Closed jkotalik closed 6 years ago
No, this fails every reverse proxy scenario.
For reverse proxy scenarios, we may need people to explicitly set the port (443 for instance).
A security feature like this can't silently turn itself off. It's ok to have an off switch, but it can't turn itself off.
@blowdart
What @Tratcher said, except with more "Dear god no" screaming
cc/ @DamianEdwards @davidfowl @javiercn
Note the no-https template is the primary mitigation for this issue. If you build an HTTPS app and deploy it to a non-HTTPS environment, it's supposed to fail.
Also should log at Debug/Trace if the HTTPS redirect middleware ran but did not redirect.
And by did not redirect, you mean because it was already an https request? Or because it was turned off for some reason?
No logging if it's already HTTPS. We thought it ought to log if it couldn't redirect because it couldn't find the "desired" port in the configuration (or wherever).
No, that's a fatal configuration error that should be crashing the app. Edit: unless this is for the default 443 fallback where it redirects anyways?
Nah, don't agree.
Not doing this in RC1.
Current behavior has some usability issues that can be discovered pretty quickly by our users.
@muratg What does this mean?
Indeed, why is this punted?
Yeah per our mtg the other day we need to do this in 2.1.0.
Perhaps this warrants an announcement? Applications upgrading from preview2 to RC1 suddenly don't redirect to HTTPS anymore with the default settings.
Agreed. Justin or Chris, could you post an announcement of this change in the RC1 milestone please.
I'll go ahead and post one.
Thanks Justin!
The fundamental issue is that apps that have not configured HTTPS will break if deployed to production (other than Antares). At the last step of the middleware port checking, we currently set the HTTPS port to redirect to 443 if no port is found. Instead of that behavior, if no port is found to redirect to, we simply do not redirect the HttpRequest.
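For the reverse proxy case raised in the thread, the following is an added example (not code from this issue or from the ASP.NET Core repository) of setting the redirect port explicitly, so the result does not depend on port discovery or on the fallback behaviour. The configuration key `PublicHttpsPort` and the choice to throw at startup when it is missing are assumptions of this example.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // "PublicHttpsPort" is a hypothetical key chosen for this example.
        int? port = _config.GetValue<int?>("PublicHttpsPort");
        if (port is null || port < 1 || port > 65535)
        {
            // Example policy: refuse to start rather than run without a redirect.
            throw new InvalidOperationException(
                "PublicHttpsPort must be set to the port the proxy serves HTTPS on.");
        }

        services.AddHttpsRedirection(options =>
        {
            // An explicit port means the middleware never has to discover one.
            options.HttpsPort = port;
            options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        });

        // The proxy terminates TLS, so the app sees plain HTTP unless the
        // forwarded scheme is applied. By default only loopback proxies are
        // trusted; add KnownProxies/KnownNetworks for a remote proxy.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Order matters: restore the original scheme before deciding to redirect,
        // otherwise requests already served over HTTPS are redirected in a loop.
        app.UseForwardedHeaders();
        app.UseHttpsRedirection();
        app.Run(context => context.Response.WriteAsync("ok"));
    }
}
```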