
GGCE with IIS

Internet Information Services (IIS) can be used on Windows to terminate SSL and relay HTTP requests to the GGCE Docker containers, using the URL Rewrite and Application Request Routing (ARR) features:

  1. Install URL Rewrite.
  2. Install Application Request Routing. ARR depends on URL Rewrite. Ensure URL Rewrite is installed prior to installing ARR.

This adds a Server Farms option to IIS, where you'll define two Docker-backed server farms: one for the GGCE Web interface (ggce) and one for the GGCE API server (ggce-api):

IIS Server farms

Then you'll define routing rules that relay website traffic to these farms based on the HTTP_HOST header.

Let's start by opening the Internet Information Services (IIS) Manager by hitting the Start button and searching for "IIS".

Server Farms

info

The following steps assume that IIS and Docker are running on the same machine. If Docker is running on another computer, replace 127.0.0.1 with the name or IP of that machine.

GGCE API Server

GGCE API Server in Docker is directly accessible at http://127.0.0.1:8080 regardless of the friendly DNS name. You will register a new Server Farm in IIS with the name ggce-api with one server at 127.0.0.1 that listens on HTTP port 8080:

  1. Right click on "Server Farms" and select "Create Server Farm".
  2. In the "Specify Server Farm Name" dialog:
    • Give this farm the name ggce-api.
    • Click Next.
  3. In the "Add server" dialog:
    • Specify Server address 127.0.0.1 (for localhost).
    • Open Advanced Settings and specify httpPort 8080.
      Add server to farm
    • Click Add button (to add 127.0.0.1:8080 to the server list).
    • Click Finish button.
    • Click No on any following dialogs.

GGCE Web

GGCE Web in Docker is at http://127.0.0.1:3000. Add another Server Farm in IIS with the name ggce with one server at 127.0.0.1 that listens on HTTP port 3000:

  1. Right click on "Server Farms" and select "Create Server Farm".
  2. In the "Specify Server Farm Name" dialog:
    • Give this farm the name ggce.
    • Click Next.
  3. In the "Add server" dialog:
    • Specify Server address 127.0.0.1 (for localhost).
    • Open Advanced Settings and specify httpPort 3000.
      Same as above, but with port 3000!
    • Click Add button (to add 127.0.0.1:3000 to the server list).
    • Click Finish button.
    • Click No on any following dialogs.

At this point you should have two server farms declared in your IIS:

IIS Server farms

Routing traffic from IIS to GGCE

After setting up the backend server farms you need to declare a routing rule that will direct traffic from IIS to Docker.

Routing for GGCE API Server

  1. Select ggce-api server farm.
  2. Open "Routing rules":
    IIS Server farms
  3. Enable both Use URL rewrite... and Enable SSL offloading options and click URL Rewrite on the right, under Actions. Confirm that you want changes saved, if prompted:
    Enable URL Rewrite and SSL offloading
  4. Open the newly created routing rule:
    Open rule definition
  5. Use default "Match URL" configuration:
    • Requested URL: Matches the Pattern
    • Using: Wildcards
    • Pattern: *
  6. Expand "Conditions" and add:
    • Condition input: {HTTP_HOST}
    • Check if input string: Matches the Pattern
    • Pattern: Enter domain name for GGCE API (example uses ggceapi.in.croptrust.org):
      GGCE API rule condition
  7. Use default configuration in "Actions":
    GGCE API rule action
  8. Click Apply and go back to list of rules.

Routing for GGCE Web

Repeat the steps to add routing for GGCE Web server farm:

  1. Select ggce server farm.
  2. Open "Routing rules".
  3. Enable both Use URL rewrite... and Enable SSL offloading options and click URL Rewrite on the right, under Actions. Confirm that you want changes saved.
  4. Open the newly created routing rule.
  5. Use default "Match URL" configuration:
    • Requested URL: Matches the Pattern
    • Using: Wildcards
    • Pattern: *
  6. Expand "Conditions" and add:
    • Condition input: {HTTP_HOST}
    • Check if input string: Matches the Pattern
    • Pattern: Domain name for GGCE website ggce.in.croptrust.org
  7. Use default configuration in "Actions".
  8. Click Apply and go back to list of rules.

The resulting URL Rewrite configuration now has two rules for routing HTTP traffic to respective server farms:

URL Rewrite rules for GGCE

Test your configuration

Confirm that GGCE API is accessible through IIS at http://ggceapi.in.croptrust.org
and the Web at http://ggce.in.croptrust.org.

Enable HTTPS

The final step is to enable HTTPS by adding a new binding to the Default Web Site and adjusting the routing rule for https.

SSL Certificates

You can use an existing wildcard certificate or generate/import a new SSL certificate to IIS in Server Certificates.

Preparing certificate for import

In case you need to create the pfx certificate file required by IIS from .key and .pem (or .cer) files you can use:

openssl pkcs12 -export -in ggce.in.croptrust.org.pem -inkey ggce.key -out ggce.in.croptrust.org.pfx

Update Default Web Site bindings

  1. Edit bindings:
    Edit bindings
  2. Add binding for GGCE API:
    • Type: https
    • IP address: All Unassigned
    • Port: 443
    • Host name: Enter domain name for GGCE API (example uses ggceapi.in.croptrust.org)
    • Enable Require Server Name Indication (SNI)
    • SSL certificate: Select the certificate to use
      HTTPS binding
  3. Repeat the steps for GGCE Web:
    • Type: https
    • IP address: All Unassigned
    • Port: 443
    • Host name: Enter domain name for GGCE Web (example uses ggce.in.croptrust.org)
    • Enable Require Server Name Indication (SNI)
    • SSL certificate: Select the certificate to use

Test your configuration

Confirm that GGCE API is accessible through IIS at https://ggceapi.in.croptrust.org
and the Web at https://ggce.in.croptrust.org.

Update routing rules

IIS needs to be configured to add the X-Forwarded-Proto HTTP header to requests it forwards to the GGCE API, so that GGCE stays on https when redirecting:

  1. Select ggce-api server farm.
  2. Open "Routing rules":
    IIS Server farms
  3. Click URL Rewrite on the right.
  4. Open the existing routing rule for ggce-api.
  5. In section "Server variables" click Add and specify:
    • Server variable name: HTTP_X_FORWARDED_PROTO
    • Value: https
    • Enable Replace existing value
    • Click "OK"

The resulting Server variables category will now add the X-Forwarded-Proto: https header and ensure redirects stay secure:

Rule to add X-Forwarded-Proto

You may add the same setting to the rules for GGCE Web, but it is not a requirement.
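
For reference, the GUI steps above correspond to entries like the following in %windir%\System32\inetsrv\config\applicationHost.config. This fragment is an added illustration, not taken from the GGCE project; the rule names are an assumption (ARR normally names its rules ARR_FARMNAME_loadbalance) and may differ on your server.

```xml
<!-- Added illustration: fragment of applicationHost.config after the steps above.
     Rule names are assumed; host names and ports are the ones used in this guide. -->
<configuration>
  <webFarms>
    <webFarm name="ggce-api" enabled="true">
      <server address="127.0.0.1" enabled="true">
        <applicationRequestRouting httpPort="8080" />
      </server>
    </webFarm>
    <webFarm name="ggce" enabled="true">
      <server address="127.0.0.1" enabled="true">
        <applicationRequestRouting httpPort="3000" />
      </server>
    </webFarm>
  </webFarms>
  <system.webServer>
    <rewrite>
      <globalRules>
        <rule name="ARR_ggce-api_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <!-- Only requests whose Host header is the API name reach this farm -->
            <add input="{HTTP_HOST}" pattern="ggceapi.in.croptrust.org" />
          </conditions>
          <serverVariables>
            <!-- replace="true" overwrites any X-Forwarded-Proto value sent by the client -->
            <set name="HTTP_X_FORWARDED_PROTO" value="https" replace="true" />
          </serverVariables>
          <!-- SSL offloading: TLS ends at IIS, the farm is reached over plain HTTP -->
          <action type="Rewrite" url="http://ggce-api/{R:0}" />
        </rule>
        <rule name="ARR_ggce_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="ggce.in.croptrust.org" />
          </conditions>
          <action type="Rewrite" url="http://ggce/{R:0}" />
        </rule>
      </globalRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Comparing the live file against this shape is a quick way to confirm that each host name maps to the intended farm and that the forwarded-protocol header is set by IIS rather than passed through from the client.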

Update GGCE configuration

ggce.yml

While the two sites are now accessible, they will not communicate properly until the ggce.yml file is updated to reflect the new URLs!

Update only the following settings in your ggce.yml:

services:
  ggce-api:
    environment:
      - BASE_URL=https://ggceapi.in.croptrust.org
      - FRONTEND_URL=https://ggce.in.croptrust.org

  ggce-ui:
    environment:
      - API_URL=https://ggceapi.in.croptrust.org
      - ORIGIN=https://ggce.in.croptrust.org

After updating ggce.yml you need to apply the changes with:

docker compose -f ggce.yml up -d

Other Server Farm settings

You may wish to update the following settings of both Server Farms:

  1. Under "Caching":
    • Query string support: Do not cache.
  2. Under "Proxy":
    • Time-out: You may wish to increase the timeout to 300s.
    • Always disable Reverse rewrite host in response headers.

Server health check

You can optionally declare a health check for each individual server farm by adding http://localhost/robots.txt as the URL Test.

IIS Server farm health check