UseHttpsRedirection and IIS production deployment in .NET 7.0

Question


I am in the process of upgrading my .NET Framework application (UI and API) to use .NET 7.0.

I have just deployed my application to my production server and I am met with an issue.

As I am using - app.UseHttpsRedirection(); when I browse to my website locally on the server on localhost url it is not finding a valid certificate and I am having to proceed when prompted in the browser for the page to become available.

In my previous .NET Framework version, there was no setting for UseHttpsRedirection and I could browse to my application over HTTP just fine, and when accessing my application outwith the server from a browser where I am using an AWS ELB to handle traffic to the site with a listener on HTTPS, I have imported my SSL certificate into the cert manager in AWS and referenced it in Route 53 in the DNS record for my site, which works fine.

Unfortunately when AWS tries to redirect to the latest version the application is timing out and I am perplexed as to why?

I have tried to create my certificate again as a pfx and import it into IIS on the prod server however when browsing over localhost it says the cert is not valid, I can only imagine this is because the cert is exclusive to my domain name? But is this even a necessary step?

I removed the app.UseHttpsRedirection(); and also modified my launchSettings.json to remove the https start url (to try and mimic the framework version). On doing this when AWS redirected me to my app, the starting url was over HTTP (and timed out) however when I modified the URL to use HTTPS I saw my app! I don't understand why my .NET framework app worked without any modification and was always served over HTTPS outwith the server, but the latest upgrade doesn't have the same behavior?

I have rolled back to my previous version until I figure this out.

Edit after VonC's suggestions -

VonC was correct in his assumptions, however I also had to make 2 small code changes. I removed app.UseHttpsRedirection(); (as all traffic is handled securely internally by my AWS VPC), and I also added to my program.cs in the UI the following -

```cs
app.UseForwardedHeaders(new ForwardedHeadersOptions()
{
    ForwardedHeaders = ForwardedHeaders.XForwardedProto
});
```

Also anyone with the same issue, I had to modify my HTTP listener on the ELB so that it redirected to HTTPS automatically.

Answer 1

Score: 2


> When I browse to my website locally on the server on localhost url it is not finding a valid certificate and I am having to proceed when prompted in the browser for the page to become available.

That is expected: If you are browsing to the site using localhost or the server's local IP, the certificate is not going to be valid because it is issued for your domain name, not for localhost or an IP address. It does not affect users accessing the site via your domain name.


> In my previous .NET Framework version, there was no setting for UseHttpsRedirection and I could browse to my application over HTTP just fine, and when accessing my application outwith the server from a browser where I am using an AWS ELB to handle traffic to the site with a listener on HTTPS, I have imported my SSL certificate into the cert manager in AWS and referenced it in Route 53 in the DNS record for my site, which works fine.

That means the HTTPS termination was handled at the level of the AWS Elastic Load Balancer (ELB) in your previous setup.
The SSL/TLS certificate was installed on the load balancer, and the load balancer was responsible for encrypting and decrypting traffic to and from the client. This is a common pattern and is generally recommended because it offloads the computational overhead of SSL/TLS encryption/decryption from the application servers.

When a client connected to your website, the connection would be over HTTPS to the ELB. However, the connection from the ELB to your application servers could be over HTTP, which is why you did not need to use UseHttpsRedirection in your application.

With your upgrade to .NET 7 and the inclusion of UseHttpsRedirection, the application is now enforcing HTTPS for all connections. This could be causing issues with the way traffic is routed between the ELB and your application servers.

If you want to maintain the previous behavior, where HTTPS is handled at the ELB level and HTTP is used between the ELB and your servers, you might consider removing the UseHttpsRedirection middleware from your application.

Remember that this approach is fine from a security standpoint as long as the traffic between the ELB and your application servers is within a secure network, such as within an AWS VPC. This is known as SSL/TLS termination at the load balancer.

However, it is also worth noting that .NET 7 has introduced the ability to specify separate HTTP and HTTPS profiles (as illustrated in dotnet/aspnetcore issue 44722), which might give you more flexibility in managing your traffic patterns.


The OP adds:

> I removed app.UseHttpsRedirection(); (as all traffic is handled securely internally by my AWS VPC).
> And I also added to my program.cs in the UI the following
>
> ```cs
> app.UseForwardedHeaders(new ForwardedHeadersOptions()
> {
>     ForwardedHeaders = ForwardedHeaders.XForwardedProto
> });
> ```
>
> Also anyone with the same issue, I had to modify my HTTP listener on the ELB so that it redirected to HTTPS automatically.

By making these changes, you are delegating the SSL termination to the ELB, while still maintaining secure communication for your clients.

This is a common configuration and is considered a best practice for deploying applications behind load balancers or reverse proxies.
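The following Program.cs is an added example of the configuration the answer describes (TLS terminated at the ELB, plain HTTP on the ELB to IIS hop, the app learning the original scheme from X-Forwarded-Proto). It is not the OP's or VonC's code. The VPC CIDR 10.0.0.0/16 and the `BehindTlsTerminatingProxy` setting are assumptions; substitute your own. It goes one step beyond the snippet in the question: the forwarded-headers middleware only trusts loopback addresses by default, so the example replaces that default with the load balancer's subnet rather than clearing it, which keeps a client that reaches the server by some other path from spoofing X-Forwarded-Proto or X-Forwarded-For.

```csharp
// Program.cs for an ASP.NET Core 7 app hosted in IIS behind a TLS-terminating load balancer.
// Added example; 10.0.0.0/16 and the "BehindTlsTerminatingProxy" setting are assumptions.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Assumption: this setting is true on the production server behind the ELB and
// false when the app is exposed directly (for example on a developer machine).
bool behindProxy = builder.Configuration.GetValue<bool>("BehindTlsTerminatingProxy");

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Take the original client's scheme and address from the ELB's headers.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;

    // The defaults trust only loopback. Replace them with the ELB's subnet so that a
    // request arriving from any other address cannot spoof X-Forwarded-Proto/For.
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();
    options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
        IPAddress.Parse("10.0.0.0"), 16)); // placeholder VPC CIDR, not from the question
});

var app = builder.Build();

if (behindProxy)
{
    // Must run before anything that reads Request.Scheme or Request.IsHttps.
    app.UseForwardedHeaders();
}
else
{
    // Direct exposure: enforce HTTPS in the app itself, as the .NET 7 template does.
    app.UseHttpsRedirection();
}

// Temporary diagnostic: with the ELB listener on HTTPS and the headers honoured this
// reports scheme=https and the real client address even though the ELB -> IIS hop
// is plain HTTP. Remove it once the deployment is verified.
app.MapGet("/diag/scheme", (HttpContext ctx) => Results.Text(
    $"scheme={ctx.Request.Scheme} remote={ctx.Connection.RemoteIpAddress}"));

app.Run();
```

With this in place the in-app redirect is no longer needed on the production server: a client arriving over plain HTTP is redirected to HTTPS by the ELB's HTTP listener (the change the OP made), and the app never sees an unencrypted edge connection. If the diagnostic endpoint keeps reporting `scheme=http`, the ELB's address is not inside the configured KnownNetworks and the headers are being ignored, which is the middleware failing safe rather than a bug.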

huangapple
  • Posted on 2023-06-13 19:00:38
  • Please keep this link when reposting: https://go.coder-hub.com/76464220.html