11. Open the "Server Variables" section
  12. Click "Add"
  13. Add "HTTP_JESPA_CONNECTION_ID", set value to "{REMOTE_ADDR}:{REMOTE_PORT}", check "Replace the existing value"
  14. Select "None" in "Action"
  15. Click "Apply" to save the rule
  16. Make sure this rule is at the top of the rules chain for the site

Configuring via web.config

If you prefer to configure this in XML, web.config needs to contain:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <allowedServerVariables>
...
                <add name="HTTP_JESPA_CONNECTION_ID"/>
...
            </allowedServerVariables>
            <rules>
...
                <rule name="set header">
                    <match url=".*" />
                    <serverVariables>
                        <set name="HTTP_JESPA_CONNECTION_ID" value="{REMOTE_ADDR}:{REMOTE_PORT}" />
                    </serverVariables>
                    <action type="None" />
                </rule>
...
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Please note that the allowed server variable list can only be altered in web.config if C:\Windows\System32\inetsrv\config\applicationHost.config has this section "unlocked", i.e. overrideModeDefault="Allow" instead of overrideModeDefault="Deny":

<sectionGroup name="rewrite">
...
    <section name="allowedServerVariables" overrideModeDefault="Allow" />
...
</sectionGroup>

If you don't want to change the settings in that file (they apply to all sites), the only alternative is to add the HTTP_JESPA_CONNECTION_ID variable to the allowed list via the GUI (see above).


Once you have reconfigured IIS this way, the telltale sign of it working is in jespa.log at log level 4: the jespa-connection-id request header, and the address prefixed to the token and AuthContext lines, show the remote client's IP address and port rather than the proxy's. Some values have been obscured with ****.

2015-03-13 19:44:37: HttpSecurityService: C: GET /rest/mywork/latest/status/notification/count
2015-03-13 19:44:37: HttpSecurityService: Request Headers: host=********* | x-requested-with=XMLHttpRequest | accept=application/json, text/javascript, /; q=0.01 | referer=******* | accept-language=en-AU | accept-encoding=gzip, deflate | user-agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) | dnt=1 | cookie=confluence-sidebar.width=55; confluence.browse.space.cookie=space-blogposts; JSESSIONID=592AF09B33C01304B1D068007FA41E93 | authorization=NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== | jespa-connection-id=172.16.9.39:62624 | x-forwarded-for=172.16.9.39 | x-forwarded-host=******* | x-forwarded-server=******** | connection=Keep-Alive
2015-03-13 19:44:37: HttpSecurityService: Loading session state from session 592AF09B33C01304B1D068007FA41E93
2015-03-13 19:44:37: HttpSecurityService: Importing provider state
2015-03-13 19:44:37: HttpSecurityService: Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2015-03-13 19:44:37: HttpSecurityService: 172.16.9.39:62624: token.length=40
2015-03-13 19:44:37: HttpSecurityService: AuthContext: 172.16.9.39:62624
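As an added check (example code written for this article, not part of EasySSO, Jespa or the URL Rewrite module), the Python below validates a web.config against the points made above (variable on the allowed list, the {REMOTE_ADDR}:{REMOTE_PORT} value, replacing any header a client may have sent, rule at the top of the chain) and tests a jespa.log "Request Headers" line for the telltale sign just described. The sample web.config is constructed from the fragment above; it is assumed that the replace attribute of the set element is what the GUI's "Replace the existing value" checkbox controls.

```python
import re
import xml.etree.ElementTree as ET

VAR = "HTTP_JESPA_CONNECTION_ID"
EXPECTED = "{REMOTE_ADDR}:{REMOTE_PORT}"

# Constructed sample: the article's web.config fragment, compacted, with the elided parts left out.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><rewrite>
  <allowedServerVariables><add name="HTTP_JESPA_CONNECTION_ID"/></allowedServerVariables>
  <rules><rule name="set header"><match url=".*" />
    <serverVariables><set name="HTTP_JESPA_CONNECTION_ID" value="{REMOTE_ADDR}:{REMOTE_PORT}" /></serverVariables>
    <action type="None" /></rule></rules>
</rewrite></system.webServer></configuration>"""

def check_web_config(xml_text):
    """Return the problems found in the <rewrite> section; an empty list means it looks right."""
    problems = []
    rewrite = next(ET.fromstring(xml_text).iter("rewrite"), None)
    if rewrite is None:
        return ["no <rewrite> section found"]
    # URL Rewrite refuses to set a server variable that is not on the allowed list.
    if VAR not in [a.get("name") for a in rewrite.findall("allowedServerVariables/add")]:
        problems.append(f"{VAR} is missing from <allowedServerVariables>")
    rules = rewrite.findall("rules/rule")
    hits = [(i, r, s) for i, r in enumerate(rules)
            for s in r.findall("serverVariables/set") if s.get("name") == VAR]
    if not hits:
        return problems + [f"no rule sets {VAR}"]
    index, rule, setter = hits[0]
    name = rule.get("name")
    if setter.get("value") != EXPECTED:
        problems.append(f"rule '{name}' sets {VAR} to {setter.get('value')!r}, expected {EXPECTED!r}")
    # Assumed: replace="false" is the XML form of an unticked "Replace the existing value" box,
    # which would let a header sent by the client survive instead of being overwritten by the proxy.
    if setter.get("replace", "true").lower() == "false":
        problems.append(f"rule '{name}' has replace=false and would keep a client-supplied header")
    # Step 16 of the GUI procedure: the rule has to be first in the chain.
    if index != 0:
        problems.append(f"rule '{name}' is rule {index + 1} of {len(rules)}, not at the top of the chain")
    match = rule.find("match")
    if match is None or match.get("url") != ".*":
        problems.append(f"rule '{name}' does not match every request (match url should be '.*')")
    return problems

CID_RE = re.compile(r"jespa-connection-id=(\d+\.\d+\.\d+\.\d+):(\d+)")
XFF_RE = re.compile(r"x-forwarded-for=(\d+\.\d+\.\d+\.\d+)")

def connection_id_is_client(log_line):
    """True when a 'Request Headers' log line's jespa-connection-id carries the address the proxy
    reports as the real client (x-forwarded-for) rather than the proxy's own address."""
    cid, xff = CID_RE.search(log_line), XFF_RE.search(log_line)
    return bool(cid and xff and cid.group(1) == xff.group(1))
```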
