ASP.net core docker https on Azure App Service Containers

How does one get ASP.net core to run in docker on SSL that works with Azure App Service for Containers?

I have it working on HTTP, but as soon as I try and bind it to SSL so that ASP.NET's validation for things like OAuth and even Swagger will work properly, it fails, telling me that "Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found." There is no way on the runtime-only image that vs.net generates to run the development certificates, and even then that would seem insecure and probably throw certificate errors in the browser.

Basically I need https to work from the external endpoint all of the way through so that Kestrel is doing the encryption etc. and not nginx or whatever is running on the outside proxy as it does by default.

This works fine in vs.net debug because it doesn't throw any errors and just works even though it's bound to https.

Sadly the documentation only handles the most basic use cases and doesn't outline how to get a real https website working reliably with aspnet core and Azure app containers.

James Hancock asked Jul 02 '18 21:07



1 Answer

After searching everywhere I was able to put together a bunch of obtuse references and come up with the solution.

Kestrel will be in HTTP mode, but will be told that it's in HTTPS mode by way of ForwardedHeaders from the reverse proxy. In the case of Azure there is a specific set that you must use. Others will require other options and may require additional setup. This documentation will help you in the generic case but doesn't have what's necessary for Azure: ASPNet Core Reverse Proxy and Load Balancer Configuration

If you're using IIS, it just works because it's built in, or you've added the UseIIS in the past versions of Core.

For Azure Web Services on a container OR base Linux you need to add the following NuGet package:

Microsoft.AspNetCore.HttpOverrides

Once that is added, in Configure in Startup.cs, as the very first thing, you need to add the following:

var forwardOptions = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
    RequireHeaderSymmetry = false
};

forwardOptions.KnownNetworks.Clear();
forwardOptions.KnownProxies.Clear();

app.UseForwardedHeaders(forwardOptions);

Note that without the KnownNetworks and KnownProxies Clear() it won't work. And it won't work without RequireHeaderSymmetry = false so you need all of it.

On the ForwardedHeaders you'll want to try and avoid .All or the other option that is listed because it has a security vulnerability.

Then in application settings you need to add WEBSITES_PORT=80, ASPNETCORE_URLS=http://+:80 and ASPNETCORE_HTTPS_PORT=443. Until all of these are in you will continue to get a slightly different error.

Note: This won't fix Swagger's validator. It has other issues because the validator is wrong. The JSON is still valid but the domain is different so it freaks out. The easy way to solve that is in UseSwaggerUI set options.EnableValidator(null);

app.UseSwaggerUI(
    options =>
    {
        options.EnableValidator(null);
    });
James Hancock answered Sep 19 '22 00:09
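
The answer's settings placed in a complete Startup.cs, as an added example that is not code from the answer or from Microsoft's documentation. The /diag/scheme route is hypothetical, and the use of UseHttpsRedirection and the assumption that the container is reachable only through the App Service front end are mine.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        var forwardOptions = new ForwardedHeadersOptions
        {
            // Only the two headers the app needs: client IP and original scheme.
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
            RequireHeaderSymmetry = false,
            // Process only the entry added by the nearest proxy (this is the default).
            ForwardLimit = 1
        };

        // With both lists empty the middleware accepts these headers from any sender.
        // Assumption: nothing can reach the container except the App Service front end.
        // If the app is ever exposed directly, list the proxy addresses here instead.
        forwardOptions.KnownNetworks.Clear();
        forwardOptions.KnownProxies.Clear();

        // Must run before anything that reads Request.Scheme or RemoteIpAddress.
        app.UseForwardedHeaders(forwardOptions);

        // Hypothetical diagnostic route: reports what the app sees after the rewrite.
        // Over the public https URL it should answer scheme=https, isHttps=True.
        app.Map("/diag/scheme", diag => diag.Run(async context =>
        {
            context.Response.ContentType = "text/plain";
            await context.Response.WriteAsync(
                $"scheme={context.Request.Scheme}\n" +
                $"isHttps={context.Request.IsHttps}\n" +
                $"remoteIp={context.Connection.RemoteIpAddress}\n");
        }));

        // Redirects plain-http requests to the port given in ASPNETCORE_HTTPS_PORT.
        // Placed after the forwarded-headers middleware so it sees the restored scheme.
        app.UseHttpsRedirection();

        // Placeholder for the rest of the pipeline (MVC, Swagger, auth, ...).
        app.Run(context => context.Response.WriteAsync("ok"));
    }
}
```

If /diag/scheme reports scheme=http when requested over the public https URL, the forwarded headers are not being applied and OAuth redirect URIs will be generated with the wrong scheme.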