davidfowl / AspireYarp

Yarp resource for Aspire.Hosting

My experience configuring this resource #3

Open marinasundstrom opened 4 months ago

marinasundstrom commented 4 months ago

Here are some of my experiences configuring this resource.

I copied the code and modified it to work with SSL/HTTPS.

The first problem was that the SlimBuilder didn't configure SSL. So I had to add that:

I tried this but it didn't work:

var builder = WebApplication.CreateSlimBuilder();
builder.WebHost.UseKestrelHttpsConfiguration(); //Added

I guess that I missed something here.

Instead:

var builder = WebApplication.CreateBuilder();

I also had to change the scheme for the routes since my apps use https (which might not be necessary to run as):

builder.Resource.ClusterConfigs[target.Resource.Name] = new()
{
    ClusterId = target.Resource.Name,
    Destinations = new Dictionary<string, DestinationConfig>
    {
        [target.Resource.Name] = new() { Address = $"http://{target.Resource.Name}" }
    }
};

Change part of the string literal to `https`:

[target.Resource.Name] = new() { Address = $"https://{target.Resource.Name}" }

For the dev certificate to work you need to set the environment variable:

.WithEnvironment("ASPNETCORE_ENVIRONMENT", "Development")

In some cases perhaps UseHttpsRedirection would be necessary too.

Full config:

builder.AddYarp("ingress")
       .WithEndpoint(port: 5174, scheme: "https")
       .WithEnvironment("ASPNETCORE_ENVIRONMENT", "Development")
       .Route("portal", path: "/", target: portal)
       .Route("appservice", path: "/api", target: appservice)
       .Route("identityservice", path: "/api/identityservice", target: identityManagement)
       .Route("notifications", path: "/api/notifications", target: notifications);

bjornstensberg commented 4 months ago

Thanks, this saved me some time.

I had an issue where the certificate's alt name has to be the hostname of the app(?). For instance: builder.AddProject<Projects.Api>("api");

Yarp tries to resolve https://api/endpoint, and when your dev cert is only signed for localhost you will get a RemoteCertificateNameMismatch error.

Guessing the best way is to bypass the SSL check on local development?

marinasundstrom commented 4 months ago

@bjornstensberg I've had that problem too, I would like to get those ServiceDiscovery URLs with SSL to work too.

I have to bypass it by specifying the localhost address with the actual port, in the YARP config.

But then, I guess that non-SSL is acceptable within a cloud. It is just that the public endpoint is protected.
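
A narrower alternative to switching certificate checks off for the RemoteCertificateNameMismatch case discussed above, as an added example that is not part of this thread or of the AspireYarp repository: a validation callback on YARP's outgoing HttpClient that tolerates only a name mismatch, only in Development, and only for a certificate whose subject is `CN=localhost`. It assumes YARP 2.x (`LoadFromMemory`) and a dev certificate that is trusted on the machine; `DevCertPolicy` and the route and cluster values are hypothetical.

```csharp
// Added example; not code from the AspireYarp repository.
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Yarp.ReverseProxy.Configuration;

var builder = WebApplication.CreateBuilder(args);
var isDevelopment = builder.Environment.IsDevelopment();

// Constructed sample route and cluster; "api" mirrors the resource name in the thread.
// Resolving the name "api" is left to Aspire service discovery (not shown).
var routes = new[]
{
    new RouteConfig { RouteId = "api", ClusterId = "api", Match = new RouteMatch { Path = "/api/{**catch-all}" } }
};
var clusters = new[]
{
    new ClusterConfig
    {
        ClusterId = "api",
        Destinations = new Dictionary<string, DestinationConfig>
        {
            ["api"] = new() { Address = "https://api" }
        }
    }
};

builder.Services.AddReverseProxy()
    .LoadFromMemory(routes, clusters)
    .ConfigureHttpClient((context, handler) =>
        handler.SslOptions.RemoteCertificateValidationCallback =
            (sender, certificate, chain, errors) => DevCertPolicy.IsAcceptable(certificate, errors, isDevelopment));

var app = builder.Build();
app.MapReverseProxy();
app.Run();

// Hypothetical helper: decides whether a destination certificate is acceptable.
static class DevCertPolicy
{
    public static bool IsAcceptable(X509Certificate? certificate, SslPolicyErrors errors, bool isDevelopment)
    {
        if (errors == SslPolicyErrors.None) return true;          // normal validation passed
        if (!isDevelopment || certificate is null) return false;  // never relax outside Development
        // Any chain error (untrusted or expired certificate) still fails.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch) return false;
        // Assumption: the ASP.NET Core dev certificate has the subject CN=localhost.
        return certificate.Subject == "CN=localhost";
    }
}
```

Because chain errors are never tolerated, an untrusted dev certificate still fails validation here; the callback only covers the hostname mismatch between `https://api` and a certificate issued for localhost.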

StevenTCramer commented 5 days ago

@davidfowl Is there a working example of YARP in Aspire using SSL? I ended up on this issue but I can't figure out a solution.