.Net Core 2.0-Azure Active Directory-NGinX反向代理-HTTPS [英] .Net Core 2.0 - Azure Active Directory - NGinX reverse Proxy - HTTPS
问题描述
我有一个.NET Core 2.0网站,在Linux上运行,侦听端口5000,位于NGinX反向代理后面,该代理侦听端口80和442.NGinX配置为将HTTP流量重定向到HTTPS,并处理所有通信通过HTTPS. NGinx反向代理和Asp.Net Core应用位于共享网络中各自的docker容器中.
I have a .NET Core 2.0 website, running on Linux, listening on port 5000, behind an NGinX reverse proxy, which is listening on port 80 and 442. NGinX is configured to redirect HTTP traffic to HTTPS, and handle all communication over HTTPS. The NGinx Reverse Proxy and Asp.Net Core app are within their own docker containers, on a shared network.
此设置当前正在按所述方式运行.
This setup is currently working as described.
但是,我现在想根据我们的Azure Active Directory对用户进行身份验证.我遇到了一个问题,不知道从这里去哪里.
However, I would now like to Authenticate my users against our Azure Active Directory. I have run into a problem and don't know where to go from here.
首先,让我向您展示如何配置其中的大部分内容,然后再说明我的错误.
First, let me show you how I have most of this configured, and then I'll explain my error.
NGinx(nginx.conf)
worker_processes 2;
events { worker_connections 1024; }
http {
sendfile on;
upstream docker-dotnet {
server mycomp_prod:5000;
}
server {
listen 80;
server_name sales.mycompany.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name sales.mycompany.com;
ssl_certificate /etc/nginx/ssl/combined.crt;
ssl_certificate_key /etc/nginx/ssl/salesmycompany.key;
location / {
proxy_pass http://docker-dotnet;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
Dotnet:Startup.cs ConfigureServices()
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddAzureAd(options => Configuration.Bind("AzureAd", options))
.AddCookie();
Dotnet:Startup.cs Configure()
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
app.UseAuthentication();
Dotnet:appsettings.json
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mycompany.com",
"TenantId": "my-tenant-id",
"ClientId": "my-client-id",
"CallbackPath": "/signin-oidc"
},
在我的Azure Active Directory租户"中
我已经配置了2个回复网址"
I have configured 2 "Reply URLs"
- https://sales.mycompany.com/signin-oidc
- https://sales.mycompany.com
现在出现错误/我的问题
当我访问该网站时,我登录.随后登录,然后选择是否保持登录状态",我被带到出现错误的页面.
When I hit the site, I sign in. Afterward signing in, and choosing whether or not to "Stay signed in", I'm taken to a page with an error.
您可以在错误中看到尝试重定向到的回复地址是HTTP,而不是HTTPS.我认为这是来自appsettings.json中的行:
You can see in the error, that the Reply Address that is attempting to be redirected to, is HTTP, not HTTPS. I think this is coming from the line in appsettings.json that says:
"CallbackPath": "/signin-oidc"
并且由于我的.NET Core网站(通过端口5000上的Kestrel)不在HTTPS上,因此它正在尝试加载 http://example .com /signin-oidc ,而不是HTTPS.请记住,我的.NET Core站点位于NGinX反向代理的后面,该代理配置为处理443上的流量.
And since my .NET Core Site (via Kestrel on port 5000) is not on HTTPS, it's trying to load http://example.com/signin-oidc, instead of HTTPS. Remember that my .NET Core Site is behind an NGinX reverse Proxy, which is configured to handle traffic on 443.
谢谢
推荐答案
我看到了这一点,并使其能够正常工作: https://github.com/aspnet/Security/issues/1702
I saw this and was able to get it working: https://github.com/aspnet/Security/issues/1702
var fordwardedHeaderOptions = new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};
fordwardedHeaderOptions.KnownNetworks.Clear();
fordwardedHeaderOptions.KnownProxies.Clear();
app.UseForwardedHeaders(fordwardedHeaderOptions);
这篇关于.Net Core 2.0-Azure Active Directory-NGinX反向代理-HTTPS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
