-
Notifications
You must be signed in to change notification settings - Fork 25.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docs for UseForwardedHeaders, working with reverse proxies and load balancers #2384
Comments
@Tratcher Please clarify the ask and outline the solution. |
Most sites are hosted behind a reverse proxy, especially our recommended configurations using IIS/ANCM or NGinx. When the request is being proxied some information may be lost like the original scheme (http/https), the client IP address, etc.. You may need these values to properly generate links, evaluate polices, geolocate clients, etc.. There is a convention for the proxies to forward these values as HTTP headers (x-forwarded-*). The UseForwardedHeaders middleware reads these headers and fills in the associated fields on HttpContext. UseForwardedHeaders has pretty complicated settings due to trust concerns with these forwarded headers (e.g. spoofing). Explain how the middleware works overall and each of the settings. UseForwardedHeaders is enabled by default by UseIISIntegration, but with a very restricted configuration specific to ANCM. |
@Tratcher if UseIISIntegration is not enabled and/or IIS is not used (i.e. nginx, apache, etc) it is important to not only have the reverse proxy setup properly for forwarding the requests and headers, but to also add the UseForwardedHeaders middleware. Is that what you are asking here to document? and is more that the following needed:
|
@spboyer yes that's part of it. There are several other settings related to identifying/trusting the proxies. You also need to make sure your reverse proxy is adding the headers. |
https://docs.microsoft.com/en-us/aspnet/core/publishing/linuxproduction captures the nginx specific scenario. |
@Tratcher so are you looking for a specific document targeted at just the setting for UseForwardedHeaders?
|
Not quite. We need to explain the end-to-end scenarios and how the various UseForwardedHeaders settings apply (e.g. IIS+ANCM, Nginx, multiple proxies, etc.). |
We had some problems with forwarding and lost 2 days due to this. It would be nice to mention in the documentation that only headers for KnownProxies / KnownNetworks are taken into account and that the default is only IPAddress.IPv6Loopback / IPAddress.IPLoopback. So changing forwarding limit has basically no effect without modifying KnownProxies / KnownNetworks. And the right way to setup forwarding when there is Proxy -> IIS -> ASPNET situation is:
|
I wanted to pitch in here as I failed to find documentation for what I am doing. I write my nginx configuration in service fabric dynamic from the following code:
and have a few senaries that the UseForwardedHeaders dont cover or I am missing documentation on how to make it work.
basically I have to run the following also to make it work
To update the protocol in those cases where nginx do the ssl offloading and the backend app just uses http. And to set the PathBase, for those cases when nginx has removed part of the path when passing the request forward. If UseForwardedHeaders can do this already, how do i do it? |
X-forwarded-proto support is built in, but it maps to scheme, not protocol (http/1.1). With PathBase make sure you're creating your PathString with the unescaped value. |
thanks for the added info. i will try a few thing then to find out why my identity server generates wrong urls. https://www.earthml.com/identity/.well-known/openid-configuration (the urls it generate should also be https ) |
Can you log your headers as received by the app? The middleware is pretty strict. |
Ye, i am off for a few hours- then i will try to log out some requests to see what actually happens. Thanks for helping |
Here are the headers.
