堆棧內存溢出
  簡體   English   中英

ASP.NET 核心紅隼 windows 身份驗證在 docker 中識別錯誤用戶

[英]ASP.NET Core kestrel windows authentication in docker identifies wrong user

 原文  2020-04-22 19:01:14       c#/ docker/ asp.net-core/ windows-authentication/ traefik

問題描述

我正在使用 docker(windows nanoserver)、traefik、asp.net core 3.1 和 windows 身份驗證/協商。 如果用戶連接到容器,他或她登錄並且他們的用戶被綁定到 httpcontext。 如果之后有另一個用戶連接,第一個用戶仍然綁定到上下文。

這是我在代碼中的設置:

docker-compose.yml

version: "3.7"
services:
  webapplication:
    image: <repository>/webapplication:8-1
    networks:
      webapplication-network:
        aliases:
          - webapplication
      traefik:      
        aliases:
          - traefik-webapplication
    credential_spec:  
      file: webapp({GMSA_ACCOUNT})_credential.json
    secrets:
      - source: config_secrets
        target: C:/app/appsettings.json
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 10
        window: 30s
      labels: 
        - applicationname=({APPLICATIONNAME})
        - "traefik.enable=true"
        - "traefik.http.routers.({APPLICATIONNAME})-webapplication.rule=Host(`({APPLICATIONNAME})-webapplication.({DOMAIN})`)"
        - "traefik.http.routers.({APPLICATIONNAME})-webapplication.service=({APPLICATIONNAME})-webapplication"
        - "traefik.http.routers.({APPLICATIONNAME})-webapplication.entrypoints=https"
        - "traefik.http.routers.({APPLICATIONNAME})-webapplication.tls=true"
        - "traefik.http.services.({APPLICATIONNAME})-webapplication.loadbalancer.server.scheme=http"
        - "traefik.http.services.({APPLICATIONNAME})-webapplication.loadbalancer.server.port=80"

        # redirect http to https
        - traefik.http.middlewares.({APPLICATIONNAME})-webapplication-unsecure-redirect-secure.redirectscheme.scheme=https
        - traefik.http.routers.({APPLICATIONNAME})-webapplication-unsecure.middlewares=({APPLICATIONNAME})-webapplication-unsecure-redirect-secure
        - traefik.http.routers.({APPLICATIONNAME})-webapplication-unsecure.rule=Host(`({APPLICATIONNAME})-webapplication.({DOMAIN})`)
        - traefik.http.routers.({APPLICATIONNAME})-webapplication-unsecure.entrypoints=http

        # Attempt to make Windows authentication work through TCP
        - "traefik.tcp.routers.({APPLICATIONNAME})-webapplication.rule=HostSNI(`({APPLICATIONNAME})-webapplication.({DOMAIN})`)"
        - "traefik.tcp.routers.({APPLICATIONNAME})-webapplication.service=({APPLICATIONNAME})-webapplication"
        - "traefik.tcp.routers.({APPLICATIONNAME})-webapplication.tls=true"
        - "traefik.tcp.services.({APPLICATIONNAME})-webapplication.loadbalancer.server.port=80"         
        - "traefik.http.services.({APPLICATIONNAME})-webapplication.loadbalancer.sticky=true"

Dockerfile webapplication-windows-netcore-base

# escape=`
FROM mcr.microsoft.com/windows/servercore:ltsc2019 AS installer
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

