Closed getsunil closed 3 years ago
The recommendation is to check the x-forwarded-proto header in middleware and update the Request.Scheme field. That way not every component needs to be aware of these headers.
Katana doesn't have a built-in middleware for this, but the samples from aspnetcore can be instructive: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-5.0#when-it-isnt-possible-to-add-forwarded-headers-and-all-requests-are-secure
app.Use((context, next) =>
{
    // Unconditionally treat the request as HTTPS. Only valid when every request
    // reaching this app has passed through the TLS-terminating proxy.
    context.Request.Scheme = "https";
    return next();
});
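A fuller version of the recommendation above, written here as an added example that is not code from this thread or from Katana itself: an OWIN middleware that honours X-Forwarded-Proto only when the request arrived from a known proxy address, accepts only http or https as values, and is registered before cookie authentication so that both the login redirect and the CookieSecureOption.SameAsRequest decision see the corrected scheme. The TrustedProxies addresses and the UseForwardedProto, ApplyForwardedProto and ParseForwardedProto names are placeholders introduced for this example; the cookie options are the ones from the original report.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public static class ForwardedProtoExtensions
{
    // Placeholder addresses for this example: the reverse-proxy (load balancer)
    // nodes whose X-Forwarded-Proto header may be trusted. Load them from
    // configuration in a real deployment.
    private static readonly IPAddress[] TrustedProxies =
    {
        IPAddress.Parse("10.0.1.10"),
        IPAddress.Parse("10.0.2.10"),
    };

    public static IAppBuilder UseForwardedProto(this IAppBuilder app)
    {
        return app.Use((context, next) =>
        {
            ApplyForwardedProto(context.Request);
            return next();
        });
    }

    // Rewrites Request.Scheme from X-Forwarded-Proto. Returns true when a rewrite happened.
    public static bool ApplyForwardedProto(IOwinRequest request)
    {
        // Honour the header only when the immediate peer is a known proxy; otherwise a
        // client that can reach IIS directly could pick the scheme the app believes it is on.
        if (!IsTrustedProxy(request.RemoteIpAddress))
        {
            return false;
        }

        string proto = ParseForwardedProto(request.Headers.Get("X-Forwarded-Proto"));
        if (proto == null)
        {
            return false;
        }

        request.Scheme = proto;
        return true;
    }

    // Returns "http" or "https", or null when the header is absent or malformed.
    // Only the last value is used: with a single trusted proxy hop that is the value
    // it appended, while earlier comma-separated entries could have come from the client.
    public static string ParseForwardedProto(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue))
        {
            return null;
        }

        string last = headerValue.Split(',').Last().Trim().ToLowerInvariant();
        return last == "http" || last == "https" ? last : null;
    }

    private static bool IsTrustedProxy(string remoteIp)
    {
        IPAddress ip;
        return remoteIp != null
            && IPAddress.TryParse(remoteIp, out ip)
            && TrustedProxies.Contains(ip);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Register before cookie authentication so the login redirect and the
        // CookieSecureOption.SameAsRequest decision see the corrected scheme.
        app.UseForwardedProto();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieSecure = CookieSecureOption.SameAsRequest,
            CookieHttpOnly = true,
            LoginPath = new PathString("/login"),
            ExpireTimeSpan = TimeSpan.FromHours(10)
        });
    }
}
```

The remote-address check is what distinguishes this from the unconditional `Scheme = "https"` snippet above: forcing https is fine when the only path to the app is through the TLS terminator, but if IIS is also reachable directly (for health checks, an internal hostname, or a misconfigured security group), an unconditionally trusted header lets the caller decide whether cookies are issued with the Secure flag.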
@Tratcher: could there be side effects of mutating the request scheme (context.Request.Scheme = "https")?
I'm not aware of any negative ones.
This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.
See our Issue Management Policies for more information.
I have been running my ASP.NET MVC application on AWS. The setup uses virtual machines running behind a load balancer. The SSL/TLS connection is terminated at the load balancer, and load balancer to IIS traffic is over http. Since IIS is not using an SSL certificate, Request.Scheme will always be http, but the actual request originated over https. Documentation from AWS: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
I am using the configuration below:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieSecure = CookieSecureOption.SameAsRequest,
    CookieHttpOnly = true,
    LoginPath = new PathString("/login"),
    ExpireTimeSpan = TimeSpan.FromHours(10)
})
If unauthenticated, the client gets redirected to http://mydomain.com/login although the header
X-Forwarded-Proto: https
clearly mentions that the request originated over https. Expected redirect URL: https://mydomain.com/login
It seems the issue is originating from here: https://github.com/aspnet/AspNetKatana/blob/81aa05345cb680c6095242a60e673a24868e192b/src/Microsoft.Owin.Security.Cookies/CookieAuthenticationHandler.cs#L350