I want to be able to develop locally using a custom domain and ssl rather than localhost.
How can I setup a custom domain + ssl in VS Solution instead of localhost?
Simple Setup - Using Server URLs
If you want to associate your server to use all the IP addresses assigned to the server/web host then you can do this:
var host = new WebHostBuilder()
.UseUrls("http://*:80", "http://localhost")
.UseKestrel()
.UseIISIntegration()
.Build();
Note: If you don't want all IP addresses, then you can change from http://* to a specific IP address such as http://111.111.111.111. Also, the port is not a requirement, but I have used it for completeness of the answer. It's also important to note that SSL won't work with UseUrls
There is a great amount of additional detail that you can find over at the official Microsoft Docs about Server URLs here.
Binding SSL Certifications (Kestrel Only) -- Endpoint Configuration
Please note that hosting over a public endpoint via Kestrel (even with SSL) is not recommended and you should use a reverse proxy like Nginx or IIS. You can read more about it from the official Microsoft Docs here.
You didn't mention if you were using Kestrel or not, but I will assume you are... In which case, you can configure an SSL certificate easily by binding sockets using the options.
Here is an example of using TCP sockets using the Listen method:
public static void Main(string[] args)
{
BuildWebHost(args).Run();
}
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseStartup<Startup>()
.UseKestrel(options =>
{
options.Listen(IPAddress.Loopback, 5000);
options.Listen(IPAddress.Loopback, 5001, listenOptions =>
{
listenOptions.UseHttps("testCert.pfx", "testPassword");
});
})
.UseIISIntegration() // <-- don't forget you will need this for IIS!
.Build();
Note: That if you use both the Listen method and UseUrls, the Listen endpoints override the UseUrls endpoints.
You can find more info here at the official Microsoft Docs.
Configuring IISExpress
Using the GUI
You can right-click the project and click [Properties].
Using launchSettings.json.
You have to configure this using the launchSettings.json which you can find here:
"iisSettings": {
"windowsAuthentication": false,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:61471/",
"sslPort": 44360
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"launchUrl": "https://localhost:44360",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
Configuring IIS Endpoints
If you use IIS, the URL bindings for IIS override any bindings that you set by calling either Listen or UseUrls. For more information, see Introduction to ASP.NET Core Module.
For .net core, to setup a custom domain:
Add domain to the hosts file, something like www.yourapp.local
find the solution /.vs/applicationhost.config
Add binding e.g.:
In the web project properties > Debug add the App Url to "http://www.yourapp.local:51791/"
(replace port number as required)
For SSL, I assume you can set the above bindings and settings to https and in the web app properties > Debug tick the "Enable SSL" checkbox.
also see this answer: How to enable SSL for IIS Express in VS2015
If you're fine with the certificate validation error in your browser (or whatever client you use), you can put an entry in your hosts file:
www.yourcustomdomain.com 127.0.0.1 (or ::1 if you're on IPv6)
and then use the custom domain to reach your web site locally.
In Windows the hosts file is usually located at C:\Windows\System32\drivers\etc.
First, add an entry in the client's C:\Windows\System32\drivers\etc\hosts text file. Follow instructions in the hosts file itself.
By "develop locally" do you mean on the local machine or local network? If the latter, you must complete the following tasks (in any order).
Generate as described here and configure as described here a certificate on the server, and install it on the client.
Configure the firewall to allow access to your web API as described here.
Bind your web API to a non-localhost URL as described here and here.
I'm not sure off hand, but to get it working with IIS Express you might also need to run netsh http add urlacl as described here and here.
Some of the above links are specific to IIS Express since that's what you asked about. If using Kestrel, then vary the above tasks as follows.
To configure your certificate on the server, add this to appsettings.json:
"Kestrel": {
"Certificates": {
"Default": {
"Subject": "api.mycustomdomain.com",
"Store": "My",
"AllowInvalid": true
}
}
}
To bind your web API to a non-localhost URL, in launchSettings.json's Kestrel profile, replace the localhost part of applicationUrl's value with 0.0.0.0.
Related
I have made a web app using Blazor and now i want to host in my server with a free .ml domain. But service-worker.js not running without a secure connection. It is a free domain so i don't want to pay for a certificate.
Use SSL option in the project property is unchecked in all projects.
I couldn't find any information about this online.
Can i force to use http ?
Thanks
SSL Error
As far as I know, Service worker requires https except the localhost to work. Both the third-party certificate and the self-signed certificate is ok as long as we established the certificate trust relationship between the client-side and the server-side properly(for exchanging the public key of certificate).
https://developers.google.com/web/fundamentals/primers/service-workers/
For free SSL certificate,
https://geekflare.com/free-ssl-tls-certificate/
For self-signed certificate,
https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
Here is an example of using a self-signed certificate.
Can you use a service worker with a self-signed certificate?
Feel free to let me know if there is anything I can help with.
To use HTTP in a Blazor app, in Program.cs remove UseHsts() and
UseHttpsRedirection() if present:
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for
production scenarios, see https://aka.ms/aspnetcore-hsts.
// app.UseHsts();
}
//app.UseHttpsRedirection();
In launchSettings.json make sure there is only an HTTP URL:
"profiles": {
"Dashboard": {
"commandName": "Project",
"dotnetRunMessages": true,
"launchBrowser": true,
"applicationUrl": "http://10.72.11.110:5238",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},
I would like to know if it is possible to use the OpenResty OIDC module as an authentication proxy within an NGINX stream configuration.
(I don't have acccess to NGINX Plus unfortunately)
I have used NGINX with Stream configurations in the past to proxy access to upstream tcp resources and it works like a charm.
I am currently looking at implementing an OIDC proxy in front of various resources, both static html and dynamic apps, because we have an in-house OIDC IDAM provider. I came across OpenResty, and in particular the lua-resty-oidc module, and thanks to some wonderful guides, (https://medium.com/#technospace/nginx-as-an-openid-connect-rp-with-wso2-identity-server-part-1-b9a63f9bef0a , https://developers.redhat.com/blog/2018/10/08/configuring-nginx-keycloak-oauth-oidc/ ), I got this working in no time for static pages, using an http server nginx config.
I can't get it working for stream configurations though. It looks like the stream module is enabled as standard for OpenResty, but from digging around I don't think the 'access_by_lua_block' function is allowed in the stream context.
This may simply not be supported, which is fair enough when begging off other people's great work, but I wondered if there was any intention to include suport within OpenResty / lua-resty-oidc in the future, or whether anyone knew of a good workaround.
This was my naive attempt to get it working but the server complains about the
'access_by_lua_block' command at run time.
2019/08/22 08:20:44 [emerg] 1#1: "access_by_lua_block" directive is not allowed here in /usr/local/openresty/nginx/conf/nginx.conf:49
nginx: [emerg] "access_by_lua_block" directive is not allowed here in /usr/local/openresty/nginx/conf/nginx.conf:49
events {
worker_connections 1024;
}
stream {
lua_package_path "/usr/local/openresty/?.lua;;";
resolver 168.63.129.16;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;
upstream geyser {
server geyser-api.com:3838;
}
server {
listen 443 ssl;
ssl_certificate /usr/local/openresty/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/openresty/nginx/ssl/nginx.key;
access_by_lua_block {
local opts = {
redirect_uri_path = "/redirect_uri",
discovery = "https://oidc.provider/discovery",
client_id = "XXXXXXXXXXX",
client_secret = "XXXXXXXXXXX",
ssl_verify = "no",
scope = "openid",
redirect_uri_scheme = "https",
}
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 500
ngx.say(err)
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
ngx.req.set_header("X-USER", res.id_token.sub)
}
proxy_pass geyser;
}
}
Anyone have any advice?
i don't think that's possible.
However to be sure, you should try creating an issue on the official github
https://github.com/zmartzone/lua-resty-openidc/issues
They helped me solve a similar issue before
Is there any node modules for sailsjs framework to make ssl certificate using let's encrypt?
There is a middleware that enables http->https redirect and also handles the ACME-validation requests from Let's Encrypt. As far as I can tell, it does not actually trigger the renewal, nor writes anything, but I believe that the ACME-scripts handle that as cron-jobs every 3 months or so, allowing you app to just validate automatically when they run. I haven't implemented this myself yet though.
I would also ask you to really consider using CloudFlare or some other SSL-termination service, as that also gives you a lot of other benefits like DDoS protection, some CDN-features etc.
Docs:#sailshq/lifejacket
As has been mentioned, you should consider the best overall solution in terms of CloudFlare or SSL-offload via nginx etc.
However, you can use greenlock-express.js for this to achieve SSL with LetsEncrypt directly within the Sails node environment.
The example below:
Configures an HTTP express app using greenlock on port 80 that handles the
redirects to HTTPS and the LetsEncrypt business logic.
Uses the greenlock SSL configuration to configure the primary Sails app as HTTPS on port 443.
Sample configuration for config/local.js:
// returns an instance of greenlock.js with additional helper methods
var glx = require('greenlock-express').create({
server: 'https://acme-v02.api.letsencrypt.org/directory'
, version: 'draft-11' // Let's Encrypt v2 (ACME v2)
, telemetry: true
, servername: 'domainname.com'
, configDir: '/tmp/acme/'
, email: 'myemail#somewhere.com'
, agreeTos: true
, communityMember: true
, approveDomains: [ 'domainname.com', 'www.domainname.com' ]
, debug: true
});
// handles acme-challenge and redirects to https
require('http').createServer(glx.middleware(require('redirect-https')())).listen(80, function () {
console.log("Listening for ACME http-01 challenges on", this.address());
});
module.exports = {
port: 443,
ssl: true,
http: {
serverOptions: glx.httpsOptions,
},
};
Refer to the greenlock documentation for fine-tuning configuration detail, but the above gets an out-of-the-box LetsEncrypt working with Sails.
Note also, that you may wish to place this configuration in somewhere like config/env/production.js as appropriate.
I have installed api man as defined in
http://www.apiman.io/latest/download.html
I performed following instructions.
mkdir ~/apiman-1.2.5.Final
cd ~/apiman-1.2.5.Final
curl http://download.jboss.org/wildfly/10.0.0.Final/wildfly-10.0.0.Final.zip -o wildfly-10.0.0.Final.zip
curl http://downloads.jboss.org/apiman/1.2.5.Final/apiman-distro-wildfly10-1.2.5.Final-overlay.zip -o apiman-distro-wildfly10-1.2.5.Final-overlay.zip
unzip wildfly-10.0.0.Final.zip
unzip -o apiman-distro-wildfly10-1.2.5.Final-overlay.zip -d wildfly-10.0.0.Final
cd wildfly-10.0.0.Final
./bin/standalone.sh -c standalone-apiman.xml
after this i can login as a admin that is predefined and create organisation, apis and rest.
but at login page New User Registration option is not coming.
here login page snap
How can i get new user register option ? .I am using apache tomcat.
Here is snap what is missing
"Register?New User" option is not coming
Rationale
In our WildFly distributions we use Keycloak for identity management and auth; it's all rolled into a single server including all of apiman's components and Keycloak. However, Keycloak can't run on Tomcat, so by default our Tomcat quickstart just uses tomcat's inbuilt auth mechanisms (which you can configure to use LDAP, JDBC, etc).
So, if you want Keycloak plus apiman, you need to do a little bit of extra work. However, this brings a lot of capabilities, so it's likely worth it for real deployments.
Bear in mind that this is slighly verbose to describe, but actually rather quick to implement.
Naturally, just using the WildFly all-in-one might be less hassle, especially for a quick test :-).
I'll add this to the apiman documentation shortly.
Using Keycloak IDM with apiman on Tomcat
Get Keycloak running
Download Keycloak, and run. Create your administrative user and log in.
Import the apiman Keycloak realm. This is just a demo walkthrough, you'll want to regenerate the keys and secrets for production :-).
For the clients apiman and apimanui, modify your Valid Redirect URIs to be the absolute URLs to your apiman instance(s) (e.g. http://myapiman.url:8080/apimanui/*).
Prepare Tomcat
The generic instructions are available in the Keycloak documentation, but I'll endeavour to provide more specialised config information.
Download and extract keycloak-tomcat8-adapter-dist into the global lib directory of Tomcat.
Modify apiman
Extract apiman.war, apimanui.war, and apiman-gateway-api.war and add the following:
META-INF/context.xml
In apiman.war:
<Context path="/apiman">
<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
In apimanui.war
<Context path="/apimanui">
<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
In apiman-gateway-api.war
<Context path="/apiman-gateway-api">
<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
WEB-INF/keycloak.json
In apiman.war:
{
"realm": "apiman",
"resource": "apiman",
"realm-public-key": "<YOUR REALM'S PUBLIC KEY>",
"auth-server-url": "http://localhost:9080/auth",
"ssl-required": "none",
"use-resource-role-mappings": false,
"enable-cors": true,
"cors-max-age": 1000,
"cors-allowed-methods": "POST, PUT, DELETE, GET",
"bearer-only": false,
"enable-basic-auth": true,
"expose-token": true,
"credentials" : {
"secret" : "<APIMAN SECRET HERE, IF ANY>"
},
"connection-pool-size": 20,
"principal-attribute": "preferred_username"
}
In apimanui.war, config as above, but with:
{
"realm": "apiman",
"resource": "apimanui",
"realm-public-key": "<YOUR REALM'S PUBLIC KEY>",
...
"credentials" : {
"secret" : "<APIMANUI SECRET HERE, IF ANY>"
},
"principal-attribute": "preferred_username"
}
In apiman-gateway-api.war, config as above, but with:
{
"realm": "apiman",
"resource": "apiman-gateway-api",
"realm-public-key": "<YOUR REALM'S PUBLIC KEY>",
...
"credentials" : {
"secret" : "<APIMAN-GATEWAY-API SECRET HERE, IF ANY>"
},
"principal-attribute": "preferred_username"
}
WEB-INF/web.xml
For all of the above, replace the login-config section with:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>apiman</realm-name>
</login-config>
Other issues
You may want to copy over themes (or make your own). It's rather easy, but out of the scope of this response.
if you are using apache tomcat the keycloak web application isn't deployed with the apiman tomcat overlay. Instead the users and passwords are defined in the tomcat/conf/tomcat-users.xml file, there you can include new users, but as far as i know you cant create new users via the apimanui.
In my search to find SSL support, I have looked at the Rikulo Security package, which unfortunately does not support SSL.
If it does not support SSL, it would be nice if the url mapping could define this somehow (similar to how security plugin does it in Grails), and with config parameter for the path of the SSL certificate.
An example of the way it could be configured:
var urlMap = {
"/": home,
"/login": SECURE_CHANNEL(login), // I made this part up
.....
};
new StreamServer(uriMapping: urlMap)
..start(port: 8080);
Has anyone got SSL working with Rikulo Stream?
First, you shall use startSecure():
new StreamServer()
..start(port: 80)
..startSecure(address: "11.22.33.44", port: 443);
Second, the routing map shall be the same, i.e., no special handling.
If you'd like to have different routing map for HTTP and HTTPS, you can start two servers:
new StreamServer(mapping1).start(port: 80);
new StreamServer(mapping2).startSecure(address: "11.22.33.44", port: 443);