Using IIS or Apache web frontend?

[ivoidwarranties 15]

Hi,

 

I have multiple http servers running on my Windows Server 2012 Essentials server.  I am using IIS as the web frontend -- using IIS's Application Request Routing to route traffic based on the fqdn.

 

So example, I have:

http://mediabrowser.mydomain.com/mediabrowser --> http://localhost:8080/mediabrowser/

http://essentials.mydomain.com/ --> http://localhost:8081/

 

That way, I can configure multiple http servers so that they accessible over the standard HTTP port (80).

 

This was working on a previous version, unfortunately, I didn't take note of which version of Media Browser server.  I am on the latest version now.  

 

Now, when I try to access http://mediabrowser.mydomain.com/mediabrowser I am getting an error: 'jQuery' is undefined.

 

If I access Media Browser over the port it's configured for, I can connect just fine.

 

 

[ivoidwarranties 15]

Sorry... not following.  I'm trying to using a browser from my Win 8.1 to the Media Browser server that's installed on Windows Server 2012 (IE / Chrome / Firefox... they all behave the same way).

 

Interestingly... using IE on the server itself works fine.

 

--------------------

 

Edit:

Found a post that mentions disabling IE Enhanced Security -- which was one of the first things I did after the initial Server 2012 Essentials install.  Still having issues mentioned in the second post when trying to remotely connect using any web browser.

Edited May 2, 2014 by ivoidwarranties

[Della Dog 19]

I downloaded the Android Media Browser app and it can connect to the IIS frontend... but the webpage is still have issue.  

 

Any help would be appreciated.  Let me know what other info is needed....

 

 

This is telling you that the page (server) can not find the base jquery-some version-.js file. Either it's not in the sub directory the file specifies, or if it's being loaded from a CDN then your server cannot reach the destination server to load up the jquery file. Any JavaScript extension / file that requires the core jquery engine will throw this error if it can't load the core jquery .js file.

[ivoidwarranties 15]

I downloaded the Android Media Browser app and it can connect to the IIS frontend... but the webpage is still have issue.  

 

Any help would be appreciated.  Let me know what other info is needed....

 

 

[Luke 37022]

Some people have mentioned the need to tinker with security settings on IE within windows server. Apart from that the web interface should be fine.

[ivoidwarranties 15]

So... I finally got IIS to work as a frontend to MediaBrowser.... using the Application Request Routing (ARR) / URL Rewrite plugins.  Specifically, IIS 8.5 with Windows Server 2012 R2 Essentials.

 

Here are my settings if anyone else is interested.

 

• Install the ARR plugins and all dependencies.  Make sure you are installing ARR v3 as you will need support for WebSocket.
  Follow instructions from Microsoft: http://blogs.technet.com/b/erezs_iis_blog/archive/2013/11/27/installing-arr-manually-without-webpi.aspx

 

• Install WebSocket support for IIS.
  Follow instructions from Microsoft: http://www.iis.net/configreference/system.webserver/websocket

 

• Open the IIS management console.  Click on your server name in the left panel.  In the right panel, double click on "Application Request Routing".
  

 

• Configure "Application Request Routing" with the settings below.
  

 

• Under the "Sites" folder, click on the web site you want to use.  In the right panel, double  click on "URL Rewrite".
  

 

• Under the "Actions" panel, click on "View Server Variables".  Add a server variable and name it "HTTP_ACCEPT_ENCODING".
   --- 

 

• After adding the server variable, click "Back to Rules".  

 

• In the "Actions" panel, click on "Add Rule(s)".  Add a blank inbound rule and configure it with the settings below.
  • Give it whatever name you want
  • At the bottom under the "Rewrite URL" textbox, replace <xxx.xxx.xxx.xxx> with the IP address of your MediaBrowser server and <yyyyy> with the internal port number of your MediaBrowser server
  • Example: http://192.168.1.10:8096/{R:0}

 

• Click "Apply" and then "Back to Rules".

