SignalR 1.x behind reverse proxy which does SSL/TLS termination

Question

In theory this should be a fairly common use case. A .NET webserver behind a reverse proxy which is responsible for the SSL/TLS termination.

But for some mysterious reason this doesn't work for me. I use Pound reverse proxy. And I have the following in the config.

HeadRemove  "X-Forwarded-Proto"
AddHeader   "X-Forwarded-Proto: https"

Chrome gives me a "Failed to load resource: the server responded with a status of 403 (Forbidden: SignalR cross domain is disabled.)".

In the web.config I have added the following to system.webServer

<httpProtocol>s
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="https://some.domain.fake" />
  </customHeaders>
</httpProtocol>

To my understanding I shouldn't need CORS, since I'm not doing any cross domain requests. Mind you everything works fine if I use the non SSL uri.

The following bugs seem to be related, but they should be fixed, and are not exactly the same as the issue I have. Bug with same origin check behind reverse proxies/load balancers etc. Bug with same origin check behind reverse proxies/load balancers for SSL requests.

I have been searching quite a while to find a solution, but I'm suprised that there not a lot more people with the same issue.

The question is: How do I fix this?

Answer 1

If your reverse proxy is setting an Origin header, the server will interpret it as a CORS request.

You'll probably need to use the Microsoft.Owin.Cors NuGet package to allow CORS requests from whatever origin your reverse proxy is setting in the Origin header.

http://www.asp.net/signalr/overview/signalr-20/hubs-api/hubs-api-guide-javascript-client#crossdomain