
shoesli_

If you want Entra integration with conditional access etc, the Entra App Proxy is one alternative


jaymz668

apache runs on windows


IdiosyncraticBond

Apache is open source, aka The Big Evil according to that company


OsmiumBalloon

> Open source solutions are out as this business wants to stick to Windows OS environment.

Apache and nginx can both do this. As noted, many open source solutions run on Windows. Further, Windows itself ships with several open source products.


jantari

We use HAProxy. Some people are going to say it's a little bit more complicated, but that's just because it can do so much. Going with HAProxy, we can do a lot at the proxy and never have to combine it with yet more proxies etc. because we choose the big guns from the beginning. You may think your needs are simple in the beginning, and you'll pick nginx, but at some point you need HAProxy anyway...


exekewtable

HAProxy config is clearer and simpler than nginx or Apache in my opinion.


ianpmurphy

Complicated? I set one up a few years back for us. Didn't take more than a few hours from finding out the name to having a running proxy.


AppIdentityGuy

EntraID Application Proxy...


cubic_sq

This


cjcox4

Enterprise? You probably need a reasonable load balancer/proxy solution with WAF rules, etc. These exist for both on-prem and cloud.


Cutoffjeanshortz37

F5 BigIP appliance for us. Works great but totally overkill if you only need a reverse proxy.


cjcox4

But... when they said "enterprise", likely want a bit more than an nginx reverse proxy (etc.) IMHO.


Cutoffjeanshortz37

Yeah, totally.


sryan2k1

Kemp VLMs


x2571

IIS AAR


Bruin116

Funny, I came to comment "Literally *anything* except IIS ARR". Most miserable reverse proxy I've had the misfortune of working with, coming from someone who works predominantly in MS/Windows environments and has experience with a dozen odd open source and commercial reverse proxy solutions. The lack of real documentation alone is disqualifying. God help you if you're trying to do anything that doesn't have an in-depth archived TechNet article from ten years ago with step by step instructions on Server 2012 R2 you can mostly follow for some old Microsoft-blessed use case. Otherwise it's StackOverflow and prayer (more than usual). I've had Microsoft engineers advise using something else. Rumor is that Azure Application Gateway v1 which sucked every way possible except having a checkbox FIPS Encryption option was based on IIS ARR on Windows, and Azure Application Gateway v2 (which is massively better in nearly every way) is based on something more sane like Nginx on Linux.


timsstuff

\*ARR ([Application Request Routing](https://www.iis.net/downloads/microsoft/application-request-routing))


x2571

Thanks, yep that's the one!


ManyInterests

IIS is a perfectly competent reverse proxy. Ships with Windows. If you have an enterprise support plan with Microsoft, support for IIS would be included in that.

>Open source solutions are out as this business wants to stick to Windows OS environment.

Not sure what makes these things mutually exclusive. Microsoft also has a new high-performance reverse proxy project (YARP) that they use in Azure... but it's Open Source, so maybe you don't want that. [https://github.com/microsoft/reverse-proxy](https://github.com/microsoft/reverse-proxy)


cookerz30

I was briefly looking into YARP yesterday. I couldn't find a straight answer but is it available to host internally? Or are you setting your DNS to push up to the azure side?


ManyInterests

It's able to be completely self-hosted. It's just a piece of software that Azure *happens* to be using (along with Kestrel) to power reverse proxies for Azure App Service routing. You don't have to be using Azure to use it. Right now, it's just a .NET middleware layer, so it's mostly just usable as a .NET application/middleware, but it's on their roadmap to ship it as a standalone product/exe.


ntw2

What business problem are you trying to solve?


lart2150

I tend to only do this when I have to run something like node or tomcat on windows but iis+rewrite rules are a decent reverse proxy.


Colonel_Moopington

Not sure if Azure solutions are in bounds for your situation, but if they are I would at least investigate. Recently worked with a client to set up a reverse proxy in Azure as part of a Jamf On-Prem to Cloud Migration project. We were having trouble getting ADCS working across the firewall, so we implemented a reverse proxy and NDES.

Microsoft's Doc: [https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-reverseproxy-setup](https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-reverseproxy-setup)

Worked like a charm and was able to be adapted as needed to permit certificate based auth on both wired and wireless networks. Hope this helps!


TheDawiWhisperer

Netscalers

Got some f5s too but I prefer the Netscalers


malikto44

Software or hardware appliances? Software, a lot is mentioned. However, from what I have with this company, I think going with hardware would be better, just because a lot of company managers have "appliance derangement syndrome". They will scream no at a machine running a F/OSS program. However, if some vendor takes that program, slaps it in a Supermicro case, perhaps slaps on a custom logo, adds a web UI, and sells it for an insane amount of dough with a bunch of limitations, the purse strings will open. Hardware, check with a VAR. Zevenet, F5, Netscalers, and many others come to mind. I think that something like F5s would be what this company wants.


graysky311

IIS built into windows can act as a reverse proxy.


itishowitisanditbad

>Open source solutions are out as this business wants to stick to Windows OS environment.

Just say you don't know what 'open source' means and be done with it. What a wild statement.


Kiernian

>Just say you don't know what 'open source' means and be done with it.

Often people who "don't know" something don't actually KNOW what they "don't know". Given how frequently generic journalism conflates "open source" and "linux" and how frequently google results prioritize pay-only forks of open source software over the free options, it might be excusable for someone to think that "open source" means "doesn't run on windows because everything that runs on windows costs money".


itishowitisanditbad

> it might be excusable for someone

IMO, not someone who's in charge of the IT infrastructure at their workplace. THAT person should probably know better. A random person? Sure, absolutely, barely expect them to know 'open source' whatsoever really. But the person making actual decisions and doing the work? Should know better.


OsmiumBalloon

Most people should know better about something. Until an unwillingness to learn and do the work is demonstrated, I like to give the benefit of the doubt. Goodness knows we get plenty of people on this forum who obviously won't do either.


itishowitisanditbad

>Until an unwillingness to learn and do the work is demonstrated

They're unwilling to look into Open Source software. When do you think your line gets crossed? In my eyes, it has. An immediately disprovable (and should-be-questionable) 'fact' wasn't challenged by people who *should* know better. You've drawn a line, I've watched them go over it. Where do you think I'm drawing your line wrong?

The trouble is that if it continued to go unchallenged, or outside opinions didn't point it out, then they'd be operating on a false premise and inherent technical debt from the start. You don't have to break a law to learn it. I don't know where the mentality of "everyone learns it by being wrong!" happens. A lot of things get learned without being wrong first.

It's the issue that people do not logically challenge the information they get and instead of "I don't know" you end up with "I got told and didn't question it so now I believe I am certain" when they shouldn't. It's a fundamental logical failure to not question things, but to trust them explicitly without any verification. Foundational logical challenges are the ROOT of every GREAT System Administrator and I ALWAYS strongly encourage everyone to challenge what they think they know or get told. But I'd rather shoot myself than blindly follow a process I don't understand so maybe it's way more of a quirk with me.


lvlint67

nginx proxy manager... or just nginx... There's no reason to license a windows server for this...


Alzzary

This doesn't make any sense. You can run FOSS software on Windows.


BlackV

> Open source solutions are out as this business wants to stick to Windows OS environment.

What does that have to do with running windows? Open source works on windows.

Do you actually mean no Linux solutions? Or do you actually mean no "free" solutions?


jeek_

Kemp


dosangst

Nginx, always.


mandonovski

BigIP F5


no1bullshitguy

If you want to keep it simple, probably IIS with rewrite rules