Aspnetcore.docs: Setting the environment variable to enable forwarded headers needs to be more prominent

Created on 28 May 2020 · 6 Comments · Source: dotnet/AspNetCore.Docs

While trying to get the X-Forwarded-Proto header to be respected, and after much frustration, I noticed that in one of the code samples it has

Environment.GetEnvironmentVariable("ASPNETCORE_FORWARDEDHEADERS_ENABLED")

Which led me to realise that I needed to set this environment variable in order to get it to work. Perhaps this information ought to be more prominent?

All 6 comments

Just FYI, setting this environment variable isn't _required_ - it's for convenience so that you don't have to add both services.Configure<ForwardedHeadersOptions>(...) and app.UseForwardedHeaders(); with the correct setup: https://github.com/dotnet/aspnetcore/blob/release/3.1/src/DefaultBuilder/src/WebHost.cs#L240-L252.

@serpent5 that's great information. Is it worth adding

In the preceding code, setting Environment.GetEnvironmentVariable("ASPNETCORE_FORWARDEDHEADERS_ENABLED") variable isn't _required_ - it's for convenience so that you don't have to add both services.Configure<ForwardedHeadersOptions>(...) and app.UseForwardedHeaders(); with the correct setup: https://github.com/dotnet/aspnetcore/blob/release/3.1/src/DefaultBuilder/src/WebHost.cs#L240-L252.

Let me know if you'd like to add that.

It looks like things have changed a bit since that section was written. The code sample that the reader is instructed to add is now part of the ConfigureWebDefaults stuff. I think it might be worth adding a note about how ASPNETCORE_FORWARDEDHEADERS_ENABLED is used by ConfigureWebDefaults to add both the configuration and the middleware. The only mention of that setting right now is in the code sample, but it doesn't really show that it has built-in support.

From what I see, if you're using ConfigureWebDefaults, you can just set the env var, without adding the code shown in the sample. Otherwise, you can add the code yourself, but then there's no need to use the ASPNETCORE prefix on the setting name because it's being read by the app's code.

For reference, I found the PR that made the change: https://github.com/dotnet/AspNetCore.Docs/pull/12740. It looks like it was during the transition to 3.x, so it might be worth seeing if @Tratcher can comment on what I've said above.

Yup, these could use some updates.

  1. ASPNETCORE_FORWARDEDHEADERS_ENABLED is supported by ConfigureWebDefaults starting in 3.0. The sample code should only be shown for older versions.
  2. Add a disclaimer: ASPNETCORE_FORWARDEDHEADERS_ENABLED should only be used in deployment scenarios where you're:
    A. Positive you're behind a trusted proxy
    B. AND the deployment environment is unpredictable such that you can't specify KnownProxies or KnownNetworks. A cloud provider is such an environment.
  3. Otherwise you should configure ForwardedHeadersOptions as shown above and set KnownProxies/Networks.

@serpent5 would you like to PR this when you have time?

Yeah, it's on my list.
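
The explicit configuration that point 3 of the list above recommends, as an added example that is not part of the thread or of the ASP.NET Core docs. It targets the 3.1 `Startup` pattern discussed here; the proxy address and network are constructed placeholders.

```csharp
// Added example, not code from the thread. Targets ASP.NET Core 3.1.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Process only the headers the proxy is known to set.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // By default only loopback is trusted. The env-var path in the linked
            // WebHost.cs clears both lists, so headers from any sender are applied.
            // Here the lists are extended with the actual proxy instead.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.100"));   // constructed
            options.KnownNetworks.Add(
                new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                    IPAddress.Parse("10.0.1.0"), 24));                 // constructed

            // Number of proxy hops whose header entries are processed.
            options.ForwardLimit = 1;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before any middleware that reads Request.Scheme or
        // Connection.RemoteIpAddress (redirects, auth, logging).
        app.UseForwardedHeaders();

        // Diagnostic endpoint: shows the values the app sees after the
        // middleware has applied (or ignored) the forwarded headers.
        app.Run(async context =>
        {
            await context.Response.WriteAsync(
                $"scheme={context.Request.Scheme} " +
                $"remote={context.Connection.RemoteIpAddress}");
        });
    }
}
```

A request that arrives from an address outside `KnownProxies`/`KnownNetworks` keeps its original scheme and remote IP, which is a quick way to check that the allow-list is in effect.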
