How to configure a proxy server on a Windows server for outgoing HTTP and HTTPS requests?

I have a Windows 2012 VPS server running a web application behind Cloudflare. The application should initiate outgoing connections based on user actions (for example, uploading images from a URL). The problem is that this "leaks" my server's IP address and increases the risk of DDoS attacks.

Therefore, I would like to prevent my server's IP address from being discovered by setting up a forward proxy server. So far, my research has shown that this is not an easy task and will involve setting up another VPS to work as a proxy.

Does this additional VPS proxy have to run Windows? Are there paid services that can act as a forward proxy server for my server (for example, something like Cloudflare's reverse proxy system)?

Also, it seems that the suggested IIS plugin for a proxy server, Application Request Routing, does not work for HTTPS.

Is there a solution for both types of outgoing (HTTPS + HTTP) requests?

I really got lost here, so any help or suggestions would be appreciated.

1 answer

You need a Forward Proxy, to use the correct term. A good analogy for this is your browser's proxy settings for outgoing requests. In your case, the web application behaves like a desktop browser and can be configured to request a resource through a proxy.

Often you can manage this for individual requests at the application level. An example of this with C#: C# Connecting through a proxy

Regarding the actual proxy server: No, it does not need to run Windows or IIS. Yes, you can use a proxy service. The vast majority of proxy services are consumer-oriented and are used for personal privacy or to work around network restrictions. Therefore, I have no direct recommendations.

Cloudflare does have recommendations regarding this: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/

Features such as "download from URL" that allow the user to download a photo from a given URL must be set up so that the server performing the download is not the origin server of the website.

This may be a more convenient means of reducing risk, since it will not depend on a third-party proxy service. A download request can be handled as a web service call to a dedicated file-downloader server. Keep in mind that if you queue the work for another server, and that server is located in the same infrastructure, both can be affected by a DDoS, depending on the type of DDoS.

Your question implies that it may be acceptable for you to use a non-Windows server. There are many software products that can act as proxies (most web servers), but they suffer from the same problem as ARR: lack of support for the HTTP "CONNECT" message, which is used by modern browsers to start an HTTPS connection before issuing a "GET". Squid is very popular, open source and supports everything you need to connect to anything. It is not trivial to configure. Apache also supports this in "mod_proxy_connect", but I have no experience with it, and the online documentation is not very reliable. However, it is Apache, so it may be worth the extra investigation.

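The application-level approach the answer describes, as an added example (not code from the question or the answer): a C# downloader that sends the "download from URL" fetches through a forward proxy, so the origin server's IP is never the source of the outbound request. The proxy address, credentials and size limit are assumptions; HttpClient sends plain GETs for http:// targets and an HTTP CONNECT to the proxy for https:// targets, so one proxy covers both schemes.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

public static class ProxiedDownloader
{
    // Placeholder proxy endpoint and credentials (assumptions, not from the page).
    private const string ProxyUrl = "http://proxy.internal.example:3128";
    private static readonly HttpClient Client = CreateClient();

    private static HttpClient CreateClient()
    {
        var proxy = new WebProxy(ProxyUrl)
        {
            BypassProxyOnLocal = false,   // never fall back to a direct connection
            Credentials = new NetworkCredential("downloader", "CHANGE-ME")
        };
        var handler = new HttpClientHandler
        {
            Proxy = proxy,
            UseProxy = true,
            AllowAutoRedirect = false     // a 3xx is surfaced, not silently re-fetched
        };
        // http:// -> proxied GET; https:// -> CONNECT through the same proxy.
        return new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(15) };
    }

    // Fetches the user-supplied image URL via the proxy, refusing non-image
    // bodies and anything above maxBytes (checked on Content-Length and again
    // after the read, since Content-Length may be absent).
    public static async Task<byte[]> FetchImageAsync(Uri url, int maxBytes = 5 * 1024 * 1024)
    {
        if (url.Scheme != Uri.UriSchemeHttp && url.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Only http/https URLs are accepted", "url");

        using (var response = await Client.GetAsync(url, HttpCompletionOption.ResponseHeadersRead))
        {
            response.EnsureSuccessStatusCode();

            var mediaType = response.Content.Headers.ContentType?.MediaType ?? "";
            if (!mediaType.StartsWith("image/", StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Remote resource is not an image: " + mediaType);

            var declared = response.Content.Headers.ContentLength;
            if (declared.HasValue && declared.Value > maxBytes)
                throw new InvalidOperationException("Remote image exceeds the size limit");

            var body = await response.Content.ReadAsByteArrayAsync();
            if (body.Length > maxBytes)
                throw new InvalidOperationException("Remote image exceeds the size limit");
            return body;
        }
    }
}
```

Because BypassProxyOnLocal is false and UseProxy is true, a proxy outage fails the download rather than quietly sending it from the origin's own address, which is the behaviour you want when the point of the proxy is to keep that address hidden.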
