Need documentation for enabling HTTPS on Linux / OS X #1198

Closed
SteveSandersonMS opened this issue May 9, 2016 · 8 comments
@SteveSandersonMS
Member

SteveSandersonMS commented May 9, 2016

The docs at http://docs.asp.net/en/latest/publishing/linuxproduction.html describe how to set up a reverse-proxy from nginx, and they hint that you can do this to enable HTTPS. However, they don't provide any explicit instructions.

If you just add the minimal nginx config to enable SSL, i.e.,

server {
    listen       443;
    ssl                  on;
    ssl_certificate      ssl/nginx.crt;
    ssl_certificate_key  ssl/nginx.key;
    ... other stuff ...
}

... then it will appear to work, but there's a subtle problem. ASP.NET won't know the requests are being served over HTTPS, and so it won't know to do anything that it normally does over HTTPS (such as mark auth cookies as SSL-only).

I understand there's some sort of ASP.NET Core middleware you're supposed to enable, or HTTP headers you're meant to configure in nginx. This should be made clear in docs.

danroth27 added this to the 1.0.0-rc2 milestone May 11, 2016
danroth27 added the Pri2 Priority 2 label May 19, 2016
@dlebedynskyi

Having a similar problem as well. There is a Kestrel.https package but it lacks documentation.

@Rick-Anderson
Contributor

migrated to #1251

@shirhatti
Contributor

@Rick-Anderson Hmm. I haven't verified this. I'm reopening the bug for now. I'll close after I'm able to verify this is no longer needed.

shirhatti reopened this Jul 11, 2016
@Rick-Anderson
Contributor

@shirhatti actually I just migrated it to #1251 but we'll keep it open.

tdykstra modified the milestones: Backlog, 1.0.0 Dec 5, 2016
spboyer self-assigned this Dec 15, 2016
@spboyer
Contributor

spboyer commented Jan 3, 2017

Issue is dated; however, what we have now documented for nginx and Apache is well documented for what is needed in the reverse proxy. For ASP.NET Core to know that the requests are SSL and/or to listen on 443, the following must be added.

NuGet package Microsoft.AspNetCore.Kestrel.Https

and in WebHostBuilder add

    var host = new WebHostBuilder()
        .UseKestrel(options =>
        {
            options.UseHttps("MyCert.pfx", "MyPassword");
        })
        .UseUrls("http://localhost:5000", "https://localhost:5001");

cc: @blowdart

@SteveSandersonMS
Member Author

@spboyer I'm not sure adding that code addresses the issue, which is that if you're reverse-proxying from HTTPS to HTTP, then ASP.NET is taking requests on HTTP, and hence won't flag cookies to the browser as HTTPS-only.

Isn't there a way to tell ASP.NET that even though a certain request is coming in on HTTP, that it should be treated as a secure connection, since it is secure beyond the reverse-proxy?

@spboyer
Contributor

spboyer commented Jan 6, 2017

@SteveSandersonMS I believe that adding the XForwardedProto option on the UseForwardedHeaders middleware will solve this.

app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});

See: #2384 (comment) from @Tratcher
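
Added example, not part of the original thread or the ASP.NET documentation: a minimal app showing the forwarded-headers setup discussed above, with the proxy trust restricted and a cookie whose Secure flag follows the restored scheme. It assumes ASP.NET Core 6 or later minimal hosting and nginx on the same machine sending the two headers named in the first comment; the cookie name and value are constructed.

```csharp
// Added example. Assumes an nginx reverse proxy on 127.0.0.1 that terminates TLS
// and forwards to this app over plain HTTP with:
//   proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
//   proxy_set_header X-Forwarded-Proto $scheme;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

var forwarded = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
    ForwardLimit = 1 // honour only the hop added by our own proxy
};
// Accept X-Forwarded-* only when the TCP peer is the proxy itself. Any client can
// send these headers, so they must not be trusted from arbitrary addresses.
forwarded.KnownProxies.Add(IPAddress.Loopback); // assumption: nginx runs on 127.0.0.1

// Must run before any middleware that reads the scheme (auth, redirects, link generation).
app.UseForwardedHeaders(forwarded);

app.MapGet("/", (HttpContext ctx) =>
{
    // The Kestrel connection is plain HTTP, but after the middleware above
    // Request.Scheme is "https" and IsHttps is true for proxied HTTPS requests.
    ctx.Response.Cookies.Append("demo_session", "constructed-value", new CookieOptions
    {
        HttpOnly = true,
        Secure = ctx.Request.IsHttps // stand-in for the per-request decision cookie auth makes
    });
    return Results.Text($"scheme={ctx.Request.Scheme} isHttps={ctx.Request.IsHttps} " +
                        $"remote={ctx.Connection.RemoteIpAddress}");
});

app.Run();
```

Requesting the app through the proxy over HTTPS should report `scheme=https` and set the cookie with `Secure`; requesting Kestrel directly with a hand-set `X-Forwarded-Proto` header from a non-proxy address should leave the scheme as `http`.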

@SteveSandersonMS
Member Author

Excellent - that's exactly the functionality I was hoping for. And I see it's mentioned at https://docs.microsoft.com/en-us/aspnet/core/publishing/linuxproduction now too!

Closing because I think all the points here are now addressed, but please reopen if you disagree!
