Add support to reverse proxies

[fume]

We actually generate the AssertionConsumerServiceUrl using the HTTP Request host. This won't work in scenarios where reverse proxies are used, since the request host will be different from the "public" host that users can reach.

We basically need to change the following line

SPID-and-Digital-Identity-Enabler/WebApps/Proxy/Microsoft.SPID.Proxy/Services/Implementations/SAMLService.cs

Lines 32 to 36 in 63ef10f

	public string GetAttributeConsumerService()
	{
	return $"https://{_httpContextAccessor.HttpContext.Request.Host}/proxy/assertionconsumer";
	}

We could use the x-forwarded-host header (https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0) or, eventually, just put the right host in config.

[fume]

I just noticed that the ForwardedHeadersMiddleware can be enabled as simply as setting the env variable ASPNETCORE_FORWARDEDHEADERS_ENABLED to true (ForwardedHeaderStartupFilter). Doing so, the default values for the ForwardedHeadersOptions are going to be used except for the overridden options in the (ForwardedHeadersOptionsSetup). Basically, only the x-forwarded-proto and x-forwarded-for headers are going to be used, which is not enough for us since we also need x-forwarded-host.

I see two options here:

• We check for the ASPNETCORE_FORWARDEDHEADERS_ENABLED env variable, and if set to true we configure the ForwardedHeadersOptions as we desire
• We add the ForwardedHeaders middleware on our own

[fume]

I have an implementation proposal on the support-reverse-proxies branch.

In Program.cs

SPID-and-Digital-Identity-Enabler/WebApps/Proxy/Microsoft.SPID.Proxy/Program.cs

Lines 13 to 16 in 16796aa

	if (string.Equals(builder.Configuration["ASPNETCORE_FORWARDEDHEADERS_ENABLED"], "true", StringComparison.OrdinalIgnoreCase))
	{
	ConfigureForwardedHeadersOptions();
	}

Where ConfigureForwardedHeadersOptions() is

SPID-and-Digital-Identity-Enabler/WebApps/Proxy/Microsoft.SPID.Proxy/Program.cs

Lines 78 to 111 in 16796aa

	void ConfigureForwardedHeadersOptions()
	{
	builder.Services.Configure<ForwardedHeadersOptions>(options =>
	{
	var section = builder.Configuration.GetSection("ForwardedHeaders");
	section.Bind(options);
	var knownProxies = section.GetValue<string>("KnownProxies")?.Split(',');
	var knownNetworks = section.GetValue<string>("KnownNetworks")?.Split(',');
	if (knownProxies?.Length > 0)
	{
	options.KnownProxies.Clear();
	foreach (var ip in knownProxies)
	{
	options.KnownProxies.Add(IPAddress.Parse(ip));
	}
	}
	if (knownNetworks?.Length > 0)
	{
	options.KnownNetworks.Clear();
	foreach (var network in knownNetworks)
	{
	var networkSplit = network.Split('/');
	var prefix = networkSplit[0];
	var prefixLength = int.Parse(networkSplit[1]);
	options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse(prefix), prefixLength));
	}
	}
	});
	}

Then in the appsettings we can define the ForwardedHeaders section and set all the required options. The ForwardedHeaders are defaulted to All (Which means X-Forwarded-For | X-Forwarded-Proto | X-Forwarded-Host)

SPID-and-Digital-Identity-Enabler/WebApps/Proxy/Microsoft.SPID.Proxy/appsettings.json

Lines 161 to 163 in 16796aa

	"ForwardedHeaders": {
	"ForwardedHeaders": "All"
	}

@MarcoZama , @tommasodotNET , @PaoloCastAway , any thoughts?