Problem redirecting HTTPS site in iis8.5 / url rewrite 3

Posted on 2016-10-15
Last Modified: 2016-11-17
Hi all,

I really could use some help from the experts out there...

We use a reverse proxy to publish several http sites to the outside world, all are running fine.

Now I need to give access to an internal HTPPS site.

- internal HTTPS site (https://tobadata.internal.lan)  is accessible from the reverse proxyserver running urlrewrite 3.0, all certifcates are OK, no errors
- certificate for the external url ( is installed on the rproxy server
- certificate is bound to the specific webserver running on the rproxy server.

I have copied the simple basic rule I normally use for my HTTP sites

                <rule name="ReverseProxyInboundRule1" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                        <add input="{HTTPS}" pattern="On" />
                    <action type="Rewrite" url="https://tobadata.internal.lan/{R:0}" />

When using this setup, I'm getting an error "502 - Webserver received an invalid response while acting as a gateway or proxy server"

I have enabled failed request tracing, capturing 502 errors, but this isn't helping me, since it seems that the rewrite rule works as expected?

1. GENERAL_REQUEST_START SiteId="2", AppPoolId="ess", ConnId="1610612741", RawConnId="0", RequestURL="", RequestVerb="GET" 14:36:04.272
2. GENERAL_ENDPOINT_INFORMATION RemoteAddress="", RemotePort="53751", LocalAddress="", LocalPort="443" 14:36:04.288
3. GENERAL_REQUEST_HEADERS Headers="Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Encoding: gzip, deflate
Accept-Language: nl-BE
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
" 14:36:04.288
4. GENERAL_GET_URL_METADATA PhysicalPath="", AccessPerms="513" 14:36:04.288
5. HANDLER_CHANGED OldHandlerName="", NewHandlerName="StaticFile", NewHandlerModules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule", NewHandlerScriptProcessor="", NewHandlerType="" 14:36:04.288
6. URL_REWRITE_START RequestURL="/", Scope="Distributed", Type="Inbound" 14:36:04.288
7. RULE_EVALUATION_START RuleName="ReverseProxyInboundRule1", RequestURL="", QueryString="", PatternSyntax="Wildcard", StopProcessing="true", RelativePath="/" 14:36:04.288
8. PATTERN_MATCH Pattern="*", Input="", Negate="false", Matched="true" 14:36:04.288
9. CONDITIONS_EVALUATION_START LogicalGrouping="MatchAll" 14:36:04.288
10. CONDITION_EVALUATION Input="{HTTPS}", ExpandedInput="on", MatchType="Pattern", Pattern="On", Negate="false", Succeeded="true" 14:36:04.288
11. CONDITIONS_EVALUATION_END Succeeded="true" 14:36:04.288
12. REWRITE_ACTION Substitution="https://tobadata.internal.lan/{R:0}", RewriteURL="https://tobadata.internal.lan/", AppendQueryString="true", LogRewrittenURL="false" 14:36:04.288
13. RULE_EVALUATION_END RuleName="ReverseProxyInboundRule1", RequestURL="https://tobadata.internal.lan/", QueryString="", StopProcessing="true", Succeeded="true" 14:36:04.288
14. GENERAL_SET_REQUEST_HEADER HeaderName="X-Original-URL", HeaderValue="/", Replace="true" 14:36:04.288
15. URL_CHANGED OldUrl="/", NewUrl="https://tobadata.internal.lan/" 14:36:04.288
16. URL_REWRITE_END RequestURL="https://tobadata.internal.lan/" 14:36:04.288
17. USER_SET AuthType="", UserName="", SupportsIsInRole="true" 14:36:04.288
18. HANDLER_CHANGED OldHandlerName="StaticFile", NewHandlerName="ApplicationRequestRoutingHandler", NewHandlerModules="ApplicationRequestRouting", NewHandlerScriptProcessor="", NewHandlerType="" 14:36:04.288
19. GENERAL_SET_REQUEST_HEADER HeaderName="Max-Forwards", HeaderValue="10", Replace="true" 14:36:04.288
20. GENERAL_SET_REQUEST_HEADER HeaderName="Host", HeaderValue="tobadata.internal.lan", Replace="true" 14:36:04.288
21. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-For", HeaderValue="", Replace="true" 14:36:04.288
22. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-SSL", HeaderValue="4096|256|C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 2 IV Server CA|C=BE, S=OV, L=RN, SN=DM, G=T,", Replace="true" 14:36:04.288
23. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-ClientCert", HeaderValue="", Replace="true" 14:36:04.288
24. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-LOG-ID", HeaderValue="075dbaec-f845-4e32-985d-3761117ba9ad", Replace="true" 14:36:04.288
25. GENERAL_SET_REQUEST_HEADER HeaderName="Connection", HeaderValue="", Replace="true" 14:36:04.288
26. URL_CHANGED OldUrl="https://tobadata.internal.lan/", NewUrl="/" 14:36:04.303
27. GENERAL_SEND_CUSTOM_ERROR HttpStatus="502", HttpSubStatus="3", FileNameOrURL="502.htm" 14:36:05.366
28. GENERAL_SET_RESPONSE_HEADER HeaderName="Content-Type", HeaderValue="text/html", Replace="true" 14:36:05.381
30. GENERAL_RESPONSE_HEADERS Headers="Content-Type: text/html
Server: Microsoft-IIS/8.5
" 14:36:05.381
<html xmlns="">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>502 - Web server received an invalid response while acting as a gateway or proxy server.</title>
<style type="text/css">
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
#content{margin:0 0 0 2%;position:relative;}
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>502 - Web server received an invalid response while acting as a gateway or proxy server.</h2>
  <h3>There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.</h3>
" 14:36:05.381
32. GENERAL_FLUSH_RESPONSE_END BytesSent="1616", ErrorCode="The operation completed successfully.
 (0x0)" 14:36:05.381
33. GENERAL_REQUEST_END BytesSent="1616", BytesReceived="266", HttpStatus="502", HttpSubStatus="3" 14:36:05.381
Question by:tdemeyer
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 28

Expert Comment

by:Dan McFadden
ID: 41863643
1. What are you using for a proxy?
2. Is there an SSL cert installed and configured on the destination server for the site?
3. Are there any corresponding Application Event Log entries for this error?

LVL 28

Expert Comment

by:Dan McFadden
ID: 41863719
I just noticed that you are using ARR, can you post the ARR logs from when the error occurs?


Accepted Solution

tdemeyer earned 0 total points
ID: 41884576
After some extensive trial-and-error (and searching the deep end of Google)  I was able to write a new rule that more or less seemed to work...

Author Closing Comment

ID: 41891143
Found it elsewhere

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
What You Need to Know when Searching for a Webhost Provider
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question