
Getting "The page was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint '.well-known/openid-configuration'"

So I have an ASP.Net Core Hosted Blazor Web Assembly project using Identity Server 4 to manage my logins and registration, and when I am debugging and I try to log into my app, the endpoint '.well-known/openid-configuration' is served over HTTPS, but when I run the published version of it in Docker it is served over HTTP, causing my login page not to work. How can I get it to be served over HTTPS?

The full error is: AuthenticationService.js:1 Mixed Content: The page at 'https://musicfusion.app/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://musicfusion.app/.well-known/openid-configuration'. This request has been blocked; the content must be served over HTTPS.

Edit: My Startup.cs

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.ResponseCompression;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using System.Linq;
using Soundbox.Server.Data;
using Soundbox.Shared;
using System;
using Blazored.Toast;
using test.Server.Hubs;
using Microsoft.AspNetCore.Identity.UI.Services;
using test.Server.Services;
using Microsoft.AspNetCore.HttpOverrides;

namespace test.Server
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlite("Data Source=/data/test.db"));
            services.AddBlazoredToast();
            services.Configure<APIKeys>(this.Configuration.GetSection("APIKeys"));
            services.Configure<AuthMessageSenderOptions>(this.Configuration.GetSection("Emails"));
            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders =
                    ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            });
            services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
                .AddEntityFrameworkStores<ApplicationDbContext>();

            services.AddIdentityServer()
                .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

            services.AddAuthentication()
                .AddIdentityServerJwt();

            //services.AddCors(options =>
            //{
            //    options.AddPolicy("AllowSpecificOrigin",
            //            builder =>
            //            {
            //                builder
            //                .AllowAnyOrigin()
            //                .AllowAnyMethod()
            //                .AllowAnyHeader();
            //            });
            //});

            services.AddControllersWithViews();

            // requires
            // using Microsoft.AspNetCore.Identity.UI.Services;
            // using WebPWrecover.Services;
            services.AddTransient<IEmailSender, EmailSender>();

            services.AddRazorPages();
            services.AddSignalR();
            services.AddResponseCompression(opts =>
            {
                opts.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(
                    new[] { "application/octet-stream" });
            });
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseResponseCompression();
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
                app.UseWebAssemblyDebugging();
            }
            else
            {
                app.UseExceptionHandler("/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseBlazorFrameworkFiles();
            app.UseStaticFiles();

            //app.UseCors("AllowSpecificOrigin");
            app.UseRouting();

            app.UseIdentityServer();
            app.UseForwardedHeaders(new ForwardedHeadersOptions
            {
                ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
            });
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapRazorPages();
                endpoints.MapControllers();
                endpoints.MapHub<PlaylistHub>("/playlisthub");
                endpoints.MapFallbackToFile("index.html");
            });

            UpdateDatabase(app);
        }

        private static void UpdateDatabase(IApplicationBuilder app)
        {
            using (var serviceScope = app.ApplicationServices
                .GetRequiredService<IServiceScopeFactory>()
                .CreateScope())
            {
                using (var context = serviceScope.ServiceProvider.GetService<ApplicationDbContext>())
                {
                    context.Database.Migrate();
                }
            }
        }
    }
}

Adding the following line to Startup.cs in the Server project seems to have fixed this for me:

app.Use((ctx, next) => { ctx.SetIdentityServerOrigin("https://www.my-domain-name-here.co.uk"); return next(); });

I was struggling with this too. Finally came up with a solution. In Startup.ConfigureServices, add the IdentityServer options like this:

        services.AddIdentityServer(options =>
        {
            options.PublicOrigin = Configuration["PublicOrigin"];
        })

Then put the public HTTPS origin in your appsettings.json (eg "PublicOrigin": "https://example.com").

The solution to this was to have Cloudflare force all traffic to be HTTPS.

Edit: to get it right, follow this tutorial: https://blog.cloudflare.com/how-to-make-your-site-https-only/

If you are using IdentityServer4 then you can put this in your startup:

app.Use(async (ctx, next) =>
{
    ctx.Request.Scheme = "https";
    await next();
});

It will then make Identity Server use https for all links that it creates. This helped a lot as I'm using a reverse proxy.

@Carl and @Jared are correct, but simply forcing HTTPS won't work if you are behind a load balancer or something similar.

https://leastprivilege.com/2017/10/09/new-in-identityserver4-v2-simplified-configuration-behind-load-balancers-or-reverse-proxies/

Example request via https that serves endpoint links in http, from an app hosted in GCP Cloud Run. The exact same code served https endpoints in Azure and IIS.

The recommended approach is using PublicOrigin in IdentityServer4:

app.Use(async (ctx, next) =>
{
    ctx.SetIdentityServerOrigin("https://example.com");
    await next();
});

or

app.Use(async (ctx, next) =>
{
    ctx.Request.Scheme = "https";
    ctx.Request.Host = new HostString("example.com");
    
    await next();
});

https://github.com/IdentityServer/IdentityServer4/issues/4535#issuecomment-647084412
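The answers above offer two families of fix: pin the origin explicitly (SetIdentityServerOrigin / PublicOrigin / overwriting Request.Scheme) or let the app learn the real scheme from the proxy's X-Forwarded-* headers. The second is what the question's own Startup.cs attempts, but there UseForwardedHeaders runs after UseHttpsRedirection and UseIdentityServer, so the scheme is still "http" when the discovery document is built, and the default options only trust a proxy on loopback, which a Docker deployment behind Cloudflare or a cloud load balancer is not. The Startup below is an added example, not code from the question or any answer; the proxy network range is a placeholder you must replace with the addresses your reverse proxy actually connects from, and the IdentityServer registration details are assumed to match the question's project.

```csharp
// Added example (not the asker's or answerers' code): trust X-Forwarded-Proto/For only from a
// named proxy, and apply it before anything that reads Request.Scheme, so IdentityServer4
// advertises https links without blindly rewriting the scheme for every request.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Honour only the scheme and client address. X-Forwarded-Host is left out on purpose:
            // a forged Host would flow straight into the issuer and endpoint URLs.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;

            // Default trust is loopback only; in a container the proxy is a different host, so
            // the headers are silently ignored and Scheme stays "http". Name the proxy instead of
            // clearing all checks, otherwise any client that can reach Kestrel directly could
            // inject X-Forwarded-* and spoof its address or scheme.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                IPAddress.Parse("172.18.0.0"), 16)); // PLACEHOLDER: your proxy / docker network range

            // Process only the nearest hop's entry; deeper entries come from untrusted parties.
            options.ForwardLimit = 1;
        });

        // IdentityServer / Identity registration as in the question's project (assumed unchanged):
        // services.AddIdentityServer().AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
        // services.AddAuthentication().AddIdentityServerJwt();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // First in the pipeline: UseHsts, UseHttpsRedirection and UseIdentityServer all read
        // Request.Scheme, so forwarded headers must already have been applied.
        app.UseForwardedHeaders();

        if (!env.IsDevelopment())
        {
            app.UseHsts();
        }
        // With Scheme now "https" for proxied requests, this no longer redirect-loops or
        // downgrades anything; direct http hits on Kestrel are still redirected.
        app.UseHttpsRedirection();

        app.UseStaticFiles();
        app.UseRouting();

        // Discovery document (/.well-known/openid-configuration) is generated here from
        // Request.Scheme + Request.Host, hence the ordering above.
        app.UseIdentityServer();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

A quick check after deploying: request the discovery document through the proxy and confirm every URL in the JSON starts with https://; then request it directly against the container's port with a hand-set X-Forwarded-Proto: https header from an address outside the configured network and confirm the links stay http://, which shows the header is only trusted from the named proxy.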
