A reverse proxy server is a computer that is deployed within a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet) that handles requests from the Internet and forwards them to the machines in your internal network. By forwarding requests, the reverse proxy server masks the identity of the machines behind your organization's firewall, thus protecting internal machines from being attacked directly by Internet users. Additional security functions can be implemented in the reverse proxy server to further protect your internal network from outside users.
If your reverse proxy server supports a health check function, you can use the ArcGIS Server health check endpoint to determine if the site is available to receive requests. This is useful to quickly determine if there's a software or hardware failure in the site. For more information, see Health Check in the ArcGIS REST API.
Adding ArcGIS Server to your reverse proxy server
Your organization's reverse proxy server can be configured to communicate either directly with ArcGIS Server or via the ArcGIS Web Adaptor by adding the corresponding URLs to the proxy directives.
For example, if you're using Apache as a reverse proxy server, you need to add the ArcGIS Server URL or the ArcGIS Web Adaptor URL to the ProxyPass directives in the Apache web server configuration file httpd.conf:
If communicating through ArcGIS Web Adaptor
ProxyPass /server https://gisserver.domain.com/server
ProxyPassReverse /server https://gisserver.domain.com/server
If directly communicating with ArcGIS Server
ProxyPass /arcgis https://gisserver.domain.com:6443/arcgis
ProxyPassReverse /arcgis https://gisserver.domain.com:6443/arcgis
If you're using a reverse proxy server and the URL to your site does not end with the default string /arcgis (all lowercase), you should also set the ArcGIS Server WebContextURL property. This helps ArcGIS Server construct the correct URLs on all resources it sends to the end user.
Note:
If you have configured ArcGIS Web Adaptor with your site, use the WebContextURL property to set the ArcGIS Server URL to match that of its ArcGIS Web Adaptor (such as /mygis). If there is no Web Adaptor configured, the site URL should end in /arcgis to avoid potential URL redirect issues.
- Log in to the ArcGIS Server Administrator Directory at https://gisserver.domain.com:6443/arcgis/admin as a user with administrator privileges.
- Click system > properties > update.
- In the Properties text box, insert the following JSON, substituting your own ArcGIS Server URL as seen by users outside your organization's firewall.
{ "WebContextURL": "https://gisserver.domain.com/mygis" }
- Click Update.
- Restart ArcGIS Server on each GIS server in the site. On Linux, this can be accomplished by executing the stopserver and startserver scripts located in the installation folder on each machine.
Reverse proxy headers and ArcGIS Server
When integrating your reverse proxy with ArcGIS Server or ArcGIS Web Adaptor, be aware that both of these components expect to see the following property set in the header sent by the reverse proxy server:
X-Forwarded-Host=<FQDN of reverse proxy server>
If this property is set in the header, ArcGIS Server and ArcGIS Web Adaptor will return requests to the reverse proxy server that match the reverse proxy server's URL. For example, a request to the ArcGIS Server Services Directory (https://reverseproxy.domain.com/arcgis/rest/services) will be returned to the client as the same URL.
If the X-Forwarded-Host header property is not set, ArcGIS Server and ArcGIS Web Adaptor may return the URL of the internal machine where the request was directed, for example, https://gisserver.domain.com/arcgis/rest/services instead of https://reverseproxy.domain.com/arcgis/rest/services. This is problematic, as clients will not be able to access this URL (commonly noted as a browser 404 error). Also, the client will have some knowledge about the internal machine.
When troubleshooting communication between clients and ArcGIS Server or ArcGIS Web Adaptor, Esri recommends you set the X-Forwarded-Host header property in the reverse proxy server, as this is a common cause of communication failures. The way you set this header varies depending on your reverse proxy server implementation. For example, Apache accomplishes this with the ProxyPreserveHost On directive within its configuration:
...
ProxyPreserveHost On
ProxyPass /server https://gisserver.domain.com/server
ProxyPassReverse /server https://gisserver.domain.com/server
...
For guidance on how to pass the original host header, see the product documentation for your reverse proxy server.