Support for Lets Encrypt for TLS termination #110
@natemcmaster is a former team member and we're well aware of that project. It seems to be going well and should already work with this project. Is there something specific it needs from us?

It's a great project but needs some work to make it actually usable. If you can help him get these across the line, we'd all appreciate it.

Step 1: Add a LetsEncrypt sample to this repo for experimentation purposes.

Contributions to my project always welcome! Feel free to reach out on GitHub or Twitter if you're interested in helping.

From: natemcmaster/LettuceEncrypt#50 The existing Kestrel integration should work with YARP today. The biggest question in my mind is what happens in YARP's pre-built exe scenario (not started yet).

Related work: dotnet/aspnetcore#4712
Any plans to add this in the future? What is required to add this feature to YARP?

@MarioGK which part are you referring to? Are you missing any specific functionality? https://github.com/natemcmaster/LettuceEncrypt can be used together with YARP already.

@MihaZupan Oh my bad, I did not know that there was an updated branch of LettuceEncrypt, I just looked at the old branch. Thanks for helping and sorry for my blunder.

Like many people, I'm keen to replace nginx with Yarp. I've looked through all of the documentation and searched open and closed issues and it's obvious I do not understand something fundamental here. Particularly, I do not understand the phrase "https://github.com/natemcmaster/LettuceEncrypt can be used together with YARP already." In my nginx configuration, which uses Let's Encrypt (managed by certbot), the certificate files are explicitly named. Nginx handles the https communication and the destination app listens only on http, on a port not open to the world. I understand that LettuceEncrypt will essentially perform the same job as certbot. What I do not understand is how to plug LettuceEncrypt into Yarp. My assumption for this to be possible is that Yarp itself is running in Kestrel, but if that is true I can't see any Kestrel configuration in the Yarp examples. The alternative is that what is implied here is that I plug LettuceEncrypt into my destination service, but if that is true the documentation of Yarp's capabilities is at best misleading. I realise that since most of the replies to questions like this suggest that the answer is obvious, it must be me that is missing the obvious connection here, so I apologise to anyone whose time I have wasted.
You could use YARP in the same way as nginx, doing TLS from the client to YARP and then private http communication from YARP to the backend. YARP is indeed using Kestrel, and is implemented as ASP.NET middleware, which is why the samples start with the blank ASP.NET Core template. In your YARP project, you can use other middleware exactly the same as you would for a website or webAPI. Assuming you're using a .NET 5 style project, your startup.cs would look like:

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

namespace BasicYARPSample
{
    // Sets up the ASP.NET application with the reverse proxy enabled.
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            // Default configuration comes from AppSettings.json file in project/output
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add capabilities to
        // the web application via services in the DI container.
        public void ConfigureServices(IServiceCollection services)
        {
            /******************************************************************
             *
             * Change for Let's Encrypt support
             *
             */
            services.AddLettuceEncrypt();

            // Add the reverse proxy capability to the server
            var proxyBuilder = services.AddReverseProxy();
            // Initialize the reverse proxy from the "ReverseProxy" section of configuration
            proxyBuilder.LoadFromConfig(Configuration.GetSection("ReverseProxy"));
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request
        // pipeline that handles requests
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            // Enable endpoint routing, required for the reverse proxy
            app.UseRouting();

            // Register the reverse proxy routes
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapReverseProxy();
            });
        }
    }
}
```

And the config section for LettuceEncrypt would be a peer to ReverseProxy in the JSON:

```json
{
  // Base URLs the server listens on, must be configured independently of the routes below.
  // Can also be configured via Kestrel/Endpoints, see https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/endpoints
  "Urls": "http://localhost:5000;https://localhost:5001",

  // Sets the logging level for ASP.NET
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      // Uncomment to hide diagnostic messages from runtime and proxy
      // "Microsoft": "Warning",
      // "Yarp" : "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },

  "ReverseProxy": {
    // Routes tell the proxy which requests to forward
    "Routes": { ... },
    // Clusters tell the proxy where and how to forward requests
    "Clusters": { ... }
  },

  "LettuceEncrypt": {
    // Set this to automatically accept the terms of service of your certificate authority.
    // If you don't set this in config, you will need to press "y" whenever the application starts
    "AcceptTermsOfService": true,
    // You must specify at least one domain name
    "DomainNames": [ "example.com", "www.example.com" ],
    // You must specify an email address to register with the certificate authority
    "EmailAddress": "it-admin@example.com"
  }
}
```

As far as Let's Encrypt is concerned, YARP is the front end in this case. The fact that YARP will be forwarding requests is an implementation detail.
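A fuller `appsettings.json` for the nginx-replacement layout discussed above (TLS terminated at YARP, plain HTTP to a backend that is not reachable from outside), added here as an example; it is not taken from the thread or from the YARP or LettuceEncrypt projects. The route, cluster and destination names, the backend address `127.0.0.1:8080` and the listening ports are assumptions, and it relies on LettuceEncrypt supplying the certificate for the Kestrel HTTPS endpoint, as the reply above says the Kestrel integration does.

```json
{
  "Kestrel": {
    "Endpoints": {
      // Plain HTTP on 80 is kept open because Let's Encrypt delivers the HTTP-01
      // challenge over it; HTTPS on 443 names no certificate file, the certificate
      // is obtained and renewed by LettuceEncrypt (assumed behaviour of its Kestrel integration).
      "Http": { "Url": "http://*:80" },
      "Https": { "Url": "https://*:443" }
    }
  },

  "ReverseProxy": {
    "Routes": {
      // Hypothetical route: everything reaching the proxy is forwarded to the "backend" cluster
      "all": {
        "ClusterId": "backend",
        "Match": { "Path": "{**catch-all}" }
      }
    },
    "Clusters": {
      "backend": {
        "Destinations": {
          // Hypothetical destination: the application listens on plain HTTP bound to
          // loopback only, so the only internet-facing listener is YARP's TLS endpoint
          "app": { "Address": "http://127.0.0.1:8080/" }
        }
      }
    }
  },

  "LettuceEncrypt": {
    "AcceptTermsOfService": true,
    "DomainNames": [ "example.com", "www.example.com" ],
    "EmailAddress": "it-admin@example.com"
  }
}
```

Compared with the certbot-plus-nginx layout, no certificate path appears anywhere: the certificate lives with the proxy process, and the backend never handles TLS. Because the backend only sees plain HTTP from the proxy, it learns the original scheme and client address from the `X-Forwarded-*` headers YARP adds by default, and should trust those headers only when the request arrived from the proxy host.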
Thank you so much for explaining - that's cleared it up and I have it all working nicely.
Let's doc and/or add a sample.
Triage: We need good E2E docs -- based on #110 (comment) above. |
LettuceEncrypt still does not have wildcard domain support. Any plans to add that also? |
What should we add or change to make your life better?
Most reverse proxies out there support Lets Encrypt. @natemcmaster runs https://github.com/natemcmaster/LetsEncrypt which is trying to add LetsEncrypt support to ASP.NET Core. Please help him finish, so it can also be used on this project.
Why is this important to you?
A reverse proxy without TLS termination is not very useful. Lets Encrypt is a great choice for TLS, being free, secure and automated.