堆栈内存溢出
  繁体   English   中英

ASP.NET 核心红隼 windows 身份验证在 docker 中识别错误用户

[英]ASP.NET Core kestrel windows authentication in docker identifies wrong user

 原文  2020-04-22 19:01:14       c#/ docker/ asp.net-core/ windows-authentication/ traefik

问题描述

我正在使用 docker(windows nanoserver)、traefik、asp.net core 3.1 和 windows 身份验证/协商。 如果用户连接到容器,他或她登录并且他们的用户被绑定到 httpcontext。 如果之后有另一个用户连接,第一个用户仍然绑定到上下文。

这是我在代码中的设置:

docker-compose.yml

version: "3.7"
services:
  webapplication:
    image: <repository>/webapplication:8-1
    networks:
      webapplication-network:
        aliases:
          - webapplication
      traefik:      
        aliases:
          - traefik-webapplication
    credential_spec:  
      file: webapp({GMSA_ACCOUNT})_credential.json
    secrets:
      - source: config_secrets
        target: C:/app/appsettings.json
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 10
        window: 30s
      labels: 
        - applicationname=({APPLICATIONNAME})
        - "traefik.enable=true"
        - "traefik.http.routers.({APPLICATIONNAME})-webapplication.rule=Host(`({APPLICATIONNAME})-webapplication.({DOMAIN})`)"
        - "traefik.http.routers.({APPLICATIONNAME})-webapplication.service=({APPLICATIONNAME})-webapplication"
        - "traefik.http.routers.({APPLICATIONNAME})-webapplication.entrypoints=https"
        - "traefik.http.routers.({APPLICATIONNAME})-webapplication.tls=true"
        - "traefik.http.services.({APPLICATIONNAME})-webapplication.loadbalancer.server.scheme=http"
        - "traefik.http.services.({APPLICATIONNAME})-webapplication.loadbalancer.server.port=80"

        # redirect http to https
        - traefik.http.middlewares.({APPLICATIONNAME})-webapplication-unsecure-redirect-secure.redirectscheme.scheme=https
        - traefik.http.routers.({APPLICATIONNAME})-webapplication-unsecure.middlewares=({APPLICATIONNAME})-webapplication-unsecure-redirect-secure
        - traefik.http.routers.({APPLICATIONNAME})-webapplication-unsecure.rule=Host(`({APPLICATIONNAME})-webapplication.({DOMAIN})`)
        - traefik.http.routers.({APPLICATIONNAME})-webapplication-unsecure.entrypoints=http

        # Attempt to make Windows authentication work through TCP
        - "traefik.tcp.routers.({APPLICATIONNAME})-webapplication.rule=HostSNI(`({APPLICATIONNAME})-webapplication.({DOMAIN})`)"
        - "traefik.tcp.routers.({APPLICATIONNAME})-webapplication.service=({APPLICATIONNAME})-webapplication"
        - "traefik.tcp.routers.({APPLICATIONNAME})-webapplication.tls=true"
        - "traefik.tcp.services.({APPLICATIONNAME})-webapplication.loadbalancer.server.port=80"         
        - "traefik.http.services.({APPLICATIONNAME})-webapplication.loadbalancer.sticky=true"

Dockerfile webapplication-windows-netcore-base

# escape=`
FROM mcr.microsoft.com/windows/servercore:ltsc2019 AS installer
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

