This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

X-Forwarded-Proto with Azure and AWS #851

Closed
rajendersvit opened this issue Feb 27, 2017 · 7 comments
@rajendersvit

rajendersvit commented Feb 27, 2017

Issue / Steps to reproduce the problem

The AWS load balancer will always forward/redirect HTTP to HTTPS with the header X-Forwarded-Proto. This is causing an issue with document discovery at /.well-known/openid-configuration: even if the URL is on HTTPS, it will still return the proto value as http instead of https.

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html#x-forwarded-proto

Solution
To overcome this issue we need to change BaseUrlMiddleware slightly, from

    var origin = request.Scheme + "://" + request.Host.Value;

to the following:

    // Treat the request as https when it is TLS end-to-end or when the proxy says so
    if (request.IsHttps ||                                           // handles https straight to the server
        request.Headers["X-Forwarded-Proto"] == "https" ||           // handles an IIS or Azure/AWS passthrough
        request.Headers["X-Forwarded-Proto"].Contains("https"))
    {
        origin = "https://" + request.Host.Value;
    }
    else
    {
        origin = request.Scheme + "://" + request.Host.Value;
    }

@leastprivilege
Member

Changing our source code is never the best solution ;)

Put a middleware in front that changes the scheme based on the incoming headers.

dotnet/AspNetCore.Docs#2384

@rajendersvit
Author

rajendersvit commented Feb 27, 2017

I tried every way that I can, but no luck.

    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    });

    // type argument restored; the generic parameter was lost in the original post
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
    });

In BaseUrlMiddleware, request.Scheme is still http only, as none of the X-Forwarded-Proto handling is being considered.

HTTPS is configured on the load balancer not on the IIS server.

@brockallen
Member

I'd suggest getting it to work without IdentityServer and just use a plain ASP.NET Core MVC application. Once you have that working, then the same approach should work with IdentityServer. If it doesn't, then let us know.

@sbebrys

sbebrys commented Feb 27, 2017

I use BaseUrlMiddleware too, and when I implemented my code I made two bugs: first, UseForwardedHeaders must be before UseIdentityServer; and second, by default KnownNetworks and KnownProxies in ForwardedHeadersOptions are not empty, so I needed to clear them. Maybe you have the same problem.
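The two points above, as an added example that is not code from any participant in this thread or from IdentityServer4: a Startup fragment that registers ForwardedHeadersMiddleware ahead of UseIdentityServer and trusts X-Forwarded-Proto only when it arrives from the load balancer's address range, so an arbitrary client cannot flip the scheme by sending the header itself. It assumes Microsoft.AspNetCore.HttpOverrides 1.1.0 (the version the thread ends on) and a hypothetical load-balancer subnet of 10.0.0.0/8.

```csharp
// Added example (not from this thread or from IdentityServer4).
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // By default only loopback (127.0.0.1 / ::1) is a trusted proxy. An AWS ELB or
            // Azure front end is not on loopback, so its headers are silently ignored unless
            // its addresses are listed here. Clearing the defaults and adding the balancer's
            // range keeps the header untrusted from everyone else.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                System.Net.IPAddress.Parse("10.0.0.0"), 8)); // hypothetical LB subnet

            // Exactly one hop (the balancer) is expected in front of the app.
            options.ForwardLimit = 1;
        });

        services.AddIdentityServer()
            .AddTemporarySigningCredential();
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // The parameterless overload reads IOptions<ForwardedHeadersOptions> registered above.
        // Passing a fresh ForwardedHeadersOptions here instead would discard that registration,
        // including the cleared KnownProxies, which is why the explicit-options form alone
        // leaves Request.Scheme as "http" behind a cloud balancer.
        app.UseForwardedHeaders();

        // Must come after UseForwardedHeaders so BaseUrlMiddleware sees the rewritten scheme.
        app.UseIdentityServer();
        app.UseMvc();
    }
}
```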

@rajendersvit
Author

rajendersvit commented Feb 28, 2017

Here is my startup file. No luck on HTTPS.

    public class Startup
    {
        // constructor and Configuration property were not included in the post

        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<ConfigEntry>(Configuration);
            var userPrincipalFactory = new IdentityUserPrincipalFactory();
            services.AddSingleton<IUserClaimsPrincipalFactory<User>>(userPrincipalFactory);

            ////Replace password encryption
            ////services.AddSingleton<IPasswordHasher<User>, UserPasswordHasher<User>>();

            // forwarded-headers options (highlighted in the original post)
            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
            });

            services.AddSingleton<IUserStore<User>>(provider =>
            {
                var options = provider.GetService<IOptions<ConfigEntry>>();
                var userStore = new IdentityUserStore(
                    new UserLoginRepository(options),
                    new UserRepository(options),
                    new UserClaimRepository(options),
                    new RoleRepository(options),
                    new UserRoleRepository(options));
                return userStore;
            });

            services.AddIdentity<User, Role>()
                .AddDefaultTokenProviders()
                .AddIdentityServerUserClaimsPrincipalFactory();

            services.AddIdentityServer()
                .AddTemporarySigningCredential()
                .AddConfigurationStore()
                .AddDapperIdentity<User>();

            services.AddMvc();
            services.AddAntiforgery();

            services.AddSingleton<ISmsSender>(provider =>
            {
                var options = provider.GetService<IOptions<ConfigEntry>>();
                return new AuthMessageSender(options);
            });
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IServiceProvider serviceProvider)
        {
            loggerFactory.AddConsole(Configuration.GetSection("Logging"));
            loggerFactory.AddDebug();

            loggerFactory.AddSQLLogger(serviceProvider);
            loggerFactory.CreateLogger("configure");

            // forwarded-headers middleware (highlighted in the original post)
            app.UseForwardedHeaders(new ForwardedHeadersOptions
            {
                ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
            });

            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseBrowserLink();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();
            app.UseIdentity();

            app.UseRequestLocalization();

            //start the identity server (highlighted in the original post)
            app.UseIdentityServer();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }

@rajendersvit
Author

This issue is resolved after installing/upgrading the package

"Microsoft.AspNetCore.HttpOverrides": "1.1.0"

@lock

lock bot commented Jan 15, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 15, 2020