问题描述

我正在框架2.2上构建一个asp.net核心Web应用程序，并在Linux应用程序服务计划上的azure应用程序服务上进行托管.

I'm building an asp.net core web application on framework 2.2 and hosting on an azure app service on a linux app service plan.

在我的应用程序内部，我检查 HttpRequest.Scheme .在本地运行时，如果我使用https发出请求，则返回https.在天蓝色上运行时，它返回http.

Inside my application I inspect HttpRequest.Scheme. Running locally this returns https if I make a request using https. Running on azure it returns http.

看来，Azure App Services正在终止SSL连接并代理到我的应用程序. 有没有一种方法可以配置Azure App Services，使https请求可以不修改我的应用程序?或至少 HttpRequest .方案符合原始请求吗?

It appears Azure App Services is terminating the SSL connection and proxying to my app. Is there a way to configure Azure App Services so the https request makes it to my application unmodified? Or at least HttpRequest.Scheme matches the original request?

我已经建立了一个示例诊断页面来显示此行为:

I've built a sample diagnostic page to show this behavior:

var healthStatus = new
{
    Port = context.Request.Host.Port?.ToString() ?? "unknown",
    context.Request.Scheme,
    context.Request.IsHttps,
    Headers = context.Request.Headers.Select(x => $"{x.Key}:{x.Value}").ToArray()
 };

context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(healthStatus));

在VS中进行本地调试:https://localhost:1234/ping:

Debugging in VS Locally: https://localhost:1234/ping:

{
   "Port":1234,
   "Scheme": "https",
   "IsHttps": true,
   "Headers": <standard headers - nothing interesting>
}

部署到Azure App Services:https://appServiceExample.myDomain.com/ping:

Deploying to Azure App Services: https://appServiceExample.myDomain.com/ping:

{
   "Port":"unknown",
   "Scheme": "http",
   "IsHttps": false,
   Headers: [
     // there are several more headers, but only these looked interesting:
     "X-Forwarded-For:195.206.xxx.xxx:6922",
     "X-Forwarded-Proto:https",
     "X-AppService-Proto:https"
    ]
}

一种解决方法:我可以依靠X-AppService-Proto或X-Forwarded-Proto标头解决此问题吗?但这似乎有点hack，因为我宁愿检查原始的传入请求，也不确定这些标头的可靠性.

As a workaround: Could I solve this problem my relying on the X-AppService-Proto or X-Forwarded-Proto header? But this seems a bit of a hack, as I'd rather inspect the original incoming request - and I'm unsure how reliable these headers are.

推荐答案

只需总结您的评论即可.

Just summarize your comment.

Azure应用程序服务前端层终止 TLS通道(又名TLS卸载)，并打开一个新的纯HTTP 连接到您的代码所在的Web Worker.路由由ARR(应用程序请求路由)执行.

The Azure App Service frontend layer TERMINATES the TLS channel (aka TLS offloading) and opens a new plain HTTP connection to your Web Worker, where your code lives. Routing is performed by ARR (Application Request Routing).

因此，从代码的角度来看，每个请求都是"不安全".

Therefore, from the point of view of your code every single request is "insecure".

X-Forwarded-Proto=https提示有关原始请求(到达前端).

X-Forwarded-Proto=https hints about the original request (that hit the frontends).

如果必须进行检查，请改为针对X-ARR-SSL.

If checks have to be made, make them against X-ARR-SSL instead.

有关更多详细信息，您可以参考此 SO线程.

For more details, you could refer to this SO thread.

这篇关于Azure应用服务在应用程序之前终止https?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！