Using only multiple https endpoints with ASP.NET Core (Kestrel) doesn't work - asp.net-core

So we've run into this really weird issue with the URLs on which we want to host our APIs.
We are currently using ASP.NET Core (.NET7) and Kestrel on Windows for self-hosting. We have a certificate and usually everything works as expected.
We typically use the URLs:
"http://abc.ourdomain.com"
"https://abc.ourdomain.com"
this works very well.
If we switch to only use a single:
"https://abc.ourdomain.com"
it works as well.
However, if we switch to only multiple https URLs:
"https://abc.ourdomain.com"
"https://def.ourdomain.com"
none of them works!
Unless we also add a http for either of them:
"http://abc.ourdomain.com"
"https://abc.ourdomain.com"
"https://def.ourdomain.com"
Then they all work!
Which URLs we use are set using:
app.Urls.Add(url)
And we use:
    builder.WebHost.ConfigureKestrel(serverOptions =>
    {
        serverOptions.ConfigureEndpointDefaults(listenOptions =>
        {
            listenOptions.UseHttps(/*cert info*/);
        });
    });
to configure Kestrel.
We've tried with https redirection on and off. No difference.
So basically, to sum up, it seems like we need at least one http endpoint OR only one single https endpoint. This makes no sense.
Can someone explain what is going on?

It turns out that this was just the tip of the iceberg of issues we ran into, coming from .NET Framework 4.8 using OWIN and migrating to .NET7 and ASP.NET Core.
I don't consider this a solution to the problem stated above, we simply never solved it. However when having expectations such as:
those above
being able to host multiple servers on the same port (different URLs)
make it work on older Windows servers (Kestrel only worked on 2022 for us)
use registered certs automatically
etc
then Kestrel simply isn't the way to go. Once we switched to HTTP.sys it all worked like a charm. Sure this makes us bound to Windows, but that is the case for us anyway.
There is some good information on how to set it up and what HTTP.sys provides that Kestrel doesn't here:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-7.0
Please note that I am not suggesting HTTP.sys over Kestrel in general. But it solved our scenario and I hope this info helps others who are trying to do the same upgrade and are stuck!

Related

aspboilerplate multi-tenant configuration using {0}.domain.com format

I downloaded the latest aspboilerplate. In the documentation it lists 3 tenant resolvers.
The documentation asks to add:
Configuration.Modules.AbpWebCommon().MultiTenancy.DomainFormat = "{0}.mydomain.com";
to get domain based tenant resolving.
I am using the hosts file to simulate actual URLs. So, I feel the app config should be something like below (apart from the above code change to the Abp module):
    "App": {
        "ServerRootAddress": "http://server.mydomain.com",
        "ClientRootAddress": "http://{0}.mydomain.com",
        "CorsOrigins": "...."
    },
But the documentation doesn't mention anything related to that. So, I don't think the documentation is complete.
Then in IIS, I have two sites.
API site : server.mydomain.com. Bindings set to server.mydomain.com
Client site : mydomain.com. A new binding will be added such as subdomain.mydomain.com for new tenant(s). So basically in IIS for client site there can be many bindings with different subdomains portion, but pointing to the same site.
Then I ran the API site xxxx.web.host.exe. I assume it should pick the correct URLs to listen to from appsettings. But it doesn't. It shows:
Now listening on: http://localhost:5000
And I am not sure where it's coming from since there is no reference to that in code.
How can I get this properly configured to run on IIS with subdomain based tenant resolver?
The actual issue(s) were outside of what I had thought. In brief:
https://edi.wang/post/2018/12/27/path-caveat-with-aspnet-core-22-iis-hosting is one issue which crashed the app at the very beginning. Reason is it was loading log4net config file at Startup() and because of the way asp.net core 2.2 works, in IIS inproc mode it can't find the file.
https://weblog.west-wind.com/posts/2019/Mar/16/ASPNET-Core-Hosting-on-IIS-with-ASPNET-Core-22 this helped a lot to understand and tackle the issue.
Make sure you don't mix 32-bit and 64-bit when hosting in IIS.

Domain URL masking

I am currently hosting the contents of a site with ProviderA. I have a domain registered with ProviderB. I want users to access the contents (www.providerA.com/sub/content) by visiting www.providerB.com. A domain forward is easy enough and works as intended, however, unless I embed the site in a frame (which is a big no-no), the actual URL reads www.providerA.com/sub/content despite the user inputting www.providerB.com.
I really need a solution for this. A domain masking without the use of a frame. I'm sure this has been done before. An .htaccess domain rewrite?
Your help would be hugely appreciated! I'm going nuts trying to find a solution.
For Apache
Usual way: set up mod_proxy. The Apache on providerB becomes a client to providerA's Apache. It gets the content and sends it back to the client.
But looks like you only have .htaccess. So no proxy, you need full configuration access for that.
So you cannot, see: How to set up proxy in .htaccess
If you have PHP on providerB
Set up a proxy written in PHP. All requests to providerB are intercepted by that PHP proxy. It gets the content from providerA and sends it back. So it does the same thing as the Apache module. However, depending on the quality of the implementation, it might fail on some requests, types, sizes, timeouts, ...
Search for "php proxy" on the web, you will see a couple available on GitHub and others. YMMV as to how difficult it is to set up, and the reliability.
No PHP but some other server side language
Obviously that could be done in another language, I checked PHP because that is what I use the most.
The best solution would be to transfer the content to providerB :-)

how to turn off ssl check in Authlib

I'm using authlib in my project. I have a local IDP setup using http atm.
For testing, this code is blocking me because my dev environment is http.
https://github.com/lepture/authlib/blob/master/authlib/client/oauth2.py#L155
I can carry on by commenting out the line. But I think having a way to turn off the https check is neater.
So, does anyone know a way to turn off the https check in Authlib?
It can be solved by setting an environment:
AUTHLIB_INSECURE_TRANSPORT=true
This is not documented on client sections, it is documented on the server parts like https://docs.authlib.org/en/latest/flask/oauth2.html
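An added example, not part of the original answer and not Authlib code: an environment variable is process-wide, so this sketch sets AUTHLIB_INSECURE_TRANSPORT only when the IdP is plain HTTP on a loopback address in a development environment, and refuses otherwise. The function names, the `app_env` value "development" and the URLs used with it are assumptions made for illustration.

```python
import ipaddress
import os
from urllib.parse import urlsplit

ENV_VAR = "AUTHLIB_INSECURE_TRANSPORT"  # variable name taken from the answer above


def is_loopback_host(host):
    """True for 'localhost' or a literal loopback IP (127.0.0.0/8, ::1)."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as non-local


def configure_transport_check(idp_url, app_env, environ=os.environ):
    """Set ENV_VAR only for a plain-HTTP IdP on loopback in development.

    Returns True if the variable was set, False if the IdP already uses
    HTTPS (the variable is then removed so the check stays on).
    Raises RuntimeError when plain HTTP is requested anywhere else.
    app_env is a hypothetical deployment label supplied by the caller.
    """
    parts = urlsplit(idp_url)
    if parts.scheme == "https":
        environ.pop(ENV_VAR, None)
        return False
    if parts.scheme != "http":
        raise RuntimeError(f"unsupported IdP scheme: {parts.scheme!r}")
    if app_env != "development":
        raise RuntimeError("plain-HTTP IdP is only allowed in development")
    if not is_loopback_host(parts.hostname):
        raise RuntimeError(f"plain-HTTP IdP must be on loopback: {parts.hostname!r}")
    environ[ENV_VAR] = "true"
    return True
```

Call it once at startup, before any OAuth client is created, so a stale value left in the environment is cleared when the IdP is already on HTTPS.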

auth_tkt for nginx?

I'm looking for a mod_auth_tkt for Nginx? I have multiple applications using auth_tkt compatible cookies and would like to have SSO. I don't want to use apache2 mod_auth_tkt, since I have nginx already running. Is there an auth_tkt compatible module for nginx?
I came across this challenge today (multi-domain SSO using Nginx), so I suppose an answer is better late than never.
I was coming from having used auth_tkt with Apache2.
Ultimately I ended up with an implementation of Pubcookie, for which somebody wrote and documented an Nginx module.
The setup is very similar:
A CGI script intercepts the request and performs login procedure for the user using whatever mechanism is configured
Upon successful authentication:
a. A cookie is set on the enterprise_domain
b. User is redirected to the originally requested resources
Some warning though, I had to hack the source a fair bit for pubcookie and the nginx module to get it to work with non-SSL sites - it seems to have been written with SSL as a fixed assumption.

How do I cache WCF REST web service in IIS7?

When I turn on output caching for my service it doesn't appear to be cache-worthy in IIS. It really should be since I'm returning the same JSON content over and over. The varyByQueryString option seems like it would do the trick, but since my resources are URI based, there really isn't a query string, just a path to a resource. Has anyone successfully gotten IIS to output cache a WCF REST service?
After much digging using the FREB logs in IIS, my service is in fact cache-worthy. You can listen to the Cache events in IIS and it will show you exactly what is and is not caching. I found this more helpful than using PerfMon. I used the following link to set it up. Output caching will work and will in fact serve your content right out of memory after things get warmed up.