DEV Community

Bruce Axtens
Bruce Axtens

Posted on

Reverse Proxying Facebook

Every time I figure out how to do something new, my manager comes along and starts "kicking out the tent walls a bit further." That happened today with me demonstrating a reverse proxying technique using IIS. No sooner had I demonstrated it working with one client, and almost working with another, that he asked, "Can we reverse proxy a Facebook site?"

So we wound up another subdomain on our server and pointed it at using the following web.config. (Redacted slightly for security's sake.):

<?xml version="1.0" encoding="UTF-8"?>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="{R:1}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
        <rule name="Capture Http Origin Header">
          <match url=".*" />
            <add input="{HTTP_ORIGIN}" pattern=".+" />
            <set name="HTTP_X_HTTP_ORIGIN" value="{C:0}" />
          <action type="None" />
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Form, Img" pattern="^http(s)?://*)" />
          <action type="Rewrite" value="http{R:1}://{R:2}" />
        <rule name="Rewrite X-Frame-Options" enabled="true" patternSyntax="Wildcard">
          <match serverVariable="RESPONSE_X-Frame-Options" pattern="*" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <action type="Rewrite" />
        <rule name="Set-Access-Control-Allow-Origin for known origins" enabled="true">
          <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern=".+" negate="true" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <action type="Rewrite" value="{HTTP_X_HTTP_ORIGIN}" />
        <rule name="Restore Accept Encoding" preCondition="Needs to Restore Original Accept Encoding" enabled="true">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          <preCondition name="Needs to Restore Original Accept Encoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".*" />
Enter fullscreen mode Exit fullscreen mode

Now I can have an html file with an iframe in it with an src of "" and have Facebook at that site appear in the iframe without the usual CORS-related notifications.

It's certainly not perfect and the manager, after an initial whoop of delight, is now not so happy. And why? Because the site in the iframe doesn't pick up the Facebook login details from any of the other browser windows.

So now I have to figure out if that is even possible.

Clues anyone?

Top comments (1)

fraybabak profile image

for practice you should try modlishka reverse proxy .