
Getting 502 when using kestrel with HTTPS #92

Open aykalder opened 3 years ago

aykalder commented 3 years ago

Describe the bug: I have a Service Fabric stateless web application using Kestrel, running on Azure (the bug also reproduces on a local cluster). With the plain HTTP configuration I can reach the app's controllers and everything works fine. But when I add a small piece of code that enables TLS (i.e. HTTPS), I get a 502. The requests don't reach the application layer, so I have no application logs to debug with, and I couldn't find any Service Fabric logs either. I can see that the code successfully finds the SSL/TLS certificate (which is installed on the cluster).

Can you please help me out? Please let me know if you need more details.

To Reproduce

The code that works fine:

    protected override IEnumerable<ServiceInstanceListener> CreateServiceInstanceListeners()
    {
        //this.Init();
        ///_keyVaultManager = new KeyVaultManager();

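        // One Kestrel listener, bound on the port read from the "Config" package.
        // This is the plain-HTTP variant: nothing below configures TLS on the socket.
        return new[]
        {
            new ServiceInstanceListener(serviceContext =>
                new KestrelCommunicationListener(serviceContext, "SchedulerWebWithKestrelEndpointSecured", (url, listener) =>
                {
                    // NOTE(review): the Application Insights instrumentation key is hard-coded in source
                    // (and is now public in this issue). Move it to the Config package or an environment
                    // variable and rotate the key.
                    TracerFactory tracerFactory = new TracerFactory(aiInstrumentationKey: "9a9e811e-afb5-41fa-b7c7-1e12cab0428c");
                    var tracer = tracerFactory.Create(null);

                    tracer.LogTrace($"Starting Kestrel on {url}");
                    ServiceEventSource.Current.ServiceMessage(serviceContext, $"Starting Kestrel on {url}");

                    return new WebHostBuilder()
                        .ConfigureServices(services =>
                        {
                            services.AddSingleton(serviceContext);
                        })
                        .UseKestrel(opt =>
                        {
                            // Port and certificate subject name come from the "Settings" section of the
                            // "Config" package. (The unused IConfiguration lookup that used to be here was removed.)
                            ConfigurationPackage config = this.Context.CodePackageActivationContext.GetConfigurationPackageObject("Config");
                            KeyedCollection<string, ConfigurationProperty> settings = config.Settings.Sections["Settings"].Parameters;
                            int port = int.Parse(settings["Port"].Value);
                            string sslCertificateSubjectName = settings["SSLCertificateSubjectName"].Value;

                            tracer.LogTrace($"Using port {port} and sslCertificateSubjectName {sslCertificateSubjectName}");

                            // Bind on all interfaces. In this variant sslCertificateSubjectName is only logged;
                            // nothing uses it for the listener.
                            opt.Listen(IPAddress.Any, port, listenOptions =>
                            {
                                listenOptions.NoDelay = true;
                            });
                        })
                        .UseContentRoot(Directory.GetCurrentDirectory())
                        .UseStartup<Startup>()
                        .UseServiceFabricIntegration(listener, ServiceFabricIntegrationOptions.None)
                        // NOTE(review): both UseUrls(url) and the explicit opt.Listen(...) above declare an
                        // endpoint. Kestrel is expected to bind the Listen() endpoint and ignore UseUrls (with a
                        // warning) — TODO confirm. Keep the "Port" setting equal to the port of the
                        // "SchedulerWebWithKestrelEndpointSecured" endpoint in ServiceManifest.xml, otherwise
                        // the address Service Fabric publishes will not match the socket actually opened.
                        .UseUrls(url) // TODO
                        .Build();
                }))
        };
    }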

The code that leads to the 502:

    protected override IEnumerable<ServiceInstanceListener> CreateServiceInstanceListeners()
    {
        //this.Init();
        ///_keyVaultManager = new KeyVaultManager();

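        // One Kestrel listener, bound on the port read from the "Config" package and
        // terminating TLS with a certificate looked up by subject name.
        return new[]
        {
            new ServiceInstanceListener(serviceContext =>
                new KestrelCommunicationListener(serviceContext, "SchedulerWebWithKestrelEndpointSecured", (url, listener) =>
                {
                    // NOTE(review): the Application Insights instrumentation key is hard-coded in source
                    // (and is now public in this issue). Move it to the Config package or an environment
                    // variable and rotate the key.
                    TracerFactory tracerFactory = new TracerFactory(aiInstrumentationKey: "9a9e811e-afb5-41fa-b7c7-1e12cab0428c");
                    var tracer = tracerFactory.Create(null);

                    tracer.LogTrace($"Starting Kestrel on {url}");
                    ServiceEventSource.Current.ServiceMessage(serviceContext, $"Starting Kestrel on {url}");

                    return new WebHostBuilder()
                        .ConfigureServices(services =>
                        {
                            services.AddSingleton(serviceContext);
                        })
                        .UseKestrel(opt =>
                        {
                            // Port and certificate subject name come from the "Settings" section of the
                            // "Config" package. (The unused IConfiguration lookup that used to be here was removed.)
                            ConfigurationPackage config = this.Context.CodePackageActivationContext.GetConfigurationPackageObject("Config");
                            KeyedCollection<string, ConfigurationProperty> settings = config.Settings.Sections["Settings"].Parameters;
                            int port = int.Parse(settings["Port"].Value);
                            string sslCertificateSubjectName = settings["SSLCertificateSubjectName"].Value;

                            tracer.LogTrace($"Using port {port} and sslCertificateSubjectName {sslCertificateSubjectName}");

                            opt.Listen(IPAddress.Any, port, listenOptions =>
                            {
                                var httpsOptions = new HttpsConnectionAdapterOptions
                                {
                                    // AllowCertificate: a client certificate is requested but optional, so a
                                    // connection that presents none is presumably still accepted without ever
                                    // reaching the validation callback below. If the client certificate is meant
                                    // to authenticate callers, the app must still check
                                    // HttpContext.Connection.ClientCertificate per request (or use RequireCertificate).
                                    ClientCertificateMode = ClientCertificateMode.AllowCertificate,
                                    // Pins TLS 1.2 only; this also rules out TLS 1.3 where the runtime supports it.
                                    SslProtocols = SslProtocols.Tls12,
                                    // GetHttpsCertificateFromStore is defined elsewhere in this file; the trace
                                    // in the issue says it does find the certificate.
                                    ServerCertificate = GetHttpsCertificateFromStore(sslCertificateSubjectName, tracer),
                                    // Accepts any client certificate that chains to a root the node trusts with no
                                    // policy errors. There is no issuer or thumbprint allow-list, so any trusted
                                    // CA's certificate passes — tighten this if the cert is an authorization signal.
                                    ClientCertificateValidation = (certificate, chain, sslPolicyErrors) =>
                                    {
                                        if (sslPolicyErrors == SslPolicyErrors.None)
                                        {
                                            return true;
                                        }

                                        // Only the rejection is logged; the subject/issuer help correlate with the client.
                                        tracer.LogTrace($"Certificate failed validation: {certificate.Issuer.ToUpper()} {certificate.Subject.ToUpper()}, errors: {sslPolicyErrors}");

                                        return false;
                                    }
                                };
                                listenOptions.UseHttps(httpsOptions);
                                //listenOptions.UseHttps(GetHttpsCertificateFromStore("sfendpoint.local", tracer));
                                listenOptions.NoDelay = true;
                            });
                        })
                        .UseContentRoot(Directory.GetCurrentDirectory())
                        .UseStartup<Startup>()
                        .UseServiceFabricIntegration(listener, ServiceFabricIntegrationOptions.None)
                        // NOTE(review): both UseUrls(url) and the explicit opt.Listen(...) above declare an
                        // endpoint; Kestrel is expected to bind the Listen() endpoint and ignore UseUrls (with a
                        // warning) — TODO confirm. Also, the scheme of `url` comes from the
                        // "SchedulerWebWithKestrelEndpointSecured" endpoint declaration in ServiceManifest.xml:
                        // if that endpoint is not declared with Protocol="https", Service Fabric publishes an
                        // http:// address for a socket that only speaks TLS. Worth checking against the 502
                        // reported in this issue, together with the load-balancer probe protocol — TODO confirm.
                        .UseUrls(url) // TODO
                        .Build();
                }))
        };
    }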
aykalder commented 3 years ago

[image] In Azure, the load balancer has a rule that forwards requests from port 443 to port 4433.