 

• In the "Actions" panel, click on "Add Rule(s)".  Add a blank outbound rule and configure it with the settings below.
  • Give it whatever name you want
  • In the "Match the content within" drop down, I selected all of them for now (haven't had time to test which ones are actually needed)
  • Same thing here... in the middle under the "Pattern" textbox, replace <xxx.xxx.xxx.xxx> with the IP address of your MediaBrowser server and <yyyyy> with the internal port number of your MediaBrowser server
  • Example: ^http://192.168.1.10:8096/(.*)$

​

 

• Click "Apply" and then "Back to Rules".  Open a command prompt (with admin privileges) and enter the command "IISReset".  At this point, you should be able to access MediaBrowser over IIS.  Open a browser and enter the URL of your IIS server.
  • Example: http://your.fqdn.com/mediabrowser

 

• If you have an SSL certificate installed and configured in IIS, you can also configure it to redirect everything over SSL.  Go back to the "URL Rewrite" and add a new blank inbound rule.  Configure it with the settings below.
  

 

• Click "Apply" and then "Back to Rules".  Make sure that the SSL redirect rule is above the MediaBrowser rewrite rule.  You can reorder the rules under the "Actions" panel.
  

 

• You probably don't have to reset IIS again, but if it doesn't redirect to SSL, execute the IISReset command.

 

 

 

That's all she wrote folks.  Let me know if that works or if you have any questions....

Edited November 18, 2014 by ivoidwarranties

[anks 36]

Great detailed post, are you using ARR 2.5 or 3? Only 3 supports Web Sockets which really needed to get the full MB experience. Have you tried remote control through the proxy and do you get realtime info?

 

I've been using ARR for a few years, if you need and help, let me know. You can definitely streamline your setup.

[ivoidwarranties 15]

@@anks -- That's actually a very good point!

 

I am using ARR v3.  WebSocket is not installed by default, so you would to install that feature.  I will update my post to include that step.

 

I do not use the remote control feature, but I did spend 5 minutes playing around with it yesterday.  I appears to be working through the proxy.  I'll play around with it some more over the weekend.

 

I am definitely interested if you have any suggestions on how to streamline or improve the configs.

[anks 36]

@@ivoidwarranties,  I'm on Windows 7 so no WebSocket support for me.

 

This is an overview of how I set-up ARR,  the end result is the ability to access any services using a friendly name such as mediabrowser.mydomain.com as opposed to ip address and port xxx.xxx.xxx.xxx:8096 for example.  This gives a few advantages especially if you have numerous services running:

 

Advantages

 

-  More secure, as the host name must match to use the service.  (Prior to authentication of course).

-  Single port to open on your router.

-  Easy to remember as opposed to an IP address, use the same name internally and externally. Granted MB Connect gets around this but it isn't much use if you access more than one service.

-  Access services when connected to a work network or somewhere which uses a proxy server.  These tend to only permit port 80 and often block urls containing IP Addresses.

 

​Prerequisites

 

- Firstly it makes things much easier if each service has it's own externally resolvable host name.  This can be achieved if you have your own domain or via a Dynamic DNS Service which supports wildcards.  Wildcards mean that the address {anything}.yourhost.dyndns.org will resolve to your machine.  If you have your own domain name, you can use a wild card or create a single A record pointing to your server, such as server.mydomain.com and then create CNAME records for your endpoints, then should you change IP you only need to update one record.

- Port forwarding rule on your router which directs traffic on port 80 to your ARR/IIS machine.

- IIS installed with ARR plus one web site that is running and bound to all address on the machine on the port you are going to use, probably 80.  This site can be used to host content, but HTTP.SYS needs to be listening for ARR/Reverse Proxy to work.  Also if you want to host multiple sites on IIS, you can either use host headers for this put them on a different port. It's a simpler configuration if all services pass through the proxy.

- Know the ports of all your services you wish to expose and the names you wish to access them by.

 

Setup

 

This is an outline logical set-up, and to make everything as easy as possible, configure URL Rewrite at the server level and not on an individual site, the config is then stored in a single place (ApplicationHost.config) and it makes things easier to diagnose if you have issues.  

 

-  First rule should be to validate the HTTP_HOST contains your domain suffix (i.e mydomain.com or yourhost.dyndns.org), if not abort the request.

