-1

I am having some problems with my aspnetcore APIs and the Linux environment.

I have an Angular project and 5 .NET projects (APIs and Worker Services), each deployed in its own Docker container, all orchestrated by docker-compose.

Lastly, I have an Nginx container, and I successfully certified my domain with "Letsencrypt" (Docker image); that works with my Angular project.

But when I try to make requests from the client to the aspnetcore APIs (self-signed certificate), it doesn't work at all.

ISSUE => net::ERR_CERT_AUTHORITY_INVALID

So I read many topics and articles about this issue, and I found this article: https://letsencrypt.org/docs/certificates-for-localhost/, which explains that we can't certify "localhost", so we should declare our self-signed certificate in each browser.

So my question is: can I do that once and for all, for every user who wants to access my website?

Maybe aspnetcore and Linux are absolutely not compatible (especially for SSL).

What can I do? I am a bit lost now...

Raikho
  • Can you post your nginx config? (Please clarify, you are serving just the angular static files from nginx or the api goes through also the proxy?) – IamK Sep 28 '22 at 12:07
  • Hi @C1sc0. Thank you for your response. Yes, I am serving only the Angular static files. And I have an environmentApiUrls file in my Angular project, which stores all URLs. I call the URLs and pass them to httpClient when I make a request. – Raikho Sep 28 '22 at 15:13
  • Before I tried to move my website to https, everything worked fine on http. But now my client is on https, and I have an issue (Mixed Content: The page at was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint . This request has been blocked; the content must be served over HTTPS.) if I try to request an http endpoint. So I also tried to get a certificate for all my aspnetcore APIs, and that went well. But it was a self-signed cert => doesn't work. Should I add all my API containers to Nginx? I really don't know how to deal with this problem now. – Raikho Sep 28 '22 at 17:48
  • You have to proxy connections to your API through nginx too; it will handle the TLS stuff, and for local connections it does not matter that it is just http (as an upstream). – IamK Sep 28 '22 at 17:51

1 Answer

0

Proxy all your traffic through nginx and set the API as an upstream.

Example nginx config (add your already working TLS config to this):

```nginx
worker_processes 1;

events { worker_connections 1024; }

http {

    sendfile on;

    # The API container, reached over plain HTTP on the Docker network
    upstream web-api {
        server mydotnetapi:80;
    }

    server {
        listen 80;
        server_name example.com;

        # Requests under /symbiosisapi/ are forwarded to the API; the trailing
        # slash on proxy_pass replaces the /symbiosisapi/ prefix with /
        location /symbiosisapi/ {
            proxy_pass         http://web-api/;
            proxy_redirect     off;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection keep-alive;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   X-Forwarded-Host $server_name;
        }

        # Everything else is served as static files
        location / {
            autoindex on;
            root  /home/www-data/mysite;
        }
    }
}
```

If someone hits the / location, they will receive the static stuff, and if someone hits the /api location, the requests will be forwarded to your dotnet API. Nginx will handle all the TLS. Change mydotnetapi to the container name you set up in your compose file.

IamK
  • Thank you so much @C1sc0! I will try your solution today, and I will get back to you. – Raikho Sep 29 '22 at 10:24
  • Hi @C1sc0! I am coming back to you with news. :) I tried your solution, but I get a 404 not found now. I don't understand why. I just wrote the container's API id in a stream like in your example, and added it into a location in the server. To be precise, I have a Letsencrypt certificate and a server listening on 443 with SSL config. Any idea? Thank you so much for your help. – Raikho Oct 06 '22 at 09:06
  • Hi @Raikho did you succeed? – IamK Oct 06 '22 at 09:08
  • I think yes. I'll give you the link to my website if you want to check it, maybe? https://symbiosis.ovh/ – Raikho Oct 06 '22 at 09:19
  • As you can see, if you try to connect (a wrong name and password is fine for the test), you can see a 404 not found when my client tries to request my API. – Raikho Oct 06 '22 at 09:20
  • The client is served through the same nginx server? – IamK Oct 06 '22 at 09:22
  • I mean, I succeeded in linking my static Angular frontend to nginx with SSL. But my aspnetcore API doesn't work at the moment. – Raikho Oct 06 '22 at 09:22
  • Yes, the client and API are in the same server in nginx. Is that a problem? – Raikho Oct 06 '22 at 09:23
  • I c, `https://symbiosis.ovh/symbiosisapi/Login/Connexion` this path is the right one? (on your localhost this looks the same - except the domain) – IamK Oct 06 '22 at 09:23
  • As in your example in this topic. – Raikho Oct 06 '22 at 09:24
  • I see the problem: in the config that I sent you, the line `location /api` tells nginx which path to forward to your API, so change this to `location /symbiosisapi` – IamK Oct 06 '22 at 09:25
  • Yes the path is the right one. – Raikho Oct 06 '22 at 09:25
  • For details : - https://symbiosis.ovh = my domain - /symbiosisapi = nginx location - /Login/Connexion = api endpoint (controller + endpoint) – Raikho Oct 06 '22 at 09:25
  • And as I mentioned, all are in different containers (nginx/angular/aspnetcore api). So in the upstream I write a proxy_pass => mycontainerIP:PORT – Raikho Oct 06 '22 at 09:29
  • Change `proxy_pass http://web-api;` this line to `proxy_pass http://web-api/;` with a trailing slash – IamK Oct 06 '22 at 09:31
  • 1
    Oh ok!! That sounds good. I will try that at midday and come back to you. Thank you! – Raikho Oct 06 '22 at 09:32
  • I've updated my answer (see the location part `location /symbiosisapi/` and `proxy_pass http://web-api/;`); that way your API will get `https://symbiosis.ovh/Login/Connexion` (without the `symbiosisapi`) – IamK Oct 06 '22 at 09:45
  • Ok, and what should my URL look like in Angular? Still "ht tps://symbiosis.ovh/symbiosisapi/Login/Connexion" or "ht tps://symbiosis.ovh/Login/Connexion"? – Raikho Oct 06 '22 at 10:01
  • yes, symbiosis.ovh/symbiosisapi/Login/Connexion – IamK Oct 06 '22 at 10:01
  • 1
    Ok, perfect! Thank you so much C1sc0!!! I will report back with the results of my tests. – Raikho Oct 06 '22 at 10:02
  • Hi @C1sc0! I don't know if you are still here or not, but I have a question. In fact, I have another pgAdmin container and I get a 502 bad gateway from Nginx. I defined an upstream with the pgAdmin container IP + port in nginx. And I also defined a location for this upstream like this: location /pgadmin { } Do you have an idea? – Raikho Oct 12 '22 at 09:13
  • Hi, and all containers are on the same bridge network? – IamK Oct 12 '22 at 21:09
  • Yes ! All are on the same network and all containers work fine. – Raikho Oct 13 '22 at 00:02
  • I created a new topic here earlier (for more details): https://stackoverflow.com/questions/74045795/nginx-pgadmin-docker-502-bad-gateway?noredirect=1#comment130742047_74045795 – Raikho Oct 13 '22 at 00:04
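The 404 worked through in the comments above comes down to how nginx maps a request path onto the upstream when `location` and `proxy_pass` do or do not end in a slash. The following is an added example, not code from the answer or from nginx: a simplified Python model of that mapping for prefix locations only (no regex locations, rewrites or variables in `proxy_pass`), where `upstream_uri`, `route` and the `VARIANTS` table are hypothetical names constructed for illustration.

```python
from urllib.parse import urlsplit

def upstream_uri(location, proxy_pass, request_uri):
    """URI a prefix `location` sends upstream, or None if it does not match.

    Simplified model: no regex locations, rewrites or variables in proxy_pass.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        return None
    # Anything after host[:port] in proxy_pass, even a lone "/", is a URI part.
    pass_path = urlsplit(proxy_pass).path
    if pass_path:
        # With a URI part, the matched location prefix is replaced by it.
        path = pass_path + path[len(location):]
    # Without one, the request URI is passed through unchanged.
    return path + sep + query

def route(locations, request_uri):
    """Pick the longest matching prefix location.

    `locations` maps prefix -> proxy_pass URL, or None for static files.
    Returns (matched_prefix, upstream_uri or None).
    """
    path = request_uri.partition("?")[0]
    matches = [p for p in locations if path.startswith(p)]
    if not matches:
        return None, None
    best = max(matches, key=len)
    target = locations[best]
    if target is None:
        return best, None
    return best, upstream_uri(best, target, request_uri)

# Constructed variants of the config from the thread; "/" serves static files.
REQUEST = "/symbiosisapi/Login/Connexion"
VARIANTS = {
    "location /api + proxy_pass http://web-api":
        {"/": None, "/api": "http://web-api"},
    "location /symbiosisapi + proxy_pass http://web-api":
        {"/": None, "/symbiosisapi": "http://web-api"},
    "location /symbiosisapi + proxy_pass http://web-api/":
        {"/": None, "/symbiosisapi": "http://web-api/"},
    "location /symbiosisapi/ + proxy_pass http://web-api/":
        {"/": None, "/symbiosisapi/": "http://web-api/"},
}

if __name__ == "__main__":
    for name, locations in VARIANTS.items():
        print(f"{name:55} -> {route(locations, REQUEST)}")
```

Only the last variant hands the API the path it actually routes (`/Login/Connexion`); the first never reaches the API at all, and the third produces a double slash.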