My backend is a NodeJS server with the following CORS configuration:
    app.use(cors({
      // Origins allowed to make cross-origin requests
      origin: ['https://example.com', 'https://destination.com'],
      allowedHeaders: ['Origin', 'Accept', 'X-Requested-With', 'Content-Type']
    }));
When the NodeJS backend sends a 302 Found response, IIS replaces the location; a redirect to destination.com/endpoint?p=v changes to example.com/endpoint?p=v. Here are the logs from IIS' Failed Request Tracing:
135. NOTIFY_MODULE_START ModuleName="ApplicationRequestRouting", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotification="false" 01:16:27.109
136. ARR_REQUEST_HEADERS_START 01:16:27.109
137. ARR_REQUEST_HEADERS_END 01:16:27.125
138. ARR_RESPONSE_HEADERS_START 01:16:27.125
139. ARR_RESPONSE_HEADERS_END 01:16:27.125
140. MODULE_SET_RESPONSE_SUCCESS_STATUS ModuleName="ApplicationRequestRouting", Notification="EXECUTE_REQUEST_HANDLER", HttpStatus="302", HttpReason="Found" 01:16:27.125
141. GENERAL_SET_RESPONSE_HEADER HeaderName="Content-Length", HeaderValue="0", Replace="true" 01:16:27.125
142. GENERAL_SET_RESPONSE_HEADER HeaderName="Location", HeaderValue="https://destination.com/foo/bar?p=v", Replace="true" 01:16:27.125
143. GENERAL_SET_RESPONSE_HEADER HeaderName="Vary", HeaderValue="Origin", Replace="true" 01:16:27.125
144. GENERAL_SET_RESPONSE_HEADER HeaderName="X-Powered-By", HeaderValue="Express", Replace="false" 01:16:27.125
145. GENERAL_SET_RESPONSE_HEADER HeaderName="Location", HeaderValue="https://example.com/foo/bar?p=v", Replace="true" 01:16:27.125
146. GENERAL_SET_RESPONSE_HEADER HeaderName="X-Powered-By", HeaderValue="ARR/3.0", Replace="false" 01:16:27.125
147. NOTIFY_MODULE_END ModuleName="ApplicationRequestRouting", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotificationEvent="false", NotificationStatus="1" 01:16:27.125
148. NOTIFY_MODULE_COMPLETION ModuleName="ApplicationRequestRouting", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotificationEvent="false", CompletionBytes="0", ErrorCode="The operation completed successfully.
(0x0)" 01:16:27.125
149. ARR_RESPONSE_ENTITY_START 01:16:27.125
150. ARR_RESPONSE_ENTITY_END Bytes="0" 01:16:27.125
151. NOTIFY_MODULE_END ModuleName="ApplicationRequestRouting", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotificationEvent="false", NotificationStatus="1" 01:16:27.125
152. NOTIFY_MODULE_COMPLETION ModuleName="ApplicationRequestRouting", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotificationEvent="false", CompletionBytes="0", ErrorCode="The operation completed successfully.
(0x0)" 01:16:27.125
153. NOTIFY_MODULE_END ModuleName="ApplicationRequestRouting", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE"
These are the existing rewrite rules:
    <rules>
      <clear />
      <rule name="Upgrade" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
          <add input="{HTTPS}" pattern="^OFF$" />
          <add input="{REQUEST_METHOD}" pattern="POST" negate="true" />
          <add input="{REQUEST_METHOD}" pattern="FOUND" negate="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
      </rule>
      <rule name="Backend" stopProcessing="true">
        <match url="backend/(.*)" />
        <action type="Rewrite" url="http://localhost:3001/{R:1}" />
      </rule>
      <rule name="React Router" enabled="true" stopProcessing="true">
        <match url=".*" />
        <conditions logicalGrouping="MatchAll">
          <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
          <add input="{REQUEST_URI}" matchType="IsDirectory" negate="true" />
        </conditions>
        <action type="Rewrite" url="index.html" />
      </rule>
    </rules>
There are no other ARR modules with rules in place.
Does IIS need to be configured for CORS? Thanks
Go to the IIS 'Home' page for your server and open 'Application Request Routing Cache'. There's an option in Server Proxy Settings labelled 'Reverse rewrite host in response headers'. Unchecking that option solved my problem.
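
The trace in the question shows the Location header being set twice inside the ApplicationRequestRouting module, the second time with the front-end host. As an added example (not part of the original question or answer), this Node.js script scans Failed Request Tracing text for response headers that are overwritten with a different value and flags the ones whose host changed. The sample trace is constructed from the question's log, and the function names are hypothetical.

```javascript
// Constructed sample: header events taken from the question's Failed Request
// Tracing log, with event numbers and timestamps trimmed.
const SAMPLE_TRACE = `
GENERAL_SET_RESPONSE_HEADER HeaderName="Content-Length", HeaderValue="0", Replace="true"
GENERAL_SET_RESPONSE_HEADER HeaderName="Location", HeaderValue="https://destination.com/foo/bar?p=v", Replace="true"
GENERAL_SET_RESPONSE_HEADER HeaderName="Vary", HeaderValue="Origin", Replace="true"
GENERAL_SET_RESPONSE_HEADER HeaderName="X-Powered-By", HeaderValue="Express", Replace="false"
GENERAL_SET_RESPONSE_HEADER HeaderName="Location", HeaderValue="https://example.com/foo/bar?p=v", Replace="true"
GENERAL_SET_RESPONSE_HEADER HeaderName="X-Powered-By", HeaderValue="ARR/3.0", Replace="false"
`;

// Matches one header event anywhere on a line, so leading event numbers and
// trailing timestamps in a real trace do not matter.
const HEADER_EVENT =
  /GENERAL_SET_RESPONSE_HEADER\s+HeaderName="([^"]*)",\s*HeaderValue="([^"]*)",\s*Replace="(true|false)"/g;

// Host of an absolute URL, or null for relative or non-URL header values.
function hostOf(value) {
  try { return new URL(value).host; } catch { return null; }
}

// Returns one finding per header that was overwritten (Replace="true") with a
// different value later in the same trace. Replace="false" events are skipped
// because they do not overwrite an existing value.
function findHeaderOverwrites(traceText) {
  const lastValue = new Map(); // lower-cased header name -> last value set
  const findings = [];
  for (const [, name, value, replace] of traceText.matchAll(HEADER_EVENT)) {
    const key = name.toLowerCase();
    const previous = lastValue.get(key);
    if (replace === 'true' && previous !== undefined && previous !== value) {
      findings.push({
        header: name,
        from: previous,
        to: value,
        hostChanged: hostOf(previous) !== hostOf(value),
      });
    }
    if (replace === 'true' || previous === undefined) lastValue.set(key, value);
  }
  return findings;
}

// Print only the overwrites that moved a URL to a different host.
console.log(findHeaderOverwrites(SAMPLE_TRACE).filter((f) => f.hostChanged));
```

The checkbox named in the answer corresponds to the `reverseRewriteHostInResponseHeaders` attribute of the `system.webServer/proxy` configuration section.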