Is https required in Kestrel behind my https apache proxy?

I don't quite understand the idea of whether the Kestrel server needs to be encrypted as a local server.

I am using Apache with HTTPS as a proxy for the Kestrel server. Do you need to run https in Kestrel? In theory, what goes through the Apache proxy (HTTPS enabled) needs to be encrypted, right?

Please shed some light if you have any ideas.

+3




1 answer


No, you don't need to encrypt traffic between Apache and Kestrel. Apache (or nginx or IIS) will be the SSL termination point.

However, you need to make sure that

  • Apache sets the forwarded headers (x-forwarded-* headers) correctly
  • Kestrel is properly configured to use these headers (UseIISIntegration already does) or register middleware app.UseForwardedHeaders(); that also registers them

Without one of these, your requests will fail if the controllers / actions are marked with the attribute [RequireHttps].

+6
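A Program.cs for the setup the answer describes, added here as an example (not code from the original answer). It assumes ASP.NET Core 6 or later with implicit usings, Apache on the same host sending X-Forwarded-Proto, and a constructed port 5000; the /whoami and /secure routes are hypothetical.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Kestrel speaks plain HTTP, but only on loopback, so the unencrypted hop
// never leaves the machine. Port 5000 is a constructed example value.
builder.WebHost.ConfigureKestrel(k => k.ListenLocalhost(5000));

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Honour only the two headers the app needs: client IP and original scheme.
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // Accept forwarded headers only from the local Apache instance. If a client
    // could reach Kestrel directly, anything it put in X-Forwarded-Proto would
    // otherwise be believed. Replace with the proxy's address if it runs elsewhere.
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Loopback);
    options.KnownProxies.Add(IPAddress.IPv6Loopback);

    // One proxy in front of the app, so process a single header entry.
    options.ForwardLimit = 1;
});

var app = builder.Build();

// Must run before anything that inspects Request.Scheme or Request.IsHttps.
// Apache's mod_proxy adds X-Forwarded-For itself; X-Forwarded-Proto has to be
// set in the vhost, e.g. with mod_headers:
//   RequestHeader set X-Forwarded-Proto "https"
app.UseForwardedHeaders();

// Shows what the app sees after the middleware has rewritten the request.
app.MapGet("/whoami", (HttpContext ctx) => Results.Json(new
{
    scheme = ctx.Request.Scheme,
    isHttps = ctx.Request.IsHttps,
    remoteIp = ctx.Connection.RemoteIpAddress?.ToString()
}));

// Same condition [RequireHttps] evaluates: without the forwarded scheme this
// returns 403 even though the browser connected to Apache over TLS.
app.MapGet("/secure", (HttpContext ctx) =>
    ctx.Request.IsHttps ? Results.Ok("reached over HTTPS") : Results.StatusCode(403));

app.Run();
```

Requesting /whoami through Apache should report scheme "https"; requesting it directly on port 5000 from another process on the host shows "http", which is the state in which /secure is refused.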

