Portal and Reverse Proxy: Too Many Redirect Errors

IrfanClemson · ‎01-21-2019

Hello,

I have not been able to find step by step directions for ArcGIS for Portal and Reverse Proxy which uses IIS as a server. I have a setup in place which mostly work but fails at one critical point. Here's the setup:

1) Reverse Proxy Server (Windows) with static IP address accessible from the outside (only ports 80/443 allowed in).

2) An internal machine ('GIS') which has ArcGIS for Portal and Server installed along with their respective Web Adaptors ('portal' and 'arcgis' respectively).

3) The Portal also has WebContextURL of like 'https://gis.mydomain.com/portal'

4) The RP server has a couple of URL Rewrite entries--basically, direct to Server Farm which has the 'GIS' machine.

5) A proper SSL certificate is install as gis.mydomain.com in the IIS of both the RP server and the 'GIS' server.

So far this setup works great: I am able to access all content from the outside, such as https://gis.mydomain.com/portal/home and Gallery etc. But clicking on the Signup link in the Portal home page generates a browser error: Too Many Redirects (Header of 302). So the header being passed backed from the internal machine is 302 instead of 200.

I don't know what's happening. Maybe some extra security comes in picture when the signup.html page is called?

Any idea?

Thanks!

Irfan

*** Update: Reverse Proxy Rules Screen Cap Added in this Question***

JonathanQuinn · ‎01-24-2019

Are you using ARR and the URL Rewrite module? Are you adding the X-Forwarded-For header?

What exact URL is it redirecting to? I understand it's not https://gis.mydomain.com/portal, but is it the internal machine name for Portal?

I agree that we should update the documentation to cater to the most likely scenario: Apache for Linux and IIS for Windows. We don't provide step by steps instructions for any of the load balancers/reverse proxies as we rely on the load balancer or reverse proxy documentation instead. We provide information on what our software expects, (such as an HTTPS binding and X-Forwarded-For header).

In this particular case, if there is a setting that would help resolve the redirect, we'll look into if it's appropriate to add to the documentation.

IrfanClemson · ‎01-24-2019

Thank you.

Yes,we have the ARR module also installed but no Proxy is set there and so I am not sure if ARR is even doing anything. The URL Rewrite module has a few rules, as in my Question above.

I am not sure how to set the X-Forwarded-Headers in IIS?

Yes, the https://gis.mydomain.com/signin.html does get directed properly to the internal server's IIS--I can see that in the internal server's IIS logs with a bunch of entries like https://gis.mydomain.com/signin.html with code of 302; I believe the same response is seen in the browser.

I think I am close: Except for the signin.html (and the PortalAdmin page) every part of the Portal is accessible which doesn't require a login.

Yes, please look into it. It should not be hard to duplicate the environment for ESRI and come up with instructions. We have no other issues setting up other Reverse Proxy rules for ArcGIS Servers using IIS and URL Rewrite.

Thanks!

EricMoody · ‎01-27-2019

Count me in as well. We are using a load balancer and everything works on the internal addresses. However when trying to hit the site externally Portal Home comes up fine but as soon as you hit Sign In we get the dreaded ERR_TOO_MANY_REDIRECTS. Not sure what could be wrong, we have the WebContextURL set in portaladmin, we have tried multiple configuration settings in portaladmin for the WA URL. I agree it would be nice if Esri could provide some more context as to exactly what the software needs configured on a Load Balancer to work properly.

JonathanQuinn · ‎01-28-2019

What load balancer are you using?

IslamSaeed1 · ‎03-05-2019

Hi,

i am having the same when trying to sign in to portal it gives me the same message "too Many redirects" , so is there any resolution for this issue . my environment is a "HA" ArcGIS Enterprise with two web adaptor machines behind a load balancer deployed on Azure

JonathanQuinn · ‎01-28-2019

If you reach the Portal home page over https and then click sign in, does that help at all?

I set up ARR with URL Rewrite and I find that if I reach a URL that Portal will redirect to HTTPS, ARR will redirect indefinitely. For example, the sign in page requires HTTPS. If I reach the Portal home page over http and then click Sign In, I'm redirected indefinitely. If i reach the Portal home page over HTTPS, then I don't see a problem.

IrfanClemson · ‎01-28-2019

Thank you. My Portal is set to only allow HTTPS and, yes, I reach the portal homepage via https://gis.mydomain.com/portal and then click on the Signin page, upon which I see the redirects. I hope I understood your question correctly.

IrfanClemson · ‎02-01-2019

Also, if I go to the http version of the Portal home page and click on Signin link then the same error happens: ArcGIS Portal insists on redirecting to the httpS page, this is despite me turning off SSL required in the Security page of the Portal (via the Portal's public interface). FYI.

Thanks

JonathanQuinn · ‎02-01-2019

Portal requires you to sign in over HTTPS. There's no avoiding that, unfortunately. Configuring Portal to not require SSL only means that most other pages can be accessed via HTTP or HTTPS.

I see the redirect you're talking about only in the situation where I reach the home page over HTTP and then click Sign In. I don't see any issues if I reach the home page over HTTPS and then click Sign In. I'm still investigating.

JonathanQuinn · ‎02-06-2019

Well, I had to rebuild the environment and don't see a redirect anymore. Not sure what's changed. Below are my settings:

Rewrite rules:

I disabled the default rule created.

Proxy settings:

Note that X-Forwarded-For is equivalent to X-Forwarded-Host:

Portal re-write rule:

Server re-write rule:

The Web Context URL is set to https://pub.acme.com/portal for Portal and https://pub.acme.com/server for Server:

Do any of your settings seem different?