RequireHttpsAttribute with .NETCore RC2 causes HTTP302 redirect loop on Azure

2

1

I've been trying to get a .NETCore RC2 web app working on Azure with the RequireHttpsAttribute set but I'm having issues.

To remove the possibility of this being a problem that I've introduced with my code, I cut things back to the bare minimum and recreated it using the "out of box" VS2015 .NETCore RC2 template.

If I deploy the standard VS2015 .NETCore RC2 web app the site runs fine. If I then add [RequireHttps] to the controllers it works fine locally, but on Azure it causes an HTTP302 redirect loop. This seems to be something which has changed since RC1 since the RequireHttpsAttribute works fine in Azure with RC1.

There is a similar question here: HTTP Error 310 ERR_TOO_MANY_REDIRECTS with RequireHttpsAttribute ASP.NET Core, but it's not clear if the question is talking about RC1 or RC2 (I actually suspect RC2). However, the only answer is only applicable to RC1.

There is a similar question about this attribute causing a redirect loop on AWS here: RequireHttps causes redirect loop on Amazon Elastic Load Balancer but that is MVC4 and also mentions a header which isn't used by Azure.

Any answered 21/6, 2016 at 21:21 Comment(4)
Do you require an HTTP to HTTPS permanent redirection? – Apollo
Kinda. The point of the RequireHttps attribute is that it's an authorisation filter which confirms that requests are received over HTTPS. If not, and it's a GET, it redirects to the HTTPS version of the URI. If it's not a GET then it will return an HTTP403. What's concerning is that this is a standard part of .NET, but it looks like for some reason Azure thinks that HTTPS requests are HTTP and so redirects HTTPS requests to the HTTPS endpoint which causes a redirect loop – Any
Looking at the code for the attribute, it looks like filterContext.HttpContext.Request.IsHttps must be returning false when it should be true – Any
To prove the point, this is the standard Core RC2 template, and I've just added Request.IsHttps, Request.Host.ToString(), Request.Method, Request.Protocol and Request.Scheme to the markup - IsHttps returns false. Request.Scheme returns http even though it is actually https: corerc2httpstest.azurewebsites.net/Home/About – Any
A
3

There's currently a bug in Azure and ASP.NET Core RC2 which relates to how Kestrel and IIS are connected and the HTTPS header that says that it's an HTTPS request or not.

I understand that it might get solved soon on RTM since the bug is marked as Done.

A workaround we did is to use web.config to make a permanent redirect from any HTTP request to HTTPS. We use the dotnet-transform package to insert the redirect on Publish only (so locally on a dev environment it doesn't apply). This is optional if you need it as a FYI.

Apollo answered 22/6, 2016 at 16:34 Comment(1)
Looks like that's the issue... I'll check a bit later and report back! Thanks for the pointers! – Any
I
2

You can work around this by adding the following lines to ConfigureServices in Startup.cs (and add "using Microsoft.AspNetCore.HttpOverrides;")

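    // Honor the X-Forwarded-Proto header so Request.Scheme and Request.IsHttps
    // reflect the scheme of the original client request.
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
    });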
Isoline answered 24/6, 2016 at 18:8 Comment(0)
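
The mechanism behind the loop and the workaround above, as an added example that is not part of the original answers: a self-contained C# simulation of a TLS-terminating front end that forwards plain HTTP to the app. It uses no ASP.NET Core types; every name and the proxy address are constructed, and the header is honored only when the request arrives from the front end, since any client can otherwise send X-Forwarded-Proto itself.

```csharp
using System;
using System.Collections.Generic;

// Constructed simulation; all names are hypothetical, not ASP.NET Core APIs.
static class RedirectLoopDemo
{
    const string TrustedProxy = "10.0.0.1"; // constructed address of the front end

    // What the application sees after the front end has terminated TLS.
    record BackendRequest(string Scheme, string RemoteIp, Dictionary<string, string> Headers);

    // The front end always forwards plain HTTP and records the client's scheme in a header.
    static BackendRequest FrontEnd(string clientScheme) =>
        new("http", TrustedProxy, new() { ["X-Forwarded-Proto"] = clientScheme });

    // Rough model of the forwarded-headers step: restore the scheme, but only when
    // the request really came from the proxy, because clients can forge the header.
    static BackendRequest ApplyForwardedProto(BackendRequest r) =>
        r.RemoteIp == TrustedProxy && r.Headers.TryGetValue("X-Forwarded-Proto", out var proto)
            ? r with { Scheme = proto }
            : r;

    // Rough model of [RequireHttps] for a GET: 302 to https unless the request is seen as https.
    static int RequireHttps(BackendRequest r) => r.Scheme == "https" ? 200 : 302;

    // Follow redirects the way a browser would; return the number of redirects
    // followed before a 200, or -1 if the hop limit is hit (a redirect loop).
    public static int Browse(bool honorForwardedProto, int maxHops = 10)
    {
        var clientScheme = "http";
        for (var hop = 0; hop < maxHops; hop++)
        {
            var request = FrontEnd(clientScheme);
            if (honorForwardedProto) request = ApplyForwardedProto(request);
            if (RequireHttps(request) == 200) return hop;
            clientScheme = "https"; // the 302 Location always points at the https URL
        }
        return -1;
    }

    static void Main()
    {
        Console.WriteLine($"X-Forwarded-Proto ignored: {Browse(false)}");
        Console.WriteLine($"X-Forwarded-Proto honored: {Browse(true)}");
    }
}
```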
