Thursday, September 1, 2022

[FIXED] Why is X-Forwarded-Proto always set to HTTP on Elastic Beanstalk?

      , , , ,      No comments   

Issue

Setup

Hi. I'm deploying an ASP.Net Core application to AWS Elastic Beanstalk. The platform I'm running on is 64bit Amazon Linux 2/2.1.5 using Nginx as the proxy server software. I've got a pair of listeners for my load balancer set up in the environment configuration. They are set up as follows:

  • Port=443 Protocol=HTTPS SSL=certificate Process=default
  • Port=80 Protocal=HTTP Process=default

And I've got a single process:

Name=default Port=80 Protocol=HTTPS

Problem

On my ASP.Net Core server, I'm trying to check if the original client to the server is communicating over HTTPS or HTTP. As I understand, the X-Forwarded-Proto header for requests should carry this information. However, the value of X-Forwarded-Proto is always http regardless of how a client connects to the server. Why is the X-Forwarded-Proto not ever set to https even when connected as so from my web browser?

Thanks in advance for any help!


Solution

The problem was in the Nginx configuration as pointed out by @MarkB. AWS Elastic Beanstalk has a default configuration file 00_application.conf in /etc/nginx/conf.d/elasticbeanstalk that is the culprit. It has a declaration:

proxy_set_header    X-Forwarded-Proto     $scheme;

that needed to be changed to:

proxy_set_header    X-Forwarded-Proto     $http_x_forwarded_proto;

To overwrite this file, I used the method detailed here: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html.

I added a file .platform/nginx/conf.d/elasticbeanstalk to the root of my deployed project. It contains:

location / {
    proxy_pass          http://127.0.0.1:5000;
    proxy_http_version  1.1;
    proxy_cache_bypass  $http_upgrade;
    proxy_set_header    Upgrade               $http_upgrade;
    proxy_set_header    Connection            $http_connection;
    proxy_set_header    Host                  $host;
    proxy_set_header    X-Forwarded-For       $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto     $http_x_forwarded_proto;
}

I also had to add a middleware to my ASP.Net Core application to use the forwarded headers as noted in this answer: Redirect URI sent as HTTP and not HTTPS in app running HTTPS.

I added the following to my Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    //...
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders =
            ForwardedHeaders.XForwardedFor |
            ForwardedHeaders.XForwardedProto;
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();
    });
    //...
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    //...
    app.UseForwardedHeaders();
    //...
}

I hope this helps others!



Answered By - Matthew Miller
Answer Checked By - Dawn Plyler (PHPFixing Volunteer)

0 Comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...