ASP.NET Core 2 app with Org Authentication works outside but not inside Docker

[MichaelSimons]

Copied from https://github.com/dotnet/dotnet-docker-samples/issues/73 by @garysu

Create a new ASP.NET core 2.0 webapp and change authentication to Org / Microsoft account and also include Docker support. Set Project as the startup project (instead of IIS Express because we want to use Kestrel) and run it and it will go to the Consent dialog and it redirects successfully to the assigned port (so say https://localhost:44399).

Now change the Dockerfile to expose port 44399, and in the docker compose file, map "44399:44399" to map the host port to the same port within the container.

Container comes up with the expected ports exposed, but browsing to https://localhost:44399 on the host again and the site isn't found.

I am sure I am missing something incredibly simple but I have banged my head on this one for 3 days now. I am thinking about reverting to use 1.1 instead :-(

BTW: Here is how Kestrel is configured

public static IWebHost BuildWebHost(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup<Startup>() .UseKestrel(options => { options.Listen(IPAddress.Loopback, 44399, listenOptions => { listenOptions.UseHttps("127.0.0.1.pfx", "Password!1"); }); }).Build(); `

Thanks for any help, Gary.

Copied from https://github.com/dotnet/dotnet-docker-samples/issues/73#issuecomment-327382262 by @StefH

Hello @garysu ,

Just some questions from my side, which may or may not help you.

• Do you use a linux based container or a windows-nano based ?
• Does the application work when you just do dotnet run ?
• Is it even possible to load a pfx file from the file-system inside the container ?
• Can you post the full docker file and the command you use to start the instance ?

Copied from https://github.com/dotnet/dotnet-docker-samples/issues/73#issuecomment-327622057 by @garysu

Hi @StefH,

I have been trying to go through a process of elimination by stripping as much out of a sample as possible. I have attached a sample program that just uses port 80, so not even dealing with the added complexity of SSL.

public static IWebHost BuildWebHost(string[] args) { return WebHost.CreateDefaultBuilder(args) .UseStartup<Startup>() //.UseKestrel(options => //{ // options.Listen(IPAddress.Loopback, 80); //}) .Build(); }

Just run this in docker and the container comes up. When I run curl http://localhost the container responds with the html i expect. Now just uncomment the lines above where I explicitly set the listening port to 80. Rebuild and run in docker and the container comes up again. But you run the curl command again and you get an error curl: (52) Empty reply from server

I tested both these same flows using Windows containers (image: xxx) as well and in that configuration both curl requests fail with the same error - curl: (7) Failed to connect to localhost port 80: Connection refused

My environment is Windows 10 version 1703 (OS Build 15063.540) using the latest Docker for Windows Edge release (Version 17.07.0-ce-win26 (13125)).

WebApplication2.zip

Copied from https://github.com/dotnet/dotnet-docker-samples/issues/73#issuecomment-327660839 by @garysu

I have made some progress on this by replacing IPAddress.Loopback with IPAddress.Any...there were some old bugs (like 2yr old) that the Windows network driver had trouble forwarding ports from the loopback adapter but that it had been fixed. Will post any other information I find.

Copied from https://github.com/dotnet/dotnet-docker-samples/issues/73#issuecomment-327699845 by @StefH

What I experienced is that when running a microsoft/nanoserver Docker image in Windows 10, the internal forwarded ports are not accessible. I need to use a helper tool DockerProxy to fix this.

In my project WireMock.Net I also startup a Kestrel selfhosted server, but I use this code:

IWebHost host = new WebHostBuilder()
    .Configure(appBuilder =>
    {
        appBuilder.UseMiddleware<WireMockMiddleware>(_options);
    })
    .UseKestrel()
    .UseUrls(_uriPrefixes)
.Build();

Where the _uriPrefixes is a string array which is defined like : http://*:80.

For some more details see: https://github.com/WireMock-Net/WireMock.Net/blob/master/src/WireMock.Net/Owin/AspNetCoreSelfHost.cs#L48-L56

I hope this helps.

[natemcmaster]

Closing as it sounds like the issue was resolved. As @garysu mentioned, you need to use IPAddress.Any when running in Docker. Binding to loopback means the operating system won't expose your app to external network traffic. When running inside Docker, "external" means anything not running inside the container - that includes the Docker host.

FYI - this is why the aspnetcore images set the default value for ASPNETCORE_URLS in our Dockerfile.

https://github.com/aspnet/aspnet-docker/blob/311b68fe9ee3054de00024dded957d14591404ad/2.0/stretch/runtime/Dockerfile#L4