Windows – Publishing multiple web servers with reverse proxy on localhost, retaining original client IP and hostname

Tags: isa-server, microsoft-ftmg-2010, reverse-proxy, windows

I have been using ISA on Windows Server 2003 to publish multiple web servers hosted on the same machine. Setup as follows:

  • ISA HTTP/S listener bound to 127.0.0.1 + external IP
  • IIS bound to 127.0.0.2
  • Apache bound to 127.0.0.3
  • Python web application bound to 127.0.0.4
  • Custom applications bound to 127.0.0.x

I could route requests depending on the hostname to the specific server by setting up publishing rules in ISA. ISA allowed me to retain the original client IP and the requested hostname, and had a lot of other features like request validation, URL mapping and rewriting and caching.

Now I'm on Windows Server 2008 R2; ISA doesn't work here, TMG is a huge PITA (and doesn't even work with my IP setup at all – default gw 10.255.255.1, subnet mask 255.255.255.255), and ISA generally proved to be difficult when it came to RPC and other internal network traffic. So I'm looking for a way to do the same, especially when it comes to retaining the original client IP. I tried Faststream IQ Proxy, which looked promising, especially because it installed its own NDIS driver, and server publishing worked fine, but the client IP is always lost. Delegate and Squid may be candidates, but they don't install any network layer drivers, so it seems impossible for them to retain the originator IP.

I'm currently running IIS on the external IP and 127.0.0.1 and using ARP with Reverse Proxy to publish other servers, however it doesn't work too well, and the client IP is still lost for the proxied servers. To be honest, it's shit, and I am truly sorry that IIS 7.5 still does not include a viable reverse proxy solution like ISA did years ago.

Does anyone know of software that achieves the same web server publishing effects as ISA, preferably with a decent GUI (I could also live with configuration files though), that reverse proxies requests to local web servers without losing hostname information and the original client IP? Or am I doomed to get TMG to work in my setup?

Best Answer

You probably don't need to retain the original IP in the actual TCP header. Many reverse proxy setups will allow passing the original IP address the request was made from as an HTTP header. (See for example: Squid configuration directive forwarded_for.)

Apache with mod_proxy would also do the trick, and will also add X-Forwarded-For headers for reverse-proxied traffic. This might be convenient since you already have Apache running on the machine.
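The answer's approach only works safely if the backend trusts `X-Forwarded-For` from the proxy and nothing else: any client can send that header itself, so a backend that reads it blindly will log and rate-limit whatever address the client chose. The following is an added example, not code from the question or the answer, written for the Python web application in the asker's layout. It assumes the reverse proxy is the only thing on `127.0.0.1` and that the backend listens on another loopback address (`127.0.0.4` in the question); `TRUSTED_PROXIES`, `real_client_ip`, `ProxyFixMiddleware` and the sample addresses are all constructed for the example. The hostname side is left to the proxy: the middleware reads `Host` as forwarded, so the proxy must pass the original one through (for Apache mod_proxy that is `ProxyPreserveHost On`).

```python
import ipaddress
from typing import Iterable, Optional

# Addresses the backend accepts as its reverse proxy. In the question's layout
# the proxy listens on 127.0.0.1 and each backend on another loopback address,
# so only 127.0.0.1 is trusted here (assumption for this example).
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def _parse_ip(value: str):
    """Return an ip_address object, or None for anything that is not a literal IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def real_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                   trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the client IP as the reverse proxy saw it.

    The TCP peer (remote_addr) is authoritative. X-Forwarded-For is consulted
    only when that peer is one of our proxies. The list is then walked from
    the right: each trusted proxy appends the address it received the request
    from, so the rightmost entry that is NOT a trusted proxy is the real
    client. Everything left of it was supplied by the client and is ignored.
    """
    trusted = set(trusted)
    peer = _parse_ip(remote_addr)
    if peer is None or peer not in trusted or not x_forwarded_for:
        return remote_addr  # direct connection, or no header: use the socket peer
    for hop in reversed([_parse_ip(h) for h in x_forwarded_for.split(",")]):
        if hop is None:
            break  # malformed entry: stop trusting anything to its left
        if hop not in trusted:
            return str(hop)
    return remote_addr  # header held only proxy addresses (or garbage)


class ProxyFixMiddleware:
    """WSGI wrapper that rewrites REMOTE_ADDR from X-Forwarded-For only for
    requests that arrived through a trusted proxy. Host is left as forwarded."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = set(trusted)

    def __call__(self, environ, start_response):
        environ["REMOTE_ADDR"] = real_client_ip(
            environ.get("REMOTE_ADDR", ""),
            environ.get("HTTP_X_FORWARDED_FOR"),
            self.trusted,
        )
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Minimal backend that reports what it believes the client and host are."""
    body = "client=%s host=%s\n" % (environ["REMOTE_ADDR"], environ.get("HTTP_HOST"))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def handle(environ: dict) -> str:
    """Push one constructed WSGI environ through the wrapped app; return the body."""
    def start_response(status, headers, exc_info=None):
        return None
    return b"".join(ProxyFixMiddleware(demo_app)(environ, start_response)).decode()


if __name__ == "__main__":
    # Constructed requests: one relayed by the proxy on 127.0.0.1, one sent
    # directly to the backend with a forged X-Forwarded-For.
    via_proxy = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "app.example.test",
                 "HTTP_X_FORWARDED_FOR": "203.0.113.9"}
    direct_forged = {"REMOTE_ADDR": "198.51.100.7", "HTTP_HOST": "app.example.test",
                     "HTTP_X_FORWARDED_FOR": "10.0.0.1"}
    print(handle(via_proxy), end="")      # client=203.0.113.9 ...
    print(handle(direct_forged), end="")  # client=198.51.100.7 ... (header ignored)
```

With the backends on separate loopback addresses, the check is cheap and exact: a request whose socket peer is not `127.0.0.1` did not come through the proxy, so its header is simply discarded. The same logic applies unchanged to Squid's `forwarded_for` output, which uses the same header.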