# Retrieve .NET Core Runtime
RUN $dotnet_version = '3.1.3'; `
    Invoke-WebRequest -OutFile dotnet.zip https://dotnetcli.azureedge.net/dotnet/Runtime/$dotnet_version/dotnet-runtime-$dotnet_version-win-x64.zip; `
    $dotnet_sha512 = '62a18838664afd6f08cdb9a90a96a67626743aab1f0de0065eadfd7d1df31681c90f96744ccb5b7e40834c9e3c4952125c8c83625867c500692050cdd113ff50'; `
    if ((Get-FileHash dotnet.zip -Algorithm sha512).Hash -ne $dotnet_sha512) { `
        Write-Host 'CHECKSUM VERIFICATION FAILED!'; `
        exit 1; `
    }; `
    `
    Expand-Archive dotnet.zip -DestinationPath dotnet; `
    Remove-Item -Force dotnet.zip; `
# Install ASP.NET Core Runtime
    $aspnetcore_version = '3.1.3'; `
    Invoke-WebRequest -OutFile aspnetcore.zip https://dotnetcli.azureedge.net/dotnet/aspnetcore/Runtime/$aspnetcore_version/aspnetcore-runtime-$aspnetcore_version-win-x64.zip; `
    $aspnetcore_sha512 = '6d8a21a7420db9091fc05613ef0a923c7b86cc995360c9f0133d632020e042db0efac0343ee6516a28feb2c1dd004b33b74bfdcc1a687efdefa9db1a486c1ca2'; `
    if ((Get-FileHash aspnetcore.zip -Algorithm sha512).Hash -ne $aspnetcore_sha512) { `
        Write-Host 'CHECKSUM VERIFICATION FAILED!'; `
        exit 1; `
    }; `
    `
    Expand-Archive aspnetcore.zip -DestinationPath dotnet -Force; `
    Remove-Item -Force aspnetcore.zip
# Runtime image
FROM mcr.microsoft.com/windows/servercore:ltsc2019

ENV `
    # Configure web servers to bind to port 80 when present
    ASPNETCORE_URLS=http://+:80 `
    # Enable detection of running in a container
    DOTNET_RUNNING_IN_CONTAINER=true

WORKDIR C:\app
USER ContainerAdministrator
RUN setx /M PATH "%PATH%;C:\Program Files\dotnet" && `
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 -f
COPY --from=installer ["/dotnet", "/Program Files/dotnet"]

Dockerfile 网络应用程序

# escape=`
##### Runtime #####
ARG baseImageVersie
ARG buildNumber
ARG release
FROM <repository>/webapplication-build:$release-$buildNumber AS buildtools
FROM webapplication-windows-netcore-base:$baseImageVersie 
ENV DOTNET_RUNNING_IN_CONTAINER=true
ENTRYPOINT ["dotnet", "webapplication.dll"]
COPY --from=buildtools C:/publish .

Startup.cs 看起来像这样

public class Startup
{
    private readonly IConfiguration configuration;

    public Startup(IConfiguration configuration)
    {
        this.configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers(o =>
        {
            o.Filters.Add(typeof(GlobalExceptionFilter));
        });
        services
            .AddAuthentication(NegotiateDefaults.AuthenticationScheme)
            .AddNegotiate(o => o.Validate());

        var appsettings = configuration.Get<Appsettings>();

        services.AddCors(options =>
        {
            options.AddPolicy("cors",
            builder =>
            {
                builder.WithOrigins(appsettings.Origins)
                    .SetIsOriginAllowedToAllowWildcardSubdomains()
                    .AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowCredentials();
            });
        });

        services.AddSwaggerGen(c =>
        {
            c.SwaggerDoc("v1", new OpenApiInfo { 
                Title = "Webapplication", 
                Version = "v1" ,
            });
            c.ExampleFilters();

            var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
            var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
            c.IncludeXmlComments(xmlPath); 
            c.OperationFilter<AppendAuthorizeToSummaryOperationFilter>(); 
        });

        services.AddSwaggerExamplesFromAssemblyOf<AuthorizeModelExample>();

    }

    // ReSharper disable once UnusedMember.Global
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();

        app.UseCors("cors");
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints
                .MapControllers()
                .RequireAuthorization()
                .RequireCors("cors");
        });
        app.UseSwagger();
        app.UseSwaggerUI(c =>
        {
            c.SwaggerEndpoint("/swagger/v1/swagger.json", "Webapplication V1");
        });
    }
}

用户控制器

[Produces("application/json")]
[ApiController]
[Route("api/connect/[controller]")]
public class UserController : ControllerBase
{
    [HttpGet]
    public ActionResult Get()
    {
        return Ok(User?.Identity?.Name)
    }
}

会发生什么- 用户 1 通过填写他的凭据登录(使用隐身模式) - 用户 1 调用 /api/connect/user 并返回“用户 1” - 用户 2 打开 Web 应用程序并且不必提供任何凭据 - 用户 2调用 /api/connect/user仍然返回“user 1”

问题:如何防止我的 asp.net 核心应用程序返回错误的 windows 身份验证用户?

