Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using "RequireHttpsAttribute" on a global level in Asp.net 5 #895

Closed
Sharpiro opened this issue Sep 6, 2015 · 16 comments
Closed

Using "RequireHttpsAttribute" on a global level in Asp.net 5 #895

Sharpiro opened this issue Sep 6, 2015 · 16 comments

Comments

@Sharpiro
Copy link

@Sharpiro Sharpiro commented Sep 6, 2015

I want to declare in code that I want to require the use of HTTPS.

In the past, I used this in Global.asax.cs:

GlobalFilters.Filters.Add(new RequireHttpsAttribute());

I'm currently using this in "ConfigureServices" method of "Startup.cs":

services.Configure<MvcOptions>(options =>
            {
                options.Filters.Add(new RequireHttpsAttribute());
            });

While this works for all of my API calls, it doesn't do anything for my static files and default files which are initialized like so in "Startup.cs":

app.UseDefaultFiles();
app.UseStaticFiles();

I'm currently having to go into Azure after each publish and modify the created web.config (since I don't use it in asp.net 5) and forcing the redirect to HTTPS there.

Is there a way to globally declare the "RequireHttpsAttribute" similar to how it was done in the past? If not, should this be implemented somehow?

Thanks.

@davidfowl
Copy link
Contributor

@davidfowl davidfowl commented Sep 6, 2015

Filters only apply to MVC, you need to write a piece of middleware that does the same thing as the filter.

@guardrex
Copy link
Contributor

@guardrex guardrex commented Sep 6, 2015

Can't we make changes to a web.config file in our wwwroot folder locally that will stick on publish? I understand it wouldn't be a best practice over creating the middleware to solve this issue, but it might save @Sharpiro some time in the meantime.

@davidfowl
Copy link
Contributor

@davidfowl davidfowl commented Sep 6, 2015

I don't see how web.config helps

@guardrex
Copy link
Contributor

@guardrex guardrex commented Sep 6, 2015

You can set a rule for IIS to redirect requests for HTTPS that way.

@guardrex
Copy link
Contributor

@guardrex guardrex commented Sep 6, 2015

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
@davidfowl
Copy link
Contributor

@davidfowl davidfowl commented Sep 6, 2015

Perfect, you don't even need the MVC filter 😄 Just that you; tied to IIS which might be fine for @Sharpiro

@Sharpiro
Copy link
Author

@Sharpiro Sharpiro commented Sep 6, 2015

The solution @guardrex posted was actually what i was currently doing. It was just a bit tedious having to paste that code snippet into the azure web.config after every publish from VS. But i actually took @davidfowl 's advice and created some middleware that just forces the redirect.

Thanks.

@Sharpiro Sharpiro closed this Sep 6, 2015
@guardrex
Copy link
Contributor

@guardrex guardrex commented Sep 6, 2015

@Sharpiro

It was just a bit tedious having to paste that code snippet into the azure web.config after every publish from VS.

What I was trying to say was that you can put that into a web.config file in your project's wwwroot folder and it should merge into web.config for the server. You shouldn't need to keep logging into Azure every publish was my point.

@Sharpiro
Copy link
Author

@Sharpiro Sharpiro commented Sep 6, 2015

@guardrex

I see, that is a good idea. However, one of the new features i enjoy about asp.net 5 is the lack of a web.config as needed in my project.

Thanks for your help.

@guardrex
Copy link
Contributor

@guardrex guardrex commented Sep 6, 2015

@Sharpiro Would you be opposed to sharing the middleware bit you created? I'd like to see and possibly use that ... esp for a non-IIS project at some point.

@Sharpiro
Copy link
Author

@Sharpiro Sharpiro commented Sep 6, 2015

https://github.com/Sharpiro/ASP5_Template/tree/master/src/ASP5_Template_Web/Middleware

Here's a link to the project i've been working on.

I'm pretty new to Owin so it took me a bit to get all the pieces working. But now that it works it looks pretty simple.

This was just a quick implementation so my logic for moving from "http" to "https" is simplistic and only works in a deployed IIS/Azure environment where port number differences do not matter.

@guardrex
Copy link
Contributor

@guardrex guardrex commented Sep 6, 2015

Oh, yes. Indeed. I like that. Very simple ... very effective. I think that will work anywhere. Thanks for sharing. 🍺

@davidfowl
Copy link
Contributor

@davidfowl davidfowl commented Sep 6, 2015

GetDisplayUrl is the wrong one to use.

@Sharpiro
Copy link
Author

@Sharpiro Sharpiro commented Sep 6, 2015

@davidfowl

Ok, I changed it to: "context.Request.GetEncodedUrl()"

if that's what you're referring to.

@davidfowl
Copy link
Contributor

@davidfowl davidfowl commented Sep 6, 2015

Yes, if you read the doc comments:

GetEncodedUrl

Returns the combined components of the request URL in a fully escaped form suitable for use in HTTP headers and other HTTP operations.

GetDisplayUrl

Returns the combined components of the request URL in a fully un-escaped form (except for the QueryString) suitable only for display. This format should not be used in HTTP headers or other HTTP operations.

@fletchsod-developer
Copy link

@fletchsod-developer fletchsod-developer commented Dec 10, 2015

Thanks for sharing.

jkotalik added a commit that referenced this issue Nov 1, 2018
jkotalik added a commit that referenced this issue Nov 1, 2018
natemcmaster pushed a commit that referenced this issue Nov 20, 2018
- Renamed the type to IHostedService and added Start and Stop.
- Split up the IHostedService execution and IApplicationLifetime to avoid
circular references
- Trigger IHostedService.Start after starting the server
- Trigger IHostedService.Stop before disposing the service provider

#895 #894
@msftbot msftbot bot locked as resolved and limited conversation to collaborators Dec 4, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.