Reverse proxy

It is recommended to place both the FoxIDs site and the FoxIDs Control site behind a reverse proxy.

Reverse proxies

FoxIDs generally supports all reverse proxies. The following reverse proxies have been tested.

Azure Front Door

Azure Front Door can be configured as a reverse proxy. Azure Front Door rewrites domains by default.

Do NOT enable caching. The Accept-Language header is not forwarded if caching is enabled. The header is required by FoxIDs to support cultures.

Add an Azure Front Door endpoint for both the FoxIDs site and the FoxIDs Control site. Restrict access by requiring the X-FoxIDs-Secret HTTP header.
Disable Session affinity and optionally configure WAF policies.

Cloudflare

Cloudflare can be configured as a reverse proxy. However, Cloudflare requires an Enterprise plan to rewrite domains (host headers). Restrict access by requiring the X-FoxIDs-Secret HTTP header.

Azure Application Gateway

Azure Application Gateway can rewrite all domains if configured. The X-FoxIDs-Secret HTTP header can optionally be added to restrict access (recommended, depending on the infrastructure).

Optionally configure a rewrite rule to both require a secret and send a secret in an X-FoxIDs-Secret HTTP header. You could require an X-FoxIDs-Secret HTTP header if you have a reverse proxy in front of the Azure Application Gateway.
If requiring a secret, add a custom HTTPS health probe that passes the secret in the X-FoxIDs-Secret query parameter, /?x-foxids-secret=xxx, where xxx is the secret.

IIS ARR Proxy

Internet Information Services (IIS) Application Request Routing (ARR) Proxy requires a Windows server. ARR Proxy rewrites domains with a rewrite rule. The X-FoxIDs-Secret HTTP header can optionally be added to restrict access (recommended, depending on the infrastructure).

A rule that accepts all external domains can be configured. This example is a global rule; rules can also be added to websites.
Optionally, the rule can both require a secret (secret1) and send a secret (secret2) in an X-FoxIDs-Secret HTTP header. You could require an X-FoxIDs-Secret HTTP header if you have a reverse proxy in front of the ARR Proxy.

<globalRules>
    <rule name="my-rule-name" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
            <add input="{HTTP_X-FoxIDs-Secret}" pattern="... secret1 ..." ignoreCase="false" />
        </conditions>                                                
        <action type="Rewrite" url="https://my-foxids-installation.com/{R:1}" />
        <serverVariables>
            <set name="HTTP_X-ORIGINAL-HOST" value="{HTTP_HOST}" />
            <set name="HTTP_X-FoxIDs-Secret" value="... secret2 ..." />
        </serverVariables>
    </rule>
</globalRules>

Read HTTP headers

The FoxIDs site supports reading the forwarded client IP address from the following HTTP headers, in order of priority:

  1. CF-Connecting-IP
  2. X-Azure-ClientIP
  3. X-Forwarded-For

The FoxIDs site supports reading the custom domain (host name) from the reverse proxy in the following HTTP headers, in order of priority:

  1. X-ORIGINAL-HOST
  2. X-Forwarded-Host

The host header is only read if access is restricted by the X-FoxIDs-Secret HTTP header or the Settings__TrustProxyHeaders setting is set to true.

The FoxIDs site and the FoxIDs Control site support reading the HTTP/HTTPS scheme from the following HTTP headers, in order of priority, if the Settings__TrustProxySchemeHeader setting is set to true:

  1. X-Forwarded-Scheme
  2. X-Forwarded-Proto

Restrict access

Both the FoxIDs site and the FoxIDs Control site can restrict access based on the X-FoxIDs-Secret HTTP header.
The access restriction is activated by adding the Settings__ProxySecret setting with the secret.
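
The header priority and trust rules from the Read HTTP headers and Restrict access sections, modelled as an added Python example (not FoxIDs code). The function and dictionary names, the constant-time comparison, and returning None for a request without a valid secret are assumptions of this example.

```python
import hmac

# Header names and their priority order are taken from the lists above.
CLIENT_IP_HEADERS = ("CF-Connecting-IP", "X-Azure-ClientIP", "X-Forwarded-For")
HOST_HEADERS = ("X-ORIGINAL-HOST", "X-Forwarded-Host")
SCHEME_HEADERS = ("X-Forwarded-Scheme", "X-Forwarded-Proto")

def first_header(headers, names):
    """Return the first non-empty value among `names`, in priority order."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return next((lowered[n.lower()] for n in names if lowered.get(n.lower())), None)

def resolve_request(headers, connection, settings):
    """Hypothetical model: `connection` is what the socket saw, `settings`
    holds the Settings__* values without the prefix. Returns None when a
    configured proxy secret is missing or wrong (rejection is an assumption)."""
    secret = settings.get("ProxySecret")
    secret_ok = False
    if secret:
        presented = first_header(headers, ("X-FoxIDs-Secret",)) or ""
        # Constant-time comparison is this example's choice.
        secret_ok = hmac.compare_digest(presented.encode(), secret.encode())
        if not secret_ok:
            return None
    resolved = dict(connection)
    # Client IP headers are read as sent; the page describes no gating for them.
    resolved["client_ip"] = first_header(headers, CLIENT_IP_HEADERS) or resolved["client_ip"]
    # Host headers count only behind a validated secret or explicit trust.
    if secret_ok or settings.get("TrustProxyHeaders"):
        resolved["host"] = first_header(headers, HOST_HEADERS) or resolved["host"]
    if settings.get("TrustProxySchemeHeader"):
        resolved["scheme"] = first_header(headers, SCHEME_HEADERS) or resolved["scheme"]
    return resolved

# Constructed sample data (documentation address ranges, not captured traffic).
SETTINGS = {"ProxySecret": "constructed-secret", "TrustProxySchemeHeader": True}
CONN = {"client_ip": "203.0.113.9", "host": "origin.example.net", "scheme": "http"}
VIA_PROXY = {"X-FoxIDs-Secret": "constructed-secret", "X-Forwarded-For": "192.0.2.1",
             "X-Azure-ClientIP": "198.51.100.7", "X-Forwarded-Host": "login.example.com",
             "X-Forwarded-Proto": "https"}
DIRECT = {"X-Forwarded-Host": "login.example.com"}  # sent straight to the origin

if __name__ == "__main__":
    print(resolve_request(VIA_PROXY, CONN, SETTINGS))  # proxy values are used
    print(resolve_request(DIRECT, CONN, SETTINGS))     # None: secret missing
    print(resolve_request(DIRECT, CONN, {}))           # forwarded host ignored
```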