1 个解决方案

解决方案1
 1  2020-04-26 12:14:11

我设法使用 traefik TLS passthrough 使其工作。 所以我不得不改变应用程序来服务 https 本身,而不是让 traefik 做 SSL 终止。 我的应用程序的撰写文件现在如下所示:

docker-compose.yml

version: "3.7"
services:
  webapplication:
    image: <repository>/webapplication:8-1
    environment:
      - ASPNETCORE_Kestrel__Certificates__Default__Path=wildcard_certificate.pfx
    networks:
      webapplication-network:
        aliases:
          - webapplication
      traefik:      
        aliases:
          - traefik-webapplication
    credential_spec:  
      file: webapp({GMSA_ACCOUNT})_credential.json
    secrets:
      - source: config_secrets
        target: C:/app/appsettings.json
      - source: wildcard_certificate_pfx
        target: c:\certificates\wildcard_certificate.pfx
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 10
        window: 30s
      labels: 
        - applicatienaam=({APPLICATIENAAM})
        - "traefik.enable=true"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.rule=Host(`({APPLICATIENAAM})-webapplication.({DOMAIN})`)"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.entrypoints=https"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.tls=true"
        - "traefik.http.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.scheme=https"
        - "traefik.http.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.port=443"

        # Windows authentication works through TCP
        # TLS passtrough, because otherwise windows authentication won't support multiple users
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls=true"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls.options=default"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls.passthrough=true"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.rule=HostSNI(`({APPLICATIENAAM})-webapplication.({DOMAIN})`)"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.entrypoints=https"
        - "traefik.tcp.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.port=443"

我认为第一个登录的用户绑定到traefik连接,所以所有下一个用户将使用第一个用户session,但我不确定。 我所知道的是,上面的解决方案可以防止混淆用户会话。

由于WindowsCryptographicException 错误,我还必须更改我的 dockerfile 以使从容器工作的 https 工作。

# escape=`
##### Runtime #####
ARG baseImageVersie
ARG buildNumber
ARG release
FROM <repository>/webapplication-build:$release-$buildNumber AS buildtools
FROM webapplication-windows-netcore-base:$baseImageVersie 
ENV DOTNET_RUNNING_IN_CONTAINER=true

# The copy is done, because wildcard_certificate.pfx is put into the container using docker secrets, which makes it a symlink. 
# Reading a certificate as a symlink is not supported at this moment: https://stackoverflow.com/q/43955181/1608705
# After doing a copy, the copied version is not a symlink anymore.
ENTRYPOINT (IF EXIST "c:\certificates\wildcard_certificate.pfx" (copy c:\certificates\wildcard_certificate.pfx c:\app\wildcard_certificate.pfx)) && dotnet webapplication.dll

COPY --from=buildtools C:/publish .

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ASP.NET vNext Kestrel + Windows身份验证 在 Windows 身份验证的 ASP.Net 5 中使用 IIS Express/Kestrel 时,User.IsInRole 始终为 false Kestrel on https with asp.net core 1.0 记录asp.net core / kestrel中的异常 使用没有ASP.NET核心的Kestrel ASP.Net Core:保持Windows身份验证 使用 Windows 身份验证的 ASP.NET Core 标识 OnCertificateValidated 未运行 - 自签名证书客户端身份验证 - ASP.NET Core 和 Kestrel 在 Linux Docker 中查询 Asp.net Core/Kestrel 中的布尔属性的 Firestore 崩溃 当Kestrel收到请求时,无法停止asp.net核心Windows服务
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM