

Reverse Proxying Facebook

Bruce Axtens (bugmagnet) ・2 min read

Every time I figure out how to do something new, my manager comes along and starts "kicking out the tent walls a bit further." That happened today with me demonstrating a reverse proxying technique using IIS. No sooner had I demonstrated it working with one client, and almost working with another, than he asked, "Can we reverse proxy a Facebook site?"

So we wound up another subdomain on our server and pointed it at using the following web.config. (Redacted slightly for security's sake.):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="{R:1}" />
          <serverVariables>
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
        </rule>
        <rule name="Capture Http Origin Header">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_ORIGIN}" pattern=".+" />
          </conditions>
          <serverVariables>
            <set name="HTTP_X_HTTP_ORIGIN" value="{C:0}" />
          </serverVariables>
          <action type="None" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Form, Img" pattern="^http(s)?://*)" />
          <action type="Rewrite" value="http{R:1}://{R:2}" />
        </rule>
        <!-- Rewrites the upstream X-Frame-Options response header to an empty value -->
        <rule name="Rewrite X-Frame-Options" enabled="true" patternSyntax="Wildcard">
          <match serverVariable="RESPONSE_X-Frame-Options" pattern="*" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <action type="Rewrite" />
        </rule>
        <!-- When upstream sends no Access-Control-Allow-Origin, sets it to the captured request Origin -->
        <rule name="Set-Access-Control-Allow-Origin for known origins" enabled="true">
          <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern=".+" negate="true" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <action type="Rewrite" value="{HTTP_X_HTTP_ORIGIN}" />
        </rule>
        <rule name="Restore Accept Encoding" preCondition="Needs to Restore Original Accept Encoding" enabled="true">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
          <preCondition name="Needs to Restore Original Accept Encoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".*" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

Now I can have an HTML file with an iframe in it with an src of "" and have Facebook at that site appear in the iframe without the usual CORS-related notifications.
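An added example (not from the original post): a small Python model of the two header-rewriting outbound rules in the web.config, with a check a reviewer could run over the resulting response headers. It assumes the capture rule runs for the request; the function names, the `allowed_origins` allowlist and the `.example` origins are constructed for illustration.

```python
import re

# Constructed sample of upstream response headers (not captured traffic).
UPSTREAM = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "DENY"}


def apply_outbound_rules(upstream, request_origin, allowed_origins=None):
    """Model the posted outbound rules on one response's headers.

    allowed_origins=None mirrors the posted capture condition (pattern ".+").
    A set models a hypothetical allowlist in that condition instead.
    """
    headers = dict(upstream)
    # "Capture Http Origin Header": any non-empty Origin matches ".+".
    captured = ""
    if request_origin and re.fullmatch(r".+", request_origin):
        if allowed_origins is None or request_origin in allowed_origins:
            captured = request_origin
    # "Rewrite X-Frame-Options": wildcard match, Rewrite action with no value.
    if "X-Frame-Options" in headers:
        headers["X-Frame-Options"] = ""
    # ACAO rule: pattern ".+" with negate="true" fires only when upstream set none.
    if not headers.get("Access-Control-Allow-Origin"):
        headers["Access-Control-Allow-Origin"] = captured
    return headers


def audit(headers, request_origin, trusted_origins):
    """Return findings a reviewer would raise about the proxied response."""
    findings = []
    if not headers.get("X-Frame-Options"):
        findings.append("X-Frame-Options blank or missing: no framing restriction")
    acao = headers.get("Access-Control-Allow-Origin", "")
    if acao and acao == request_origin and acao not in trusted_origins:
        findings.append("untrusted Origin reflected in Access-Control-Allow-Origin")
    return findings


if __name__ == "__main__":
    trusted = {"https://intranet.example"}  # hypothetical trusted front end
    for allow in (None, trusted):
        out = apply_outbound_rules(UPSTREAM, "https://other.example", allow)
        print(allow, out, audit(out, "https://other.example", trusted))
```

With the posted `.+` condition any requesting Origin is echoed back, despite the rule's "for known origins" name; restricting the capture condition to specific origins leaves only the framing finding.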

It's certainly not perfect and the manager, after an initial whoop of delight, is now not so happy. And why? Because the site in the iframe doesn't pick up the Facebook login details from any of the other browser windows.

So now I have to figure out if that is even possible.

Clues anyone?


fraybabak

For practice, you should try the Modlishka reverse proxy.