I'm having an issue getting IdentityServer4 to function correctly (ideally using the IdentityModel DiscoveryClient) when IDS is behind a load balancer.
The setup is: there is a load balancer which is set up to accept HTTPS/SSL only. This proxies the request to one of two servers running IDSv4 behind IIS. The load balancer to server link is HTTP.
In the version 3 documentation there were functions mentioned that should support this scenario on this page: https://identityserver.github.io/Documentation/docsv2/advanced/deployment.html
The version 4 documentation is not complete for the same topic: https://identityserver4.readthedocs.io/en/release/topics/deployment.html
In the discovery document all the endpoint URLs are returned as HTTP. I believe I need them to return as HTTPS and IdentityServer to understand that its real public address is HTTPS.
I've tried some of the options under AddIdentityServer in Startup, like the IssuerUrl or relaxing the client restriction (not ideal), but I'm bouncing between the endpoint URLs being wrong or errors like issuer not matching authority from the client http vs https.
I don't think I need to attach a log file at this point. I can certainly do it if there's value in it, let me know.
When you're using the UseIISIntegration extension (https://github.com/IdentityServer/IdentityServer4/blob/dev/src/Host/Program.cs#L27) it should set the incoming host header from the host of IIS. Are you not seeing that?
We are, but you run into the issue that IIS believes it's running on HTTP (it is), and so does IDS (since it gets it from IIS). But the requests come in to the load balancer as HTTPS, terminate there and then continue as HTTP to the servers.
This doesn't work without being able to tell IDS that its external endpoint is really HTTPS, as seems to be suggested in the linked v3 documentation.
We decided to just work around the problem for now by doing full SSL pass-through so it's HTTPS through the whole chain, but I do still want to know if that configuration/feature is available or coming.
Thanks for the reply :)
Oh I see -- the LB is in front of your IIS server? You will have to write your own MW in front of IdentityServer in your pipeline to set the right incoming headers then (which is what the UseIISIntegration does).
Yes, the LB is in front of the IIS server. I'm going to close this issue. As far as I'm concerned it's far easier in our scenario to not off-load SSL and solve this problem that way.
I think writing a middleware to solve the issue that ID4 is listening on HTTP, but needs to believe it's listening on HTTPS and still have all the validation on issuer/etc pass is too high of a chance for issues and in this case would be another piece to maintain.
Thanks for the answers.
@sbobkin does the LB have the feature to pass a customised header to the identity server?
@brockallen do you know which headers IdentityServer4 is looking for?
Host, mainly.
Check the Microsoft middleware to see what they forward to know the full list.
When I connect over HTTPS to the load-balancer, Identity Server's "https://.../.well-known/openid-configuration" shows http:// addresses. I need to override this with https://. Any thoughts?
@megamindbrian please find the following code, install package Microsoft.AspNetCore.HttpOverrides if you don't have it.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;

// Register this before app.UseIdentityServer() so the rewritten scheme/host are
// in place when IdentityServer builds the discovery document.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
    // The first entry is the local loopback range for X-Forwarded-* sent from the same machine.
    // The second entry is mainly for the Docker default network; it may not apply depending on the Docker settings.
    // Matching all IPs for now, as it is hard to know which local network Docker sets up.
    KnownNetworks =
    {
        // new IPNetwork(IPAddress.Loopback, 8),
        // new IPNetwork(IPAddress.Parse("172.0.0.0"), 8)
        new IPNetwork(IPAddress.Any, 0)
    }
});
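The two approaches discussed in this thread (the ForwardedHeaders middleware from the comment above, and the hand-written middleware brockallen suggests earlier) can be combined into one Configure method. The following is an added example and is not code from the thread or from the IdentityServer4 project; the load balancer address 10.0.0.5 and the header name are placeholders for your own environment. Unlike the snippet above, it trusts only the load balancer's address rather than every network, so a request that reaches the IIS host directly cannot forge X-Forwarded-* headers and have IdentityServer believe it arrived over HTTPS, and it also forwards the Host header, which is the one IdentityServer mainly reads.

```csharp
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Placeholder: internal address of the TLS-terminating load balancer.
    private static readonly IPAddress LoadBalancerAddress = IPAddress.Parse("10.0.0.5");

    // Placeholder: header the load balancer uses to report the original scheme.
    // Many load balancers send X-Forwarded-Proto; change this if yours uses a custom name.
    private const string SchemeHeader = "X-Forwarded-Proto";

    public void ConfigureServices(IServiceCollection services)
    {
        // Stores/clients/signing credential omitted; configure as for any IdentityServer4 host.
        services.AddIdentityServer();
    }

    public void Configure(IApplicationBuilder app)
    {
        var forwarded = new ForwardedHeadersOptions
        {
            // Scheme and host are what the discovery document and issuer check are built from.
            ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost,
            // Only one proxy sits between the client and this host; do not walk further back.
            ForwardLimit = 1
        };

        // Replace the defaults (loopback) with the single proxy we actually trust.
        // Trusting IPAddress.Any/0 would let any direct caller spoof the scheme and host.
        forwarded.KnownNetworks.Clear();
        forwarded.KnownProxies.Clear();
        forwarded.KnownProxies.Add(LoadBalancerAddress);

        // Option 1: standard middleware. Must run before UseIdentityServer.
        app.UseForwardedHeaders(forwarded);

        // Option 2 (fallback): minimal custom middleware for a load balancer that sends a
        // non-standard scheme header. Same trust rule: only act on requests from the LB.
        app.Use(async (context, next) =>
        {
            var remote = context.Connection.RemoteIpAddress;
            if (remote != null
                && remote.Equals(LoadBalancerAddress)
                && context.Request.Headers.TryGetValue(SchemeHeader, out var scheme)
                && string.Equals(scheme, "https", StringComparison.OrdinalIgnoreCase))
            {
                context.Request.Scheme = "https";
            }
            await next();
        });

        app.UseIdentityServer();
    }
}
```

Use only one of the two options in practice; both are shown so the trust rule is visible in each form. After deploying, fetch https://your-lb-host/.well-known/openid-configuration through the load balancer and confirm every endpoint and the issuer value now start with https://; if the issuer still does not match what clients expect, the remaining mismatch is in the Host header, not the scheme.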
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.