[Announcement] HttpsRedirectionMiddleware will throw if there are multiple ambiguous https ports #29222
Labels
area-middleware
Includes: URL rewrite, redirect, response cache/compression, session, and other general middlesware
Milestone
HttpsRedirectionMiddleware will throw if there are multiple ambiguous https ports
The HttpsRedirectionMiddleware (UseHttpsRedirection) will now throw an InvalidOperationException if it finds multiple https ports in the server config.
"Cannot determine the https port from IServerAddressesFeature, multiple values were found. Set the desired port explicitly on HttpsRedirectionOptions.HttpsPort."
Version introduced
6.0
Old behavior
When the HttpsRedirectionMiddleware isn't explicitly configured with a port it will search IServerAddressesFeature during the first request to figure out what https port it should redirect to. If there are no https ports or multiple distinct ports then it's ambiguous which should be used so the middleware logs a warning and turns itself off. Http requests will be processed normally.
New behavior
When the HttpsRedirectionMiddleware isn't explicitly configured with a port it will search IServerAddressesFeature during the first request to figure out what https port it should redirect to.
If there are no https ports the middleware still logs a warning and turns itself off. Http requests will be processed normally. This supports development scenarios without https, as well as hosted scenarios where TLS is terminated before reaching the server.
If there are multiple distinct ports then it's ambiguous which should be used so the middleware throws an exception and fails the http request.
Reason for change
This is done to prevent potentially sensitive data from being served over un-encrypted http connections when https is known to be available.
Recommended action
To enable https redirection when the server has multiple distinct https ports you must specify one port in the configuration. See https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio#port-configuration.
If you do not need the HttpsRedirectionMiddleware in your app then remove UseHttpsRedirection from Startup.cs.
If you need to select the correct https port dynamically then please provide feedback on #21291.
Category
ASP.NET
Affected APIs
UseHttpsRedirection
Issue metadata
The text was updated successfully, but these errors were encountered: