6

I am not quite clear on whether the Kestrel server needs to be encrypted when it runs as a localhost server.

I use Apache with HTTPS as the proxy server for the Kestrel server. Is it required to run HTTPS in Kestrel as well? In theory, what passes through the Apache proxy server (HTTPS enabled) should be encrypted, right?

Please shed some light if you have any ideas.

Return-1

1 Answer

8

No, you don't have to encrypt the traffic between Apache and Kestrel. Apache (or nginx or IIS) will be the SSL termination point.

However, what you need to make sure is:

  1. that Apache correctly sets the forwarded headers (the `X-Forwarded-*` headers)
  2. that Kestrel is correctly configured to use these headers (`UseIISIntegration` already does that), or that you register the `app.UseForwardedHeaders();` middleware, which also registers them

Without either one, your requests will fail if the controllers/actions are marked with the `[RequireHttps]` attribute.

Tseng
  • By the way, Tseng. How can I know whether I have already set the forwarded headers correctly? – userIndulgeInDChord May 17 '17 at 07:07
  • Log the traffic. Or set a breakpoint in some middleware and log/inspect it. When all is set correctly, calls to methods with `[RequireHttps]` should work w/o any issues. – Tseng May 17 '17 at 07:10
  • Tseng. How about if I call a web service from Kestrel where the web service requires https? As the Kestrel is running in http. – userIndulgeInDChord May 20 '17 at 04:05
  • You can't create Webservices in .NET Core, so this excludes usage of ASP.NET Core with apache2/nginx on Linux/Mac and means you can only run it on Windows targeting .NET Framework >=4.5 anyways, and there you can host it on IIS (and use HTTPS/Windows Auth) or run WebListener. If you wanna call REST services via HTTPS you can also do that by calling the reverse proxy instead of using the internal IPs, and the reverse proxy will redirect it to the correct service. – Tseng May 20 '17 at 11:30
  • Newer versions of Kestrel also support HTTPS, but there is no need to encrypt traffic between the proxy and your app (unnecessary CPU usage) unless you have some very strong security requirements and/or run these in an untrusted network. – Tseng May 20 '17 at 11:31
  • Tseng, how do I call the reverse proxy instead of using the internal IP? As I can see from the error message, I am using the domain name instead of IP already. But the protocol is not encrypted as I called the API from Kestrel. – userIndulgeInDChord May 21 '17 at 09:59
  • If your reverse proxy is available at `http://example.com`, then just call `https://example.com/api/mymicroservice` instead of `http://10.1.2.3:5001/api/mymicroservice`. When you call the web proxy you use SSL, but when the proxy redirects it to the webservice, it doesn't; it just sends the header. – Tseng May 21 '17 at 12:56
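As an added example (not code from the question, the answer or the ASP.NET Core project itself), this is what the answer's second point and the "log the traffic" check from the comments look like in a Kestrel app: the forwarded-headers middleware is told to trust only the Apache instance on the same host, a logging middleware shows whether the scheme and client address were rewritten, and a terminal handler stands in for a `[RequireHttps]` action. The `Startup` class, the loopback proxy addresses and the Apache `RequestHeader` line mentioned in the comments are assumptions about the deployment.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Logging;

// Assumed deployment: Apache on the same host terminates TLS and proxies to
// Kestrel over plain HTTP. mod_proxy adds X-Forwarded-For by itself, but the
// HTTPS VirtualHost must add the scheme explicitly:
//   RequestHeader set X-Forwarded-Proto "https"
// Kestrel itself should listen on 127.0.0.1 only, so that nothing but Apache
// can reach it directly.
public class Startup
{
    public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory)
    {
        var log = loggerFactory.CreateLogger<Startup>();

        // Honour X-Forwarded-* only when the connection comes from the proxy.
        // Anything else that could talk to Kestrel would otherwise be able to
        // set its own X-Forwarded-Proto/For and be treated as an HTTPS client
        // from an address of its choosing.
        var fwd = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        };
        fwd.KnownNetworks.Clear();
        fwd.KnownProxies.Clear();
        fwd.KnownProxies.Add(IPAddress.Loopback);      // Apache on 127.0.0.1
        fwd.KnownProxies.Add(IPAddress.IPv6Loopback);  // Apache on ::1
        app.UseForwardedHeaders(fwd);

        // The check from the comments: after UseForwardedHeaders, Scheme should
        // read "https" and RemoteIpAddress the real client, not 127.0.0.1.
        app.Use(async (ctx, next) =>
        {
            log.LogInformation("scheme={Scheme} remote={Remote} host={Host}",
                ctx.Request.Scheme, ctx.Connection.RemoteIpAddress, ctx.Request.Host);
            await next();
        });

        // Stand-in for a [RequireHttps] action: if the headers were not applied,
        // the request still looks like plain HTTP here and is rejected.
        app.Run(async ctx =>
        {
            if (!ctx.Request.IsHttps)
            {
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                await ctx.Response.WriteAsync("forwarded headers not applied");
                return;
            }
            await ctx.Response.WriteAsync($"ok: {ctx.Request.Scheme}://{ctx.Request.Host}");
        });
    }
}
```

Requesting the site through Apache should log `scheme=https` with the browser's address; a request sent straight to Kestrel on port 5000 logs `scheme=http` and gets the 403, which is the quick way to confirm both the Apache headers and the middleware order are right.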