production-windows.md

Node server behind an IIS reverse proxy

In this example, we discuss how to set up a production system using a reverse proxy with SSL offloading.

The purpose is to expose the website http://kiki or http://kiki.jlg.local, which is in fact served by http://musette:3000.

Infrastructure

You need several hosts:

  • reverse-proxy-host: A Windows Server OS running the following features:
    • AD DS (Active Directory Domain Controller)
    • DNS
    • IIS
  • server-host: A Windows 10 OS running:
    • nodejs and npm
    • a server running node-expose-sspi
  • client-host: A Windows 10 OS running
    • Chrome, or Firefox, or Edge

For this example, let's say the domain name is:

  • jlg.local (NETBIOS: JLG)

Suppose we have two Windows domain accounts:

For this example, let's say the hosts have the following names:

  • reverse-proxy-host: jlgdc01 (192.168.1.216)
  • server-host: musette
  • client-host: chouchou

Configuring server-host

Connect with the [email protected] user account.

mkdir myserver
cd myserver
npm init -y
npm i node-expose-sspi express

Create a server.js file in the myserver directory:

const express = require('express');
const { sso } = require('node-expose-sspi');

const app = express();

// Authenticate every request with SSPI (Kerberos when possible, NTLM otherwise).
app.use(sso.auth());

// Once authenticated, report which mechanism was used and who the user is.
app.use((req, res) => {
  res.json({
    method: req.sso.method,
    displayName: req.sso.user.displayName,
  });
});

app.listen(3000, () =>
  console.log('Server started on port 3000')
);

You need to be connected as the Windows domain user [email protected].

Start the server:

node server.js

Test the server locally:

start chrome http://musette:3000

You should see something like this:

{
  "method": "NTLM",
  "displayName": "<your-account-name>"
}

Configuring reverse-proxy-host

You need to configure DNS via the DNS Manager console:

  • under the domain zone, add a Host (A) record: kiki -> 192.168.1.216

This means that jlgdc01 and kiki resolve to the same machine: the reverse-proxy-host.

You need to configure IIS as a reverse proxy via IIS Manager:

  • look at this Microsoft documentation
  • install URL Rewrite
  • add a reverse proxy rule that forwards http://kiki to http://musette:3000.

It is better to use Kerberos, so you need to add Service Principal Names to the [email protected] user (the account the node server runs as). Open Active Directory Users and Computers:

  • make sure the Advanced Features view is enabled.
  • open the [email protected] user.
  • open the Attribute Editor tab and edit the Service Principal Name attribute:
    • add the HTTP/kiki and HTTP/kiki.jlg.local SPNs.
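The browser builds the SPN it asks the KDC for from the host name typed in the URL, so both the short name and the FQDN must be registered, and on exactly one account. The following is an added example (not node-expose-sspi's own code) that derives the expected SPNs from the names used on this page and checks a constructed list of registered SPNs for missing or duplicated entries; the `registered` input is sample data standing in for whatever your SPN listing tool reports.

```javascript
// Added example: verify the SPN set needed for Kerberos behind the proxy.
// Assumptions: service class HTTP; host names kiki / kiki.jlg.local from
// this page; the per-account SPN lists below are constructed sample data.

function expectedSpns(serviceClass, shortName, dnsDomain) {
  // Clients request HTTP/<host-as-typed>, so register both forms.
  return [
    `${serviceClass}/${shortName}`,
    `${serviceClass}/${shortName}.${dnsDomain}`,
  ];
}

function normalizeSpn(spn) {
  // The service class and host part of an SPN are compared case-insensitively.
  return spn.trim().toLowerCase();
}

function missingSpns(registered, expected) {
  const have = new Set(registered.map(normalizeSpn));
  return expected.filter((spn) => !have.has(normalizeSpn(spn)));
}

function duplicateSpns(spnsByAccount) {
  // An SPN present on more than one account makes the KDC unable to pick a
  // key, so Kerberos fails and the browser falls back to NTLM.
  const owners = new Map();
  for (const [account, spns] of Object.entries(spnsByAccount)) {
    for (const spn of spns) {
      const key = normalizeSpn(spn);
      if (!owners.has(key)) owners.set(key, []);
      owners.get(key).push(account);
    }
  }
  return [...owners.entries()]
    .filter(([, accounts]) => accounts.length > 1)
    .map(([spn, accounts]) => ({ spn, accounts }));
}

function spnReport(spnsByAccount, serviceAccount, shortName, dnsDomain) {
  const expected = expectedSpns('HTTP', shortName, dnsDomain);
  const registered = spnsByAccount[serviceAccount] || [];
  const missing = missingSpns(registered, expected);
  const duplicates = duplicateSpns(spnsByAccount);
  return {
    expected,
    missing,
    duplicates,
    kerberosReady: missing.length === 0 && duplicates.length === 0,
  };
}

// Constructed sample: the service account only has the short-name SPN, and
// another account (a hypothetical leftover) also claims HTTP/kiki.
const sampleSpnsByAccount = {
  'svc-node': ['HTTP/kiki'],
  'old-web-host$': ['http/KIKI', 'HOST/old-web-host'],
};

console.log(JSON.stringify(spnReport(sampleSpnsByAccount, 'svc-node', 'kiki', 'jlg.local'), null, 2));
```

With the sample data the report lists `HTTP/kiki.jlg.local` as missing and `http/kiki` as duplicated across two accounts, so `kerberosReady` is false; once both SPNs sit only on the service account it turns true.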

Testing from client-host

Log in to the Windows machine as [email protected].

Both commands below should work:

start chrome http://kiki.jlg.local
start chrome http://kiki

You should see something like this:

{
  "method": "Kerberos",
  "displayName": "marcel"
}

If Kerberos is not correctly configured, the browser will fall back to NTLM. In this case you will probably get a dialog box asking for credentials, which is a bad user experience...
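Because sso.auth() exposes the mechanism that actually authenticated the request in req.sso.method, the server itself can notice that fallback instead of waiting for users to report credential prompts. The following is an added example (not part of node-expose-sspi): an Express-style middleware to place after sso.auth() that counts Kerberos versus NTLM authentications, logs every non-Kerberos request, and optionally rejects them. It assumes req.sso.method holds 'Kerberos' or 'NTLM' as the sample responses on this page show; the `requireKerberos` option and the fake req/res helpers are this example's own, used so it runs offline.

```javascript
// Added example: detect NTLM fallback behind the reverse proxy.
// Assumption: sso.auth() (run before this middleware) sets req.sso.method.

function kerberosPolicy(options = {}) {
  const { requireKerberos = false, log = console.warn } = options;
  const counts = { Kerberos: 0, NTLM: 0, other: 0 };

  function middleware(req, res, next) {
    const method = req.sso && req.sso.method;
    const key = method === 'Kerberos' || method === 'NTLM' ? method : 'other';
    counts[key] += 1;

    if (method !== 'Kerberos') {
      // Typical causes: a missing or duplicated SPN, or the site opened
      // by IP address rather than by the name the SPN was registered for.
      log(`sso: ${method || 'unknown'} authentication for ` +
          `${req.hostname || '?'}${req.originalUrl || req.url || ''}`);
      if (requireKerberos) {
        res.status(403).json({ error: 'Kerberos authentication required' });
        return;
      }
    }
    res.setHeader('X-Auth-Method', method || 'unknown');
    next();
  }

  middleware.counts = counts; // exposed so a health endpoint can report them
  return middleware;
}

// Minimal stand-ins for Express req/res so the middleware can be exercised
// without a running server (constructed for this example).
function fakeRequest(method, displayName, host) {
  return { sso: { method, user: { displayName } }, hostname: host, originalUrl: '/' };
}

function fakeResponse() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  return res;
}

function runOnce(middleware, req) {
  const res = fakeResponse();
  let passed = false;
  middleware(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, header: res.headers['X-Auth-Method'] };
}

// Stand-alone demo: one Kerberos request from client-host, one NTLM request.
const demo = kerberosPolicy({ requireKerberos: true });
console.log(runOnce(demo, fakeRequest('Kerberos', 'marcel', 'kiki.jlg.local')));
console.log(runOnce(demo, fakeRequest('NTLM', 'marcel', 'musette')));
console.log(demo.counts);
```

In production you would wire it as `app.use(sso.auth()); app.use(kerberosPolicy({ log: logger.warn }))` and leave `requireKerberos` off until the counts show that NTLM has disappeared, since rejecting NTLM too early locks out the local test on http://musette:3000 shown earlier, which legitimately uses NTLM.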

Author

Jean-Louis GUENEGO [email protected]