Aspnetcore.docs: Does NOT work behind load balancers

Created on 12 Sep 2019  ·  5 Comments  ·  Source: dotnet/AspNetCore.Docs

I have ASP.NET Core 2.2 deployed on a Kubernetes cluster behind a load balancer. CORS does NOT work behind the load balancer. The client application does not receive the CORS response headers from the server application. Any advice and insight is appreciated.


All 5 comments

Hello @khteh ... You've seen the LB/proxy topic? ... reacted to that guidance?

https://docs.microsoft.com/aspnet/core/host-and-deploy/proxy-load-balancer

Yes, I have seen that and have included the necessary code in Startup.cs but to no avail. This is what I get from curl to a Controller method with the [EnableCors] attribute. Notice that there are no CORS headers in the response:

< HTTP/2 200 
HTTP/2 200 
< date: Sun, 22 Sep 2019 04:45:28 GMT
date: Sun, 22 Sep 2019 04:45:28 GMT
< content-type: application/json; charset=utf-8
content-type: application/json; charset=utf-8
< set-cookie: AWSALB=somestring; Expires=Sun, 29 Sep 2019 04:45:28 GMT; Path=/
set-cookie: AWSALB=somestring; Expires=Sun, 29 Sep 2019 04:45:28 GMT; Path=/
< server: Kestrel
server: Kestrel
< strict-transport-security: max-age=5184000; includeSubDomains; preload
strict-transport-security: max-age=5184000; includeSubDomains; preload

< 
* Connection #0 to host app.biz4x.com left intact
"Ok

Startup.cs:

// In Startup.ConfigureServices:
services.Configure<ForwardedHeadersOptions>(options => options.ForwardedHeaders = ForwardedHeaders.All);
// In Startup.Configure, before other middleware:
app.UseForwardedHeaders();

Is your request coming from a different origin? ... that's a requirement for CORS to work and get the headers.

btw -- We're in a tight spot supporting devs on individual projects. There are only a handful of us here (~3 of us ... working >500 issues ... >300 topics ... >100 samples ... you get the picture :smile: lol), and we're always 🏃😅 on doc issues. I'd like to know what the problem turns out to be because YES! we like to add gotchas so that readers don't run into similar problems with similar setups. Your best bet for support (outside of a MS support agreement) is support forums, such as Stack Overflow, and support chats, such as Slack or Gitter. Once you find out what the problem is, then let us know here, and we can see if it would be a good fit to call out in the doc ... or over in the proxy/LB doc.

Hi;
It seems to be working now. I didn't test it properly. You are right! I didn't set the Origin header when testing it with curl:

$ curl -Lv -H "Origin: http://localhost:8081"  https://cors-endpoint
> GET /api/v1/m/auth/QueryCors HTTP/2
> Host: app.biz4x.com
> User-Agent: curl/7.64.0
> Accept: */*
> Origin: http://localhost:8081
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< date: Mon, 23 Sep 2019 01:56:29 GMT
< content-type: application/json; charset=utf-8
< set-cookie: AWSALB=c1kjax99Mah4gN199prdub5LjYhhNQQbmNwK7aHFDgkvomd59SoR9Re8iqsXe8qS8fQX4OuAlBoIBQwAs8tsA8b6tubExdE0eZFWLRL2mW33NrtoGIUVk77uGL2j; Expires=Mon, 30 Sep 2019 01:56:28 GMT; Path=/
< server: Kestrel
< vary: Origin
< vary: Origin
< access-control-allow-credentials: true
< access-control-allow-origin: http://localhost:8081
< strict-transport-security: max-age=5184000; includeSubDomains; preload
< 
* Connection #0 to host app.biz4x.com left intact
"Ok"

I don't really think that's clear enough. I read thru the topic, and it's only _implied_, but I know it trips up some devs in testing. I've seen this come up in Slack discussions and in blog posts. I'm going to add a line in the test CORS area of the topic to make it clear that the middleware doesn't supply the headers on a same-origin request because there's no point in doing so ... it would just be a waste of bandwidth.
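
The diagnosis this thread arrives at, as an added example (not code from the issue or from ASP.NET Core): a small Python check that reads a `curl -v` transcript and separates "no Origin header was sent, so no CORS headers are expected" from "Origin was sent but the response carries no Access-Control-Allow-Origin". The transcripts, host name, path and verdict strings are constructed for illustration.

```python
import re

# Constructed transcripts in the shape of `curl -v` output (host and path are placeholders).
WITHOUT_ORIGIN = """\
> GET /api/example HTTP/2
> Host: api.example.test
> Accept: */*
>
< HTTP/2 200
< content-type: application/json; charset=utf-8
< server: Kestrel
<
"""

WITH_ORIGIN = """\
> GET /api/example HTTP/2
> Host: api.example.test
> Origin: http://localhost:8081
>
< HTTP/2 200
< vary: Origin
< access-control-allow-credentials: true
< access-control-allow-origin: http://localhost:8081
<
"""

def headers(transcript, marker):
    """Collect headers from lines starting with '>' (request) or '<' (response)."""
    found = {}
    for line in transcript.splitlines():
        # Request and status lines have no "name:" token, so they never match.
        m = re.match(rf"^{re.escape(marker)} ([^:\s]+):\s*(.*)$", line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return found

def diagnose(transcript):
    """Return a verdict string (names are this example's own, not a standard)."""
    req, resp = headers(transcript, ">"), headers(transcript, "<")
    origin = (req.get("origin") or [None])[0]
    allowed = (resp.get("access-control-allow-origin") or [None])[0]
    if origin is None:
        return "not-a-cors-request"  # no Origin sent: missing CORS headers are expected
    if allowed is None:
        return "origin-not-allowed-or-headers-stripped"  # check the policy, then the proxy
    if allowed == "*" and "true" in resp.get("access-control-allow-credentials", []):
        return "wildcard-with-credentials"  # browsers reject this for credentialed requests
    if allowed not in (origin, "*"):
        return "allow-origin-mismatch"
    return "cors-ok"
```

Only the second and later verdicts point at the CORS policy or at something between the client and Kestrel; the first means the test request itself was not a cross-origin request.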
