Channel: Troubleshooting

CORS/CORB issues


We have two servers:

Server I: 10.0.1.3 (Debian 10 / Apache 2.4)

fqdn: music.domain.com (LAN access only)

Server II: 10.0.1.5 (Windows Server 2012 R2 / IIS 8)

Fqdn: gateway.domain.com (LAN and WAN access)

Both servers have the wildcard SSL certificate from DigiCert installed and properly configured for ssl connection over https (*.domain.com)

 

On server I we have a media application (Airsonic – json based )

https://music.domain.com/airsonic

From the LAN everything works flawlessly, all browsers can load Images, Frames, Scripts, Audio/Video files…

On Server II we have IIS working as a reverse proxy rule to access the Server I as follows:

<rule name="Airsonic" enabled="true" stopProcessing="true">
  <match url="airsonic(.*)" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
  <action type="Rewrite" url="https://music.domain.com/{R:0}" />
</rule>

When we try to access the https://gateway.mydomain.com/airsonic from any browser then we have the following issues:

  • Failed to load resource: net::ERR_FAILED
  • Uncaught (in promise) DOMException: Failed to load because no supported source was found.
  • Uncaught (in promise) DOMException: The element has no supported sources.
  • Cross-Origin Read Blocking (CORB) blocked cross-origin response https://music.domain.com/airsonic/login with MIME type text/html

Although we can access the application from the gateway, some frames would not load correctly, and audio and video files won't play at all!

This is our web.conf file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
  </system.web>
  <system.webServer>
    <httpRedirect enabled="false" destination="" childOnly="true" />
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1;mode=block" />
        <remove name="X-Content-Type-Options" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
        <add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
        <add name="Access-Control-Allow-Credentials" value="true" />
      </customHeaders>
    </httpProtocol>
    <httpErrors errorMode="Custom">
      <remove statusCode="403" />
      <error statusCode="403" path="https://www.domain.com/errorDocs/403" responseMode="ExecuteURL" />
      <remove statusCode="404" />
      <error statusCode="404" path="https://www.domain.com/errorDocs/404" responseMode="ExecuteURL" />
      <remove statusCode="500" />
      <error statusCode="500" path="https://www.domain.com/errorDocs/500" responseMode="ExecuteURL" />
    </httpErrors>
    <rewrite>
      <rules>
        <clear />
        <rule name="https Redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="SeeOther" />
        </rule>
        <rule name="Pi-Hole" enabled="true" stopProcessing="true">
          <match url="admin(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://10.0.1.3:85/{R:0}" appendQueryString="true" />
        </rule>
        <rule name="Monitorix" enabled="true" stopProcessing="true">
          <match url="monitorix(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://10.0.1.3:8181/{R:0}" appendQueryString="true" />
        </rule>
        <rule name="QBTorrent" enabled="true" stopProcessing="true">
          <match url="qbweb/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <serverVariables>
            <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:{SERVER_PORT}" />
            <set name="HTTP_REFERER" value="" />
            <set name="HTTP_ORIGIN" value="" />
          </serverVariables>
          <action type="Rewrite" url="https://10.0.1.3:8888/{R:1}" />
        </rule>
        <rule name="Airsonic" enabled="true" stopProcessing="true">
          <match url="airsonic(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="https://music.domain.com/{R:0}" />
        </rule>
        <rule name="Serviio" enabled="true" stopProcessing="true">
          <match url="(mediabrowser|cds)(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://10.0.1.7:23424/{R:0}" />
        </rule>
        <rule name="WOWNAS DSI" enabled="true" stopProcessing="true">
          <match url="dsi/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://10.0.1.8:5000/{R:1}" appendQueryString="true" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Remove Server Response Header">
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <action type="Rewrite" value="Ups!" />
        </rule>
        <rule name="Remove X-Powered-By Header">
          <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".*" />
          <action type="Rewrite" value="hhhmmmm" />
        </rule>
      </outboundRules>
    </rewrite>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>

We can only assume it's something to do with the configuration of IIS (reverse proxy rule), since if we bypass the gateway we have no issues playing audio/video... Our ultimate goal is to access the Airsonic Application from the WAN without connecting directly to the server I as we already configured the firewall to forward the proper ports to Server II!

How can we establish trust for the content sent and requested between Server I and Server II so that it won't fail with CORS/CORB and remains secure?

PS: We are NOT savvy in web.conf, so please give an example of how to make the rule rather than just mentioning what is supposed to be done...

Thank you in advance for helping with this matter.
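
Added example (not part of the original post and not a reply from the forum): a Python check over a web.config that flags two things visible in the posted file, the wildcard Access-Control-Allow-Origin sent together with Access-Control-Allow-Credentials: true, and reverse-proxy rules that target a backend DNS name different from the public one, which is the host the CORB line shows the browser contacting directly. The function name `audit`, the finding codes and the trimmed sample are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the two CORS headers and two of the rules from the post.
SAMPLE = """<configuration><system.webServer>
<httpProtocol><customHeaders>
  <add name="Access-Control-Allow-Origin" value="*" />
  <add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders></httpProtocol>
<rewrite><rules>
  <rule name="Pi-Hole"><match url="admin(.*)" />
    <action type="Rewrite" url="http://10.0.1.3:85/{R:0}" /></rule>
  <rule name="Airsonic"><match url="airsonic(.*)" />
    <action type="Rewrite" url="https://music.domain.com/{R:0}" /></rule>
</rules></rewrite>
</system.webServer></configuration>"""

def audit(xml_text, public_host):
    """Return (code, location) findings for a web.config given as a string."""
    root = ET.fromstring(xml_text)
    findings = []
    hdr = {a.get("name", "").lower(): a.get("value", "")
           for a in root.findall(".//customHeaders/add")}
    # Browsers refuse a credentialed cross-origin response whose
    # Access-Control-Allow-Origin is the wildcard, so this pair never works.
    if (hdr.get("access-control-allow-origin") == "*"
            and hdr.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("cors-wildcard-with-credentials", "customHeaders"))
    for rule in root.findall(".//rewrite/rules/rule"):
        action = rule.find("action")
        if action is None or action.get("type") != "Rewrite":
            continue
        host = urlsplit(action.get("url", "")).hostname
        # Heuristic: a backend reached by its own DNS name may return URLs
        # naming that host; check what the browser is then asked to fetch.
        if host and host != public_host and not host.replace(".", "").isdigit():
            findings.append(("backend-hostname-differs", rule.get("name")))
    return findings
```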