-  If you want to ensure SSL, next rule should check for that, again if not abort the request. (I don't use SSL but you can get free certs from StartSSL.com)

-  Next configure rules for your services.  Setup matches a pattern as (.*) condition as {HTTP_HOST} matches mediabrowser. (we do not want to add the suffix as we already know this is valid from rule 1) rewrite to http://internalserver:8096/{R:1} check append querystring and stop processing further rules.

-  Repeat for all other services.

-  For IIS hosted servers using host headers, create one rule which matches these names, for example if HTTP_HOST does not contain iissite1. or iissite2. then abort the request.  If you have no IIS sites serving content or are reverse proxying them, this rule should be a catch all (no conditions) to abort the request as it does not map to services.

-  Outbound rules are not needed, but I created one to add an X-Robots-Tag to all responses.  You can see there are several Media Browser servers in Google, this will stop that.

 

I also create redirect rules to make accessing services easier, i.e. Media Browser is on /mediabrowser, however if only the root is requested, I have a redirect rule to take me to the right place.

 

Why bother?

 

It does add real world security (albeit through obscurity),  ease of access plus there are quite a few services that have their own web service that you may want to use whilst away from home such as:

 

- NZBMatrix

- Sickbeard

- CouchPotato

- RemotePotato

- Filevista

- WebCamXP

- XBMC

- uTorrent.

- Free Download Manager

- Your home router's web interface.

 

I'm sure there are a few more also that other people use?

Edited November 18, 2014 by anks

[anks 36]

A picture paints a thousand words so here is my setup.  All the software needed is free and available if you're already running Windows 7 or later.

 

Inbound rules & anti-robots Outbound rule, configured at server level

 

 

 

How to configure a rewrite rule for a local server.

 

 

If Media Browser server is on the same machine DO NOT USE 127.0.0.1 or localhost since in the current release, any user will be able to log on without a password (this will change soon), instead use the host name or IP address.

[swhitmore 781]

Thanks for the post @@anks. I'm interested in setting up something like this. Would I need a dedicated machine for it? Or could I run it on my file server running WHS2011?

[anks 36]

@@swhitmore, you certainly can use your existing WHS2011, the simplest way to get it setup is using the Web Platform Installer from Microsoft link here:  http://www.microsoft.com/web/gallery/install.aspx?appid=ARRv3_0

[swhitmore 781]

Thanks mate. I started to play with IIS7 but didn't really know what I was doing. Need to read up more

[coldacid 6]

Just a note for people who get stumped looking for "Application Request Routing" but can only find "Application Request Routing Cache": Open up ARRC and click the "Server Proxy Settings..." link in the actions sidebar. And enjoy the annoying little UI changes that can happen between the same versions of something on different versions of Windows.

[denethor 90]

So... I finally got IIS to work as a frontend to MediaBrowser.... using the Application Request Routing (ARR) / URL Rewrite plugins.  Specifically, IIS 8.5 with Windows Server 2012 R2 Essentials.

....

That's all she wrote folks.  Let me know if that works or if you have any questions....

 

Great post thank you! I have a simple question since I always failed with Regex

 

I want to reach my server with /player sub dir. what ise correct regex for inbound and outbound?

 

http://www.host.com/player  needs to access http://192.168.1.10:8096/mediabrowser

[ivoidwarranties 15]

I played around with this... but it did weird things.  I don't know if it was due to a configuration, but I can play around with the settings some more now that I kinda figured out how IIS and ARR works.

 

Although, I think the apps (Android, Roku, etc) require mediabrowser as the context... I did not see an option to change it in the Android app.  

 

 

 

Great post thank you! I have a simple question since I always failed with Regex

 

I want to reach my server with /player sub dir. what ise correct regex for inbound and outbound?

 

http://www.host.com/player  needs to access http://192.168.1.10:8096/mediabrowser

[swhitmore 781]

Hey guys. I'm trying to follow your guides (thanks btw), and I'm getting stuck here:

 

Any thoughts? Thanks.

 

 

Edit: Nevermind, I had to take ownership of the file before I would write to it. Working now.

Edited December 3, 2014 by swhitmore

[swhitmore 781]

@@anks is there a way to do the same thing but using paths instead of wildcards? Also, I'm getting stuck with services that don't have a root path to use. i.e. my router, or sickbeard (this can be changed in the sickbeard config, but I want to get it working without doing that)

Edited December 3, 2014 by swhitmore

[anks 36]

@@swhitmore.  If I understand correctly, you have a host such as sickbeard.mydomain.com and you want this to resolve to sickbeard.mydomain.com/sickbeard.  Two ways that this could be achieved easily, I favour the first though.

 

1.  All requests to the root of sickbeard.mydomain.com redirect to sickbeard.mydomain.com/sickbeard -  This is what I do, there is an example above for MediaBrowser redirect to /mediabrowser.  This is not a rewrite rule, just a redirect, pattern match is ^$

 

2.  Rewrite all requests to sickbeard.mydomain.com to http://localsickbeads:8081/sickbeard/{R:0}

 

With the second example you need to ensure that the web app is not hard coding /sickbeard into any of the tags/images/css etc.  If so, you'd need to start creating outbound rules which unless you capture everything and understand how the app was put together, you'll break things.

 

@@denethor  -  It is possible to rewrite the URLs so for example /player could map to /mediabrowser, but you're going to be in for a world of pain since you will need to create outbound rules which inspect all the content return and amend the links.  It's just adding complexity.  Why not use player.yourdomain.com?

[swhitmore 781]

Thanks @@anks. I've been playing a bit more, and this is where I'm at. The issue I'm having is with the CSS and image resources not resolving.
 
The example I'll use is uTorrent WebUI. Locally it's 192.168.1.10:8086/gui
I want to replace this with mydns.no-ip.org/utorrent
 
This is what I get:

If I rewrite with mydns.no-ip.org/gui instead, it works.

Alternatively, with SABnzdb, locally it's 192.168.1.10:8085 and I want to rewrite from mydns.no-ip.org/sabnzdb. if i do, the images and css fail also. With sickbeard it was the same issue, but when I added the webroot /sickbeard in the config, it worked.

Edited December 3, 2014 by swhitmore

[swhitmore 781]

I'm also not sure how to rewrite a url to link me to my routers webui. Locally it's just the ip addres of the router 192.168.1.1. How would I rewrite mydns.no-ip.org/router to 192.168.1.1?

[anks 36]

@@swhitmore -  I very nearly put an example about uTorrent in my last reply since it's an example of what doesn't work too well when redirecting paths and you are now living in the world of pain I mentioned before.    As well as /gui I recall that it uses others paths as well for the api etc.

 

Since you have no control over the development of these web interfaces, you don't know ultimately how resources are being accessed, so for example a request for an image in a page /images/sickbeard.png will not work with your configuration since the actual path would be /sickbeard/images/sickbeard.png.  (Sickbeard is a bad example here as it does allow you to specify the root!).  The only option here would be to create outbound mappings which change the content of the page.  This will get you so far, it'll take time and it'll only work with simple apps, however what happens when the paths are dynamically created via Javascript or an XHR for example?  It's gonna break.

 

Reverse Proxying apps to different paths will work in a corporate environment where you have control over the development and ensure everything is truly relative but with these sort of apps, you're might be fighting a losing battle.

 

Any reason at all why you can't have subdomains, instead of mydomain.com/sickbeard go for sickbeard.mydomain.com?  This will work everytime and is very easy to configure.

 

This just needs a single wildcard DNS entry.  no-ip for example allow this, plus if you have your own domain it's also very easy to do.

[swhitmore 781]

Thanks for that. It makes a lot more sense now. When I looked at no-ip wildcards, it said I had to pay for them. I might just buy a cheap domain.

[anks 36]

@@swhitmore I don't know why I thought they were free, sorry...

 

It's easier if you do register a domain, one option to consider is to keep your no-ip domain and create a wildcard CNAME (Alias) pointing to that if you don't have a static IP does from your ISP.  i.e.  In yourdomain.com zone create

 

* CNAME mydomain.no-ip.org

 

Since the likes of GoDaddy do not apparently support dynamic dns.  Zonomi.com supports wildcards and dynamic DNS for free but don't appear to offer domain name registration.

[swhitmore 781]

Hmm, starting to be more trouble than it's worth I'll have a look at that though. If I just register a domain, can I use wildcards easily? Or does the provider need to support it? e.g. does it cost more?