Dotnet core identityserver4 reverse proxy

Submitted by 守給你的承諾、 on 2021-01-29 07:15:49

Question


Hi everybody, I have a problem with my reverse proxy configuration for my dotnet core application. My problem is that when I am using the identityserver discovery endpoint, the port number is missing from the end of my URL.

I have a request for the discovery document to https://:8421/.well-known/openid-configuration and the response is the following. The problem here is that the clients of the authentication service are using the document as a base for verification, using the jwks_uri property from the response; the URL listed in that property has the missing port number, so the clients can't call the openId configuration.

    {
        "issuer": "https://<servername>",
        "jwks_uri": "https://<servername>/.well-known/openid-configuration/jwks",
        "authorization_endpoint": "https://<servername>/connect/authorize",
        "token_endpoint": "https://<servername>/connect/token",
        "userinfo_endpoint": "https://<servername>/connect/userinfo",
        "end_session_endpoint": "https://<servername>/connect/endsession",
        "check_session_iframe": "https://<servername>/connect/checksession",
        "revocation_endpoint": "https://<servername>/connect/revocation",
        "introspection_endpoint": "https://<servername>/connect/introspect",
        "device_authorization_endpoint": "https://<servername>/connect/deviceauthorization"
    }

Expected result for the endpoint config:

    {
        "jwks_uri": "https://<servername>:<port>/.well-known/openid-configuration/jwks"
    }

In my dotnet app I set up the reverse proxy settings:

    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders =
            ForwardedHeaders.XForwardedFor |
            ForwardedHeaders.XForwardedHost |
            ForwardedHeaders.XForwardedProto;

        options.ForwardLimit = 2;  // Limit number of proxy hops trusted
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();
    });
    app.UseForwardedHeaders();

The nginx config is the following:

    server {
        listen <ip>:8421 ssl;
        server_name _;

        ssl_certificate     <certPath>;
        ssl_certificate_key <certPath>;

        location / {
            proxy_pass http://127.0.0.1:8421;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Host $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 8421;
        }
    }

Before updating to IdentityServer4 4.0 it had the PublicOrigin property, but it became deprecated with 4.0. Now instead it is using the dotnet base URL.

In the HTTP pipeline I also logged all the headers from the request and got this result:

2020-07-03 11:40:15.109 +00:00;[INF];Cache-Control--no-cache Connection--upgrade Accept--*/* Accept-Encoding--gzip, deflate, br Host--<hostName> User-Agent--PostmanRuntime/7.26.1 X-Real-IP--<ip> X-Original-Proto--http X-Forwarded-Host--<domainName with port> X-Forwarded-Port--8421 Postman-Token--44dc6573-71eb-4b36-8b2a-9768d71e5b64 X-Original-For--<ip address> ;;

Answer 1:


I had to add the port to the nginx configuration as well. Setting X-Forwarded-Host to $host was not enough; I also had to add $proxy_port.

The working configuration for the proxy:

    proxy_set_header X-Forwarded-Host $host:$proxy_port;
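Whichever forwarded header the proxy ends up sending, the thing worth verifying afterwards is that every URL in the discovery document carries the public origin (scheme, host and port) that clients will actually contact, since relying parties fetch jwks_uri from it. The following is an added example, not code from the Stack Overflow post: a small Python check that parses a discovery document and reports every endpoint whose origin differs from the expected one, treating `https://host` and `https://host:443` as equal. The sample document is constructed from the one in the question, with `<servername>` assumed to be `idp.example.test`.

```python
"""Check that every endpoint URL in an OpenID Connect discovery document
carries the expected public origin (scheme, host and effective port)."""
import json
from urllib.parse import urlsplit

# Keys whose values must be absolute URLs on the public origin.
URL_KEYS = (
    "issuer", "jwks_uri", "authorization_endpoint", "token_endpoint",
    "userinfo_endpoint", "end_session_endpoint", "check_session_iframe",
    "revocation_endpoint", "introspection_endpoint",
    "device_authorization_endpoint",
)
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return (scheme, host, effective port), so 'https://h' == 'https://h:443'."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def discovery_mismatches(doc, expected_origin):
    """Return [(key, url)] for every URL whose origin differs from expected_origin."""
    expected = origin_of(expected_origin)
    return [(k, doc[k]) for k in URL_KEYS
            if k in doc and origin_of(doc[k]) != expected]


# Constructed sample: what the question's proxy setup produced (host without
# the :8421 port); '<servername>' is assumed to be idp.example.test.
BROKEN_DOC = json.loads("""{
  "issuer": "https://idp.example.test",
  "jwks_uri": "https://idp.example.test/.well-known/openid-configuration/jwks",
  "token_endpoint": "https://idp.example.test/connect/token"
}""")

# Same document once X-Forwarded-Host carries host and port.
FIXED_DOC = {k: v.replace("idp.example.test", "idp.example.test:8421")
             for k, v in BROKEN_DOC.items()}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_DOC), ("fixed", FIXED_DOC)):
        print(name, discovery_mismatches(doc, "https://idp.example.test:8421"))
```

Run it against the live document by replacing BROKEN_DOC with the JSON fetched from `/.well-known/openid-configuration` through the proxy; a non-empty result means clients will still be sent to the wrong origin.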


Source: https://stackoverflow.com/questions/62713022/dotnet-core-identityserver4-reverse-proxy