|
You have it set to ForwardedHeaders.All, but you don't have an x-Forwarded-For header, so it freaks out and won't process Proto either. Scope it down to just the header you need. |
@pksorensen would you be willing to draft the document for this issue? |
@Rick-Anderson Sure, not sure what exactly that means and what I should do :) The problem was resolved based on @Tratcher comment, about changing @Tratcher Is it ideal that it is this strict? Since the config lays within the application, meaning that if the guy responsible for the nginx setup changes the config, the the app breaks. Worth considering to use thoes headers present when set to all? |
We have an open bug for relaxing some of the defaults to make it easier to use (aspnet/BasicMiddleware#190). However, we still need a writeup explaining the usage scenarios. See #2384 (comment) |
@OsmondJiang Thanks! I applied @nrandell Solution:
I spent one day trying to solve this issue, the documentation should be more clear or at least do not add default values to Thanks!!! |
@Tratcher Can you specify what, if anything, from #2384 (comment) that you'd like me to address in the topic? I'm a bit worried about clearing networks/proxies given the guidance on header spoofing. |
Yeah, clearing isn't an acceptable answer either. You need to actually supply a new value or your app is vulnerable to spoofed requests. |
I think what would be really useful for people is to explain how to do this in various scenarios. So for my example where the debug message said Making it obvious how some of these scenarios work would make things a lot easier. I'm sure there are some standard scenarios, such as Azure app service running docker containers on Linux that would benefit from some of these examples. I'm pretty sure I've copied and pasted the clearing of Is header spoofing really possible if you are sitting on an azure app service (I'm sure I will regret writing this comment …) |
For important fields like x-forwarded-XXX you always need to assume spoofing is possible and guard against it. Yes the risk varies by environment, but it never goes away. |
Isn't there a design issue in "examples" for "standard scenarios"? Do you want to change your application code and rebuild when you switch the hosting environment? Say from Azure to a local server, or whatever. Do you even have the code for all web apps you run? I feel these things should be covered by the hosting environment in a way that doesn't require code changes. |
They should certainly be extracted to config to facilitate environment portability. |
Hi @Tratcher My nginx reverse proxy Ipaddress is: I really want to have configured it in a proper way, what I'm doing wrong? |
Your debug output said the reverse proxy address was |
Now, that might be something documentable:tm:. |
@v1ct0rv please read my post above search for ::ffff: this was explained 4 months ago.. |
Hi All, I finally get working my app, the configuration at the end is:
I think this should be documented on the official documentation, not always we deploy the reverse proxy in the same server, about the ipv6 this should be documented too. Thanks for you help. |
@guardrex you got this? |
Yes, I'll open an issue.
We're going for that ☝️ coverage. Anything else? |
And general discussion around setting KnownNetworks/Proxies. #2384 (comment) |
With due respect, this API is the pit of failure. If you call If you call I would suggest this needs improvement at the API level. If this isn't the appropriate repository, I'm happy to do the legwork of logging additional issues in the correct location. |
@mattnewell Thanks for the feedback! The preferred repo for feedback on the |
This keeps hunting me. I want to get my X-Forwarded-For to work (disabled it long time ago to get thigns working). But when i add it things break again due to ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto not being mappend if somehting going wrong. Reading other comments, its properly something to do with those knownproxies settings. So is there a way to identify from my setup what the correct setttings is supposed to be? Should i add these ips to the known proxies list? |
Comments on closed issues are not tracked, please open a new issue with the details for your scenario. |
Stupid question, because I see this comment a lot: What does that mean “not tracked”? Somebody does get notifications. |
Notifications are the lowest form of tracking, we may or may not notice them in the flood. Open issues get regularly reviewed, put in milestones, assigned, etc.. |
To sum up the 90+ comments here: // In the Configure function in Startup.cs
// Add the ForwardedHeadersOptions that you want.
// By default the options are empty, so you MUST specify what you want.
var options = new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};
// Clear the forward headers networks so any ip can forward headers
// Should ONLY do this in dev/testing
// options.KnownNetworks.Clear();
// options.KnownProxies.Clear();
// For security you should limit the networks that can forward headers
// Adding a network with a mask
options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("::ffff:111.12.0.0"), 16));
// OR Adding specific ips
options.KnownProxies.Add(IPAddress.Parse("::ffff:10.0.1.2"));
options.KnownProxies.Add(IPAddress.Parse("::ffff:10.0.1.3"));
app.UseForwardedHeaders(options); |
@jondmcelroy the IPv6 restriction no longer applies in 2.2. Clearing the networks and proxies is strongly discouraged. |
@Tratcher strongly discouraged may not be sufficient. You should never ever ever ever consider doing it ;-) |
key point here that f'ed me over: #2384 (comment)
Do NOT use Edit I also ran into the
I'm not sure what the right answer is here... there's no way i can/should-have-to know my network ip addresses in advance. Are you really suggesting that we should be modifying these values (via config or otherwise) for every environment we deploy to? |
@andycmaj Please open a new issue using the Content feedback button at the bottom of the Configure ASP.NET Core to work with proxy servers and load balancers topic. |
https://docs.microsoft.com/en-us/aspnet/core/publishing/linuxproduction
aspnet/Security#1070
aspnet/Security#929
aspnet/Security#757
aspnet/Security#853
aspnet/IISIntegration#140
aspnet/Security#1620
aspnet/Security#1702
Enabled by default by UseIISIntegration, but with limited settings (ANCM reverse proxy on loopback)
The text was updated successfully, but these errors were encountered: