Score:0

Bad Gateway 502.3 error when using ARR in IIS


We are experiencing issues with ARR configuration when trying to proxy requests to an external web site. Our server configuration is as follows:

  1. Web server with IIS 7.5 that we control. It runs a few web sites, all via HTTPS only
  2. Our customer's web site, which we cannot control and whose configuration we cannot change. Their domain name, for the sake of this discussion, being https://www.parashka.com

We need our server to accept requests to a specific subdomain that we control, namely https://gateway.muciacio.net, and forward them to the customer's web site https://www.parashka.com. It is also available via HTTPS only.

For this I created a new web site node in IIS, bound it to gateway.muciacio.net via HTTPS, and adjusted the ARR/URL Rewrite rule as follows:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="https://www.parashka.com/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>   
</configuration>

And now I am getting an HTTP 502.3 Bad Gateway error. Failed Request Tracing also shows that it's caused by the error with code 2147954575 (0x80072F8F), which I believe is ERROR_WINHTTP_SECURE_FAILURE.

Interestingly, if I configure ARR to forward requests to the site on our own server, e.g. replace action entry with this one:

<action type="Rewrite" url="https://customerX.muciacio.net/{R:1}" />

then the error is gone and all works as expected.

On the other hand, if I retarget ARR to some well-known site, say stackoverflow:

<action type="Rewrite" url="https://stackoverflow.com/{R:1}" />

then the same error 2147954575 appears again, which makes me think that the customer's web site is not to blame and that something is wrong at our end.

On the Internet I found a few vague comments pointing to the requirement of having the same SSL certificate on both web servers. However, it makes no sense at all in our context since the servers are different domains and controlled by different organizations.

Also please note that our server is Windows Server 2008 R2 (no chance to upgrade soon, can't do much with it).

Jaromanda X:
I've seen a lot of references to "self signed certificates" with that error - or some other issue with your certificate
Mooh:
neither our nor our customer's certificate is self-signed, both are coming from a reputable CA (godaddy, digicert)
Lex Li:
You might have to use tools like Wireshark to analyze the failed TLS handshakes and see what might be the cause. End-of-life Windows releases might experience all kinds of issues, so even if you find the culprit you might not be able to fix that on your own.
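A narrower first step than a packet capture, added here as an example and not part of the thread: run this PowerShell script on the proxy host to try a handshake with the upstream once per protocol version, report whether this host trusts the returned chain, and dump the Schannel client switches that govern what WinHTTP will offer. It assumes .NET Framework 4.5 or later is installed (so that SslProtocols::Tls12 exists) and takes the upstream host name as a parameter.

```powershell
# Added diagnostic for the 502.3 / 0x80072F8F case above (not the OP's code).
# Assumes .NET Framework 4.5+ on the proxy host; run it from the proxy itself.
param([string]$Upstream = 'www.parashka.com', [int]$Port = 443)

# Accept any certificate during the handshake so that a failure here means a
# protocol/cipher mismatch; trust in the chain is evaluated separately below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    $proto = [System.Security.Authentication.SslProtocols]$name
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Upstream, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        # Offer exactly one protocol version; no client cert, no revocation check here.
        $ssl.AuthenticateAsClient($Upstream, $null, $proto, $false)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)        # $true only if this host can build a trusted chain
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $fields  = @($name, $ssl.SslProtocol, $ssl.CipherAlgorithm, $trusted, $status, $cert.Issuer)
        '{0,-5} OK   negotiated={1} cipher={2} chainTrusted={3} {4} issuer={5}' -f $fields
    } catch {
        '{0,-5} FAIL {1}' -f $name, $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Close() }
        if ($tcp) { $tcp.Close() }
    }
}

# Schannel client-side switches on this proxy host. A missing key means the
# OS default for that protocol applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($name in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $base "$name\Client"
    if (Test-Path $key) {
        $v = Get-ItemProperty -Path $key
        '{0,-8} Enabled={1} DisabledByDefault={2}' -f $name, $v.Enabled, $v.DisabledByDefault
    } else {
        '{0,-8} (no Client key; OS default applies)' -f $name
    }
}
```

The chain check runs under the logged-on user's certificate stores, whereas ARR validates under the application pool identity, so a chainTrusted=False result is a strong hint but an all-True result does not by itself clear the proxy. Comparing the per-version results for the customer's host with those for a host that works (customerX.muciacio.net in the question) separates a protocol-version problem from a certificate-trust problem.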