ASP.net core docker https on Azure App Service Containers

Question

How does one get ASP.net core to run in docker on SSL that works with Azure App Service for Containers?

I have it working on HTTP, but as soon as I try and bind it to SSL so that ASP.NET's validation for things like oauth and even swagger will work properly it fails telling me that "Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found." There is no way on the runtime only image that vs.net generates to run the development certificates and even then that would seem insecure and probably throw certificate errors in the browser.

Basically I need https to work from the external endpoint all of the way through so that kestrel is doing the encryption etc. and not nginx or whatever is running on the outside proxy as it does by default.

This works fine in vs.net debug because it doesn't throw any errors and just works even though it's bound to https.

Sadly the documentation only handles the most basic use cases and doesn't outline how to get a real https website working reliably with aspnet core and Azure app containers.

Recommended answer

After searching everywhere I was able to put together a bunch of obtuse references and come up with the solution.

Kestrel will be in HTTP mode, but will be told that it's in HTTPS mode by way of ForwardedHeaders from the reverse proxy. In the case of Azure there is a specific set that you must use. Others will require other options and may require additional setup. This documentation will help you in the generic case but doesn't have what's necessary for Azure: ASPNet Core Reverse Proxy and Load Balancer Configuration

If you're using IIS, it just works because it's built in, or you've added the UseIIS in the past versions of Core.

For Azure Web Services on a container OR base Linux you need to add the following Nuget package:

Microsoft.AspNetCore.HttpOverrides

Once that is added, in Configure in Startup.cs, as the very first thing, you need to add the following:

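// Needs: using Microsoft.AspNetCore.HttpOverrides;
var forwardOptions = new ForwardedHeadersOptions
{
    // Honor only the client address and the original scheme sent by the proxy.
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
    RequireHeaderSymmetry = false
};

// By default only loopback senders are trusted. Clearing both lists disables
// the sender check, so forwarded headers are accepted from any address.
forwardOptions.KnownNetworks.Clear();
forwardOptions.KnownProxies.Clear();

// Register before any other middleware so later components see the forwarded values.
app.UseForwardedHeaders(forwardOptions);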

Note that without the KnownNetworks and KnownProxies Clear() it won't work. And it won't work without RequireHeaderSymmetry = false so you need all of it.

On the ForwardedHeaders you'll want to try and avoid .All or the other option that is listed because it has a security vulnerability.

Then in application settings you need to add WEBSITES_PORT=80, ASPNETCORE_URLS=http://+:80 and ASPNETCORE_HTTPS_PORT=443. Until all of these are in you will continue to get a slightly different error.

Note: This won't fix Swagger's validator. It has other issues because the validator is wrong. The json is still valid but the domain is different so it freaks out. The easy way to solve that is in UseSwaggerUi set options.EnableValidator(null);

app.UseSwaggerUI(
    options =>
    {
        options.EnableValidator(null);
    });
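
To show what each forwarded-header setting in the answer's first snippet changes, here is a simplified Python model of the trust decision made by the Forwarded Headers Middleware. It is an added example, not code from the original post or from ASP.NET Core: the function name, the front-end address 10.0.0.5 and the sample headers are constructed, and port suffixes in X-Forwarded-For are not handled.

```python
import ipaddress

# Middleware defaults trust loopback senders only (KnownNetworks / KnownProxies).
LOOPBACK_ONLY = ("127.0.0.0/8", "::1/128")

def _values(headers, name):
    return [v.strip() for v in headers.get(name, "").split(",") if v.strip()]

def apply_forwarded(remote_ip, headers, known=LOOPBACK_ONLY,
                    forward_limit=1, require_symmetry=False):
    """Simplified model: return (scheme, client_ip) as the app would see them
    for a request that reached Kestrel over plain HTTP from remote_ip."""
    xff = _values(headers, "X-Forwarded-For")
    xfp = _values(headers, "X-Forwarded-Proto")
    scheme, client = "http", remote_ip
    if require_symmetry and len(xff) != len(xfp):
        return scheme, client            # value counts differ: headers ignored
    nets = [ipaddress.ip_network(n) for n in known]
    current = ipaddress.ip_address(remote_ip)
    count = min(max(len(xff), len(xfp)), forward_limit)
    for i in range(count):               # entries are consumed right to left
        if nets and not any(current in n for n in nets):
            break                        # sender is not a known proxy: stop
        if i < len(xff):
            try:
                current = ipaddress.ip_address(xff[-1 - i])
            except ValueError:
                break                    # unparsable entry: stop
            client = str(current)
        if i < len(xfp):
            scheme = xfp[-1 - i]
    return scheme, client

# Constructed sample: a front end at 10.0.0.5 (assumed address) terminated TLS
# for client 203.0.113.7 and appended its own entries to the headers.
PROXY = "10.0.0.5"
VIA_PROXY = {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}
# Same request, but the client had already sent an X-Forwarded-For of its own.
PREFIXED = {"X-Forwarded-For": "198.51.100.9, 203.0.113.7", "X-Forwarded-Proto": "https"}
# Constructed request that did not pass through the front end at all.
DIRECT = {"X-Forwarded-For": "192.0.2.1", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print("default trust lists  :", apply_forwarded(PROXY, VIA_PROXY))
    print("lists cleared        :", apply_forwarded(PROXY, VIA_PROXY, known=()))
    print("client-sent prefix   :", apply_forwarded(PROXY, PREFIXED, known=()))
    print("symmetry required    :", apply_forwarded(PROXY, PREFIXED, known=(), require_symmetry=True))
    print("direct, lists cleared:", apply_forwarded("203.0.113.7", DIRECT, known=()))
```

With the lists cleared the sender is never checked, so the last case has its headers believed too; a container configured this way should be reachable only through the App Service front end.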
