How can I enforce SSL using ASP.NET Core and nginx

Question

I spun up a new VM running Ubuntu 16.04 and ran the command. dotnet new -t web which creates a new basic MVC web template. Next I ran the app and the connection was successful.

After that I modified nginx.conf to use SSL

server {
    listen                      443 http2 ssl default;

    ssl_certificate             /etc/ssl/certs/testCert.crt;
    ssl_certificate_key         /etc/ssl/certs/testCert.key;
    ssl_protocols               TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve              secp384r1;
    ssl_session_cache           shared:SSL:10m;
    ssl_session_tickets         off;
    ssl_stapling                on;
    ssl_stapling_verify         on;

    location / {
        proxy_pass              http://localhost:5000;
        proxy_cache_bypass      $http_upgrade;
        proxy_redirect          off;
        proxy_set_header        Host $host;
        proxy_http_version      1.1;
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection keep-alive;
        client_max_body_size    10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout   90;
        proxy_send_timeout      90;
        proxy_read_timeout      90;
        proxy_buffers           32 4k;

    }
}

Ran the app again and it was running under HTTPS without errors.

Then I configured MVC services in Startup.cs to enforce HTTPS.

services.AddMvc(config =>
{
    config.Filters.Add(new RequireHttpsAttribute());
});

Finally I tried to connect again but get ERR_TOO_MANY_REDIRECTS. However if I only run on Kestrel and configure some options it will work just fine.

services.Configure<KestrelServerOptions>(options =>
{
    options.AddServerHeader = false;
    options.UseHttps("devcert.pfx", "password");
});

It seems like it must be nginx, however it could be a problem with MVC/ASP.NET Core. How can I further diagnose this issue or fix it?

Answer 1

Your SSL connection is terminated as nginx, which communicates with Kestrel in plain http. Kestrel redirects user to https, which is terminated again in nginx, passed to Kestrel as http and again and again. That's endless loop.

Configure nginx to require https (redirect http to https), don't touch Kestrel. You site itself will always work without SSL, and nginx will deliver it to users (and back) using SSL.