Dotnet核心IdentityServer4反向代理 [英] Dotnet core identityserver4 reverse proxy

问题描述

大家好，我对我的dotnet核心应用程序的反向代理配置有疑问.我的问题是，当我使用Identityserver Discovery端点时，URL末尾缺少端口号.

Hi everybody I have a problem with my reverse proxy configuration for my dotnet core application. My problem is that when I am using identityserver discovery endpoint the port number is missing from the end of my url.

我要求将不符要求的文件发送给https://:8421/.well-known/openid-configuration响应如下，这里的问题是身份验证服务的客户端使用该文档作为验证的基础，并使用响应中的jwks_uri属性，该属性中列出的url缺少端口号，因此客户端无法调用openId配置.

I have a request for the discorvery document to https://:8421/.well-known/openid-configuration and the response is the following and the problem here is that the clients of the authentication service are using the document as a base for verification, using jwks_uri property from the response, the url listed in that property has the missing port number, so the clients cant call the openId configuration.

 {
    "issuer": "https://<servername>",
    "jwks_uri": "https://<servername>/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://<servername>/connect/authorize",
    "token_endpoint": "https://<servername>/connect/token",
    "userinfo_endpoint": "https://<servername>/connect/userinfo",
    "end_session_endpoint": "https://<servername>/connect/endsession",
    "check_session_iframe": "https://<servername>/connect/checksession",
    "revocation_endpoint": "https://<servername>/connect/revocation",
    "introspection_endpoint": "https://<servername>/connect/introspect",
    "device_authorization_endpoint": "https://<servername>/connect/deviceauthorization"
}

端点配置的预期结果:

  {
    "jwks_uri": "https://<servername>:<port>/.well-known/openid-configuration/jwks",
  }

在我的dotnet应用中，我设置了反向代理设置

In my dotnet app I setup the reverse proxy settings

  services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                         ForwardedHeaders.XForwardedFor |
                         ForwardedHeaders.XForwardedHost |
                         ForwardedHeaders.XForwardedProto;

            options.ForwardLimit = 2;  //Limit number of proxy hops trusted
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
        });
  app.UseForwardedHeaders();

nginx配置如下

server {
    listen <ip>:8421 ssl;
    server_name _; 

    ssl_certificate    <certPath> ;
    ssl_certificate_key <certPath>;
 

    location / {
        proxy_pass http://127.0.0.1:8421; 

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 8421;
    }
}

在更新到Identityserver 4 4.0之前，它具有Public origin属性，但在4.0中已弃用.现在改为使用dotnet baseurl.

Before updateing to Identityserver 4 4.0 it had the Public origin property but it became deprecated with 4.0. Now instead it is using the dotnet baseurl.

在http管道中，我还记录了请求中的所有标头，并得到了以下结果:

In the http pipeline I also logged all the headers from the request and got this result:

2020-07-03 11:40:15.109 +00:00;[INF];Cache-Control--no-cache Connection--upgrade Accept--*/* Accept-Encoding--gzip, deflate, br Host--<hostName> User-Agent--PostmanRuntime/7.26.1 X-Real-IP--<ip> X-Original-Proto--http X-Forwarded-Host--<domainName with port> X-Forwarded-Port--8421 Postman-Token--44dc6573-71eb-4b36-8b2a-9768d71e5b64 X-Original-For--<ip address> ;;

推荐答案

我还必须将端口添加到nginx配置中.将X-Forwarded-Host设置为$ host还不够，还必须添加 $ proxy_port

I had to add the port also to the nginx configuration. Setting the X-Forwarded-Host to $host was not enough also had to add the $proxy_port as well

代理的工作配置

proxy_set_header X-Forwarded-Host $host:$proxy_port;

这篇关于Dotnet核心IdentityServer4反向代理的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！