Does it require https in Kestrel behind my https apache proxy server?

Question

I am not quite clear about the idea whether the Kestrel server needs to be encrypted as a localhost server.

I use Apache with HTTPS as the proxy server for Kestrel server. Does it require to run https in Kestrel as well? In theory, what passes through the Apache proxy server (HTTPS enabled) should be encrypted, right?

Please shed some light if you have any ideas.

Answer 1

No, you don't have to encrypt the traffic between Apache and Kestrel. The apache (or nginx or IIS) will be the SSL termination point.

However what you need to make sure is

1. that Apache correctly sets the forwarded headers (x-forwarded-* headers)
2. kestrel is correctly configured to use these headers (UseIISIntegration already does that) or register the app.UseForwardedHeaders(); middleware which also registers them

Without either one, your requests will fail if the controllers/actions are marked with [RequireHttps] attribute