Odd reverse proxy behaviour

[grester]

I've setup reverse proxies before without much trouble, however with IPC is only working partially.
Basically I've managed to login and reach ASF UI dashboard. I can load and see the command page console.
I can also load directly the /API. I was having 401 errors, but I shortcut it to avoid the need for the password query param, and I add it internally in the proxy rule whenever /api/* is accessed.
But acessing ASF config, or a bot config, it fails to load the form, is just a en empty page/form. If I try to download the raw config, it just downloads an empty file so the request for the configs isn't working I guess.
What does possibly differ in these specific requests? F12 isn't catching them very well but I get several alleged 404 in certain api/type/ArchiSteamFarm.Steam.Storage.BotConfig+ requests.
I've noticed in the apache example you have a rule for a ws: and not just a http: , could it be it? I've tested adding a ws: but it just makes it worse tbh.
I'm using IIS but the logic should be understandable:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpRedirect enabled="false" destination="" exactDestination="true" httpResponseStatus="Permanent" />
        <rewrite>
            <rules>
                <clear />
				<rule name="ReverseProxyInboundRule3" stopProcessing="true">
                    <match url="api/(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                        <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
                    </serverVariables>
                    <action type="Rewrite" url="ws://127.0.0.1:1242/api/{R:1}?password=abc123" />
                </rule>
                <rule name="ReverseProxyInboundRule2" stopProcessing="true">
                    <match url="api/(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                        <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
                    </serverVariables>
                    <action type="Rewrite" url="http://127.0.0.1:1242/api/{R:1}?password=abc123" />
                </rule>
                <rule name="ReverseProxyInboundRule" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                        <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
                    </serverVariables>
                    <action type="Rewrite" url="http://127.0.0.1:1242/{R:1}" />
                </rule>
            </rules>
            <outboundRules>
                <clear />
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                    <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
				<rule name="ReverseProxyOutboundRule3" preCondition="ResponseIsHtml" patternSyntax="Wildcard" stopProcessing="true">
                    <match serverVariable="RESPONSE_LOCATION" pattern="^ws://127.0.0.1:1242/api/(.*)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <action type="Rewrite" value="ws://my.domain.com/api/{R:1}" />
                </rule>
                <rule name="ReverseProxyOutboundRule2" preCondition="ResponseIsHtml" patternSyntax="Wildcard" stopProcessing="true">
                    <match serverVariable="RESPONSE_LOCATION" pattern="^http://127.0.0.1:1242/api/(.*)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <action type="Rewrite" value="https://my.domain.com/api/{R:1}" />
                </rule>
                <rule name="ReverseProxyOutboundRule" preCondition="ResponseIsHtml" patternSyntax="Wildcard" stopProcessing="true">
                    <match serverVariable="RESPONSE_LOCATION" pattern="^http://127.0.0.1:1242/(.*)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <action type="Rewrite" value="https://my.domain.com/{R:1}" />
                </rule>
                <preConditions>
					<remove name="ResponseIsHtml" />
                    <preCondition name="ResponseIsHtml">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
					<remove name="NeedsRestoringAcceptEncoding" />
					<preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

[JustArchi]

ws rule is only for /Api/NLog. I have reverse proxy with nginx myself and it works properly, which means your config is most likely incorrect, or it's some IIS-specific issue. I'm not using IIS myself so there is very little help I can provide here.

Most likely your reverse proxy has problem forwarding + character in the query params, you can try to google whether there is any help in regards to that. It's definitely not working properly since ASF-ui can't load the definition for global/bot config and the necessary types - 404 suggests that your proxy is trying to load something else than in reality.

There is an opion for you to use Debug: true in order to make Kestrel more verbose, then you might find what request exactly the IPC is receiving and why it's 404, you can compare it with proxyless setup. Refer to ASF global config for more info.

[grester]

Found a solution and it ended up being rather simple. IIS has a security feature regarding "double escaping", the quickest workaround is to open configuration editor and change to True the property system.webServer/security/requestFiltering@allowDoubleEscaping.
Ideally I think the matching pattern and server variables used could be improved but it works this way.

If you want you can add my following example to the documentation. It already includes the allowDoubleEscape config. The only warning you need to give is that IIS users need to make sure the website has the server variables configured, otherwise the web.config in itself is useless. In my example are: HTTP_X_ORIGINAL_ACCEPT_ENCODING, HTTP_ACCEPT_ENCODING, HTTP_X_FORWARDED_FOR, RESPONSE_LOCATION.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpRedirect enabled="false" destination="" exactDestination="true" httpResponseStatus="Permanent" />
        <rewrite>
            <rules>
                <clear />
                <rule name="ReverseProxyInboundRule2" stopProcessing="true">
                    <match url="api/(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                        <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
                    </serverVariables>
                    <action type="Rewrite" url="http://127.0.0.1:1242/api/{R:1}" />
                </rule>
                <rule name="ReverseProxyInboundRule" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                        <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
                    </serverVariables>
                    <action type="Rewrite" url="http://127.0.0.1:1242/{R:1}" />
                </rule>
            </rules>
            <outboundRules>
                <clear />
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                    <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <rule name="ReverseProxyOutboundRule2" preCondition="ResponseIsHtml" patternSyntax="Wildcard" stopProcessing="true">
                    <match serverVariable="RESPONSE_LOCATION" pattern="^http://127.0.0.1:1242/api/(.*)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <action type="Rewrite" value="https://asf.mydomain.com/api/{R:1}" />
                </rule>
                <rule name="ReverseProxyOutboundRule" preCondition="ResponseIsHtml" patternSyntax="Wildcard" stopProcessing="true">
                    <match serverVariable="RESPONSE_LOCATION" pattern="^http://127.0.0.1:1242/(.*)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <action type="Rewrite" value="https://asf.mydomain.com/{R:1}" />
                </rule>
                <preConditions>
					<remove name="ResponseIsHtml" />
                    <preCondition name="ResponseIsHtml">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
					<remove name="NeedsRestoringAcceptEncoding" />
					<preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
        <security>
            <requestFiltering allowDoubleEscaping="true" />
        </security>
    </system.webServer>
</configuration>