Host FireStart behind a Reverse Proxy

Prerequisites

  • The FireStart server and Process Portal are hosted on the same machine (e.g. sho-dev-pc.prologics.at:8443)
  • The IdentityServer is hosted on the reverse proxy (e.g. bld-agent.firestart.com:443)

Setup

Install the FireStart server

Configure the public and internal names/ports:

[Screenshot: installation_reverseProxy_1]

Make sure that the server name and port in the init.json of the Process Portal point to the reverse proxy. You may also check the PROLOGICS/Urls key in the registry; the screenshot below shows an example of what the registry entries look like.

[Screenshot: installation_reverseProxy_2]

Caution: Do not start the FireStart server before authentication has been successfully configured.

Deploy the IdentityServer to the reverse proxy

The reverse proxy configuration needs to rewrite all URLs to the internal FireStart server except the authentication requests, which are served by the IdentityServer on the proxy itself. A regular expression that does this in IIS UrlRewrite is ^(?!auth).*$ (match every path that does not start with "auth"). Below is an example of what the rewrite action looks like with this regular expression.

[Screenshot: installation_reverseProxy_3]

XML
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Disabled rule for an alternative internal FireStart server. -->
        <rule name="ReverseProxy RewriteURL-LKE" enabled="false" stopProcessing="true">
          <match url="^(?!auth).*$" />
          <action type="Rewrite" url="https://lke-dev-pc.firestart.com:8443/{R:0}" logRewrittenUrl="true" />
        </rule>
        <!-- Active rule: every path not starting with "auth" is forwarded to the internal FireStart server. -->
        <rule name="ReverseProxy RewriteURL-SHO" enabled="true" stopProcessing="true">
          <match url="^(?!auth).*$" />
          <action type="Rewrite" url="https://sho-dev-pc.prologics.at:8443/{R:0}" logRewrittenUrl="true" />
        </rule>
      </rules>
    </rewrite>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>

Then copy the PROLOGICS FireStart IdentityServer folder from the installed FireStart server to a folder on the reverse proxy server. Make sure that the .NET Core hosting bundle is installed on the reverse proxy.

Create the authentication subsite in IIS

The physical path is the PROLOGICS FireStart IdentityServer folder you copied. Enable Windows authentication for this subsite, and make sure the IIS app pool has access to the physical path.

Configure the IdentityServer via app settings

The following tasks have to be performed:

  • Adapt the "path" of the log file in the Serilog section to an existing folder on which the app pool has full control, so that it can create log files.
    [Screenshot: installation_reverseProxy_4]
  • Settings: adapt the BaseUrl to the address of the IdentityServer (e.g. https://bld-agent.firestart.com:443/auth).
  • Adapt the Name to the public server name (e.g. bld-agent.firestart.com).
  • Adapt the Port to the publicly reachable port (e.g. 443).
  • Adapt the DbPath to an existing folder on which the app pool has full control, so that it can create SQLite databases.
  • Make sure the certificate selected for JWT signing is available and the app pool has permission to read its private key.
    [Screenshot: installation_reverseProxy_5]
  • Perform an IIS reset.
  • Try accessing the authentication site from a browser and logging in; this should now work from both the reverse proxy and the FireStart server.

JSON
{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Debug",
      "Override": {
        "Microsoft": "Warning",
        "System": "Warning",
        "Microsoft.AspNetCore.Authentication": "Information",
        "ComponentSpace.SAML2": "Debug"
      }
    },
    "Enrich": [
      "FromLogContext"
    ],
    "WriteTo": [
      {
        "Name": "Console",
        "Args": {
          "outputTemplate": "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message:lj}{NewLine}{Exception}{NewLine}"
        }
      },
      {
        "Name": "File",
        "Args": {
          "path": "C:\\FireStart InstallFolder\\PROLOGICS Resources\\Logs\\IdentityServer.txt",
          "rollOnFileSizeLimit": true,
          "fileSizeLimitBytes": "10485760",
          "shared": true
        }
      }
    ]
  },
  "Settings": {
    "AllowedHosts": "*",
    "BaseUrl": "https://bld-agent.firestart.com:443/auth",
    "Name": [
      "bld-agent.firestart.com",
      "sho-dev-pc.prologics.at"
    ],
    "Port": "443",
    "DbPath": "C:\\FireStart InstallFolder\\PROLOGICS Resources\\Database",
    "JWTCert": "4BD8AEFDCA43E9C3C0CE2992D924958D27D702BE"
  },
  "Provider": {
    "Saml": {
      "Enabled": false,
      "DisplayName": "SAML",
      "Scheme": "external",
      "EntityId": "",
      "SamlCert": "",
      "PartnerIdentityProviderMetadataEndpoint": ""
    },
    "Azure": {
      "Enabled": false,
      "DisplayName": "Azure AD",
      "Scheme": "aad",
      "TenantId": "",
      "AppId": "",
      "AppSecret": ""
    },
    "Windows": {
      "Enabled": true,
      "DisplayName": "Windows Authentication",
      "Scheme": "Windows"
    }
  },
  "SearchProvider": {
    "External": {
      "Enabled": false,
      "DisplayName": "External Search",
      "Scheme": "external",
      "BaseUrl": "https://sho-upgrade.firestart-dev.local:7443"
    },
    "ActiveDirectory": {
      "Enabled": true,
      "DisplayName": "Active Directory Search",
      "Scheme": "Windows",
      "SearchUserWithinOU": false,
      "Domains": [
        {
          "Domain": "firestart.com",
          "FQDN": "",
          "Username": "",
          "Password": ""
        }
      ]
    },
    "Graph": {
      "Enabled": false,
      "DisplayName": "Microsoft Graph",
      "Scheme": "aad",
      "TenantId": "",
      "AppId": "",
      "AppSecret": "",
      "RedirectUri": ""
    }
  }
}
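As an added example (not part of the FireStart documentation), the Python script below models the IIS rewrite rule from the XML above and checks the Settings section against the task list: it shows which request paths ^(?!auth).*$ leaves to the local auth subsite (IIS matches case-insensitively by default), including the edge case that any path starting with "auth", such as /authoring, is also excluded; the stricter pattern and the AllowedHosts hardening hint are assumptions of this example, and the sample settings are constructed from the values shown above.

```python
import re
from urllib.parse import urlparse

# IIS UrlRewrite tests <match url> against the request path without its leading
# slash and, by default (ignoreCase="true"), case-insensitively.
PAGE_PATTERN = re.compile(r"^(?!auth).*$", re.IGNORECASE)
# Stricter variant (an assumption, not taken from the page): only the auth
# subsite itself is excluded, so a path such as /authoring still reaches FireStart.
STRICT_PATTERN = re.compile(r"^(?!auth(/|$)).*$", re.IGNORECASE)

def is_proxied_to_firestart(request_path: str, strict: bool = False) -> bool:
    """True if the rule forwards the path to the internal FireStart server,
    False if IIS leaves it to the local /auth subsite (IdentityServer)."""
    pattern = STRICT_PATTERN if strict else PAGE_PATTERN
    return pattern.match(request_path.lstrip("/")) is not None

def check_identity_settings(appsettings: dict, public_host: str) -> list:
    """Sanity checks for the Settings section of the IdentityServer appsettings."""
    s = appsettings["Settings"]
    findings = []
    base = urlparse(s["BaseUrl"])
    if base.scheme != "https":
        findings.append("BaseUrl must use https")
    if base.path.rstrip("/") != "/auth":
        findings.append("BaseUrl path must be /auth so the proxy does not rewrite it")
    if base.hostname != public_host:
        findings.append(f"BaseUrl host {base.hostname!r} is not the public name {public_host!r}")
    base_port = base.port or (443 if base.scheme == "https" else 80)
    if str(base_port) != str(s["Port"]):
        findings.append(f"Port {s['Port']!r} does not match BaseUrl port {base_port}")
    if public_host not in s["Name"]:
        findings.append("Name must list the public server name")
    if s.get("AllowedHosts", "*") == "*":  # hardening hint, not a page requirement
        findings.append("AllowedHosts is '*': host filtering is off; restrict it to the Name entries")
    return findings

# Constructed sample mirroring the Settings section shown above.
SAMPLE_SETTINGS = {"Settings": {
    "AllowedHosts": "*",
    "BaseUrl": "https://bld-agent.firestart.com:443/auth",
    "Name": ["bld-agent.firestart.com", "sho-dev-pc.prologics.at"],
    "Port": "443",
}}

if __name__ == "__main__":
    for p in ("/auth/login", "/Auth/login", "/authoring", "/ProcessPortal/index.html"):
        print(f"{p:26} page={is_proxied_to_firestart(p)} strict={is_proxied_to_firestart(p, strict=True)}")
    for finding in check_identity_settings(SAMPLE_SETTINGS, "bld-agent.firestart.com"):
        print("finding:", finding)
```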