# Retrieve .NET Core Runtime
RUN $dotnet_version = '3.1.3'; `
    Invoke-WebRequest -OutFile dotnet.zip https://dotnetcli.azureedge.net/dotnet/Runtime/$dotnet_version/dotnet-runtime-$dotnet_version-win-x64.zip; `
    $dotnet_sha512 = '62a18838664afd6f08cdb9a90a96a67626743aab1f0de0065eadfd7d1df31681c90f96744ccb5b7e40834c9e3c4952125c8c83625867c500692050cdd113ff50'; `
    if ((Get-FileHash dotnet.zip -Algorithm sha512).Hash -ne $dotnet_sha512) { `
        Write-Host 'CHECKSUM VERIFICATION FAILED!'; `
        exit 1; `
    }; `
    `
    Expand-Archive dotnet.zip -DestinationPath dotnet; `
    Remove-Item -Force dotnet.zip; `
# Install ASP.NET Core Runtime
    $aspnetcore_version = '3.1.3'; `
    Invoke-WebRequest -OutFile aspnetcore.zip https://dotnetcli.azureedge.net/dotnet/aspnetcore/Runtime/$aspnetcore_version/aspnetcore-runtime-$aspnetcore_version-win-x64.zip; `
    $aspnetcore_sha512 = '6d8a21a7420db9091fc05613ef0a923c7b86cc995360c9f0133d632020e042db0efac0343ee6516a28feb2c1dd004b33b74bfdcc1a687efdefa9db1a486c1ca2'; `
    if ((Get-FileHash aspnetcore.zip -Algorithm sha512).Hash -ne $aspnetcore_sha512) { `
        Write-Host 'CHECKSUM VERIFICATION FAILED!'; `
        exit 1; `
    }; `
    `
    Expand-Archive aspnetcore.zip -DestinationPath dotnet -Force; `
    Remove-Item -Force aspnetcore.zip
# Runtime image
FROM mcr.microsoft.com/windows/servercore:ltsc2019

ENV `
    # Configure web servers to bind to port 80 when present
    ASPNETCORE_URLS=http://+:80 `
    # Enable detection of running in a container
    DOTNET_RUNNING_IN_CONTAINER=true

WORKDIR C:\app
USER ContainerAdministrator
RUN setx /M PATH "%PATH%;C:\Program Files\dotnet" && `
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 -f
COPY --from=installer ["/dotnet", "/Program Files/dotnet"]

Dockerfile 網絡應用程序

# escape=`
##### Runtime #####
ARG baseImageVersie
ARG buildNumber
ARG release
FROM <repository>/webapplication-build:$release-$buildNumber AS buildtools
FROM webapplication-windows-netcore-base:$baseImageVersie 
ENV DOTNET_RUNNING_IN_CONTAINER=true
ENTRYPOINT ["dotnet", "webapplication.dll"]
COPY --from=buildtools C:/publish .

Startup.cs 看起來像這樣

public class Startup
{
    private readonly IConfiguration configuration;

    public Startup(IConfiguration configuration)
    {
        this.configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers(o =>
        {
            o.Filters.Add(typeof(GlobalExceptionFilter));
        });
        services
            .AddAuthentication(NegotiateDefaults.AuthenticationScheme)
            .AddNegotiate(o => o.Validate());

        var appsettings = configuration.Get<Appsettings>();

        services.AddCors(options =>
        {
            options.AddPolicy("cors",
            builder =>
            {
                builder.WithOrigins(appsettings.Origins)
                    .SetIsOriginAllowedToAllowWildcardSubdomains()
                    .AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowCredentials();
            });
        });

        services.AddSwaggerGen(c =>
        {
            c.SwaggerDoc("v1", new OpenApiInfo { 
                Title = "Webapplication", 
                Version = "v1" ,
            });
            c.ExampleFilters();

            var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
            var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
            c.IncludeXmlComments(xmlPath); 
            c.OperationFilter<AppendAuthorizeToSummaryOperationFilter>(); 
        });

        services.AddSwaggerExamplesFromAssemblyOf<AuthorizeModelExample>();

    }

    // ReSharper disable once UnusedMember.Global
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();

        app.UseCors("cors");
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints
                .MapControllers()
                .RequireAuthorization()
                .RequireCors("cors");
        });
        app.UseSwagger();
        app.UseSwaggerUI(c =>
        {
            c.SwaggerEndpoint("/swagger/v1/swagger.json", "Webapplication V1");
        });
    }
}

用戶控制器

[Produces("application/json")]
[ApiController]
[Route("api/connect/[controller]")]
public class UserController : ControllerBase
{
    [HttpGet]
    public ActionResult Get()
    {
        return Ok(User?.Identity?.Name)
    }
}

會發生什么- 用戶 1 通過填寫他的憑據登錄(使用隱身模式) - 用戶 1 調用 /api/connect/user 並返回“用戶 1” - 用戶 2 打開 Web 應用程序並且不必提供任何憑據 - 用戶 2調用 /api/connect/user仍然返回“user 1”

問題:如何防止我的 asp.net 核心應用程序返回錯誤的 windows 身份驗證用戶?

