Protect Passbolt CE with IIS Reverse Proxy

I am trying to secure the CE version of Passbolt with an IIS reverse proxy. Despite having the correct rewrite rules, I am getting this error:
404 The route /auth/login is not permitted with JWT authentication.

I tried disabling JWT authentication, and everything works correctly.
Is there anything specific that needs to be set in the IIS headers?

Hi Apirelli83!

Welcome to the forum. I’m thinking that the Authorization Header is not being passed along to the passbolt server. That’s a core requirement for JWT (links at bottom of post).

I hope this helps and we get to hear good news from you soon!

cheers
gareth
:koala:

Warning: LLM did all my IIS homework!

The JWT Bearer token info is web server independent though so you can blame me for that :smiley:

How It Works in Passbolt

refer to: passbolt api docs

  1. A user logs in to Passbolt.
  2. The server responds with a JWT token.
  3. Subsequent API requests must include:
     Authorization: Bearer <JWT_TOKEN>
  4. Passbolt verifies the JWT and grants access.

IIS Configuration for JWT with HTTPS

Key Considerations for JWT with HTTPS in IIS Reverse Proxy

  1. IIS Cannot Rewrite to HTTPS → You must use Application Request Routing (ARR) to proxy to an HTTPS backend.
  2. Ensure Authorization Header is Forwarded → IIS strips Authorization by default, so you need to explicitly allow it.
  3. Preserve Host Header → Passbolt relies on App.fullBaseUrl to match the request’s host.

Enable IIS Application Request Routing (ARR)

  1. Open IIS Manager.
  2. Click the server name (not the site).
  3. Open “Application Request Routing Cache”.
  4. Click “Server Proxy Settings” (on the right panel).
  5. Check “Enable Proxy”.
  6. Check “Preserve Host Header” (Important for Passbolt).
  7. Click Apply and restart IIS.

Example web.config for a reverse proxy

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxy" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="https://passbolt-server.com/{R:1}" />
                    <!-- A rule may only set a server variable that is listed under
                         system.webServer/rewrite/allowedServerVariables in
                         applicationHost.config (IIS Manager: URL Rewrite >
                         View Server Variables). Without that entry IIS rejects the
                         request with HTTP 500 instead of proxying it. -->
                    <serverVariables>
                        <set name="HTTP_X_FORWARDED_PROTO" value="https" />
                    </serverVariables>
                </rule>
            </rules>
        </rewrite>
        <security>
            <!-- removeServerHeader suppresses the "Server: Microsoft-IIS" banner (IIS 10+). -->
            <requestFiltering removeServerHeader="true">
                <!-- Request filtering rules can only scan headers and deny
                     strings found in them; the schema has no "allow" switch for
                     a header. The rule below is schema-valid and, having no
                     denyStrings, denies nothing. Confirm with a header-echo
                     backend that the Bearer token actually reaches Passbolt. -->
                <filteringRules>
                    <filteringRule name="Scan Authorization Header" scanUrl="false" scanQueryString="false">
                        <scanHeaders>
                            <add requestHeader="Authorization" />
                        </scanHeaders>
                    </filteringRule>
                </filteringRules>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>


Why This Matters for IIS

IIS blocks the Authorization header by default, which prevents Passbolt from receiving the JWT token, causing authentication errors.

Passbolt Documentation

Passbolt requires the Authorization: Bearer <JWT_TOKEN> header for API authentication. You can find details in the API documentation:

RFC 6750 - OAuth 2.0 Bearer Token Usage

JWT-based authentication follows the OAuth 2.0 Bearer Token standard, which is documented in RFC 6750:
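To check the point made above, that the Bearer header must survive the hop through IIS, here is an added header-echo backend written in Python; it is not from the forum post, from Passbolt or from IIS. Stand it in for Passbolt behind the rewrite rule temporarily, request any path through the proxy with an Authorization header, and the JSON reply shows which of Authorization, Host and X-Forwarded-Proto arrived. The token value and the `/auth/login` path used in the self-test are constructed; run directly it talks to itself without IIS.

```python
"""Header-echo backend: shows what an IIS/ARR reverse proxy really forwards.
Added example, not from the forum post. Point the IIS rewrite rule at this
server temporarily, then request any path through the proxy with a Bearer header.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers Passbolt depends on behind a proxy (Authorization for JWT,
# Host for App.fullBaseUrl, X-Forwarded-Proto for the https scheme).
WATCHED = ("Authorization", "Host", "X-Forwarded-Proto", "X-Forwarded-For")

class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Report only the watched headers; None means the proxy dropped it.
        seen = {h: self.headers.get(h) for h in WATCHED}
        body = json.dumps({"path": self.path, "headers": seen}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the console quiet
        pass

def check_forwarding(proxy_url, token="constructed-test-token"):
    """Send a Bearer header through proxy_url and return what the backend saw."""
    req = urllib.request.Request(proxy_url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        seen = json.loads(resp.read())
    # True only if the token arrived unchanged; a None or altered value
    # explains a Passbolt JWT error before touching any rewrite rule.
    seen["authorization_forwarded"] = seen["headers"]["Authorization"] == f"Bearer {token}"
    return seen

def serve(port=0):
    """Start the echo backend on a background thread; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", port), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    # Self-test without IIS: talk to the echo backend directly (path from the post).
    srv, port = serve()
    print(json.dumps(check_forwarding(f"http://127.0.0.1:{port}/auth/login"), indent=2))
    srv.shutdown()
```

Behind a real proxy, replace the loopback URL with the public IIS address; a `null` Authorization or an `https` missing from X-Forwarded-Proto in the reply points at the proxy rather than at Passbolt.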