General Overview of steps.
- Install the security certificate in IIS (the Local Machine personal store).
- Add a new site. The web root can be an arbitrary folder under wwwroot\reverse; ARR never serves content from it, it only needs a site to own the bindings.
- Add two site bindings, one for HTTP and one for HTTPS, each with the site's hostname. For HTTPS, tick Require Server Name Indication and select the SSL certificate imported earlier.
- Create a server farm (Application Request Routing) for the back-end web server hosting the site, or confirm one already exists. The address entered for the back-end server is the name ARR validates the back-end certificate against, so use a name that certificate covers.
- Select the top-level web server node (Sombrero) in the tree and open URL Rewrite. The rule must be at server level, not inside the new site.
- There should be one rule per server farm. If none exists for this farm, add one with the settings below:
  - Requested URL: Matches Pattern
  - Using: Wildcards
  - Pattern: *
  - Under Conditions, add a condition with Input {HTTP_HOST} and the new site's domain name as the pattern. Without this condition the * pattern would route every site's traffic to this farm.
  - Action Type: Route to Server Farm
  - Scheme: https://
  - Server Farm: the farm where the application/site is hosted.
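The same procedure scripted with the WebAdministration module, as an added example rather than the page's own configuration. The certificate path and password, the site/farm/rule names, the web-root path and the use of finance.heritageapps.ca as both the public and the internal (split-DNS) name are assumptions; the "Route to Server Farm" action is stored in applicationHost.config as a Rewrite to https://<farm name>/{R:0}, which is what the last block writes.

```powershell
# Added example: scripts the GUI steps above. Run elevated on the ARR host.
# Assumed values (not from the page): PFX path/password, web-root path,
# site/farm/rule names. The host name is the one the page uses.
Import-Module WebAdministration

$HostName    = 'finance.heritageapps.ca'
$SiteName    = $HostName                                   # assumed: site named after the host
$FarmName    = $HostName                                   # assumed: farm named after the host
$BackendFqdn = $HostName                                   # split DNS: same name resolves internally
$WebRoot     = "C:\inetpub\wwwroot\reverse\$HostName"      # assumed folder under wwwroot\reverse
$PfxPath     = 'C:\certs\finance.heritageapps.ca.pfx'      # assumed
$AppHost     = 'MACHINE/WEBROOT/APPHOST'

# 1. Install the certificate into the Local Machine personal store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. Site with an arbitrary (empty) web root and an HTTP binding for the host name.
New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
New-Website -Name $SiteName -PhysicalPath $WebRoot -HostHeader $HostName -Port 80 | Out-Null

# 3. HTTPS binding with SNI required (SslFlags 1), bound to the imported certificate.
New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Server farm whose back-end address is a name the back-end certificate covers.
if (-not (Get-WebConfiguration -PSPath $AppHost -Filter "webFarms/webFarm[@name='$FarmName']")) {
    Add-WebConfigurationProperty -PSPath $AppHost -Filter 'webFarms' -Name '.' -Value @{ name = $FarmName }
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "webFarms/webFarm[@name='$FarmName']" `
        -Name '.' -Value @{ address = $BackendFqdn }
}

# 5. Server-level (global) URL Rewrite rule: wildcard match on *, condition on
#    {HTTP_HOST}, and the "Route to Server Farm" action with the https:// scheme.
$RuleName  = "ARR_${FarmName}_route"                       # assumed rule name
$RuleXPath = "system.webServer/rewrite/globalRules/rule[@name='$RuleName']"
if (-not (Get-WebConfiguration -PSPath $AppHost -Filter $RuleXPath)) {
    Add-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/rewrite/globalRules' -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'Wildcard'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$RuleXPath/match" -Name 'url' -Value '*'
    # The host condition is what keeps the * pattern from capturing other sites.
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$RuleXPath/conditions" -Name '.' `
        -Value @{ input = '{HTTP_HOST}'; pattern = $HostName }
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$RuleXPath/action" -Name 'type' -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$RuleXPath/action" -Name 'url' -Value "https://$FarmName/{R:0}"
}
```

After running it, IIS Manager shows the farm under Server Farms and the rule under URL Rewrite at the server node, with the same fields the manual steps set. Re-running is safe: the farm and rule blocks are skipped when the elements already exist.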
Bad Gateway 502 Error
Once the reverse proxy is set up on Sombrero and traffic is forwarded to the back-end server, navigating to the site has at times produced a 502 Bad Gateway error. This is usually caused by a mismatch between the name in the back-end server's certificate (its subject or subject alternative names) and the address the rewrite rule routes to, which is the address configured in the server farm on Sombrero. ARR opens its own HTTPS connection to the back end using the farm address and validates the certificate it receives against that name, so a name the certificate does not cover fails the handshake and surfaces to the client as a 502. Enabling detailed errors on Sombrero shows the 502.3 substatus and the underlying WinHTTP error, which separates a certificate name problem from a back end that is simply unreachable.
Most recently, when setting up https://finance.heritageapps.ca I ran into this issue. The root cause was traced to a mismatch of the domain name used in the server farm where the rule was pointed to. I was using the internal domain name of the internal server, which in this case was tripping up IIS and causing the bad gateway error. To fix this, I used split DNS (which I had already set up) for the heritageapps.ca domain. Internally I point the same domain (finance.heritageapps.ca) to the back-end server. So, I just used this same name in the server farm configuration to point to my internal server.
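A quick check for the mismatch described above, added here as an example and not part of the original note. It reads the back-end addresses out of the named server farm, performs a TLS handshake against each one with that exact name (the same name ARR uses), and reports the certificate's subject, its subject alternative names and whether .NET flagged a name mismatch. The farm name is an assumption; run it on Sombrero, where the farm is defined.

```powershell
# Added example: verify that the back-end certificate covers the name in the server farm.
# Assumed: the farm is named after the public host name.
function Test-BackendCertificate {
    param(
        [Parameter(Mandatory)][string]$Address,   # name ARR uses for the back end
        [int]$Port = 443
    )
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $tcp = [System.Net.Sockets.TcpClient]::new($Address, $Port)
    $ssl = $null
    try {
        # Accept the certificate regardless, but record the validation errors
        # so we can report what a strict client (ARR/WinHTTP) would reject.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Address)     # SNI and host-name check both use $Address
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # 2.5.29.17 is the Subject Alternative Name extension; Format($false) renders it on one line.
        $san = $cert.Extensions |
               Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }

        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        [pscustomobject]@{
            Address        = $Address
            Subject        = $cert.Subject
            SubjectAltName = ($san -join '; ')
            NotAfter       = $cert.NotAfter
            PolicyErrors   = $script:policyErrors
            NameMatches    = -not ($script:policyErrors -band $nameMismatch)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Pull the addresses from the farm so the test uses exactly what ARR connects to.
Import-Module WebAdministration
$FarmName = 'finance.heritageapps.ca'   # assumed farm name
$servers = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "webFarms/webFarm[@name='$FarmName']/server"
foreach ($server in $servers) {
    Test-BackendCertificate -Address $server.address | Format-List
}
```

A result with NameMatches false and RemoteCertificateNameMismatch in PolicyErrors is the case from the note: the farm points at a name (such as an internal host name) that the certificate does not list. The fix is the one described above, either an address the certificate covers, reached through split DNS, or a certificate that includes the internal name. Chain errors in PolicyErrors point at a different problem (an untrusted issuer on Sombrero) that produces the same 502.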