Google Tag Manager - Bypass AdBlock Plus

I managed to find a way to bypass AdBlock Plus so that Google Tag Manager loads on my IIS 10 website. I use Google Tag Manager to manage the cookies and display the cookie bar on several websites.

If you would like to find out how to use Google Tag Manager in this way, please read my EU Cookie Consent With Google Tag Manager post.

Install URL Rewrite

The first step is to install the add-on module for URL Rewrite. With Windows Server 2019, you can use the Microsoft Web Platform Installer (WebPI) to download and install the URL Rewrite Module. Just search for 'URL Rewrite' in the search options and click 'Add'. You can also download the extension from IIS.net - http://www.iis.net/downloads/microsoft/url-rewrite.

Once the module is installed in IIS, you will see a new icon in the IIS Administration Console called URL Rewrite. This icon is present at the level of each site and web application on the server, and lets you configure rewrite rules that apply from that level downwards.


Configure HTTP Headers

We now need to allow the processing of compressed files, which we do by removing and then reinstating the Accept-Encoding HTTP header. To do this, we first need to create two HTTP variables in URL Rewrite. After selecting the URL Rewrite icon and double-clicking it in the IIS Manager Console, you will have a 'View Server Variables' action button in the right-hand side pane. Click this button to be able to add new server variables.

Click the 'Add' button in the right-hand side pane to add a new server variable. We need to add two variables, named HTTP_ACCEPT_ENCODING and HTTP_X_ORIGINAL_ACCEPT_ENCODING.

Configure Web.Config 

Next we need to add the following lines to the Web.Config, being sure to replace YOURDOMAIN.COM.

    <rewrite>
        <outboundRules>
            <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                <match filterByTags="Frame, Script" pattern="^http(s)?://www.googletagmanager.com/(.*)" />
                <action type="Rewrite" value="http://YOURDOMAIN.COM/{R:2}" />
            </rule>
            <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="(.+)" />
                <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
            </rule>
            <preConditions>
                <preCondition name="ResponseIsHtml1">
                    <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                </preCondition>
                <preCondition name="NeedsRestoringAcceptEncoding">
                    <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                </preCondition>
            </preConditions>
        </outboundRules>
        <rules>
            <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                <match url="^proxy\/(.*)" />
                <conditions>
                    <add input="{CACHE_URL}" pattern="^(https?)://" />
                </conditions>
                <action type="Rewrite" url="https://www.googletagmanager.com/{R:1}" />
                <serverVariables>
                    <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                    <set name="HTTP_ACCEPT_ENCODING" value="" />
                </serverVariables>
            </rule>
        </rules>
    </rewrite>

Then in your HTML replace the Google Tag Manager header code with the following, being sure to replace YOURCONTAINERID:

    <!-- Google Tag Manager -->
    <script>
        (function (w, d, s, l, i) {
            w[l] = w[l] || [];
            w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
            var f = d.getElementsByTagName(s)[0],
                j = d.createElement(s),
                dl = l != 'dataLayer' ? '&l=' + l : '';
            j.async = false;
            j.src = '/proxy/gtm.js?id=' + i + dl;
            f.parentNode.insertBefore(j, f);
        })(window, document, 'script', 'dataLayer', 'YOURCONTAINERID');
    </script>
    <!-- End Google Tag Manager -->

And replace the Google Tag Manager body code with the following, being sure to replace YOURCONTAINERID:

    <!-- Google Tag Manager (noscript) -->
    <noscript>
        <iframe src="/proxy/ns.html?id=YOURCONTAINERID"
                height="0" width="0" style="display:none;visibility:hidden"></iframe>
    </noscript>
    <!-- End Google Tag Manager (noscript) -->
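
The 'View Server Variables' step can also be scripted and the finished setup checked with a request through the /proxy/ path. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the IIS server with the WebAdministration module, registers the variables server-wide rather than per site, and uses the same YOURDOMAIN.COM and YOURCONTAINERID placeholders as above.

```powershell
# Added example: scripts the 'View Server Variables' step and smoke-tests the proxy.
# Assumptions: elevated session on the IIS server; variables are allowed server-wide.
Import-Module WebAdministration

$siteUrl     = 'https://YOURDOMAIN.COM'   # placeholder, as in the Web.Config above
$containerId = 'YOURCONTAINERID'          # placeholder, as in the HTML above
$section     = 'system.webServer/rewrite/allowedServerVariables'
$apphost     = 'MACHINE/WEBROOT/APPHOST'

foreach ($name in 'HTTP_ACCEPT_ENCODING', 'HTTP_X_ORIGINAL_ACCEPT_ENCODING') {
    # Only add the entry when it is missing, so the script can be re-run safely.
    $present = Get-WebConfiguration -PSPath $apphost -Filter "$section/add[@name='$name']"
    if (-not $present) {
        Add-WebConfigurationProperty -PSPath $apphost -Filter $section -Name '.' -Value @{ name = $name }
        Write-Output "Allowed server variable added: $name"
    }
}

# Request the container script through the first-party /proxy/ path.
try {
    $resp = Invoke-WebRequest -Uri "$siteUrl/proxy/gtm.js?id=$containerId" -UseBasicParsing
    $type = $resp.Headers['Content-Type']
    if ($type -notmatch 'javascript') {
        Write-Warning "Unexpected Content-Type '$type'; the rewrite rule may not be matching."
    }
    else {
        Write-Output "Proxy OK: HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes, $type"
    }
}
catch {
    # Invoke-WebRequest throws on non-success status codes, e.g. when the rule is missing.
    Write-Warning "Proxy request failed: $($_.Exception.Message)"
}
```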

Using Let’s Encrypt certificates with Windows Admin Center

Certificates from Let’s Encrypt have a very short lifetime, so they need to be renewed quite often and that process needs to be automated. This little guide shows how to acquire certificates and automate the renewal for use with Windows Admin Center. I will use Posh-ACME to get the certificates from Let’s Encrypt.

First of all, we need to install the PowerShell module Posh-ACME from the PowerShell Gallery:

Install-Module -Name Posh-ACME

In order to use Posh-ACME you need to figure out how to let the script make changes to your public DNS server. This is beyond the scope of this guide, as the procedure varies depending on your provider. You will have to look in the Posh-ACME documentation: List-of-Supported-DNS-Providers.

Download Windows Admin Center if you haven’t done so already. https://aka.ms/WindowsAdminCenter

Make sure to move your downloaded file to C:\Temp and make a note of the filename.

In a production environment the following steps should be performed under a separate (batch/script) account. Posh-ACME saves its settings in the user profile, and you need to schedule a task to update the certificates. You do not want to schedule that task with your regular user.

# Specify the environment to acquire certificates from (LE_PROD is Let's Encrypt production environment and LE_STAGE is the test environment).
Set-PAServer LE_PROD

$pArgs = @{ CFAuthEmail='xxx.domain.tlc'; CFAuthKey='xxx' }

# Acquire the certificate (the -Contact address is a placeholder; replace it with your own):
$newCert = New-PACertificate 'HOSTNAME' -AcceptTOS -Install -Contact 'you@example.com' -DnsPlugin Cloudflare -PluginArgs $pArgs

# Specify the path to Windows Admin Center installer:
$msiFile = "C:\Temp\WindowsAdminCenter1904.msi"

# Install:
Start-Process msiexec.exe -Wait -ArgumentList "/i $msiFile /qn /L*v c:\temp\log.txt SME_PORT=1080 SME_THUMBPRINT=$($newCert.Thumbprint) SSL_CERTIFICATE_OPTION=installed"

Once installed you should be able to access Windows Admin Center at the following url: https://HOSTNAME:1080

If you want to do a manual install you can specify the thumbprint to the certificate. You will find it in the variable $newCert.Thumbprint after you have acquired the certificate.

This short script checks the certificate and renews it if needed. It then configures Windows Admin Center with the new certificate and removes the old certificate.

# Update existing certificate
# This task should be scheduled to run every day (or something similar)

# Specify the domainname to update:
$wacDomain = "HOSTNAME"

# Get the current certificate:
$currentCert = Get-Item Cert:\LocalMachine\My\* | Where Subject -like "CN=$wacDomain"

# Specify the environment (Production or Test)
Set-PAServer LE_PROD

# Specify what certificate to renew
Set-PAOrder -MainDomain $wacDomain

# Submit the renewal
$newCert = Submit-Renewal
if ($newCert -ne $null)
{
    # If at least one new certificate is returned:
    foreach ($c in $newCert)
    {
        # Check if the returned certificate matches the domainname specified:
        if ($c.AllSANs -contains $wacDomain)
        {
            # Find MSI package for Windows Admin Center
            $wac = get-wmiobject Win32_Product | select IdentifyingNumber, Name, LocalPackage | Where Name -eq "Windows Admin Center"

            if ($wac -ne $null)
            {
                # Bind new certificate to the service
                Start-Process msiexec.exe -Wait -ArgumentList "/i $($wac.LocalPackage) /qn /L*v c:\script\log.txt SME_PORT=1080 SME_THUMBPRINT=$($c.Thumbprint) SSL_CERTIFICATE_OPTION=installed"

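                # When upgrading WAC, the firewall rule may be deleted. If so, create a new rule after the upgrade.
                # Only create it when it is missing, otherwise every renewal adds a duplicate rule.
                if (-not (Get-NetFirewallRule -DisplayName "SmeInboundOpenException" -ErrorAction SilentlyContinue))
                {
                    New-NetFirewallRule -DisplayName "SmeInboundOpenException" -Description "Windows Admin Center inbound port exception" -LocalPort 1080 -RemoteAddress Any -Protocol TCP
                }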

                # Restart Windows Admin Center
                Restart-Service ServerManagementGateway -Force
            }            

            # Remove the old certificate from the certificate store
            Remove-Item $currentCert.PSPath
        }
    }
}
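
A scheduled renewal can fail silently, so it is worth checking what Windows Admin Center actually serves after the task has run. The following is an added example, not part of the original script: it compares the certificate presented on the port with the newest matching certificate in the store and warns when expiry is close. HOSTNAME and port 1080 follow the guide; the 14-day threshold and the function name Get-ServedCertificate are assumptions.

```powershell
# Added example, not part of the original script.
# Assumptions: HOSTNAME and port 1080 as used above; 14-day warning threshold.
$wacDomain = 'HOSTNAME'
$wacPort   = 1080
$minDays   = 14

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the goal is to inspect it, even if it has expired.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

$served = Get-ServedCertificate -HostName $wacDomain -Port $wacPort

# Newest certificate for the host in the machine store (where -Install places it).
$stored = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like "CN=$wacDomain" |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

$daysLeft = [math]::Floor(($served.NotAfter - (Get-Date)).TotalDays)
$problems = @()

if (-not $stored) {
    $problems += "No certificate for $wacDomain found in LocalMachine\My."
}
elseif ($stored.Thumbprint -ne $served.Thumbprint) {
    $problems += "Served certificate $($served.Thumbprint) is not the newest store certificate $($stored.Thumbprint)."
}
if ($daysLeft -lt $minDays) {
    $problems += "Served certificate expires in $daysLeft days ($($served.NotAfter))."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: ${wacDomain}:$wacPort serves $($served.Thumbprint), $daysLeft days remaining."
```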

If you install it on port 443, be aware that this will stop anything else using port 443 from working, including any websites running on IIS.
If this happens, use the two lines below to remove the SSL binding for port 443:

netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete urlacl url=https://+:443/

Be sure to check that any websites in IIS have the correct certificate bindings in place.