.Net Core 2.0 - Azure Active Directory - NGinX反向代理 - HTTPS
[英].Net Core 2.0 - Azure Active Directory - NGinX reverse Proxy - HTTPS
问题描述
I have a .NET Core 2.0 website, running on Linux, listening on port 5000, behind an NGinX reverse proxy, which is listening on port 80 and 442. NGinX is configured to redirect HTTP traffic to HTTPS, and handle all communication over HTTPS. 
我有一个.NET Core 2.0网站,在Linux上运行,侦听端口5000,在NGinX反向代理后面,它正在侦听端口80和442.NingXX配置为将HTTP流量重定向到HTTPS,并处理通过HTTPS的所有通信。 The NGinx Reverse Proxy and Asp.Net Core app are within their own docker containers, on a shared network. NGinx反向代理和Asp.Net核心应用程序位于共享网络上的自己的docker容器中。
This setup is currently working as described. 此设置目前正如所述工作。
However, I would now like to Authenticate my users against our Azure Active Directory. 但是,我现在想要针对Azure Active Directory验证我的用户。 I have run into a problem and don't know where to go from here. 我遇到了一个问题,不知道从哪里开始。
First, let me show you how I have most of this configured, and then I'll explain my error. 首先,让我告诉你我如何配置大部分,然后我将解释我的错误。
NGinx (nginx.conf) NGinx(nginx.conf)
worker_processes 2;
events { worker_connections 1024; }
http {
sendfile on;
upstream docker-dotnet {
server mycomp_prod:5000;
}
server {
listen 80;
server_name sales.mycompany.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name sales.mycompany.com;
ssl_certificate /etc/nginx/ssl/combined.crt;
ssl_certificate_key /etc/nginx/ssl/salesmycompany.key;
location / {
proxy_pass http://docker-dotnet;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
Dotnet:Startup.cs ConfigureServices() Dotnet:Startup.cs ConfigureServices()
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddAzureAd(options => Configuration.Bind("AzureAd", options))
.AddCookie();
Dotnet:Startup.cs Configure() Dotnet:Startup.cs Configure()
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
app.UseAuthentication();
Dotnet: appsettings.json Dotnet:appsettings.json
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mycompany.com",
"TenantId": "my-tenant-id",
"ClientId": "my-client-id",
"CallbackPath": "/signin-oidc"
},
In My Azure Active Directory Tentant 在My Azure Active Directory Tentant中
I have configured 2 "Reply URLs" 我已经配置了2个“回复网址”
- https://sales.mycompany.com/signin-oidc https://sales.mycompany.com/signin-oidc
- https://sales.mycompany.com https://sales.mycompany.com
Now for the error / My Question 现在是错误/我的问题
When I hit the site, I sign in. Afterward signing in, and choosing whether or not to "Stay signed in", I'm taken to a page with an error. 当我点击该网站时,我会登录。之后登录,并选择是否“保持登录状态”,我被带到了一个有错误的页面。
You can see in the error, that the Reply Address that is attempting to be redirected to, is HTTP, not HTTPS. 您可以在错误中看到,尝试重定向到的回复地址是HTTP,而不是HTTPS。 I think this is coming from the line in appsettings.json that says: 我认为这是来自appsettings.json中的一行说:
"CallbackPath": "/signin-oidc"
And since my .NET Core Site (via Kestrel on port 5000) is not on HTTPS, it's trying to load http://example.com /signin-oidc , instead of HTTPS. 由于我的.NET核心站点(通过端口5000上的Kestrel)不在HTTPS上,因此它尝试加载http://example.com / signin-oidc而不是HTTPS。 Remember that my .NET Core Site is behind an NGinX reverse Proxy, which is configured to handle traffic on 443. 请记住,我的.NET核心站点位于NGinX反向代理之后,该代理配置为处理443上的流量。
Thank you, 谢谢,
3 个解决方案
解决方案1
3 2018-07-23 20:31:10
I saw this and was able to get it working: https://github.com/aspnet/Security/issues/1702 我看到了这个并且能够使它工作: https : //github.com/aspnet/Security/issues/1702
var fordwardedHeaderOptions = new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};
fordwardedHeaderOptions.KnownNetworks.Clear();
fordwardedHeaderOptions.KnownProxies.Clear();
app.UseForwardedHeaders(fordwardedHeaderOptions);
解决方案2
1 2018-03-17 20:52:57
You should check out the documentation on Hosting on Linux . 您应该查看有关Linux上托管的文档。
Make sure you use UseForwardedHeaders in the middleware pipeline before UseAuthentication : 请确保您使用UseForwardedHeaders之前中间件管道UseAuthentication :
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
app.UseAuthentication();
Nginx will assign a header for the protocol used before it forwarded the call to Kestrel (among other things). Nginx将在将呼叫转发给Kestrel之前为其分配一个标头(以及其他内容)。 This middleware will then check those headers to set the right protocol. 然后,此中间件将检查这些标头以设置正确的协议。
解决方案3
0 2018-03-19 07:30:27
In startup.cs, you can try to force hostname and schema. 在startup.cs中,您可以尝试强制使用主机名和架构。 The following code could help. 以下代码可以提供帮助。 Important: place it before setting authentication. 重要: 在设置身份验证之前放置它。
app.Use((context, next) =>
{
context.Request.Host = new HostString(hostname + (port.HasValue ? ":" + port : null));
context.Request.Scheme = protocol;
return next();
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.