A reverse proxy server is a computer that is deployed in a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet) that handles requests from the internet and forwards them to the machines in your internal network. By forwarding requests, the reverse proxy server masks the identity of the machines behind your organization's firewall, thus protecting internal machines from being attacked directly by internet users. Additional security functions can be implemented in the reverse proxy server to further protect your internal network from outside users.
If your reverse proxy server supports a health check function, you can use the ArcGIS Server health check endpoint to determine whether the site is available to receive requests. This is useful to quickly determine whether there's a software or hardware failure in the site. For more information, see Health Check in the ArcGIS REST API.
Note:
ArcGIS Server does not support SSL offloading through a reverse proxy/load balancer. If your configuration uses a reverse proxy, it must redirect to either the ArcGIS Web Adaptor or directly to ArcGIS Server over HTTPS.
Adding ArcGIS Server to your reverse proxy server
Your organization's reverse proxy server can be configured to communicate either directly with ArcGIS Server or through the ArcGIS Web Adaptor by adding the corresponding URLs to the proxy directives.
Note:
You must ensure that the reverse proxy server's context name only goes one URL level deep. For example, you can have a reverse proxy URL such as https://proxy.domain.com/enterprise, but you cannot have a reverse proxy URL such as https://proxy.domain.com/myorg/enterprise.
For example, if you're using Apache as a reverse proxy server, you need to add the ArcGIS Server URL or the ArcGIS Web Adaptor URL to the ProxyPass directives in the Apache web server configuration file httpd.conf:
If communicating through ArcGIS Web Adaptor
ProxyPass /server https://gisserver.domain.com/server
ProxyPassReverse /server https://gisserver.domain.com/server
If directly communicating with ArcGIS Server
ProxyPass /arcgis https://gisserver.domain.com:6443/arcgis
ProxyPassReverse /arcgis https://gisserver.domain.com:6443/arcgis
If you're using a reverse proxy server and the URL to your site does not end with the default string /arcgis (all lowercase), you should also set the ArcGIS Server WebContextURL property. This helps ArcGIS Server construct the correct URLs on all resources it sends to the end user.
Note:
If you have configured ArcGIS Web Adaptor with your site, use the WebContextURL property to set the ArcGIS Server URL to match that of its ArcGIS Web Adaptor (such as /mygis). If there is no Web Adaptor configured, the site URL should end in /arcgis to avoid potential URL redirect issues.
- Log in to the ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin as a user with administrator privileges.
- Click system > properties > update.
- In the Properties text box, insert the following JSON, substituting your own ArcGIS Server URL as seen by users outside your organization's firewall.
{ "WebContextURL": "https://gisserver.domain.com/mygis" }
- Click Update.
- Restart ArcGIS Server on each GIS server in the site. On Windows, this can be accomplished by restarting the ArcGIS Server Windows service on each machine.
Reverse proxy headers and ArcGIS Server
Before deploying your reverse proxy server for use with ArcGIS Server or ArcGIS Web Adaptor, it is recommended that you configure some of the reverse proxy's headers to ensure proper communication.
Your reverse proxy server must be able to detect redirects (HTTP codes 301 or 302) and update the Location header of those responses so that the fully qualified domain name (FQDN) and context of the response match the server's WebContextURL value.
X-Forwarded-Host
When integrating your reverse proxy with ArcGIS Server or ArcGIS Web Adaptor, be aware that both of these components expect to see the following property set in the header sent by the reverse proxy server:
X-Forwarded-Host=<FQDN of reverse proxy server>
If this property is set in the header, ArcGIS Server and ArcGIS Web Adaptor return responses to the reverse proxy server whose URLs match the reverse proxy server's URL. For example, a request to the ArcGIS Server Services Directory (https://reverseproxy.domain.com/arcgis/rest/services) is returned to the client as the same URL.
If the X-Forwarded-Host header property is not set, ArcGIS Server and ArcGIS Web Adaptor may return the URL of the internal machine where the request was directed, for example, https://gisserver.domain.com/arcgis/rest/services instead of https://reverseproxy.domain.com/arcgis/rest/services. This is problematic, as clients will not be able to access this URL (commonly noted as a browser 404 error). It also discloses the internal machine's name to the client.
When troubleshooting communication between clients and ArcGIS Server or ArcGIS Web Adaptor, it is recommended that you set the X-Forwarded-Host header property in the reverse proxy server, as this is a common cause of communication failures. The way you set this header varies depending on your reverse proxy server implementation. For example, Apache accomplishes this with the ProxyPreserveHost On directive in its configuration:
...
ProxyPreserveHost On
ProxyPass /server https://gisserver.domain.com/server
ProxyPassReverse /server https://gisserver.domain.com/server
...
For guidance on how to pass the original host header, see the product documentation for your reverse proxy server.
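The following is an added example, not part of the ArcGIS documentation or any Esri tool. It models the Location rewrite that the redirect requirement above asks of the proxy, and audits a response as the client sees it for the internal host name that leaks when X-Forwarded-Host is not set. The hostnames follow the page's examples; the function names and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostnames follow the page's examples; the function names are hypothetical.
PUBLIC_BASE = "https://reverseproxy.domain.com/arcgis"
BACKEND_BASE = "https://gisserver.domain.com:6443/arcgis"

def rewrite_location(location, backend_base=BACKEND_BASE, public_base=PUBLIC_BASE):
    """Map a backend redirect target (301/302 Location) onto the public URL."""
    b, p, loc = urlsplit(backend_base), urlsplit(public_base), urlsplit(location)
    if not loc.netloc:  # relative redirect: no host to rewrite
        return location
    same_origin = (loc.scheme, loc.netloc.lower()) == (b.scheme, b.netloc.lower())
    in_context = loc.path == b.path or loc.path.startswith(b.path + "/")
    if not (same_origin and in_context):
        return location  # points somewhere else; leave untouched
    new_path = p.path + loc.path[len(b.path):]
    return urlunsplit((p.scheme, p.netloc, new_path, loc.query, loc.fragment))

def internal_host_leaks(headers, body, internal_hosts):
    """Return (where, host) for each internal hostname visible to the client."""
    findings = []
    for host in (h.lower() for h in internal_hosts):
        for name, value in headers.items():
            if host in value.lower():
                findings.append((f"header:{name}", host))
        if host in body.lower():
            findings.append(("body", host))
    return findings

# Constructed sample responses (not captured traffic).
LEAKY_HEADERS = {"Location": "https://gisserver.domain.com:6443/arcgis/rest/services/"}
LEAKY_BODY = '{"url": "https://gisserver.domain.com/arcgis/rest/services"}'
CLEAN_HEADERS = {"Location": rewrite_location(LEAKY_HEADERS["Location"])}
CLEAN_BODY = '{"url": "https://reverseproxy.domain.com/arcgis/rest/services"}'

if __name__ == "__main__":
    internal = ["gisserver.domain.com"]
    print(internal_host_leaks(LEAKY_HEADERS, LEAKY_BODY, internal))
    print(internal_host_leaks(CLEAN_HEADERS, CLEAN_BODY, internal))
```

Run the audit function against responses fetched through the reverse proxy URL after each configuration change; any finding means a redirect or response body still exposes the internal machine.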