Tratcher
commented
3 years ago The recommendation is to check the x-forwarded-proto header in middleware and update the Request.Scheme field. That way not every component needs to be aware of these headers.
Katana doesn't have a built in middleware for this, but the samples from aspnetcore can be instructive: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-5.0#when-it-isnt-possible-to-add-forwarded-headers-and-all-requests-are-secure
app.Use((context, next) =>
{
context.Request.Scheme = "https";
return next();
});
getsunil
ghost
I have been running my Asp.Net MVC application on Aws. Setup uses virtual machines running behind a load balancer. SSL/TLS connection is terminated at the load balancer and load balancer to IIS traffic is over http. Since IIS is not using SSL certificate,
Request.Schemewill always be http but the actual request originated over https.documentation from Aws : https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
I am using below configuration:
app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, CookieSecure = CookieSecureOption.SameAsRequest, CookieHttpOnly = true, LoginPath = new PathString("/login"), ExpireTimeSpan = TimeSpan.FromHours(10) })If unauthenticated, client gets redirected to http://mydomain.com/login although header
X-Forwarded-Proto: httpsclearly mentions the request originated over httpsExpected redirect url : https://mydomain.com/login
It seems the issue is originating from here: https://github.com/aspnet/AspNetKatana/blob/81aa05345cb680c6095242a60e673a24868e192b/src/Microsoft.Owin.Security.Cookies/CookieAuthenticationHandler.cs#L350