Reverse proxy
It is recommended to place both the FoxIDs site and the FoxIDs Control site behind a reverse proxy.
Reverse proxies
FoxIDs generally supports all reverse proxies; the following reverse proxies have been tested.
Azure Front Door
Azure Front Door can be configured as a reverse proxy. Azure Front Door rewrites domains by default.
Do NOT enable caching. The Accept-Language header is not forwarded if caching is enabled. The header is required by FoxIDs to support cultures.
Add an Azure Front Door endpoint for both the FoxIDs site and the FoxIDs Control site. Restrict access by requiring the X-FoxIDs-Secret HTTP header.
Disable Session affinity and optionally configure WAF policies.
Cloudflare
Cloudflare can be configured as a reverse proxy, but Cloudflare requires an Enterprise plan to rewrite domains (host headers). Restrict access by requiring the X-FoxIDs-Secret HTTP header.
Azure Application Gateway
Azure Application Gateway can rewrite all domains if configured.
The X-FoxIDs-Secret HTTP header can optionally be added to restrict access (recommended depending on the infrastructure).
Optionally configure a rewrite rule to both require a secret and send a secret in an X-FoxIDs-Secret HTTP header. You could require an X-FoxIDs-Secret HTTP header if you have a reverse proxy in front of the Azure Application Gateway.
If requiring a secret, add a custom HTTPS health probe with the X-FoxIDs-Secret query parameter /?x-foxids-secret=xxx and the secret.
IIS ARR Proxy
Internet Information Services (IIS) Application Request Routing (ARR) Proxy requires a Windows server. ARR Proxy rewrites domains with a rewrite rule.
The X-FoxIDs-Secret HTTP header can optionally be added to restrict access (recommended depending on the infrastructure).
A rule that accepts all external domains can be configured. This example is a global rule; rules can also be added to websites.
Optionally both require (secret1) and send (secret2) a secret in an X-FoxIDs-Secret HTTP header. You could require an X-FoxIDs-Secret HTTP header if you have a reverse proxy in front of the ARR Proxy.
<globalRules>
  <rule name="my-rule-name" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
      <add input="{HTTP_X-FoxIDs-Secret}" pattern="... secret1 ..." ignoreCase="false" />
    </conditions>
    <action type="Rewrite" url="https://my-foxids-installation.com/{R:1}" />
    <serverVariables>
      <set name="HTTP_X-ORIGINAL-HOST" value="{HTTP_HOST}" />
      <set name="HTTP_X-FoxIDs-Secret" value="... secret2 ..." />
    </serverVariables>
  </rule>
</globalRules>
Read HTTP headers
The FoxIDs site supports reading the client IP address from the following HTTP headers, in order of priority:
CF-Connecting-IP
X-Azure-ClientIP
X-Forwarded-For
The FoxIDs site supports reading the custom domain (host name) from the reverse proxy in the following HTTP headers, in order of priority:
X-ORIGINAL-HOST
X-Forwarded-Host
The host header is only read if access is restricted by the X-FoxIDs-Secret HTTP header or the Settings__TrustProxyHeaders setting is set to true.
The FoxIDs site and FoxIDs Control site support reading the HTTP/HTTPS scheme if the Settings__TrustProxySchemeHeader setting is set to true. The scheme is read from the following HTTP headers, in order of priority:
X-Forwarded-Scheme
X-Forwarded-Proto
Restrict access
Both the FoxIDs site and the FoxIDs Control site can restrict access based on the X-FoxIDs-Secret HTTP header.
The access restriction is activated by adding the Settings__ProxySecret setting with the secret.
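The rules in "Read HTTP headers" and "Restrict access" can be modelled as below. This is an added illustration, not FoxIDs code: the function names, the fallback to the request's own Host header and the "rejected" result (None) are assumptions, and only the header names, their priority order and the three settings come from this page.

```python
import hmac

# Header priority lists as documented on this page.
CLIENT_IP_HEADERS = ("CF-Connecting-IP", "X-Azure-ClientIP", "X-Forwarded-For")
HOST_HEADERS = ("X-ORIGINAL-HOST", "X-Forwarded-Host")
SCHEME_HEADERS = ("X-Forwarded-Scheme", "X-Forwarded-Proto")


def first_header(headers, names):
    """Return the first non-empty header value in priority order (names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in names:
        value = lowered.get(name.lower(), "").strip()
        if value:
            return value
    return None


def resolve_request(headers, conn_scheme, proxy_secret=None,
                    trust_proxy_headers=False, trust_proxy_scheme_header=False):
    """Hypothetical model of the documented rules; returns None when access is refused."""
    secret_ok = False
    if proxy_secret:  # corresponds to Settings__ProxySecret being set
        sent = first_header(headers, ("X-FoxIDs-Secret",)) or ""
        # Constant-time comparison so the check does not leak the secret through timing.
        secret_ok = hmac.compare_digest(sent.encode(), proxy_secret.encode())
        if not secret_ok:
            return None  # missing or wrong secret: request did not come through the proxy

    # Assumption: when proxy headers are not trusted, the request's own Host header is used.
    host = first_header(headers, ("Host",))
    if secret_ok or trust_proxy_headers:  # Settings__TrustProxyHeaders
        host = first_header(headers, HOST_HEADERS) or host

    scheme = conn_scheme
    if trust_proxy_scheme_header:  # Settings__TrustProxySchemeHeader
        scheme = first_header(headers, SCHEME_HEADERS) or scheme

    return {
        "host": host,
        "scheme": scheme,
        # Returned as sent; parsing a multi-address X-Forwarded-For list is not modelled.
        "client_ip": first_header(headers, CLIENT_IP_HEADERS),
    }
```

The point of the gate is that a client reaching the origin directly cannot choose the tenant host name by sending its own X-ORIGINAL-HOST: without the proxy secret or an explicit trust setting, that header is ignored.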