Question
How does one get ASP.net core to run in docker on SSL that works with Azure App Service for Containers?
I have it working on HTTP, but as soon as I try and bind it to SSL so that ASP.NET's validation for things like oauth and even swagger will work properly, it fails telling me that "Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found." There is no way on the runtime only image that vs.net generates to run the development certificates and even then that would seem insecure and probably throw certificate errors in the browser.
Basically I need https to work from the external endpoint all of the way through so that kestrel is doing the encryption etc. and not nginx or whatever is running on the outside proxy as it does by default.
This works fine in vs.net debug because it doesn't throw any errors and just works even though it's bound to https.
Sadly the documentation only handles the most basic use cases and doesn't outline how to get a real https website working reliably with aspnet core and Azure app containers.
Recommended answer
After searching everywhere I was able to put together a bunch of obtuse references and come up with the solution.
Kestrel will be in HTTP mode, but will be told that it's in HTTPS mode by way of ForwardedHeaders from the reverse proxy. In the case of Azure there is a specific set that you must use. Others will require other options and may require additional setup. This documentation will help you in the generic case but doesn't have what's necessary for Azure: ASPNet Core Reverse Proxy and Load Balancer Configuration
If you're using IIS, it just works because it's built in, or you've added the UseIIS in the past versions of Core.
For Azure Web Services on a container OR base Linux you need to add the following NuGet package:
Microsoft.AspNetCore.HttpOverrides
Once that is added, in the Configure in Startup.cs, as the very first thing, you need to add the following:
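    // Requires: using Microsoft.AspNetCore.HttpOverrides;
    var forwardOptions = new ForwardedHeadersOptions
    {
        // Honour only the client-address and scheme headers set by the proxy.
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
        RequireHeaderSymmetry = false
    };
    // Empty lists: forwarded headers are accepted from any sender.
    forwardOptions.KnownNetworks.Clear();
    forwardOptions.KnownProxies.Clear();
    // Must be registered before any other middleware in Configure.
    app.UseForwardedHeaders(forwardOptions);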
Note that without the KnownNetworks and KnownProxies Clear() it won't work. And it won't work without RequireHeaderSymmetry = false so you need all of it.
On the ForwardedHeaders you'll want to try and avoid .All or the other option that is listed because it has a security vulnerability.
Then in application settings you need to add WEBSITES_PORT=80, ASPNETCORE_URLS=http://+:80 and ASPNETCORE_HTTPS_PORT=443. Until all of these are in you will continue to get a slightly different error.
Note: This won't fix Swagger's validator. It has other issues because the validator is wrong. The json is still valid but the domain is different so it freaks out. The easy way to solve that is in UseSwaggerUI set options.EnableValidator(null);
    app.UseSwaggerUI(
        options =>
        {
            options.EnableValidator(null);
        });
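The forwarded-headers configuration from the answer above, placed in a complete Startup class so its ordering and effect can be checked. This is an added example, not the answerer's code: ForwardLimit is pinned explicitly, and the /_diag/forwarded route is a hypothetical name used only to show what the app sees after the middleware has run. It assumes ASP.NET Core 3.1 or later and a container that is reachable only through the App Service front end.

```csharp
// Added example (not from the original answer). Startup.cs, ASP.NET Core 3.1+.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services) { }

    public void Configure(IApplicationBuilder app)
    {
        var forwardOptions = new ForwardedHeadersOptions
        {
            // Only the two headers the answer names; X-Forwarded-Host is not honoured.
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
            RequireHeaderSymmetry = false,
            // Use only the last entry of each header (the one the nearest proxy
            // appended); 1 is also the framework default.
            ForwardLimit = 1
        };
        // With both lists empty the middleware accepts these headers from any sender.
        // Assumption: nothing but the platform's front end can reach the container.
        forwardOptions.KnownNetworks.Clear();
        forwardOptions.KnownProxies.Clear();

        // First in the pipeline, before anything reads Request.Scheme or RemoteIpAddress.
        app.UseForwardedHeaders(forwardOptions);
        app.UseHttpsRedirection(); // redirect target port comes from ASPNETCORE_HTTPS_PORT

        // Hypothetical diagnostic route; remove it once the deployment is verified.
        app.Map("/_diag/forwarded", diag => diag.Run(async ctx =>
        {
            var h = ctx.Request.Headers;
            await ctx.Response.WriteAsync(
                $"scheme={ctx.Request.Scheme}\n" +                    // "https" when the header was applied
                $"remoteIp={ctx.Connection.RemoteIpAddress}\n" +      // client address taken from X-Forwarded-For
                $"X-Original-Proto={h["X-Original-Proto"]}\n" +       // scheme Kestrel saw on the wire
                $"X-Original-For={h["X-Original-For"]}\n" +           // address of the direct peer (the proxy)
                $"X-Forwarded-For left={h["X-Forwarded-For"]}\n");    // entries beyond ForwardLimit, left unprocessed
        }));
    }
}
```

If scheme still reports http when the site is requested over HTTPS, the middleware either did not run first or did not accept the header from the sender.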