1 個解決方案

解決方案1
 1  2020-04-26 12:14:11

我設法使用 traefik TLS passthrough 使其工作。 所以我不得不改變應用程序來服務 https 本身,而不是讓 traefik 做 SSL 終止。 我的應用程序的撰寫文件現在如下所示:

docker-compose.yml

version: "3.7"
services:
  webapplication:
    image: <repository>/webapplication:8-1
    environment:
      - ASPNETCORE_Kestrel__Certificates__Default__Path=wildcard_certificate.pfx
    networks:
      webapplication-network:
        aliases:
          - webapplication
      traefik:      
        aliases:
          - traefik-webapplication
    credential_spec:  
      file: webapp({GMSA_ACCOUNT})_credential.json
    secrets:
      - source: config_secrets
        target: C:/app/appsettings.json
      - source: wildcard_certificate_pfx
        target: c:\certificates\wildcard_certificate.pfx
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 10
        window: 30s
      labels: 
        - applicatienaam=({APPLICATIENAAM})
        - "traefik.enable=true"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.rule=Host(`({APPLICATIENAAM})-webapplication.({DOMAIN})`)"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.entrypoints=https"
        - "traefik.http.routers.({APPLICATIENAAM})-webapplication.tls=true"
        - "traefik.http.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.scheme=https"
        - "traefik.http.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.port=443"

        # Windows authentication works through TCP
        # TLS passtrough, because otherwise windows authentication won't support multiple users
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls=true"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls.options=default"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.tls.passthrough=true"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.rule=HostSNI(`({APPLICATIENAAM})-webapplication.({DOMAIN})`)"
        - "traefik.tcp.routers.({APPLICATIENAAM})-webapplication.entrypoints=https"
        - "traefik.tcp.services.({APPLICATIENAAM})-webapplication.loadbalancer.server.port=443"

我認為第一個登錄的用戶綁定到traefik連接,所以所有下一個用戶將使用第一個用戶session,但我不確定。 我所知道的是,上面的解決方案可以防止混淆用戶會話。

由於WindowsCryptographicException 錯誤,我還必須更改我的 dockerfile 以使從容器工作的 https 工作。

# escape=`
##### Runtime #####
ARG baseImageVersie
ARG buildNumber
ARG release
FROM <repository>/webapplication-build:$release-$buildNumber AS buildtools
FROM webapplication-windows-netcore-base:$baseImageVersie 
ENV DOTNET_RUNNING_IN_CONTAINER=true

# The copy is done, because wildcard_certificate.pfx is put into the container using docker secrets, which makes it a symlink. 
# Reading a certificate as a symlink is not supported at this moment: https://stackoverflow.com/q/43955181/1608705
# After doing a copy, the copied version is not a symlink anymore.
ENTRYPOINT (IF EXIST "c:\certificates\wildcard_certificate.pfx" (copy c:\certificates\wildcard_certificate.pfx c:\app\wildcard_certificate.pfx)) && dotnet webapplication.dll

COPY --from=buildtools C:/publish .

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 ASP.NET vNext Kestrel + Windows身份驗證 在 Windows 身份驗證的 ASP.Net 5 中使用 IIS Express/Kestrel 時,User.IsInRole 始終為 false Kestrel on https with asp.net core 1.0 記錄asp.net core / kestrel中的異常 使用沒有ASP.NET核心的Kestrel ASP.Net Core:保持Windows身份驗證 使用 Windows 身份驗證的 ASP.NET Core 標識 OnCertificateValidated 未運行 - 自簽名證書客戶端身份驗證 - ASP.NET Core 和 Kestrel 在 Linux Docker 中查詢 Asp.net Core/Kestrel 中的布爾屬性的 Firestore 崩潰 當Kestrel收到請求時,無法停止asp.net核心Windows服務
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM