[Announcement] HTTPS redirection changes for IIS OutOfProcess in 2.2 and 3.0 #15243

Closed
Tratcher opened this issue Oct 21, 2019 · 5 comments
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions breaking-change This issue / pr will introduce a breaking change, when resolved / merged. feature-iis Includes: IIS, ANCM

@Tratcher
Member

Tratcher commented Oct 21, 2019

HTTPS redirection changes for IIS OutOfProcess in 2.2 and 3.0

The new AspNetCoreModule for hosting via IIS OutOfProcess lights up an existing HTTPS redirection feature for both 3.0 and 2.2 applications.

Version introduced

ASP.NET Core 3.0
AspNetCoreModule 13.0.19218.0

Old behavior

The 2.1 project template first introduced support for HTTPS tools like UseHttpsRedirection and UseHsts. HTTPS redirection required configuration to enable since apps in development do not use the default port 443. HSTS is only active if the request is already HTTPS, and skips localhost by default.

New behavior

In 3.0 the IIS HTTPS scenario was enhanced so that the application could discover the server HTTPS ports and make UseHttpsRedirection work by default. InProcess did this via the IServerAddresses feature, which only affects 3.0 applications because the InProcess library is versioned with the framework. OutOfProcess changed to automatically add the ASPNETCORE_HTTPS_PORT environment variable which affected both 2.2 and 3.0 applications because the OutOfProcess component is shared globally. 2.1 apps are not affected because they use a prior version of AspNetCoreModule by default.

The 3.0 version of AspNetCoreModule was recently deployed to Azure Web Sites and some users noticed that this did affect their 2.2 applications as described above.

Reason for change

Improved 3.0 functionality.

Recommended action

If you want all clients to use HTTPS then no action is required. If you want to allow some clients to use HTTP then take one of the following steps:

A) Remove UseHttpsRedirection and UseHsts from your application's Startup.cs file and redeploy the application.

Or B) Add the environment variable ASPNETCORE_HTTPS_PORT with an empty value to your web.config file. This can be done directly on the server without redeploying the application.

      <aspNetCore processPath="dotnet" arguments=".\WebApplication3.dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout">
        <environmentVariables>
          <environmentVariable name="ASPNETCORE_HTTPS_PORT" value="" />
        </environmentVariables>
      </aspNetCore>

Category

ASP.NET

Affected APIs

UseHttpsRedirection


Issue metadata

  • Issue type: breaking-change
@Tratcher Tratcher added discussion breaking-change This issue / pr will introduce a breaking change, when resolved / merged. feature-iis Includes: IIS, ANCM labels Oct 21, 2019
@Tratcher Tratcher added this to the Discussions milestone Oct 21, 2019
@poke
Contributor

poke commented Oct 22, 2019

I’m not sure I fully understand this. Does this mean that HTTPS redirection is now enabled by default and the only way to opt-out would be to specify the ASPNETCORE_HTTPS_PORT environment variable? Or does this only affect applications that are hosted through IIS?

How to enable/disable HTTPS redirection for bare Kestrel applications then (e.g. running naked, or through other reverse proxies)?

@Tratcher
Member Author

This change only affects IIS InProc and OutOfProc where they forward the necessary information to the app to automatically activate UseHttpsRedirection. If you don't want auto redirection then remove UseHttpsRedirection. Setting the environment variable to empty is a short term opt-out that doesn't require recompiling or redeploying.

Bare Kestrel and HttpSys already supported auto redirection by exposing the port information via IServerAddresses. Enable or disable it by adding or removing UseHttpsRedirection.

Other reverse proxies would still need to set the ASPNETCORE_HTTPS_PORT environment variable.

@poke
Contributor

poke commented Oct 22, 2019

@Tratcher Thanks for the clarifications!

@Tratcher
Member Author

Tratcher commented Nov 6, 2019

Update: This behavior is being modified in 3.0.1 and 3.1.0-preview3 to reverse the behavior changes in 2.x. These changes only affect IIS out-of-process applications.

As detailed above, installing 3.0.0 had the side effect of also activating the UseHttpsRedirection middleware in 2.x applications. A change is being made to AspNetCoreModule in 3.0.1 and 3.1.0-preview3 such that installing them will no longer have this effect on 2.x applications. The ASPNETCORE_HTTPS_PORT environment variable that AspNetCoreModule populated in 3.0.0 is being changed to ASPNETCORE_ANCM_HTTPS_PORT in 3.0.1 and 3.1.0-preview3. UseHttpsRedirection is also being updated in these releases to understand both the new and old variables. 2.x will not be updated and as a result will revert to its prior behavior (off by default).

UseHttpsRedirection can still be activated manually in 2.x by setting the ASPNETCORE_HTTPS_PORT variable with the appropriate value (443 in most production scenarios). UseHttpsRedirection can also still be deactivated in 3.x by defining ASPNETCORE_ANCM_HTTPS_PORT with an empty value similar to the example given above.

Note that machines running 3.0.0 applications should install 3.0.1 ASP.NET Core runtime before installing the 3.1.0-preview3 AspNetCoreModule to ensure that UseHttpsRedirection continues to operate as expected for the 3.0 applications.

In Azure App Service AspNetCoreModule deploys on a separate schedule from the runtime due to its global nature. AspNetCoreModule will be deployed to Azure with these changes after 3.0.1 and 3.1.0 are deployed.
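
An added example, not part of the thread or of the ASP.NET Core project's code: a Python audit that reads a web.config and reports, for each aspNetCore element, whether either HTTPS-port variable named above is set to an empty value (the opt-out), set to a port, or absent. The sample configuration, the function name audit_web_config and the status labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Variable names from this thread: AspNetCoreModule 3.0.0 populated the first;
# 3.0.1 / 3.1.0-preview3 renamed it to the second.
PORT_VARS = ("ASPNETCORE_HTTPS_PORT", "ASPNETCORE_ANCM_HTTPS_PORT")

# Constructed sample: one app with the empty-value opt-out, one pinned to 443,
# one with no HTTPS-port variable at all.
SAMPLE = r"""<configuration>
  <location path="a"><system.webServer>
    <aspNetCore processPath="dotnet" arguments=".\WebApplication3.dll">
      <environmentVariables>
        <environmentVariable name="ASPNETCORE_HTTPS_PORT" value="" />
        <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Production" />
      </environmentVariables>
    </aspNetCore>
  </system.webServer></location>
  <location path="b"><system.webServer>
    <aspNetCore processPath="dotnet" arguments=".\Other.dll">
      <environmentVariables>
        <environmentVariable name="aspnetcore_https_port" value="443" />
      </environmentVariables>
    </aspNetCore>
  </system.webServer></location>
  <location path="c"><system.webServer>
    <aspNetCore processPath="dotnet" arguments=".\Third.dll" />
  </system.webServer></location>
</configuration>"""


def audit_web_config(xml_text):
    """Classify every <aspNetCore> element by its HTTPS-port variables."""
    findings = []
    for handler in ET.fromstring(xml_text).iter("aspNetCore"):
        seen = {}
        for var in handler.iter("environmentVariable"):
            name = (var.get("name") or "").upper()  # Windows env names ignore case
            if name in PORT_VARS:
                seen[name] = (var.get("value") or "").strip()
        if any(v == "" for v in seen.values()):
            status = "opt-out"         # empty value: the opt-out from this thread
        elif seen:
            status = "explicit-port"   # operator pinned a redirect port
        else:
            status = "module-default"  # nothing set in web.config
        findings.append((handler.get("arguments"), status, seen))
    return findings


if __name__ == "__main__":
    for app, status, seen in audit_web_config(SAMPLE):
        print(f"{app:28} {status:15} {seen}")
```

Entries reported as opt-out are the ones where plain HTTP is still served without a redirect, so they are the ones to revisit once the short-term workaround is no longer needed.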

@jkotalik
Contributor

Closing as there have been two releases with this change in it.

@ghost ghost locked as resolved and limited conversation to collaborators Dec 13, 2020
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 2, 2023