Menu
I deployed my asp.net core 2.1 WebApi to IIS 10. (The IIS worked as a proxy)
I have added a SSL cert in IIS and bindings for both insecure port (8081) and secure port (8082).
But when I visit http://localhost:8081/api/values, the browser just return me 403 Forbidden, not redirect me to https://localhost:8082/api/values.
My StartUp Code is as below:
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc()
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddHttpsRedirection(options=>
{
options.HttpsPort = 8082;
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
//app.UseForwardedHeaders();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseMvc();
}
576
UseHttpsRedirection(); is a single line code, which you have to write under Configure method to secure . NET Core solutions. Moreover, you don't always have to configure this middleware, as most ASP.NET web app templates, such as MVC, come with it by default enabled with it.
The ASP.NET Core Module receives the native request and passes it to IIS HTTP Server ( IISHttpServer ). IIS HTTP Server is an in-process server implementation for IIS that converts the request from native to managed. The request is sent to the ASP.NET Core middleware pipeline.
ASP.NET Core 2.1 comes with new features making it easy to enforce HTTPS. New projects are enabled by default, using UseHttpsRedirection middleware in Startup.Configure to handle the redirection. After migrating to 2.1 and following the Migrate from ASP.NET Core 2.0 article, I expected the HTTPS redirection to work.
app.UseHttpsRedirection (); is a single line code, which you have to write under Configure method to secure .NET Core solutions. Moreover, you don’t always have to configure this middleware, as most ASP.NET web app templates, such as MVC, come with it by default enabled with it.
ASP.NET Core 2.1 comes with new features making it easy to enforce HTTPS. New projects are enabled by default, using UseHttpsRedirection middleware in Startup.Configure to handle the redirection.
In my startup.cs i made this settings
public void ConfigureServices(IServiceCollection services)
{
try
{
//..other codes
services.AddHttpsRedirection(options =>
{
options.HttpsPort = 443;
});
}
catch (Exception ex)
{
string innerMessage = "";
if (ex.InnerException != null)
innerMessage = ex.InnerException.Message;
Log.Logger.Error("ConfigureServices Message: " + ex.Message + " inner Message:" + innerMessage + "Env.Name:" + _env.EnvironmentName);
}
}
And in the Configure method, i used like this
app.UseHttpsRedirection();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
In my case, the error was that I was calling things in an unsupported order. By rearranging my code to first call:
app.UserHttpsRedirection()
and then call
app.UseHsts()
it started to work instead of the other way around.
36
The issue I found was that a change from .net core 2.0 to .net core 2.1 meant that the https port needed to be specified explicitly in startup.cs
services.AddHttpsRedirection(options =>
{
options.HttpsPort = 443;
});
See here for more info: https://github.com/aspnet/AspNetCore/issues/3176
33
You received this status code because you have selected Require SSL in SSL Settings.
If you want to use your code to redirect to https unchecked this option.
But first you should read carefully documentation: Enforce HTTPS in ASP.NET Core
Do not use RequireHttpsAttribute on Web APIs that receive sensitive information. RequireHttpsAttribute uses HTTP status codes to redirect browsers from HTTP to HTTPS. API clients may not understand or obey redirects from HTTP to HTTPS. Such clients may send information over HTTP. Web APIs should either:
- Not listen on HTTP.
- Close the connection with status code 400 (Bad Request) and not serve the request.
44
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
