How to Deploy ASP.NET with enabled SSL in Linux Container?

The great about .NET 6.0 and ASP.NET 6.0 is the Cross-Platform support. Especially when working with native cloud applications and microservices, it is a valid option to run your application inside Linux container.

The typical bootstrap code of an ASP.NET 6.0 application is:

using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddRazorPages();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios. See https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

//app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

app.UseHttpsRedirection();

app.UseAuthorization();

app.MapRazorPages();

app.Run();

When this code is deployed to the AppService, it will run as expected. You can browse the application by using HTTP and HTTPS. However, in many enterprises, IT decision-makers tend to require hosting the application inside the Docker container inside the AppService. In this case, the magic of the AppService is a bit broken, and the SSL termination of the AppService gateway will not work.
Fortunately, this is not a big issue. However, to make it work, the header forwarding needs to be appended:

using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddRazorPages();

var app = builder.Build();

//------------------------------------------------------------------------

//
// Required for Linux on Azure or any other configuration with the proxy or LoadBalancer in front of the application.
var forwardOptions = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost,
    AllowedHosts = new List<string>() { "*"},
    RequireHeaderSymmetry = false
};

forwardOptions.KnownNetworks.Clear();
forwardOptions.KnownProxies.Clear();

app.UseForwardedHeaders(forwardOptions);

//------------------------------------------------------------------------

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios; see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

//app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

app.UseHttpsRedirection();

app.UseAuthorization();

app.MapRazorPages();

app.Run();

Please also note the following line:

AllowedHosts = new List<string>() { "*"},

The line allows any host to be used as a forwarder. So, for example, any endpoint that provides SSL termination will forward your request into the container. This works fine, but it might potentially be a security issue. Therefore, when you host the application behind the Azure Gateway, Azure Front Door or some other Load Balancer, it is recommended to add their endpoint(s) instead of using the wild-card ‘*’. For example:

   AllowedHosts = new List<string>() { "myfrontdorname.azurefd.net"},

comments powered by Disqus