We have two servers:
Server I: 10.0.1.3 (Debian 10 / Apache 2.4)
FQDN: music.domain.com (LAN access only)
Server II: 10.0.1.5 (Windows Server 2012 R2 / IIS 8)
FQDN: gateway.domain.com (LAN and WAN access)
Both servers have the DigiCert wildcard SSL certificate (*.domain.com) installed and properly configured for SSL connections over HTTPS.
On Server I we have a media application (Airsonic, JSON based):
https://music.domain.com/airsonic
From the LAN everything works flawlessly; all browsers can load images, frames, scripts, audio/video files, etc.
On Server II we have IIS with a reverse proxy rule to reach Server I, as follows:
<rule name="Airsonic" enabled="true" stopProcessing="true">
  <match url="airsonic(.*)" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
  <action type="Rewrite" url="https://music.domain.com/{R:0}" />
</rule>
When we try to access https://gateway.mydomain.com/airsonic from any browser, we get the following errors:
- Failed to load resource: net::ERR_FAILED
- Uncaught (in promise) DOMException: Failed to load because no supported source was found.
- Uncaught (in promise) DOMException: The element has no supported sources.
- Cross-Origin Read Blocking (CORB) blocked cross-origin response https://music.domain.com/airsonic/login with MIME type text/html
Although we can access the application through the gateway, some frames do not load correctly, and audio and video files won't play at all!
This is our web.config file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
  </system.web>
  <system.webServer>
    <httpRedirect enabled="false" destination="" childOnly="true" />
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1;mode=block" />
        <remove name="X-Content-Type-Options" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
        <add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
        <add name="Access-Control-Allow-Credentials" value="true" />
      </customHeaders>
    </httpProtocol>
    <httpErrors errorMode="Custom">
      <remove statusCode="403" />
      <error statusCode="403" path="https://www.domain.com/errorDocs/403" responseMode="ExecuteURL" />
      <remove statusCode="404" />
      <error statusCode="404" path="https://www.domain.com/errorDocs/404" responseMode="ExecuteURL" />
      <remove statusCode="500" />
      <error statusCode="500" path="https://www.domain.com/errorDocs/500" responseMode="ExecuteURL" />
    </httpErrors>
    <rewrite>
      <rules>
        <clear />
        <rule name="https Redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="SeeOther" />
        </rule>
        <rule name="Pi-Hole" enabled="true" stopProcessing="true">
          <match url="admin(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://10.0.1.3:85/{R:0}" appendQueryString="true" />
        </rule>
        <rule name="Monitorix" enabled="true" stopProcessing="true">
          <match url="monitorix(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://10.0.1.3:8181/{R:0}" appendQueryString="true" />
        </rule>
        <rule name="QBTorrent" enabled="true" stopProcessing="true">
          <match url="qbweb/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <serverVariables>
            <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:{SERVER_PORT}" />
            <set name="HTTP_REFERER" value="" />
            <set name="HTTP_ORIGIN" value="" />
          </serverVariables>
          <action type="Rewrite" url="https://10.0.1.3:8888/{R:1}" />
        </rule>
        <rule name="Airsonic" enabled="true" stopProcessing="true">
          <match url="airsonic(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="https://music.domain.com/{R:0}" />
        </rule>
        <rule name="Serviio" enabled="true" stopProcessing="true">
          <match url="(mediabrowser|cds)(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://10.0.1.7:23424/{R:0}" />
        </rule>
        <rule name="WOWNAS DSI" enabled="true" stopProcessing="true">
          <match url="dsi/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://10.0.1.8:5000/{R:1}" appendQueryString="true" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Remove Server Response Header">
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <action type="Rewrite" value="Ups!" />
        </rule>
        <rule name="Remove X-Powered-By Header">
          <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".*" />
          <action type="Rewrite" value="hhhmmmm" />
        </rule>
      </outboundRules>
    </rewrite>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
We can only assume it has something to do with the IIS configuration (the reverse proxy rule), since if we bypass the gateway we have no issues playing audio/video. Our ultimate goal is to access the Airsonic application from the WAN without connecting directly to Server I, as we have already configured the firewall to forward the proper ports to Server II!
How do we establish trust for the content sent to and requested from Server I through Server II so that it won't fail with CORS/CORB and remains secure?
Thank you in advance for helping with this matter. If the rules need changes (adding variables, adding outbound rules), please give us an example, since we are not tech savvy when it comes to web server configuration.
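An added example, not the poster's configuration and not an answer from the thread. It works from one observation in the question: the CORB message names https://music.domain.com/airsonic/login, so the browser is being sent to the backend host itself rather than staying on gateway.domain.com, which is exactly what a reverse proxy is supposed to prevent. Airsonic answers a request for a protected page with a redirect to its login page, and because the proxy rule rewrites the request to host music.domain.com, that redirect (and any absolute link it renders) carries the backend host. The rule below is a drop-in replacement for the Airsonic rule that forwards the original host and scheme to the backend and rewrites backend-host redirects and links back to the gateway host on the way out. Hostnames are the ones from the question; the precondition names, the X-Forwarded-* variables and the tag list are assumptions, and the outbound rules only cover what the preconditions match.

```xml
<!-- Added example (not the poster's config). Every server variable set here
     (HTTP_X_FORWARDED_HOST, HTTP_X_FORWARDED_PROTO, HTTP_ACCEPT_ENCODING) must be
     listed under system.webServer/rewrite/allowedServerVariables in
     applicationHost.config, as the existing QBTorrent rule already requires
     for HTTP_X-Forwarded-Host, HTTP_REFERER and HTTP_ORIGIN. -->
<rewrite>
  <rules>
    <rule name="Airsonic" enabled="true" stopProcessing="true">
      <match url="airsonic(.*)" />
      <serverVariables>
        <!-- Tell the backend which host and scheme the browser actually used,
             so an X-Forwarded-aware backend can build correct absolute URLs. -->
        <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
        <set name="HTTP_X_FORWARDED_PROTO" value="https" />
        <!-- Ask the backend for an uncompressed body; outbound rules cannot
             rewrite text inside a gzip-compressed response. -->
        <set name="HTTP_ACCEPT_ENCODING" value="" />
      </serverVariables>
      <action type="Rewrite" url="https://music.domain.com/{R:0}" appendQueryString="true" />
    </rule>
  </rules>
  <outboundRules>
    <!-- Redirects from the backend (for example to /airsonic/login) arrive with
         the backend host in Location; point them back at the gateway host. -->
    <rule name="Airsonic Location" preCondition="IsRedirect">
      <match serverVariable="RESPONSE_Location" pattern="^https?://music\.domain\.com/(.*)" />
      <action type="Rewrite" value="https://{HTTP_HOST}/{R:1}" />
    </rule>
    <!-- Same for absolute backend URLs inside HTML, including frames and media
         scripts, so the browser never fetches directly from music.domain.com. -->
    <rule name="Airsonic HTML links" preCondition="IsHtml">
      <match filterByTags="A, Form, Img, Link, Script, Frame, IFrame"
             pattern="^https?://music\.domain\.com/(.*)" />
      <action type="Rewrite" value="https://{HTTP_HOST}/{R:1}" />
    </rule>
    <preConditions>
      <preCondition name="IsRedirect">
        <add input="{RESPONSE_STATUS}" pattern="^3\d\d" />
      </preCondition>
      <preCondition name="IsHtml">
        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
```

Two checks worth doing alongside this. First, if Application Request Routing's proxy setting "Reverse rewrite host in response headers" (reverseRewriteHostInResponseHeaders in applicationHost.config) is already on, the Location rule above is redundant, and the fact that the browser still lands on music.domain.com suggests it is off or not matching. Second, the customHeaders block in the posted web.config sends Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true; browsers reject that combination for credentialed requests, so it never actually helps. Once every Airsonic resource is served from gateway.domain.com, the browser makes no cross-origin request at all and those four Access-Control-* headers can simply be removed, which is also the safer configuration: a wildcard origin with credentials is exactly what you do not want on a gateway that is reachable from the WAN.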