 

WCF behind a public reverse proxy which is used for traffic encryption

I have a Silverlight application that connects to a WCF service. Under the basic configuration I am used to, there's no problem connecting this application to its corresponding WCF service.

However, recently, one of my clients started using an Apache reverse proxy. This proxy is the public server and it's only used to encrypt HTTP traffic via SSL (HTTPS) going between the client and it. This proxy passes all traffic from it to the actual web server that hosts my application. The traffic between the public proxy and the IIS server is just plain HTTP.

So the traffic flows like this: End-User Browser ---HTTPS----> Public Reverse Proxy -----HTTP----> IIS server that hosts the WCF service.

The reverse proxy and IIS are on two separate servers.

I cannot get the Silverlight application to function properly. I am not sure how to configure the endpoints. I get problems whenever I use the public proxy's address as my endpoint address.

The Silverlight application usually has this configuration:

<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="BasicHttpBinding_IPOTemplateEditorSrv" maxBufferSize="2147483647"
                    maxReceivedMessageSize="2147483647">
                    <security mode="TransportWithMessageCredential" />
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="https://public-reverse-proxy-url/POTemplateEditorSrv.svc"
                binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IPOTemplateEditorSrv"
                contract="POEditorSrvRef.IPOTemplateEditorSrv" name="BasicHttpBinding_IPOTemplateEditorSrv" />
        </client>
    </system.serviceModel>
</configuration>

Note that I am using and I have my endpoint address pointing to the public HTTPS address of the reverse proxy.

Am I missing anything? Is there any additional information to configure the proxy perhaps? Any workarounds that would get my Silverlight client to connect to the service?

asked Aug 28 '12 19:08

Zaki Saadeh


1 Answer

Perhaps this answer is a little too obvious, but it simply sounds like the WSDL is advertising an internal host name as the WCF address, when that address is not the actual public one. Because IIS is generating the WSDL, it will simply use its host name in the endpoint addresses, which is not what you want; you want the proxy's address.

Try creating a static copy of your WSDL file, and publish that on your web server. Make sure you replace ALL REFERENCES to the internal host name, with the public proxy host name. Then modify your WCF client config to point to the static WSDL. You can find a short explanation here: Supply a different endpoint address in the WSDL of a WCF web service

If that doesn't work, try using a sniffer (Wireshark) to capture what is being sent back and forth. Disabling HTTPS might be a piece you need to remove from the equation. Your web service request appears to be SENT to the proxy, but the proxy is not able to handle the request properly: the perfect scenario to try out your sniffing tools.

When you make a direct request to your SVC using a web browser, the request will look something like this:

GET /POTemplateEditorSrv.svc HTTP/1.1
Host: public-reverse-proxy-url

But when sent via Silverlight, it may look like this:

GET /POTemplateEditorSrv.svc HTTP/1.1
Host: private-server-address

This could be a subtle enough difference to upset the proxy.

answered Oct 28 '22 21:10

Adam
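
The answer's advice to replace every internal host name in a static WSDL copy can be checked mechanically. The following is an added example, not code from the original question or answer: it lists every address in a WSDL that does not point at the public proxy and rewrites those addresses to the proxy's HTTPS URL. The host name `iis-internal-01`, the sample WSDL and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed WSDL as it might be generated behind the proxy.
# "iis-internal-01" is a made-up internal host name (assumption).
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  targetNamespace="http://tempuri.org/">
  <wsdl:types>
    <xsd:schema targetNamespace="http://tempuri.org/Imports">
      <xsd:import schemaLocation="http://iis-internal-01/POTemplateEditorSrv.svc?xsd=xsd0"
                  namespace="http://tempuri.org/"/>
    </xsd:schema>
  </wsdl:types>
  <wsdl:service name="POTemplateEditorSrv">
    <wsdl:port name="BasicHttpBinding_IPOTemplateEditorSrv">
      <soap:address location="http://iis-internal-01/POTemplateEditorSrv.svc"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

# Attributes that carry addresses a client will follow (endpoints, imports).
URL_ATTRS = ("location", "schemaLocation")

def internal_references(wsdl_text, public_host):
    """Return (tag, attribute, url) for every address not on the public host."""
    hits = []
    for elem in ET.fromstring(wsdl_text).iter():
        for attr in URL_ATTRS:
            url = elem.get(attr)
            # Relative URLs have no host and are left alone.
            if url and urlsplit(url).hostname not in (None, public_host):
                hits.append((elem.tag.split("}")[-1], attr, url))
    return hits

def rewrite_for_proxy(wsdl_text, public_host):
    """Point every flagged URL at https://public_host, keeping path and query."""
    for _, _, url in internal_references(wsdl_text, public_host):
        parts = urlsplit(url)
        fixed = urlunsplit(("https", public_host, parts.path, parts.query, ""))
        wsdl_text = wsdl_text.replace('"%s"' % url, '"%s"' % fixed)
    return wsdl_text

if __name__ == "__main__":
    for tag, attr, url in internal_references(SAMPLE_WSDL, "public-reverse-proxy-url"):
        print("%s/@%s -> %s" % (tag, attr, url))
```

Running `internal_references` again on the rewritten text should return an empty list before the static copy is published.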