ASP.Net Identity Login Redirect Enforce Protocol (Https)


Problem description

Hopefully I'm just missing something really simple/obvious - why, and more importantly, how do you maintain (or force) the protocol during the redirect to Login?

Notes:

  • the original protocol is https
  • one would think this should be the "default" for something like login, but as shown, the redirect (seems) doesn't maintain it.

What I have tried:

  • there is the RequireHttps attribute that can be used, but:

  1. seems "weird" that it would take 2 redirects to get "there"
  2. in situations where you have a load balancer and/or have SSL "offloaded" elsewhere (not in server), then this would then be a redirect loop (SSL is between client and front-end net/ssl lb, and http to your box(es)/application). This is actually my production case...

  • I have already set IIS URL re-write as well (aka canonical rule to https for entire site), and that seems "ignored" (too) (rule does not check for "https" otherwise it suffers same redirect loop).

  • tried and failed to set absolute URL in LoginPath (in CookieAuthenticationOptions)... because you can't do that (see Owin/PathString.cs)...

Thanks for advice or pointers...

Regarding the "why"?

  1. in situations where you have a load balancer and/or have SSL "offloaded" elsewhere (not in server), then this would then be a redirect loop (SSL is between client and front-end net/ssl lb, and http to your box(es)/application). This is actually my production case..

Further tinkering got me to the above, as shown in this (localhost - my local dev box, not server) request sequence (the above issue manifests in a production load balanced environment where SSL processing is "up the stack" - e.g. ARR):

  • the protocol is in fact maintained
  • the issue seems exactly related to the situation where the application and the "infrastructure" don't "match". It seems similar to the situation where in code, you would do a Request.IsSecureConnection in a "load balanced"/"web farm" environment (say ARR where the cert is in your ARR, not in your host/s). That check will always return false in such a situation..

So the question really is on guidance on how to get around this?

Many thanks to Richard for changing my "direction" in trying to resolve this. I originally was looking for a way to:

  • set/tell OWIN/Identity to use a secure URL (explicitly) and "override" the way it evaluates LoginPath. The Secure (only) option in handling cookies somehow led me that way (if I can explicitly say cookies in HTTPS only, then it sort of gave me an impression of being able to do so for LoginPath..one way or the other)

  • a "hacky" way in my mind was to just deal with it client side (Javascript).

In the end, Richard's answer took me to URL Rewriting (though still not on the LB side because that's beyond my control). I'm currently working off of (based on my environment):

    <!-- HTTP_CLUSTER_HTTPS is a header set by the load balancer in this environment
         ("on" when the client-facing hop was TLS). The rule cannot test {HTTPS}
         because SSL is offloaded and IIS itself only ever sees plain http. -->
    <rule name="Redirect to HTTPS" stopProcessing="true">
        <match url=".*" />

        <conditions>
          <add input="{HTTP_CLUSTER_HTTPS}" pattern="^on$" negate="true" />
          <add input="{HTTP_CLUSTER_HTTPS}" pattern=".+" negate="true" />
        </conditions>

        <!-- {REQUEST_URI} already holds path and query string; the originally posted
             {HTTP_HOST}{SCRIPT_NAME}/{REQUEST_URI} would emit the path twice. -->
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="SeeOther" />
    </rule>


and see some light at the end of the tunnel.

Awesome, thanks again to Richard for the sleuthing! The latest answer got me sleuthing too, and it turns out there are quite a few posts here on SO related to CookieApplyRedirectContext... so now this is what I have in place (which is specific to my case), and is what I was originally going after:

    using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
       AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
       LoginPath = new PathString("/Account/Login"),

       //This is why. If I could explicitly set this, then I (thought) I should
       //be able to explicitly enforce https (too..as a setting)
       //for the LoginPath...
       CookieSecure = CookieSecureOption.Always,

       Provider = new CookieAuthenticationProvider
       {
          // OnValidateIdentity = ..... (elided in the original post)

          OnApplyRedirect = context =>
          {
             Uri absoluteUri;
             if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri))
             {
                // Only rewrite the scheme of the login redirect itself, not of any
                // other redirect the provider may issue (e.g. ReturnUrl round-trips)
                var path = PathString.FromUriComponent(absoluteUri);
                if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
                {
                   context.RedirectUri = context.RedirectUri.Replace("http:", "https:");
                }
             }
             context.Response.Redirect(context.RedirectUri);
          }
       }
    });
    

Recommended answer

This problem is occurring because your application is issuing a redirect to an absolute URL. You can fix this in one of two ways, in the load balancer or in the application itself.

Configure your load balancer to rewrite redirect responses from http to https. If you were using ARR, the following rule (taken from here) should work:

    <!-- Outbound rule on the ARR node. {ORIGINAL_HOST} is not a built-in variable:
         the inbound proxy rule must set it from {HTTP_HOST} via <serverVariables>. -->
    <rule name="forum-redirect" preCondition="IsRedirection" enabled="true">
      <match serverVariable="RESPONSE_LOCATION" pattern="^http://[^/]+/(.*)" />
      <conditions>
        <add input="{ORIGINAL_HOST}" pattern=".+" />
      </conditions>
      <!-- the rule as originally quoted rewrote to http://; https is the intent here -->
      <action type="Rewrite" value="https://{ORIGINAL_HOST}/{R:1}" />
    </rule>
    <preConditions>
      <preCondition name="IsRedirection">
        <add input="{RESPONSE_STATUS}" pattern="3\d\d" />
      </preCondition>
    </preConditions>


Other load balancers will require similar configuration.

We can replace the URL that OWIN redirects to in the authorization process with a relative URL, which means the protocol will stay as whatever the browser was previously using.

It took a bit of digging in the Owin source to find how to do this, but the following change to your Application startup should solve your problems. First, extract the CookieAuthenticationProvider initialisation from your startup config.

Change:

    using Microsoft.AspNet.Identity;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Move these options in the step below...
        }
    });


To:

    using Microsoft.AspNet.Identity;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;

    var cookieProvider = new CookieAuthenticationProvider
    {
        // ... Options from your existing application
    };
    // Modify redirect behaviour to convert login URL to relative.
    // The provider's constructor installs the default redirect delegate, so it can
    // be captured here and invoked after the URL has been adjusted.
    var applyRedirect = cookieProvider.OnApplyRedirect;
    cookieProvider.OnApplyRedirect = context =>
    {
        // Only strip the scheme+host when it is our own host (the URL the cookie
        // middleware built from Request.Scheme); external redirects are left alone.
        if (context.RedirectUri.StartsWith("http://" + context.Request.Host))
        {
            // Keep everything from the first '/' after "http://host", i.e. the
            // path and query string, which makes the redirect scheme-relative.
            context.RedirectUri = context.RedirectUri.Substring(
                context.RedirectUri.IndexOf('/', "http://".Length));
        }
        applyRedirect(context);
    };

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = cookieProvider
    });


While we can't get at where the redirection rule is set easily, OWIN uses a delegate to perform the actual redirect. What I've done here is stored that delegate, modified the URL it is about to be given, and then called it again.

With this option, ensure that any other redirects and links within your site are relative.

